AWS levels up in game of government security – and now one step below classified access

Amazon Web Services (AWS) has leveled up its US government security certification, winning the right to handle more sensitive work from the Department of Defense (DoD). The company has, of course, blogged the news that it has won provisional authorization to operate levels three to five of the DoD's cloud security model. Level …
Simon Sharwood, 21 Aug 2014

Facebook slings $50k Internet Defense Prize™ at bug hunter duo

Facebook and Usenix have together created the Internet Defense Prize™ – and awarded its first gong to security bods Johannes Dahse and Thorsten Holz. The pair, of Ruhr University Bochum in Germany, received $50,000 from Facebook's prize-giving committee for their paper, Static Detection of Second-Order Vulnerabilities in Web …
Darren Pauli, 21 Aug 2014

Cyber spies whip out 'Machete', stride towards Latin America

Security watchers are tracking a new cyber-espionage campaign that appears to be targeting Latin American countries including Venezuela, Colombia and Ecuador. The so-called "Machete" campaign has been zoning in on governments, military and law enforcement agencies and embassies in South America for the last four years, stealing …
John Leyden, 21 Aug 2014

Microsoft: We plan to CLEAN UP this here Windows Store town

Microsoft has promised to crack down on rogue apps in its Windows Store following criticisms that the marketplace is littered with "scam" software. Windows Store – which debuted with Windows 8 – is littered with misleading apps. Typical problems include knock-off "unofficial" packages of free apps such as the VLC media player. …
John Leyden, 21 Aug 2014

Chinese hackers spied on investigators of Flight MH370 - report

Malaysian officials investigating the disappearance of flight MH370 have been targeted in a hacking attack that resulted in the theft of classified material. The malware-based hacking attack hit around 30 PCs assigned to officials in the Malaysia Airlines, the Civil Aviation Department and the National Security Council, a …
John Leyden, 21 Aug 2014

Hear ye, young cyber warriors of the realm: GCHQ wants you

Spooks have called upon the good people of Blighty to help protect an airline from attack by a vicious group of nerdy cyber-terrorists. That might sound like the secret services are getting a bit desperate, but don't worry kids: it's only a game. The bods at GCHQ have announced a new part of the Cyber Security Challenge UK …
Jasper Hamill, 21 Aug 2014

Boffins propose security shim for Android

An international group of researchers believes Android needs more extensible security, and is offering up a framework they hope either Google or mobe-makers will take for a spin. The project is described in this paper slated for the Usenix Security Symposium on Friday in San Diego. The researchers from Germany's Technische …

New twist as rogue antivirus enters death throes

A rogue anti-virus program called Defru has taken to the browser to find a smarter way of infecting users, Microsoft researchers say. The Defru malware blocks users from visiting certain websites and instead displays warnings about fake perceived threats while the correct intended web address was still displayed. Most victims …
Darren Pauli, 21 Aug 2014

Amazon flicks switch on CloudFront security features

Amazon has beefed up security on its CloudFront services, adding Perfect Forward Secrecy, OCSP stapling and session tickets to its SSL support. The company describes the new AWS features in full in this blog post. Session tickets are designed to improve performance, particularly in the case of an interrupted session between …

Slapdash SSL code puts tons of top Android Play Store apps in hack peril

Sloppy programming, poor patching, and unreliable trust engines are rife within Android apps, according to a new study. In short, millions of smartphone users are potentially wide open to man-in-the-middle attacks, it's claimed. Researchers at security firm FireEye went through the 1,000 most popular Android applications from the …
Iain Thomson, 21 Aug 2014

Did you swipe your card through one of these UPS Store tills? You may have been pwned

UPS has discovered an outbreak of debit and credit-card-reading malware in 51 of its branches in the US. Exactly which strain of malware was involved is not known; a spokesperson told The Register today: "We're still investigating the infection." It's hoped the identity of the malware will be revealed once that probe is complete …

Oi! Rip Van Winkle: PATCH, already

Nearly 20 million computers remain infected with malware targeting a vulnerability first targeted four years ago by the Stuxnet worm. The flaw (CVE-2010-2568) was a Windows operating system bug in the way shortcuts worked allowing quiet download of the random dynamic library on Win Server 2003 and XP through to version 7. Since …
Darren Pauli, 20 Aug 2014

Need a green traffic light all the way home? Easy with insecure street signals, say researchers

Criminals monkeying with traffic lights are a staple of cinema: the 1969 Italian Job and Luc Besson's Taxi are particularly fine examples. Now researchers have demonstrated that fact is much less glamorous – and simpler – than fiction. In a paper [PDF] delivered to the USENIX Security 2014 …
Iain Thomson, 20 Aug 2014

Heartbleed implicated in US hospital megahack

The Heartbleed flaw is responsible for the high-impact US hospital hacking attack disclosed this week, an unnamed investigator told Bloomberg. As many as 4.5 million patient records have been exposed in an attack against Community Health Systems, a US hospital group that manages more than 200 hospitals. China-based attackers …
John Leyden, 20 Aug 2014

Brother, can you spare a DIME for holy grail of secure webmail?

Feature Lavabit founder Ladar Levison promised attendees at security conference DefCon that he'd carve out a secure messaging service from the wreckage of the email service favoured by rogue NSA sysadmin Edward Snowden within six months. The Dark Internet Mail Environment (DIME) project is promising, but recent problems experienced by …
John Leyden, 20 Aug 2014

How to marry malware to software downloads in an undetectable way (Hint: Please use HTTPS)

Be thankful it's only a proof-of-concept of a hack: German researchers have shown that internet software distribution mechanisms can be turned into virus vectors, without modifying the original code. The Ruhr University boffins – Felix Gröbert, Ahmad-Reza Sadeghi and Marcel Winandy – have developed an on-the-fly mechanism for …

Lazy sysadmins rooted in looming Mozilla cert wipeout

Mozilla is about to revoke some weak X.509 PKI certs, and has warned sysadmins that it will affect the Firefox browser and they'll need to assess their infrastructure. The four affected root certificates from Entrust and ValiCert are marked for removal because they contained weak keys. A further seven from CyberTrust, Thawte …
Darren Pauli, 20 Aug 2014

Cryptolocker flogged on YouTube

Cryptolocker is being flogged over YouTube by vxers who have bought advertising space, researchers Vadim Kotov and Rahul Kashyap have found. The researchers made the discovery while monitoring YouTube and website banners for instances where malware writers had actually purchased space to foist their wares on unpatched web users …
Darren Pauli, 20 Aug 2014

Nuke regulator hacked three times in three years

The US Nuclear Regulatory Commission (NRC) has been hacked three times in as many years, according to documents obtained under freedom of information requests. Unnamed foreign hackers sent hundreds of phishing emails - targeting 215 staff in one incident alone - in what was dubbed a 'credential harvesting campaign', according to …
Darren Pauli, 19 Aug 2014

NSW to build federated ID management rig for staff, punters

The Australian State of New South Wales (NSW) will build a federated identity system – or “Identity Hub” – for its many thousands of staff and also for the State's citizens. Oracle, NTT and consultancies Qubit and Dataweave will work together on the project. The latter company will project manage and then support the system …
Simon Sharwood, 19 Aug 2014

e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt

Brit taxpayers face a £224m bill in cancellation fees after the UK government scrapped a £750m contract for a passenger-checking computer system at its borders. The contract for the e-Borders IT project, which is supposed to scrutinize the identities of people entering the country, was signed in 2007, back when the Labour Party …
Iain Thomson, 19 Aug 2014

Google to offer special accounts for kids: report

Google is reportedly investigating how it can offer accounts to children. The Information reports that The Chocolate Factory is considering a regime whereby parents can set up accounts for kids and control the Google services they are permitted to access. Kids under 13 are currently not permitted to sign up for Google+. As your …
Simon Sharwood, 19 Aug 2014

Think crypto hides you from spooks on Facebook? THINK AGAIN

Activists just got another reason to worry about what spooks might be able to learn about them, with boffins demonstrating that a decent traffic fingerprint can tell an attacker what's going on, even if an app is defended by encryption. The researchers from the Universities of Padua and Rome have found that for activities like …

Linux kernel devs made to finger their dongles before contributing code

Beginning on Monday, the security of the Linux kernel source code has become a little bit tighter with the addition of two-factor authentication for the kernel's Git code repositories. Contributing code changes to the Linux kernel sources at Kernel.org already required more than just a password, even before the change. …
Neil McAllister, 18 Aug 2014

Tor-rorists get sneaky Aphex Twin album peek in dance guru hypegasm

Richard James, aka electronic music composer Aphex Twin, has been using the power of Tor to hype his new album – and to remind computer users about their own system's security. http://syro2eznzea2xbpi.onion — Aphex Twin (@AphexTwin) August 18, 2014 The .onion link above leads to a web server hidden in the Tor anonymizing …
Iain Thomson, 18 Aug 2014

'Chinese crims' snatch 4.5 MILLION patient files from US hospitals

One of the largest healthcare providers in the US claims Chinese hackers ran riot through its systems between April and June this year – accessing names, addresses and social security numbers of millions of patients. But Community Health Systems (CHS) insists no medical records nor any financial data were grabbed by the …
Iain Thomson, 18 Aug 2014

Germany 'accidentally' snooped on John Kerry and Hillary Clinton

Calls made by US secretary of state John Kerry and his predecessor Hillary Clinton were "accidentally" intercepted by German intelligence agencies, Der Spiegel reports. The Bundesnachrichtendienst (BND), the German intelligence service, snooped on a satellite phone conversation that Kerry made in 2013, a year after it intercepted …
John Leyden, 18 Aug 2014

Something's phishy: More holiday scam spam flung at real hotel customers

Updated Multiple customers at several hotels are getting hit up with a sophisticated phishing scam based on real hotel bookings. The latter all share the common factor of being made through Booking.com. Last week we reported how the wife of a Reg reader received a scam email after booking a family holiday in a hotel in Mallorca, Spain …
John Leyden, 18 Aug 2014

Rupert Murdoch says Google is worse than the NSA

Media tycoon Rupert Murdoch has taken to Twitter and labelled Google worse than the NSA. Here's The Dirty Digger's missive: NSA privacy invasion bad, but nothing compared to Google. — Rupert Murdoch (@rupertmurdoch) August 17, 2014 Murdoch and Google have history, with the former accusing the latter of stealing his newspapers …
Simon Sharwood, 18 Aug 2014

Irish credit unions in privacy breach

Irish credit unions are in the midst of a privacy storm, with that country's privacy watchdog accusing some institutions of trafficking in illegally-obtained data. The Office of the Data Protection Commissioner (ODPC) says it's investigating whether some credit unions hired private investigators to obtain confidential data from …

VXer fighters get new stealth weapon in war of the (mal)wares

A bare-metal analysis tool developed by University of California researchers promises to help tip the battle between virus writers and black hats by cloaking malware investigation efforts. The tool is the latest weapon in the war between the diaspora of independent and vendor malware researchers and their VXer foes. Their …
Darren Pauli, 18 Aug 2014

Boffins find hundreds of thousands of woefully insecure IoT devices

More than 140,000 internet-of-things devices, from routers to CCTV systems, contain zero-day vulnerabilities, backdoors, hard-coded crackable passwords and blurted private keys, according to the first large-scale analysis of firmware in embedded devices. Four researchers from EURECOM France found the flaws when conducting a …
Darren Pauli, 17 Aug 2014

Microsoft cries UNINSTALL in the wake of Blue Screens of Death™

Microsoft has urged users to remove a buggy update as it yanked download links to the offending patch, after reports emerged it caused the dreaded blue screen of death. The fixes issued on Patch Update Tuesday addressed privilege escalation bugs but an apparent font cache clearing issue led to Windows boxes turning the colour …
Darren Pauli, 17 Aug 2014

Time to ditch HTTP – govt malware injection kit thrust into spotlight

A new report from the Toronto-based internet watchdog Citizen Lab has shown cases of governments running network injection attacks that can deliver malware via any HTTP web connection. The dossier looks at two hacking tools created by the Italian firm Hacking Team and the German biz FinFisher that use the injection attack vector …
Iain Thomson, 16 Aug 2014

Supervalu supermarket stores stung by sneaky sales system scammers

Supervalu, one of the biggest supermarket chains in the US, is warning customers who shopped with them between June 22 and July 17 to check their bank statements, after investigators discovered hackers have been at work. "The safety of our customers' personal information is a top priority for us," said CEO Sam Duncan. "The …
Iain Thomson, 15 Aug 2014

Apple slings fanbois' data at Chinese servers in China Telecom deal

In an effort to woo buyers in China, Apple has inked a deal to store Chinese customer data in Chinese servers for the first time. Plenty of technology firms are leery about storing sensitive information in China (although given the NSA's reach, US servers aren't exactly private) but Apple has hired China Telecom to use the telco …
Iain Thomson, 15 Aug 2014

Revealed ... GCHQ's incredible hacking tool to sweep net for vulnerabilities: Nmap

For the past five years, British spying nerve-center GCHQ has been port scanning internet-connected computers in 27 countries – in an exhaustive hunt for systems to potentially exploit. That bombshell comes amid fresh leaks detailing the dragnet surveillance programs operated by the Five Eyes nations: America, UK, Canada, …
John Leyden, 15 Aug 2014

Don't think you're SAFE from Windows zombies just 'cos you have an iPhone - research

Fanbois aren't safe from Windows malware - and it's all down to iTunes syncing. The music software's sync is the Achilles' heel that could expose otherwise secure iOS devices to malware, security researchers warn. Simply connecting an iPhone or iPad to an infected Windows machine through a USB cable leaves it vulnerable to …
John Leyden, 15 Aug 2014

Insert coin to continue: GameOver ZeuS zombie MUTATES, shuffles back to its feet

The resurfaced GameOver bot is back with a vengeance, having infected 12,000 computers after the network was taken down in June, according to Arbor Networks. The bot was taken out in June in a coordinated and high-profile crackdown by security companies and the FBI and Europol. Servers and domains were seized, disrupting both …
Darren Pauli, 15 Aug 2014

Giving your old Tesco Hudl to Auntie June? READ THIS FIRST

UK supermarket Tesco’s Hudl tablet will offer up data from past users – even if it’s been factory reset. The Register spoke to Ken Munro from security firm Pen Test Partners, who said he'd bought 17 Hudls and AllWinner tablets from eBay and found that not only does the reset process not wipe all the data, it’s possible to …
Simon Rockman, 15 Aug 2014

Who needs hackers? 'Password1' opens a third of all biz doors

Hundreds of thousands of hashed corporate passwords have been cracked within minutes by penetration testers using graphics processing units. The 626,718 passwords were harvested during penetration tests over the last two years conducted across corporate America by Trustwave infosec geeks. The firm's threat intelligence manager …
Darren Pauli, 15 Aug 2014

Chrome update to raise alarms over deceptive download bundles

Google is planning to roll out an update to the Safe Browsing feature of its Chrome web browser that will alert users to a new category of suspicious downloads: ones that look like they're installing helpful software but could also include additional, unexpected payloads. Safe Browsing already issues alerts to known malware …
Neil McAllister, 15 Aug 2014