
Hi-tech Fagin couple used Apple scam cash to fly pickpockets to UK

A pair of phishing fraudsters each received long jail terms after they were convicted of making £15,000 through online scams before using the funds to finance the travel of other crooks into the UK. Constanta Agrigoroaie, 23, and Radu Savoae, 28, both of Mornington Avenue, Ilford, both pleaded guilty to conspiracy to commit …
John Leyden, 18 Jul 2014

L33t haxxors compete to p0wn popular home routers

Gird your loins router-makers: a throng of hackers are set to pry apart your woefully insecure hardware in a competition to expose bad firmware and hard-coded credentials. The competition will take place at the DEF CON 22 conference and glories in the name "SOHOpelessly Broken". The event is the brainchild of the Electronic …
Darren Pauli, 18 Jul 2014

Chromecast hack Rickrolls Google's TV stick

Chromecast-owning households may be set to endure Rick Astley's ghastly oeuvre, thanks to a new device that can hijack victims' TV sticks and insert replacement content. Dan Petro's device, the "Rickmote", is a slick Raspberry Pi box that can knock the Google Chromecast video streaming utility off wireless networks allowing …
Darren Pauli, 18 Jul 2014
Credit: IGNACIO LEONARDI http://www.freeimages.com/photo/1118608

NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'

Edward Snowden has given an interview to The Guardian from his Russian hideout and warned that, among other things, those naked selfies people send to their loved ones are common currency among NSA staff. "You've got young enlisted guys, 18 to 22 years old. They've suddenly been thrust into a position of extraordinary …
Iain Thomson, 17 Jul 2014

NASDAQ IT security spend: $1bn. Finding mystery malware on its servers: Priceless

NASDAQ servers were infected by malware that exploited two mystery zero-day vulnerabilities, according to a magazine cover story published today. Despite spending a ton of money on computer security, the stock exchange was wide open to attack, we're told. Today's report pulls back the curtain to reveal a little more about …
Iain Thomson, 17 Jul 2014

Pushdo Trojan outbreak: 11 THOUSAND systems infected in just 24 hours

A wave of attacks by cybercrooks pushing a new variant of the resilient Pushdo Trojan has compromised more than 11,000 systems in just 24 hours. Indian PCs have been most affected by the outbreak, but systems in the UK, France and the US have also been hit, according to security software firm Bitdefender. The Romanian firm …
John Leyden, 17 Jul 2014

Don't put that duffel bag full of cash in the hotel room safe

Hotel safes are far less secure than guests are led to believe. Widespread use of default codes and other issues mean that it is relatively easy for criminals to get at hotel guests' valuables, security firm G DATA warns. The input panel, in front of the safe, to enter the PIN code or swipe a card through the credit card reader …
John Leyden, 17 Jul 2014

Flaws found in Bitdefender enterprise endpoint manager

Holes have been reported in Bitdefender's Gravity end-point protection platform that allow hackers to target corporate infrastructure. Researcher Stefan Viehbock of SEC Consult Vulnerability Lab said the flaw affecting the latest version provided an entry point for attackers to move laterally through the network. "Attackers are …
Darren Pauli, 17 Jul 2014

LibreSSL RNG bug fix: What's all the forking fuss about, ask devs

A bug found and fixed in LibreSSL, the OpenSSL fork maintained by OpenBSD developers, is "catastrophic" or "overblown", depending on whom you talk to. Just days after the release of a portable version of the crypto library, a flaw was reported in LibreSSL's pseudo-random number generator – its PRNG, a vital component in strong …
John Leyden, 17 Jul 2014

German NSA probe chief mulls spy-busting typewriters

Germany's government has mulled a return to typewriters in a bid to evade US spy agencies, according to the head of the nation's National Security Agency inquiry. The incredible decision came in response to a torrent of allegations that the NSA had spied on the German agencies and parties including Chancellor Angela Merkel. It …
Darren Pauli, 17 Jul 2014

Own a Cisco modem or wireless gateway? It might be owned by someone else, too

A number of Cisco home network gateways have a security bug that allows attackers to hijack the devices remotely. A firmware update to close the hole is being rolled out to ISPs to deploy. The networking giant said that certain Wireless Home Gateway products are vulnerable to a remote-code execution attack, which is triggered by …
Shaun Nichols, 17 Jul 2014

Supposed 'leader' of LulzSec pleads guilty to hacking, hubris

Matthew Flannery, once paraded by the Australian Federal Police (AFP) as the “leader” of international hacking collective LulzSec, has pleaded guilty to the five remaining charges against him, in Gosford Local Court. Flannery has waited since April 2013 to have the case settled. He is to be sentenced at a later date. At the …

Skiddies turn Amazon cloud into 'crime-as-a-service' – security bod

Amazon Web Services' share of cloud-hosted malware-slingers has more than doubled in the last six months. That's according to NTT subsidiary Solutionary, which revealed the finding in its Q2 2014 Security Engineering Research Team (SERT) report published on Tuesday. The infosec researchers said that, out of the top ten ISPs and …
Jack Clark, 17 Jul 2014

UN to Five Eyes nations: Your mass surveillance is breaking the law

Edward Snowden should be shielded from prosecution because the world needs people willing to expose violations of human rights, says the UN's High Commissioner for Human Rights Navi Pillay. Speaking at the launch of a report into digital privacy, Pillay said Snowden's revelations “go to the core” of the UN's concerns about mass …

Crooks fling banking Trojan at Japanese smut site fans

Cybercrooks are targeting Japanese smut site aficionados with a new banking Trojan run. The Aibatook malware is targeting customers of Japanese banks who are also visitors on some of the country's most popular pornographic websites. Security researchers at anti-virus firm ESET estimated that more than 90 smut sites have been …
John Leyden, 16 Jul 2014

UK data watchdog broke data law, says UK data watchdog

Britain's data cops have coughed to a serious security screw-up at the Information Commissioner's Office, and concluded that the ICO - only mildly - violated the Data Protection Act that it is supposed to police. It carried out an internal probe into what the ICO passively described as a "non-trivial security incident" that …
Kelly Fiveash, 16 Jul 2014

Redmond may buy security company it says is wrong about AD flaw

Microsoft is reportedly in talks to buy Israeli security firm Aorato for $200 million after this week pouring cold water on its claim to have discovered a critical flaw in Active Directory. Aorato was founded by former Israeli Defense Force hackers and offers products that detect attacks against Active Directory. As …
Darren Pauli, 16 Jul 2014

Microsoft: You NEED bad passwords and should re-use them a lot

Microsoft has rammed a research rod into the security spokes of the internet by advocating for password reuse in a paper that thoroughly derails the credentials best practice wagon. Password reuse has become a pariah in internet security circles in recent years following a barrage of breaches that prompted pleas from hacked …
Darren Pauli, 16 Jul 2014

Run Oracle? Want to sleep tonight? Then sort these 113 patches

Oracle has emitted its quarterly Critical Patch Update, this time offering a mere 113 patches sysadmins and security folks should get busy implementing. This time around there's 29 fixes for Oracle Fusion Middleware, 20 for Java SE, ten in MySQL Server, seven in Hyperion products and five apiece for Oracle database and E- …
Simon Sharwood, 16 Jul 2014

Mandatory data breach laws back on Australian agenda

Australia's on-again, off-again debate about data breach notification laws is on again, courtesy of a report into financial system regulation, at least until the government cans the idea (again). Register readers will recall that a Privacy Alerts bill was proposed by the previous government before the 2013 election, then delayed …

You don't need a HERO, you need a ZERO. From Google

+Comment Google will expand its computer security research efforts by forming a well-staffed full-time team called Project Zero. The web ad broker wants to hire the best of the best, who can find Heartbleed-grade vulnerabilities, or worse bugs, in software. It's also looking to extend its bounty program for reporting holes. Project Zero …
John Leyden, 15 Jul 2014

Hamas hacks Israeli TV sat channel to broadcast pics of Gaza wounded

Gaza leaders Hamas took over an Israeli satellite channel for a few minutes on Monday to broadcast pictures of Gaza wounded. Viewers who tuned into Israeli Channel 10 reported seeing images of people wounded from Israeli airstrikes on Gaza as well as propaganda messages promising more rocket strikes on Israel from Hamas' military …
John Leyden, 15 Jul 2014

British data cops: We need greater powers and more money

The UK's data privacy watchdog is lobbying for greater powers and funding after reporting a bumper workload. The latest annual report from the Information Commissioner’s Office (ICO) (PDF) reveals that the bureau responded to a record number of data protection and freedom of information complaints in the year to April 2014. The …
John Leyden, 15 Jul 2014

'Father of Zeus' banking trojan appears at very reasonable price

A banking trojan dubbed the father of the infamous Zeus malware is being flogged on cybercrime marketplaces for a pricey $7000, says fraud specialist Etay Maor. The Kronos malware was sold on a cybercrime forum, pitched particularly to Zeus trojan customers given its capabilities to re-use that trojan's form grabbing templates …
Darren Pauli, 15 Jul 2014

Flaw in Google's Dropcam sees it turned into SPYCAM

Hackers could inject fake video into popular home surveillance kit Dropcam and use the system to attack networks, researchers Patrick Wardle and Colby Moore say. The wide-ranging attacks were tempered by the need for attackers to have physical access to the devices but the exploits offer the chance to inject video frames into …
Darren Pauli, 15 Jul 2014

NIST told to grow a pair and kick NSA to the curb

The US National Institute of Standards and Technology (NIST) has been urged to hire more crypto experts so it can confidently tell the NSA to take a hike. A report (PDF) from NIST's Visiting Committee on Advanced Technology (VCAT) – which scrutinizes and advises the institute – scolds NIST for being too reliant on the NSA's …
Shaun Nichols, 14 Jul 2014

Hackers' delight: Hotel cyber-cafe, er, business centers, apparently – US Secret Service

The US Secret Service has quietly warned hotels that malware slingers are increasingly targeting PCs in hotel business centers to harvest sensitive information. In a non-public advisory, obtained by investigative journalist Brian Krebs, law enforcement officials have arrested members of a criminal gang that is accused of …
Iain Thomson, 14 Jul 2014

Will GCHQ furtle this El Reg readers' poll? Team Snowden suggests: Yes

Poll UK eavesdropping nerve center GCHQ has developed tools to manipulate online polls, ramp up page views for articles, and obtain private photos on Facebook. That's according to Glenn Greenwald's latest trawling of documents leaked by Edward Snowden. The surveillance agency can also, we're told, arrange calls between two selected …
Chris Williams, 14 Jul 2014

Gameover ZeuS botnet pulls dripping stake from heart, staggers back from the UNDEAD

The Gameover ZeuS malware is back from the dead just six weeks after a takedown operation that aimed to put a stake through the heart of the botnet, which is linked to the even more infamous CryptoLocker ransomware. International law enforcement acted against the crooks behind the Gameover ZeuS in early June. For the past month …
John Leyden, 14 Jul 2014

XSS marks the spot: PayPal portal peril plugged

PayPal has plugged a potentially nasty flaw on its internal portal. The vulnerability, discovered by security analyst Benjamin Kunz Mejri of Vulnerability Laboratory, involved security shortcomings in PayPal's backend systems. More specifically, he said, it was an application-side filter bypass vulnerability in the official …
John Leyden, 14 Jul 2014

FBI: We found US MILITARY AIRCRAFT INTEL during raid on alleged Chinese hacker

A Chinese entrepreneur has been arrested for attempting to steal information on the United States' Lockheed F-22 and F-35 aircraft and Boeing's C-17 cargo plane. Su Bin – along with two uncharged Chinese co-conspirators – is alleged to have hacked into Boeing's corporate network as well as those of defence contractors in the US …
Darren Pauli, 14 Jul 2014

Popular password protection programs p0wnable

Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials. "Critical" vulnerabilities were discovered and reported in LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword in work described by the University of California …
Darren Pauli, 14 Jul 2014

Apache patch: Cisco catches up with ANCIENT Struts2 vuln

Cisco has issued a patch for a four-year-old Apache Struts2 vulnerability. The original issue, CVE-2010-1870, was originally reported in July 2010. The vulnerability arises out of how Apache Struts2 handles commands passed to the Object-Graph Navigation Language. As the Apache notification states, “The vulnerability allows a …

We SO DO support Java on XP, maybe even JDK 8, says Oracle

Oracle has issued a statement saying that it absolutely does support Java on Windows XP and may even decide to support JDK 8 on the orphan OS. Oracle's post on the issue says "We expect all versions of Java that were supported prior to the Microsoft de-support announcement to continue to work on Windows XP for the foreseeable …
Simon Sharwood, 14 Jul 2014

New Doctor Who episode leaks online as proper trailer debuts

The mess at BBC Worldwide's Miami office that saw scripts for the new series of Doctor Who leak online has worsened, with a whole episode now doing the rounds of torrent sites. Radio Times reports that a “rough black and white edit” of the series' first episode, titled “Deep Breath”, escaped from the BBC's Miami office and …
Simon Sharwood, 13 Jul 2014

LibreSSL crypto library leaps from OpenBSD to Linux, OS X, more

The OpenBSD project has released the first portable version of LibreSSL, the team's OpenSSL fork – meaning it can be built for operating systems other than OpenBSD. The LibreSSL project, which aims to clean up the buggy and inscrutable OpenSSL code, was founded about two months ago by a group of OpenBSD developers, so it only …
Neil McAllister, 12 Jul 2014

Another 'NSA-proof' webmail biz popped by JavaScript injection bug

German startup Tutanota has admitted its webmail service was vulnerable to a cross-site scripting bug despite boasting it offered an "NSA-proof email service." The flaw, which would have allowed attackers to inject malicious JavaScript into victims' browsers, was uncovered and reported last night by German security researcher …
John Leyden, 11 Jul 2014

Miscreants leak banking baddie's secret source

Miscreants have released the source code for the Tinba banking Trojan in a move that may spawn the development of copycats. The secret source behind early versions of the small (some versions weigh in at just 20KB) but pernicious banking Trojan was released through an underground forum last week, reports Danish security …
John Leyden, 11 Jul 2014

Do your execs take mobile security seriously?

Reader Poll One of the findings emerging from our latest poll is that many of you are highlighting a lack of exec awareness and air cover when it comes to mobile security. This in turn appears to translate to a lack of funding to put the systems in place to cope with new devices, BYOD and so on. Is this something you are experiencing? If …
Dale Vile, 11 Jul 2014

FBI and pals grab banking Trojan zombielord's joystick

Law enforcement and the security business have teamed up to disrupt the operation of the Shylock banking Trojan. The UK's National Crime Agency joined forces with Europol and the FBI to take down and seize the command and control servers key to running the botnet. Law enforcement also took control of the domains Shylock uses for …
John Leyden, 11 Jul 2014

Exploit emerges for LZO algo hole

Security Mouse security researcher Don A Bailey has showcased an exploit of the Lempel-Ziv-Oberhumer (LZO) compression algorithm running in the Mplayer2 media player and says it could leave some Linuxes vulnerable to attack. The LZO data compression algorithm was created by Markus Oberhumer in 1994 and was discovered to be …
Darren Pauli, 11 Jul 2014

Infected Chinese inventory scanners ships off logistics intel

A Chinese manufacturer has been accused of implanting malware that steals supply chain intelligence in its hand-held scanner firmware. Security firm TrapX says infected scanners have been sold to eight unnamed firms including a large robotics company. Variants of the malware broke into enterprise resource planning platforms to …
Darren Pauli, 11 Jul 2014