CERN's 2014 Xmas gift from the Large Hadron Collider: Two new baryons

Analysis of Large Hadron Collider data collected in 2011 and 2012 has turned up two new subatomic particles: a couple of baryons that are six times as massive as a proton. The atom-smasher's LHCb experiment produced data that looks a lot like particles designated Xi_b'- and Xi_b*- which were first predicted by Canadian particle …

GOTCHA: Google caught STRIPPING SSL from BT Wi-Fi users' searches

Google's "encryption everywhere" claim has been undermined by Mountain View stripping secure search functions for BT WiFi subscribers piggy-backing off wireless connections, sysadmin Alex Forbes has found. The move, described as 'privacy seppuku' by Forbes (@al4), meant that BT customer searches were broadcast in clear text and …
Darren Pauli, 20 Nov 2014

'Most advanced mobile botnet EVER' is coming for your OFFICE Androids

A newly discovered variant of NotCompatible is establishing what has been called the most advanced mobile botnet yet created. Security researchers at Lookout warn that the latest version of the Android malware is capable of infiltrating secure enterprise networks via compromised devices. NotCompatible uses a peer-to-peer control …
John Leyden, 19 Nov 2014

London police chief: City bankers, prepare for a terrorist cyber attack. Again

+Comment Western financial institutions should prepare themselves for cyber attacks from Islamic militants, the head of the City of London police warns. Commissioner Adrian Leppard urged during a security conference in New York that preparations be put in hand. According to the FT, he singled out Islamic State of Iraq and the Levant (aka …
John Leyden, 19 Nov 2014

Asian mobiles the DDOS threat of 2015, security mob says

Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles, according to DDoS security bod Shawn Marck. Vietnam clocked in fifth place in the firm's latest threat report, in which India and Indonesia did not feature, outpaced by China, the US, Russia and …
Darren Pauli, 19 Nov 2014

Lame phone dodgers fleece finance's foolish and fat fingered

Scammers are attempting to fleece a hundred top US financial companies by registering phone numbers close to those in use by the firms, engineer Scott Strong says. Of some 600 top financial institutions across the US, 103 or about 20 percent had scammers register their numbers with only the last few digits altered in a bid to …
Darren Pauli, 19 Nov 2014

Hewlett Foundation lays out MEELLIONS on security

The Hewlett Foundation has found US$45m in its other jacket, and has anointed three lucky US universities to spend on security research. MIT, Stanford and UC Berkeley will share the simoleons, in a program MIT says is designed to generate a “robust marketplace of ideas”, whatever that is. On a more pragmatic basis, the …

SMS pwnage on MEELLIONS of flawed SIM cards, popular 4G modems

A Russian research team has found vulnerabilities in millions of the world's SIM cards, and separate flaws in common 4G modem platforms. Together, the bugs could allow attackers to send crafted SMS text messages to gain access to critical systems and install malware on connected computers. In one dramatic and hypothetical …
Darren Pauli, 19 Nov 2014

Patch NOW! Microsoft slings emergency bug fix at Windows admins

Microsoft has released a security patch to squash a bug in Windows that hackers are exploiting to compromise whole networks of computers. Redmond said today a vulnerability (MS14-068) in the Kerberos authentication system, used by default in the operating system, allows a normal user to ramp up their privileges and access rights …
Shaun Nichols, 18 Nov 2014

HALF A BILLION TERRORISTS: WhatsApp encrypts ALL its worldwide jabber

WhatsApp has announced that it will encrypt all its 600m users' text messages by default, which is a serious stride forward for privacy - and one which will no doubt be criticised by spooks and police worldwide. The rollout, announced today, was described by the app maker as the "largest deployment of end-to-end encryption ever …
Kieren McCarthy, 18 Nov 2014

Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority

A new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting next year. The move will make it even easier for people to run encrypted, secure HTTPS websites. Let’s Encrypt aims to provide an easier way to obtain and use a digital …
John Leyden, 18 Nov 2014

Anonymous hacks the Ku Klux Klan after Ferguson threats

Hacktivist collective Anonymous has taken out the websites and Twitter accounts of white supremacist group the Ku Klux Klan following threats by a local chapter of the Klan against protestors in Ferguson, Missouri. Tensions in Ferguson are high in the run-up to a ruling on whether criminal charges will be brought against a white …
John Leyden, 18 Nov 2014

Northern Ireland website leaves front door open, spills users' data

The creators of this Irish website may be fluent in the language of the Emerald Isle, but they are distinctly unversed in computer security. The Líofa (Fluent) website – a UK government project [PDF] – suffered not so much a data breach as a data giveaway. Users' personal information such as names, addresses, emails and phone …
Jennifer Baker, 18 Nov 2014

Can’t be TRUSTe-d? Online privacy firm coughs $200k to settle 'deception' charges

TRUSTe, which issues the privacy seals displayed on thousands of websites, has paid a settlement over charges it deceived consumers through its Privacy Seal Program. As part of an agreed settlement with US consumer watchdogs at the Federal Trade Commission, it also promised it would ensure all certified websites removed a …
John Leyden, 18 Nov 2014

Gee THANKS: Cryptoscum offer a free decrypt in latest ransomware racket

Ransomware thieves are taking a leaf from the greasy salesperson's handbook and offering victims a free decryption of a file of their choosing, malware researcher Tyler Moffitt says. Scammers would foist the CoinVault ransomware on victims through a variety of attack vectors and encrypt their files …
Darren Pauli, 18 Nov 2014

Cries of spies as audit group finds possible 'backdoor' in Bittorrent Sync

Updated: BitTorrent responds. Popular file sharing platform BitTorrent Sync is 'probably' leaking hashes to its website and access to shared data, a group audit has found. The platform, downloaded some 10 million times, allowed users to synchronise data over networks using encrypted peer-to-peer at speeds said to be 16 times faster than Dropbox, using …
Darren Pauli, 18 Nov 2014

USB coding anarchy: Consider all sticks licked

Thumb drives are so inconsistently manufactured it is all but impossible to know if any unit could be reprogrammed to own computers, researcher Karsten Nohl says. The conditions that determined if a unit could be hacked varied not only between vendors but also within product unit lines due to manufacturers buying different …
Darren Pauli, 18 Nov 2014

Three WireLurker suspects arrested in China – reports

Three people suspected of involvement in the WireLurker malware campaign have been arrested in China, according to reports. The suspects – whom the Beijing Public Security "internet" unit named only as Chen, Lee and Wang – were apparently arrested in the Beijing area following an investigation assisted by local security firm …
John Leyden, 17 Nov 2014

Holy cow! Fasthosts outage blamed on DDoS hack attack AND Windows 2003 vuln

Fasthosts' five-hour collapse today has been blamed on a Distributed Denial of Service attack and a security flaw spotted on its Windows 2003 shared web server kit. The company explained the torrid morning it had suffered in an emailed statement to The Register. Earlier today, after we reported that Fasthosts had gone titsup, …
Kelly Fiveash, 17 Nov 2014

State Dept shuts off unclassified email after hack. Classified mail? That's CLASSIFIED

The State Department has suspended its unclassified email system in response to a suspected hacking attack. The unprecedented shutdown on Friday was reportedly applied to give technicians an opportunity to repair possible damage, as well as to apply security improvements. A senior department official said possible problems were …
John Leyden, 17 Nov 2014

WinShock PoC clocked: But DON'T PANIC... It's no Heartbleed

Security researchers have released a proof-of-concept exploit against the SChannel crypto library flaw patched by Microsoft last week. The release of a PoC for the MS14-066 vulnerability through the Canvas tool from Immunity Inc underlines the need to patch. The flaw opens the door to remote code execution on unpatched servers …
John Leyden, 17 Nov 2014

Attack reveals 81 percent of Tor users but admins call for calm

The Tor project has urged calm after new research found 81 percent of users could be identified using Cisco's NetFlow tool. A research effort led by professor Sambuddho Chakravarty from the Indraprastha Institute of Information Technology in Delhi found that well-resourced attackers such as a nation-state could effectively …
Darren Pauli, 17 Nov 2014

Meet OneRNG: a fully-open entropy generator for a paranoid age

One of the many bits of technology that attracts paranoia in a post-Snowden era is random number generation, and a New Zealand developer hopes to help solve that with an all-open entropy generator. As often happens in Middle Earth New Zealand these days, Paul Campbell of Moonbase Otago is invoking Tolkien by naming the project …

VXers Shellshocking embedded BusyBox boxen

Malware writers have crafted new wares to attack embedded devices running BusyBox and not yet patched against the ShellShock vulnerability, researcher Rhena Inocencio says. Miscreants' tool of choice for such attacks is malware called "Bashlite" that, once executed on a victim machine, probes for devices such as routers and …
Darren Pauli, 17 Nov 2014

You really need to do some tech support for Aunty Agnes

Users who don't update their anti-virus may as well uninstall it according to infection rate statistics published by Microsoft. Redmond said in the seventeenth installment of its Security Intelligence Report that machines with outdated, deactivated or expired anti-virus platforms were just as prone to infection as those without …
Darren Pauli, 17 Nov 2014

EVERYTHING needs crypto says Internet Architecture Board

The Internet Architecture Board (IAB) has called for encryption to become the norm for all internet traffic. Last Friday, the IAB issued a statement saying that since there is no single place in the Internet protocol stack that offers the chance to protect “all kinds of communication”, encryption must be adopted throughout the …

Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals

Apple, Microsoft, HP and other cloud giants are begging Europe for help to stop US feds seizing customers’ data from servers on the Continent. A policy paper [PDF] published on Friday by DigitalEurope – which represents the above goliaths – urged the European Commission to wade into an ongoing legal fight between Uncle Sam and …
Jennifer Baker, 14 Nov 2014

Apple: Want a PATCH for iOS Masque attack? TOUGH LUCK, FANBOI

Apple has downplayed the Masque iOS security threat, saying no one has actually been affected by the security vulnerability. The Masque Attack opened by the security shortcoming creates a way for attackers to replace genuine iOS apps with malicious doppelgängers, as previously reported. Security firm FireEye warned about the iOS …
John Leyden, 14 Nov 2014

HSBC Turkey WON'T reissue cards despite 2.7 MILLION account details going AWOL

HSBC Turkey has confessed to a security breach exposing the details of 2.7m credit card accounts but the bank has made a decision not to reissue cards after deciding that the data exposed is not enough to make fraudulent transactions. The compromise – limited to the international bank's business in Turkey – exposed credit card …
John Leyden, 14 Nov 2014

Poll trolls' GCHQ script sock puppets manipulate muppets

A group of security professionals/online miscreants have found, and themselves created, thousands of online accounts to manipulate forum posts, popular news articles and mailing lists using techniques pioneered by the UK's GCHQ spy agency. Researchers Azhar Desai, Haroon Meer and Marco Slaviero of Thinkst found posts created around …
Darren Pauli, 14 Nov 2014

Dormant IP addresses RIPE for hijacking

Spammers are using loopholes in the internet routing registry to commandeer address space and pump out junk mail, and potentially launch denial of service attacks and steal traffic. As explained by cyber crime reporter Brian Krebs and Cisco researcher Jaeson Schultz, IP addresses can be snatched by scammers who establish bogus …
Darren Pauli, 14 Nov 2014

US Marshals commit DIRTBOX INTRUSION on Americans, says report

US marshals have reportedly fitted mini mobile phone cells, nicknamed dirtboxes, inside aircraft so that they can locate mobes from the sky. Or, in other words, another one of Uncle Sam's agencies has found another way to secretly track citizens. The g-men, who work for the courts and track down fugitives, have a fleet of light …
Iain Thomson, 14 Nov 2014

US carder gets nine years in cooler, must pay back $50 MEELLION

Georgia carder Cameron Harrison has been sentenced to nine years' jail and ordered to pay US$50.8 million in restitution for purchasing stolen credit cards from scuttled website carder.su. Harrison, 28, who used the handle Kilobit, pleaded guilty to three charges and was sentenced overnight by Nevada District Judge Andrew Gordon …
Darren Pauli, 14 Nov 2014

Lads from Lagos using 'Predator Pain' on hapless 419 victims

Advanced-fee fraudsters are adopting the tactics of state-sponsored hackers in attacks targeting small- to medium-sized businesses, rather than large corporates, according to research from Trend Micro. 419 gangs are using the Predator Pain and Limitless keyloggers to steal network credentials through spear-phishing attacks, …
John Leyden, 13 Nov 2014

UK.gov teams up with moneymen on HACK ATTACK INSURANCE

+Comment The UK government last week partnered with 12 insurance companies to develop the "cyber-insurance" market. But experts are split on whether encouraging the development of the nascent market will result in the adoption of improved security practices. Cabinet Office Minister Francis Maude said that while cyber insurance adds an …
John Leyden, 13 Nov 2014

Pay-by-bonk chip lets hackers pop all your favourite phones

Blood is flowing on the floor of the Pwn2Own challenge slaughterhouse, after whitehats hacked their way through an Apple iPhone 5S, Samsung Galaxy S5, LG Nexus 5 and Amazon Fire, most often by using Near Field Communications. The annual contest backed by HP, BlackBerry and Google, and run by HP's Zero Day Initiative …
Darren Pauli, 13 Nov 2014

'Chinese hackers' pop US weather bureau, flatten forecast feeds

Chinese hackers have breached the USA's weather forecasting systems, disrupting emergency and disaster planning in a hack one US congressman described as a cover-up, the Washington Post reports. The September hack was not discussed internally by the National Oceanic and Atmospheric Administration (NOAA) until 20 October and even …
Darren Pauli, 13 Nov 2014

ISPs are stripping encryption from netizens' email – EFF

Some ISPs are removing encryption from customers' connections to email servers – threatening the privacy of their communications – claims civil-liberties group the Electronic Frontier Foundation. Incidents in the US and Thailand over recent months have seen service providers intercepting their customers' data to strip a security …
John Leyden, 12 Nov 2014

Yorkshire man NICKS 1,000 Orange customer records. Court issues TINY FINE

A man who attempted to illegally access the passwords and login details of more than 1,000 Orange customers has been fined just £500 for his actions. The Information Commissioner's Office said that the 25-year-old company director Matthew Devlin was handed the financial penalty after he appeared before Calderdale Magistrates' …
Kelly Fiveash, 12 Nov 2014

Annus HORRIBILIS for TLS! ALL the bigguns now officially pwned in 2014

The appearance of a critical flaw in Microsoft SChannel - patched as part of this year's phenomenal November Patch Tuesday - means that every major TLS stack has now fallen victim to a critical flaw at some time during this year. The security flaw (MS14-066) in Microsoft's TLS cryptography library opens the door to remote code …
John Leyden, 12 Nov 2014

Target, Home Depot and UPS attacks: Dude, you need to rethink point-of-sale security

A new report on point-of-sale malware presents the most detailed examination of the malicious code behind high-profile attacks against US retailers to date. Cyphort Labs’ in-depth look focuses on Target, Home Depot and UPS breaches and involved an analysis of BlackPOS, FrameworkPOS and Backoff malware samples. The researchers …
John Leyden, 12 Nov 2014

Cybersecurity? Nothing to do with us, mate – Google and Facebook

Google, eBay, Facebook, Yahoo!, Foursquare and Microsoft want nothing to do with the proposed new EU cybersecurity law. In an open letter to Europe’s telco ministers last week, CCIA (the Computer & Communications Industry Association) said the proposed Network and Information Security (NIS) Directive should exclude internet …
Jennifer Baker, 12 Nov 2014