Redmond stall means IE Java axe won't swing till September

Microsoft has handed sysadmins a reprieve by delaying the blockage of vulnerable old versions of Java in its flagship Internet Explorer web browser until September. The postponement was made on the back of complaints to Redmond, which only provided a guide to managing the issue on Tuesday. "Based on customer feedback, we have …
Darren Pauli, 14 Aug 2014

Brit infosec firm lets hackers think they've stolen something

Security strategies generally concentrate on keeping the bad guys out, but British security outfit ClearSwift has stumbled upon another approach: if the bad guys get in, let them out with something. But scrub it clean on the way out the door. ClearSwift is the latest home for content-screening technologies first developed in the …
Simon Sharwood, 14 Aug 2014

Five Totally Believable Things Car Makers Must Do To Thwart Hackers

Car manufacturers are urged to implement a five-step program to improve their motors' computer security defenses. Today's rides are PCs on wheels and thus vulnerable to all sorts of potential hacks – such as the ones documented by Charlie Miller and Chris Valasek in their paper A Survey of Remote Automotive Attack Surfaces, here …
John Leyden, 14 Aug 2014

Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar

Rogue NSA sysadmin Edward Snowden says his former employer has developed software that will automatically attack foreign computers deemed to be a threat – without checking in with a human first. The system, dubbed MonsterMind, is designed to detect strikes against key US servers and block the assaults as quickly as possible. But …
Iain Thomson, 13 Aug 2014

Snowden leaks show that terrorists are JUST LIKE US

NSA whistleblower Edward Snowden's media allies have launched a counteroffensive against allegations by intelligence agencies that terrorists have upped their game in cryptography as a result of his leaks about NSA spying. Glenn Greenwald's The Intercept published leaked GCHQ mobile phone OPSEC guidance from 2010 alongside …
John Leyden, 13 Aug 2014

Anonymous threatens to name cop who shot dead unarmed Michael Brown

A group claiming to be affiliated with hacktivist collective Anonymous has threatened to release the name of the police officer who shot unarmed teen Michael Brown in the town of Ferguson, Missouri. Operation Ferguson says it is a group of hackers linked to Anonymous. It was set up a day after the 18-year-old black man was shot …

LulzSec supergrass Sabu led attacks against Turkey – report

Just months after reports emerged that LulzSec "kingpin" turned FBI snitch Hector Xavier Monsegur had allegedly led cyber-attacks against foreign governments while under FBI control, a "cache of sealed court documents" has provided some more startling reading. Monsegur – who prosecutors insist is "Sabu", a leading figure in …
John Leyden, 13 Aug 2014

Just when you thought you were alone in the bath: Hi-res mapping satellite ready for launch

An American firm is preparing to launch a satellite which will map the world in a higher resolution than the public has ever seen before. Tomorrow, DigitalGlobe expects to send its WorldView-3 satellite into orbit, where it will begin sending images of objects as small as 30cm in size. It will zoom up to space from Vandenberg …
Jasper Hamill, 13 Aug 2014

We told you jailbreaking your iThing was dangerous

Chinese malware has infected more than 75,000 iPhones and hijacked some 22 million advertisements, stealing revenue from developers in the iOS jailbreak community, virus prober Axelle Apvrille says. The AdThief malware relied on the Cydia Substrate extension present only on jailbroken Apple devices to hijack advertising bucks …
Darren Pauli, 13 Aug 2014

Naughty NSA was so drunk on data it forgot collection rules

Declassified documents from America's Foreign Intelligence Surveillance Court (FISC) show that even the NSA didn't know the limits of what it was supposed to collect, and overstepped its authorisations for years. The documents were released to the Electronic Privacy Information Centre in response to an FOI request, and record …

Fifteen zero days found in hacker router comp romp

Defcon 22: Researchers have unveiled 15 zero day vulnerabilities in four home and small business routers as part of the SOHOpelessly Broken hacker competition at DEF CON this week. Four of the 10 routers offered for attack, including the ASUS RT-AC66U, Netgear Centria WNDR4700, Belkin N900 and TRENDnet TEW-812DRU, were fully compromised. …
Darren Pauli, 13 Aug 2014

Beware of Greeks bearing spammy small omicrons, says Google

A week after switching on non-Eurocentric character support in Gmail, Google has announced that it's working to get its spam filters working in the new world. Last week, the Chocolate Factory flipped the switch on non-Latin character support. That gives it a brand-new spam-catching issue to address, as it explains in this blog …

You've got three days to patch Adobe Flash, Air, Reader

Adobe has patched seven vulnerabilities in its Flash and Air platforms and one in Reader and Acrobat that is being exploited by attackers. The vulnerabilities, dubbed critical by the company, could allow an attacker to "take control of affected systems". Administrators were urged to apply the updates within three days on Windows, …
Darren Pauli, 13 Aug 2014

Looking forward to the end of Tuesday? You've patched this month's 37 Microsoft bugs, right?

True to its word, Microsoft released nine security patches this month, two of which are rated as critical. The company said that the August edition of Patch Tuesday addresses a total of 37 CVE-listed security vulnerabilities. Most of the flaws will be addressed by the cumulative Internet Explorer security update. The browser …
Shaun Nichols, 12 Aug 2014

Password manager LastPass goes titsup: Users LOCKED OUT

Updated: Popular password management service LastPass went on the blink today, leaving users locked out of their accounts. Reg reader Tim Stephenson, head of IT at Liftshare, told us that the firm’s employees had experienced timeouts trying to access the site, browser plugins weren’t responding and users couldn’t authenticate themselves …

Chinese cops cuff teen over Heart App Android malware flap

Chinese authorities have arrested a 19-year-old suspected of unleashing a fast-spreading strain of malware that infects Android smartphones. Police told Chinese newspapers including Sina.com that "Li", a 19-year-old software engineering student, was cuffed in Shenzhen on suspicion of creating the Heart App Android malware within …
John Leyden, 12 Aug 2014

Fifteen countries KO'd in malware one-two punch

Someone suspected to be backed by a nation state is attacking embassies of former Soviet states with a malware tool that has infiltrated networks across more than 15 countries. Hacked embassies of unnamed former Soviet states include those located in: France; Belgium; Ukraine; China; Jordan; Greece; Kazakhstan; Armenia; Poland, …
Darren Pauli, 12 Aug 2014

Xiaomi updates cloud messaging after privacy scare

Chinese mobe-maker Xiaomi has changed the defaults on its cloud messaging service, in response to concerns raised by F-Secure that it was storing users' private data. At issue is a service provided for its Mi phones, which was switched on by default until the over-the-air update was issued. In this blog post, F-Secure notes that …

Google leaves STUPID vuln on Nest devices

Google's Nest thermostat, poster-child for its Internet of Things ambitions and data collector of your home habits, gives root access to anyone with a USB drive and a quarter-minute to spare. That's the conclusion that Yier Jin, Grant Hernandez and Daniel Buentello have come to, and told the world in their presentation to …

NIST wants better SCADA security

America's National Institute of Standards and Technology (NIST) wants to take a hand in addressing the SCADA industry's chronic insecurity, by building a test bed for industrial control systems. The Reconfigurable Industrial Control Systems Cybersecurity Testbed is only in its earliest stages. According to this RFI, the …

2,285,295 Aussie logins nabbed in Russian password haul

More than two million unique login credentials for Australian internet users were stolen as part of the massive haul of 1.2 billion passwords by a Russian hacker outfit. Earlier this month Hold Security reported that Russian hackers under the group dubbed CyberVors amassed the largest ever cache of stolen website passwords …
Darren Pauli, 11 Aug 2014

IBM takes a shine to Lighthouse, gobbles bouncer-in-the-cloud biz

IBM has acquired upstart Lighthouse Security Group, which lets sysadmins manage user accounts and identities in an off-premises cloud. Big Blue said the privately held Rhode Island firm will, fittingly, join the IT giant's Security Identity and Access Management group. Lighthouse already bases its Gateway service on IBM's Tivoli …
Shaun Nichols, 11 Aug 2014

DIME for your TOP SECRET thoughts? Son of Snowden's crypto-chatter client here soon

DefCon: Lavabit founder Ladar Levison will within six months carve out a military-grade email service from the ashes of Ed Snowden's favourite email client. As many of you will remember, Levison killed the service to prevent his clients' information from getting into the clutches of the Federal Bureau of Investigations. The popular …
Darren Pauli, 11 Aug 2014

GCHQ recruits spotty teens – for upcoming Hack Idol

The GCHQ-backed Cyber Security Challenge UK is bringing cybersecurity education to UK schoolkids aged from 12 to 18 with the importation of the US-created Cyber Patriot programme. The US Air Force Association CyberPatriot youth programme involves a battle of wits in cyberspace involving 1,500 international teams of under-18s …
John Leyden, 11 Aug 2014

CryptoWall! crooks! 'turn! to! Yahoo! ads! to! spread! ransomware!'

Crooks are using Yahoo!'s advertising network to infect PCs with the CryptoWall ransomware, it's claimed. Windows software nasty CryptoWall encrypts a victim's files using an OpenSSL-generated key pair before demanding a ransom to decrypt the data. It communicates with its masters using RC4-encrypted messages to command servers …
John Leyden, 11 Aug 2014

O2 vs Vodafone: Mobe firms grab for GCHQ, gov.uk security badge

Both Vodafone and O2 are claiming to be the best mobile phone network for people, particularly government people, who are worried about security. O2 is crowing about achieving the secure and government-approved network certification known as CAS(T), which stands for CESG Assured Service (Telecommunications), O2 being the first …
Simon Rockman, 11 Aug 2014

Anonymous wifi the latest casualty of Russia net neurosis

Russians will be required to hand over their passport-validated phone numbers to access public wireless networks under new laws. The laws ban the use of public wireless networks, creating confusion around precisely which networks would be affected and what form of identification would need to be provided. Leonid Levin, deputy …
Darren Pauli, 11 Aug 2014

Blackphone rooted at BlackHat

A security researcher at BlackHat has sparked a “did-he-didn't-he” Tweet-storm over the extent of an alleged “hack” of the “secure by design” Blackphone. The Twitter argument continues, with @TeamAndIRC first announcing that it only took five minutes to root the Blackphone* (see Bootnote); then backtracking on one claim because …

US 911 service needs emergency upgrade and some basic security against scumbags

Defcon 22: The US emergency response system is in urgent need of better security as it’s surprisingly easy to disable or spoof 911 calls. In a talk at Defcon 22 two doctors (who are also hackers) and a security consultant presented research into the emergency response system and how calls via fixed line, mobile phones and VoIP are routed. …
Iain Thomson, 11 Aug 2014

Why hackers won't be able to hijack your next flight - the facts

Defcon 22: Two seasoned pilots, one of whom is a published hacking expert, have been puncturing some of the myths about aircraft hacking at Defcon 22. Dr. Phil Polstra, professor of digital forensics at Bloomberg University (and a qualified commercial pilot and flight instructor) and "Captain Polly," professor of aviation at the University …
Iain Thomson, 10 Aug 2014

Crypto Daddy Phil Zimmermann says surveillance society is DOOMED

Defcon 22: A killer combination of rapidly advancing technology and a desire for greater privacy among the public should condemn the current surveillance state to an historical anachronism, according to PGP creator Phil Zimmermann. In an extended talk at Defcon 22 in Las Vegas, Zimmermann said it might seem as though the intelligence agencies …
Iain Thomson, 9 Aug 2014

Beware WarKitteh, the connected cat that sniffs your Wi-Fi privates

Defcon 22: An inventive security researcher has successfully tested a war-driving kitty collar – so its wearer can prowl around the neighborhood exposing the lamentable state of Wi-Fi security. Gene Bransfield, a security researcher with Tenacity, told El Reg that while he …
Iain Thomson, 9 Aug 2014

Oracle Database 12c's data redaction security smashed live on stage

Defcon 22: Oracle’s much-ballyhooed data redaction feature in Database 12c is easy to subvert without needing to use exploit code, attendees at Defcon 22 in Las Vegas have heard. The redaction features in 12c are designed to automatically protect sensitive database material by either totally obscuring column data or partially masking it – …
Iain Thomson, 8 Aug 2014

Intruder alert: Cyber thugs are using steganography to slip in malware badness

Common or garden cybercrooks have taken to using steganography – the art of hiding secret information within another image or message file – to run a click-fraud scam. Steganography has long been the stuff of spy trade-craft and cypherpunk novels, but now cybercrooks have made the practice downmarket by applying it to the Lurk …
John Leyden, 8 Aug 2014

Smartcard firm Gemalto slurps SafeNet in $890m securo-boost deal

Security company Gemalto is buying data protection firm SafeNet. The deal, announced Friday, is valued at $890m and is being financed through cash and existing long-term credit facilities. Once completed the acquisition will add data protection technologies to Gemalto's core authentication products and services (e.g. smartcards …
John Leyden, 8 Aug 2014

'Up to two BEEELLION' mobes easily hacked by evil base stations

Black Hat 2014 videos: The mechanisms used to update smartphone operating systems over the air are vulnerable to hijacking and abuse, researchers have claimed. Speaking at the Black Hat conference in Las Vegas on Thursday, the infosec bods believe up to two billion handsets are at risk, and that in some cases patches for the flaw still haven't been …
Iain Thomson, 8 Aug 2014

Yahoo! will! deploy! end-to-end! email! crypto! by! 2015!

Yahoo will fire up end-to-end (E2E) encryption for its email users by 2015, chief security officer Alex Stamos announced at Black Hat overnight. The Purple Palace has also created a PGP plugin forked from Google's new offering that will be native in mobile apps allowing Gmail and Yahoo mail to easily exchange encrypted email. …
Darren Pauli, 8 Aug 2014

DON'T PANIC! Satellite comms hacking won't be able to crash an aircraft

Black Hat 2014: Nervous fliers have one less thing to worry about after it turns out that, despite some alarmist reports, hackers won't be making planes fall out of the sky any time soon. The sensational headlines came after reporters learned that Ruben Santamarta, a consultant with security firm IOActive, was going to talk at Black Hat about …
Iain Thomson, 8 Aug 2014

Network hijacker steals $83,000 in Bitcoin ... and enough Dogecoin for a cup of coffee

Researchers at Dell's SecureWorks Counter Threat Unit (CTU) have identified an exploit that can be used to steal cryptocurrency from mining pools – and they claim that at least one unknown miscreant has already used the technique to pilfer tens of thousands of dollars in digital cash. The heist was achieved by using bogus Border …

Awooga: August Patch Tuesday incoming – with two remote-code exec bugs in IE, Windows

Microsoft has published advance notification for what it says will be a total of nine security update bulletins for its products – two of which are rated critical. The company said that the latest patch batch, set to arrive on August 12, will bundle critical Internet Explorer and Windows fixes with seven other tweaks for issues …
Shaun Nichols, 7 Aug 2014

Microsoft throws old versions of Internet Explorer under the bus

Microsoft has confirmed that it's ending support for old versions of Internet Explorer, and it's giving you just shy of 18 months to get up to date. Roger Capriotti, director of the IE team, blogged on Thursday that beginning on January 12, 2016, only the most recent version of IE on any supported version of Windows will …

Flying United Airlines? If you could just scan your passport with your phone, that'd be great

United Airlines is testing a passport-scanning feature in its phone app that could speed up the check-in process for international flights. The biz's iOS and Android software will allow passengers to upload an image of their passports within 24 hours of their departure and access their boarding pass. United said the system is …
Shaun Nichols, 7 Aug 2014