
Linux Foundation releases PARANOID internal infosec guide

Linux Foundation project director Konstantin Ryabitsev has publicly released the penguinistas' internal hardening requirements to help sysadmins and other paranoid tech bods secure their workstations. The baseline hardening recommendations are designed to balance security and convenience for its …
Darren Pauli, 31 Aug 2015

Boffins laugh at Play Store bonehead security with instant app checker

An armada of university researchers have devised a novel method of detecting malicious Android applications, and by way of demonstration have dug up 127,429 shady software offerings, including some bearing exploits for a whopping 20 zero days. The scheme, dubbed MassVet, is the brainchild of eight researchers: Kai Chen; …
Darren Pauli, 31 Aug 2015

Friday beers scam up 240 percent, inflicts $1.2 billion in damages

Fake email supplier scams are booming and have inflicted $1.2 billion in damages to businesses globally in the past year, according to the FBI. The scams, formally known as "business email compromise", involved a fraudster compromising the email account of an existing supplier and attempting to steal funds by tricking staff into …
Darren Pauli, 31 Aug 2015

Cisco ISE carries HTML authentication bug

Cisco's identified a bug in its Identity Services Engine: its admin portal doesn't properly authorise HTML requests, and that can let an attacker see custom pages an admin has created. The reason it matters is that sys admins' custom pages can contain sensitive security information about the network that ISE is managing. “The …

Uber pulls up to the bumper, plonks Jeep hackers into driving seat

Uber has hired two security researchers as it shifts gears on its biz strategy with plans to develop driver-free cars. The cab app outfit has poached Twitter's Charlie Miller and IOActive's Chris Valasek. Those names may sound familiar to readers. That's because they're the chaps who recently demonstrated just how easy it was …
Kelly Fiveash, 29 Aug 2015

Associated Press sues FBI for impersonating its site to install spyware

The Associated Press is suing the FBI over allegations government agents used a fake news story to plant malware on the PCs of suspected criminals. The news agency, along with the Reporters Committee for Freedom of the Press, filed suit against the Feds on Thursday in the US District Court in Washington, DC, asking the court to …
Shaun Nichols, 28 Aug 2015

Drum roll, please .... Results are in for the collective noun for security vulns

We've closed the poll, and the results for our attempts to weed out candidates for a collective noun for security vulnerabilities are in. To recap: the recent rash of Android vulnerabilities has made it clear that a new collective noun for such flaws, and possibly a separate one for security bugs in general, was required. We …
John Leyden, 28 Aug 2015

Spaniard claims WWII WAR HERO pigeon code crack. Explain please

A 22-year-old Spaniard claims that he's cracked a previously unsolved WWII coded message. Others have claimed this before and there's nothing particularly solid to back up the latest effort, but let's have a look at it anyway. Dídac Sánchez claims that he had cracked the encryption scheme used in the last undeciphered message …
John Leyden, 28 Aug 2015

NCA arrests six Lizard Squad users after gaming firms, retailers targeted

The National Crime Agency has arrested six users of a Lizard Squad DDoS attack tool, which had been used against a national newspaper, a school, gaming companies, and a number of online retailers. Those arrested are suspected of maliciously deploying Lizard Stresser, which allows users to pay to take websites offline for up to …
Kat Hall, 28 Aug 2015

Manchester skeptics annexed in hostile digital power grab

The Greater Manchester Skeptics Society (GMSS) has been obliged to start up a new group on Meetups.com, after someone with a very different agenda took over its profile on the social networking site. A glitch with the renewal of GMSS' Meetup Subscription allowed a non-committee member called "Sophie" (not her real name, we are …
John Leyden, 28 Aug 2015

Spooks, plod and security industry join to chase bank hacker

A group of security boffins have joined police and intelligence spooks in a clandestine mission to identify those behind distributed denial of service (DDoS) extortion attacks against major banks. An attacker using the handle DD4BC (DDoS for Bitcoins) is launching large DDoS attacks against banks and other big business in the …
Darren Pauli, 28 Aug 2015

Malvertising maniac messes MSN, serves corrupted creative

A chap who might just be the world's worst malvertising marauder has popped MSN, potentially compromising some of the site's 10 million daily visitors with an exploit kit so capable it p0wns almost half of those who encounter it. The attacker, understood to be an individual dubbed Fessleak, smashed MSN after popping Yahoo!, …
Darren Pauli, 28 Aug 2015

Google makes it official: Chrome will freeze Flash ads on sight from Sept 1

Google is making good on its promise to strangle Adobe Flash's ability to auto-play in Chrome. The web giant has set September 1, 2015 as the date from which non-important Flash files will be click-to-play in the browser by default – effectively freezing out "many" Flash ads in the process. Netizens can right-click over the …
Shaun Nichols, 28 Aug 2015

BitTorrent kills bug that turns networks into a website-slaying weapon

BitTorrent has fixed a flaw in its technology that quietly turns file-sharing networks into weapons capable of blasting websites and other internet servers offline. The San Francisco company said Thursday the patch for its libuTP software will stop miscreants from abusing the peer-to-peer protocol to launch distributed …
Shaun Nichols, 28 Aug 2015

Google tells iOS 9 app devs: Switch off HTTPS if you want that sweet sweet ad money from us

Google has told iOS 9 app developers to disable Apple's enforcement of HTTPS-only connections – or their in-app Google ads won't show up on up-to-date iPhones and iPads. Apple has added what it calls App Transport Security (ATS) to iOS 9 and OS X 10.11, which ensures software only uses encrypted connections when talking to …
Chris Williams, 27 Aug 2015

Still using ColdFusion? Really? Well, you'll want to install this patch

Adobe is advising users and administrators running ColdFusion to patch their software following the release of a security fix for an information disclosure vulnerability. The ColdFusion HotFix addresses a vulnerability in the handling of XML data for ColdFusion 10 and 11. Both patches address a single CVE-listed security …
Shaun Nichols, 27 Aug 2015

German spies sold out citizens to the NSA in exchange for super-snoop-ware XKeyscore

German weekly Die Zeit has published documents that reveal how the country’s domestic spies did a deal with the NSA to get their mitts on souped-up surveillance software. Under the 2012 agreement between the United States National Security Agency and the Federal Office for the Protection of the Constitution (BfV), the latter …
Jennifer Baker, 27 Aug 2015

Vote now: Who can solve a problem like Ashley Madison?

Poll: Avid Life Media – the owner of hookup site Ashley Madison – has weeks-old openings for a data analyst and a senior system administrator. The opportunities (noticed by Vulture-eyed Reg staffers) got us thinking about who in the wide world of tech is capable of righting the hacker-raided Tinder-for-cheaters site, which has …
John Leyden, 27 Aug 2015

Security for those who know they can't win the security war

In a post-Snowden world most IT people are painfully aware that most of us would not win a fight against a well-funded organisation, or government, that wants the data on your network, laptop or device. When someone is targeted by such an entity, they won’t go for the ever-popular “spooks” style secret bugging or custom zero- …
Stuart Burns, 27 Aug 2015

Ins0mnia bug means malicious iOS apps WILL NEVER DIE

A newly discovered vulnerability allows an iOS application to continue to run for an unlimited amount of time, even if an application gets terminated by a user. The flaw – dubbed Ins0mnia – potentially allows any iOS application to bypass Apple background restrictions, security researchers at FireEye warn. FireEye notified …
John Leyden, 27 Aug 2015

Hardened Linux stalwarts Grsecurity pull the pin after legal fight

The gurus behind the popular and respected Linux kernel hardening effort Grsecurity will stop providing free support for their stable offering. In future, only paying sponsors will get stable patches to shore up their kernels' defenses. The public stable patches will not be distributed beyond the next two weeks in response to …
Darren Pauli, 27 Aug 2015

Malware menaces poison ads as Google, Yahoo! look away

Feature: Online advertising has become an increasingly potent threat to end-user security on the internet. More hackers than ever are targeting the internet's money engine, using it as a powerful attack vector to hide exploits and compromise huge numbers of victims. Malvertising, as poisoned ads are known, is as deadly as it is diverse …
Darren Pauli, 27 Aug 2015

Cisco's RAT-catchers spot sysadmin-targeted phish

File this under “it was bound to happen one day”: Cisco has spotted a targeted phishing attack based on a popular sysadmin automation tool. If someone in the “IT crowd” bunker falls for the phishing attack, Cisco's Talos Group says the payload exploits AutoIT, a scripting admin environment for Windows. Talos explains what's …

FireEye intern VXer pleads guilty for Darkode droid RAT ruse

A former FireEye intern has pleaded guilty to creating and selling the Dendroid malware on the raided Darkode criminal forum. Morgan Culbertson, 20, of Pittsburgh, pleaded guilty before a Pittsburgh federal judge and faces sentencing 2 December. He faces a maximum of 10 years prison and a $250,000 fine, and has no prior …
Darren Pauli, 27 Aug 2015

Why is the smart home insecure? Because almost nobody cares

It's easy to laugh-and-point at Samsung over its latest smart-thing disaster: after all, it should have already learned its lesson from the Smart TV debacle, right? Except, of course, that wherever you see “Smart Home”, “Internet of Things”, “cloud” and “connected” in the same press release, there's a security debacle coming. …

Verizon wants to smartify old cars

Black, grey, and white hats associated with car hacking are flying in the air today, with Verizon announcing it's going to vastly expand their attack surface. That's not what the US network operator actually says, of course. What the company has announced is that its “project hum” has gone general-availability. Hum is …

Password 'XXXXairocon' pops Wi-Fi routers from ASUS, ZTE and others

A bunch of home gateway vendors, presumably sourcing their firmware from the same place, can be hijacked using depressingly common hard-coded logins. As the Carnegie-Mellon CERT states, the vendors involved are ASUS and ZTE in Asia, European vendors Digicom and Observa Telecom, and carrier Philippine Long Distance Telephone ( …

You're hosting Uncle Sam's files in the cloud. You get hacked. This is what happens next

The US government has posted a new set of rules outlining how cloud providers should report IT security cockups that involve Uncle Sam's data. The new Department of Defense (DoD) rules [PDF] include requirements on how contractors who handle government information should deal with computer network breaches and attacks, and how …
Shaun Nichols, 26 Aug 2015

Krebs: I know who hacked Ashley Madison

It appears someone closely linked to the hacking gang that ransacked adultery website Ashley Madison has accidentally outed him or herself. Investigative computer security journo Brian Krebs, with the help of pals, today named a Twitter user they believe is involved with Impact Team, which publicly leaked 33 million accounts …
Team Register, 26 Aug 2015

Ashley Madison hacked potential competitor, leaked emails suggest

Ashley Madison ran a hack attack against a potential competitor three years ago, according to leaked emails. Hackers from the self-styled Impact Team leaked the email archive of Avid Life Media president and CEO Noel Biderman last week, days after separately releasing user database files and other material from the adultery- …
John Leyden, 26 Aug 2015

Aviva phone hacker jailed for 18 months over revenge attack

A senior techie has been jailed for 18 months after he was convicted of hacking into hundreds of phones at insurance firm Aviva, an act of sabotage designed to exact revenge against a firm that supplied security services to the insurance giant. Richard Neale, 40, pleaded guilty to a hack against Aviva designed to cause …
John Leyden, 26 Aug 2015

Britain’s device-theft capital is now … lovely Leicestershire

Leicestershire – slap-bang in the middle of rural England – has leapfrogged London as the UK’s electronic device-theft capital, according to a comparison of police force stats. A series of FoI (Freedom of Information) requests by ViaSat showed 51 per cent of thefts in Leicestershire were of electronic devices, compared with 27 …
John Leyden, 26 Aug 2015

User-chosen Android lockscreen patterns are grimly predictable SHOCKER

People choose predictable Android lock screen patterns just like they pick predictable passwords. Research by Marte Løge, a recent graduate from the Norwegian University of Science and Technology, confirmed that the problems people have in setting up secure passwords and PINs are replicated in the field of Android lockscreen …
John Leyden, 26 Aug 2015

NHS site defaced with screed protesting Syrian conflict

A UK National Health Service (NHS) site on which the organisation posts patients' stories describing their experience with illness has been defaced by an entity calling itself “Moroccanwolf” who claims the attack is an act of protest regarding western governments' lack of humanitarian actions in Syria. Google's cache suggests …
News team, 26 Aug 2015

The Onion Router is being cut up and making security pros cry

IBM is warning corporates to start blocking TOR services from their networks, citing rising use of the encrypted network to deliver payloads like ransomware. The advice comes in the company's latest X-Force research team report (PDF). IBM claims there were around 180,000 malicious traffic “events” in the USA between January 1 …

Devs are SHEEP. Which is good when the leader writes secure code

Programmers with security chops are seen as more productive and influential workers whom other coders strive to emulate, according to security researchers from North Carolina State University and Microsoft Research. A sextet of security researchers has produced a trio of studies on the topic, finding that programmers are …
Darren Pauli, 26 Aug 2015

GitHub wobbles under DDOS attack

GitHub is under a distributed-denial-of-service attack being perpetrated by unknown actors. The service's status page reported “a brief capacity overload” early on Tuesday. The site's assessment of the incident was later upgraded to a DDOS and at the time of writing the site is at code yellow. The graphic at the top of …
Simon Sharwood, 26 Aug 2015

What Ashley Madison did and did NOT delete if you paid $19 – and why it may cost it $5m+

Add a multimillion-dollar US class-action lawsuit to the growing number of court battles facing the owner of the hacked Ashley Madison website. A class-action complaint [PDF] filed in a US District Court in California this week alleges that Avid Life Media (ALM) neglected to properly secure the highly compromising personal …
Team Register, 25 Aug 2015

Mobile device screens recorded using the Certifi-gate vulnerability

Vulnerable plug-ins have been installed on hundreds of thousands of Android devices, allowing screens to be recorded, according to data from the scanning tool which discovered that the so-called Certifi-gate vulnerability is already being exploited in the wild. The Certifi-gate vulnerability was disclosed by security …
John Leyden, 25 Aug 2015

SMEs in the firing line as fake invoice scams skyrocket

UK small businesses need to be on heightened alert for fake invoices, following an alarming increase in this type of scam in the first six months of 2015. Action Fraud has received reports from 749 businesses reporting falling victim to this sort of con between January and June 2015 alone. This compares with 603 victims in the …
John Leyden, 25 Aug 2015

Carders fleece $4.2 million from Victoria's MyKi transport agency

Scammers have inflicted some AUD$4.2 million in damage to Public Transport Victoria (PTV) by buying and selling MyKi travel cards loaded with cash stolen from credit cards. The agency in the southern Australian state coughed up the dough to international credit card holders whose cards were fleeced. MyKi cards are …
Darren Pauli, 25 Aug 2015

AshMad search outfit Trustify to El Reg: 'Trust us, we're the good guys'

Updated: Online “Uber for private investigators” outfit Trustify is upset with The Register for not replicating its messaging with sufficient sycophancy. The company has, through PR company PR/serve, sent the following missive to explain why it harvested searches from the desperate and foolish visiting its site to see if they're on the …