
You don't need a HERO, you need a ZERO. From Google

+Comment Google will expand its computer security research efforts by forming a well-staffed full-time team called Project Zero. The web ad broker wants to hire the best of the best, who can find Heartbleed-grade vulnerabilities, or worse bugs, in software. It's also looking to extend its bounty program for reporting holes. Project Zero …
John Leyden, 15 Jul 2014

Hamas hacks Israeli TV sat channel to broadcast pics of Gaza wounded

Gaza leaders Hamas took over an Israeli satellite channel for a few minutes on Monday to broadcast pictures of Gaza wounded. Viewers who tuned into Israeli Channel 10 reported seeing images of people wounded from Israeli airstrikes on Gaza as well as propaganda messages promising more rocket strikes on Israel from Hamas' military …
John Leyden, 15 Jul 2014

British data cops: We need greater powers and more money

The UK's data privacy watchdog is lobbying for greater powers and funding after reporting a bumper workload. The latest annual report from the Information Commissioner’s Office (ICO) (PDF) reveals that the bureau responded to a record number of data protection and freedom of information complaints in the year to April 2014. The …
John Leyden, 15 Jul 2014

'Father of Zeus' banking trojan appears at very reasonable price

A banking trojan dubbed the father of the infamous Zeus malware is being flogged on cybercrime marketplaces for a pricey $7000, says fraud specialist Etay Maor. The Kronos malware was sold on a cybercrime forum, pitched particularly to Zeus trojan customers given its capabilities to re-use that trojan's form grabbing templates …
Darren Pauli, 15 Jul 2014

Flaw in Google's Dropcam sees it turned into SPYCAM

Hackers could inject fake video into popular home surveillance kit Dropcam and use the system to attack networks, researchers Patrick Wardle and Colby Moore say. The wide-ranging attacks were tempered by the need for attackers to have physical access to the devices but the exploits offer the chance to inject video frames into …
Darren Pauli, 15 Jul 2014

NIST told to grow a pair and kick NSA to the curb

The US National Institute of Standards and Technology (NIST) has been urged to hire more crypto experts so it can confidently tell the NSA to take a hike. A report (PDF) from NIST's Visiting Committee on Advanced Technology (VCAT) – which scrutinizes and advises the institute – scolds NIST for being too reliant on the NSA's …
Shaun Nichols, 14 Jul 2014

Hackers' delight: Hotel cyber-cafe, er, business centers, apparently – US Secret Service

The US Secret Service has quietly warned hotels that malware slingers are increasingly targeting PCs in hotel business centers to harvest sensitive information. In a non-public advisory, obtained by investigative journalist Brian Krebs, law enforcement officials have arrested members of a criminal gang that is accused of …
Iain Thomson, 14 Jul 2014

Will GCHQ furtle this El Reg readers' poll? Team Snowden suggests: Yes

Poll UK eavesdropping nerve center GCHQ has developed tools to manipulate online polls, ramp up page views for articles, and obtain private photos on Facebook. That's according to Glenn Greenwald's latest trawling of documents leaked by Edward Snowden. The surveillance agency can also, we're told, arrange calls between two selected …
Chris Williams, 14 Jul 2014

Gameover ZeuS botnet pulls dripping stake from heart, staggers back from the UNDEAD

The Gameover ZeuS malware is back from the dead just six weeks after a takedown operation that aimed to put a stake through the heart of the botnet, which is linked to the even more infamous CryptoLocker ransomware. International law enforcement acted against the crooks behind the Gameover ZeuS in early June. For the past month …
John Leyden, 14 Jul 2014

XSS marks the spot: PayPal portal peril plugged

PayPal has plugged a potentially nasty flaw on its internal portal. The vulnerability, discovered by security analyst Benjamin Kunz Mejri of Vulnerability Laboratory, involved security shortcomings in PayPal's backend systems. More specifically, he said, it was an application-side filter bypass vulnerability in the official …
John Leyden, 14 Jul 2014

FBI: We found US MILITARY AIRCRAFT INTEL during raid on alleged Chinese hacker

A Chinese entrepreneur has been arrested for attempting to steal information on the United States' Lockheed F-22 and F-35 aircraft and Boeing's C-17 cargo plane. Su Bin – along with two uncharged Chinese co-conspirators – is alleged to have hacked into Boeing's corporate network as well as those of defence contractors in the US …
Darren Pauli, 14 Jul 2014

Popular password protection programs p0wnable

Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials. "Critical" vulnerabilities were discovered and reported in LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword in work described by the University of California …
Darren Pauli, 14 Jul 2014

Apache patch: Cisco catches up with ANCIENT Struts2 vuln

Cisco has issued a patch for a four-year-old Apache Struts2 vulnerability. The original issue, CVE-2010-1870, was originally reported in July 2010. The vulnerability arises out of how Apache Struts2 handles commands passed to the Object-Graph Navigation Language. As the Apache notification states, “The vulnerability allows a …

We SO DO support Java on XP, maybe even JDK 8, says Oracle

Oracle has issued a statement saying that it absolutely does support Java on Windows XP and may even decide to support JDK 8 on the orphan OS. Oracle's post on the issue says "We expect all versions of Java that were supported prior to the Microsoft de-support announcement to continue to work on Windows XP for the foreseeable …
Simon Sharwood, 14 Jul 2014

New Doctor Who episode leaks online as proper trailer debuts

The mess at BBC Worldwide's Miami office that saw scripts for the new series of Doctor Who leak online has worsened, with a whole episode now doing the rounds of torrent sites. Radio Times reports that a “rough black and white edit” of the series' first episode, titled “Deep Breath”, escaped from the BBC's Miami office and …
Simon Sharwood, 13 Jul 2014

LibreSSL crypto library leaps from OpenBSD to Linux, OS X, more

The OpenBSD project has released the first portable version of LibreSSL, the team's OpenSSL fork – meaning it can be built for operating systems other than OpenBSD. The LibreSSL project, which aims to clean up the buggy and inscrutable OpenSSL code, was founded about two months ago by a group of OpenBSD developers, so it only …
Neil McAllister, 12 Jul 2014

Another 'NSA-proof' webmail biz popped by JavaScript injection bug

German startup Tutanota has admitted its webmail service was vulnerable to a cross-site scripting bug despite boasting it offered an "NSA-proof email service." The flaw, which would have allowed attackers to inject malicious JavaScript into victims' browsers, was uncovered and reported last night by German security researcher …
John Leyden, 11 Jul 2014

Miscreants leak banking baddie's secret source

Miscreants have released the source code for the Tinba banking Trojan in a move that may spawn the development of copycats. The secret source behind early versions of the small (some versions weigh in at just 20KB) but pernicious banking Trojan was released through an underground forum last week, reports Danish security …
John Leyden, 11 Jul 2014

Do your execs take mobile security seriously?

Reader Poll One of the findings emerging from our latest poll is that many of you are highlighting a lack of exec awareness and air cover when it comes to mobile security. This in turn appears to translate to a lack of funding to put the systems in place to cope with new devices, BYOD and so on. Is this something you are experiencing? If …
Dale Vile, 11 Jul 2014

FBI and pals grab banking Trojan zombielord's joystick

Law enforcement and the security business have teamed up to disrupt the operation of the Shylock banking Trojan. The UK's National Crime Agency joined forces with Europol and the FBI to take down and seize the command and control servers key to running the botnet. Law enforcement also took control of the domains Shylock uses for …
John Leyden, 11 Jul 2014

Exploit emerges for LZO algo hole

Security Mouse security researcher Don A Bailey has showcased an exploit of the Lempel-Ziv-Oberhumer (LZO) compression algorithm running in the Mplayer2 media player and says it could leave some Linuxes vulnerable to attack. The LZO data compression algorithm was created by Markus Oberhumer in 1994 and was discovered to be …
Darren Pauli, 11 Jul 2014

Infected Chinese inventory scanners ships off logistics intel

A Chinese manufacturer has been accused of implanting malware that steals supply chain intelligence in its hand-held scanner firmware. Security firm TrapX says infected scanners have been sold to eight unnamed firms including a large robotics company. Variants of the malware broke into enterprise resource planning platforms to …
Darren Pauli, 11 Jul 2014

Sydney coppers clobber cabbie carder crims

Sydney police have swooped on a fraud ring that implanted skimmers into taxis to clone customers' credit cards. Police on July 1 arrested four men involved in the ring including a 29 year-old taxi driver at Chullora, nabbed a fifth chap later that day, and raided a Sydney CBD unit where 800 credit cards, a laptop and cloning …
Darren Pauli, 11 Jul 2014

German government orders local CIA station chief to pack his bags

The German government has ordered the local station chief of the CIA to leave the country immediately – after a second German government official was arrested in an investigation into US surveillance on its erstwhile ally. "The representative of the US intelligence services at the embassy of the United States of America has been …
Iain Thomson, 10 Jul 2014

Dodgy Google, Yahoo! SSL certs nuked in Windows – finally

One week after Google spotted an SSL certificate issuer dishing out certs that could be used to impersonate Google and Yahoo! websites, Microsoft has taken action to block the illicit certificates from being used on its software. The certs, issued by India's National Informatics Centre (NIC), were detected on July 2 by Google's …
Iain Thomson, 10 Jul 2014

Adobe Flash: The most INSECURE program on a UK user's PC

Adobe Flash Player was the most insecure program installed on UK computer users' PCs throughout the second quarter of 2014, according to stats from vulnerability management firm Secunia. Nearly seven in 10 (69 per cent) UK PC users were found to have an end-of-life version of Adobe Flash Player 13 installed during Q2 2014. Users …
John Leyden, 10 Jul 2014

UK's emergency data slurp: IT giants panicked over 'legal uncertainty'

The UK government secured the backing of the country's main political parties today to rush an emergency Data Retention and Investigation Powers Bill (DRIP) through Parliament just seven days before MPs break for summer recess. It comes after communications providers and telcos who operate in Britain but have headquarters based …
Kelly Fiveash, 10 Jul 2014

Silent Circle takes on Skype, Viber, mobile telcos with crypto-VoIP

Silent Circle has launched a global encrypted IP voice calling service that will go up against over-the-top services Skype and Viber, among others. The idea here, however, is that it will feature a way to communicate privately. It's more bad news for mobile carriers, which are already beating off roaming-revenue pinchers in the …
John Leyden, 10 Jul 2014

Crusty API opened Facebook accounts to hijacking

A leftover API that Facebook forgot to kill has left accounts open to spammers and scammers, says security researcher Stephen Sclafani. The flaw means an attacker could view other users' messages and post status updates. Sclafani found that a then mis-configured endpoint, since patched, allowed legacy REST API calls to be made on behalf of …
Darren Pauli, 10 Jul 2014

China trawls top-secret US personnel lists – report

An attack suspected to have originated in China breached security at the US Office of Personnel Management, according to The New York Times. The paper's report suggests the attackers attempted to access personnel records describing government workers who have applied for high-level security clearances. Those records, the report …
Simon Sharwood, 10 Jul 2014

Brute-force bot busts shonky PoS passwords

A botnet has compromised 60 point of sale (PoS) terminals by brute-force password attacks against poorly-secured connections, FireEye researchers say. The trio including Nart Villeneuve, Joshua Homan and Kyle Wilhoit found 51 of the 60 popped PoS boxes were based in the United States. The attacks were basic and targeted remote …
Darren Pauli, 10 Jul 2014

FireEye patches OS, torpedos Exploit-DB disclosure

FireEye has patched a series of publicly-disclosed flaws in its operating system (FEOS) that facilitated man-in-the-middle attacks and command injection. The vulnerabilities released over June affected versions NX, EX, AX, FX, and CM of the FEOS and were patched in the first individual security bulletin for the system. The …
Darren Pauli, 10 Jul 2014

Victim of Tor-hidden revenge smut site sues Tor Project developers

The Tor Project has found itself on the receiving end of a lawsuit that claims the privacy software's developers aided a revenge porn slinger. An attorney at the Electronic Frontier Foundation (EFF) told The Register the allegations against the Tor team are baseless. In a lawsuit, Shelby Conklin accuses the Tor Project of …
Shaun Nichols, 10 Jul 2014

Ex-NSA boss Alexander joins bankers' CYBER WAR COUNCIL

Former NSA head Keith Alexander has been tapped up to advise a new cyber war council for government and financial institutions in the US, according to Bloomberg. The biz news site has seen a proposal from the Securities Industry and Financial Markets Association (SIFMA) that suggests that the industry needs a committee of execs …

Snowden leaks latest: NSA, FBI g-men spied on Muslim-American chiefs

New documents from whistleblower Edward Snowden confirm that the NSA and the FBI spy on Muslim-American leaders, including Republican Party politicians and military veterans. The Intercept reports that the Feds are using tactics and techniques intended for catching terrorists and spies to monitor the email accounts of prominent …
John Leyden, 9 Jul 2014

ATTACK of the Windows ZOMBIES on point-of-sale terminals

Security watchers have spotted a fresh Windows-based botnet that attempts to hack into point-of-sale systems. Cyber threat intelligence firm IntelCrawler reports that the “@-Brt” project surfaced in May through underground cybercrime forums. The malware can be used to brute-force point-of-sale systems and associated networks, …
John Leyden, 9 Jul 2014

That 'wiped' Android phone you bought is stuffed with NAKED SELFIES – possibly

It's hard being a security researcher. Several of them just had to view thousands of nude selfies pulled from second-hand phones and tablets for a campaign warning people who sell old devices. The beleaguered infosec bods saw 750 photos of naked women and 250 images of manhood from a pool of 40,000 photos still stored on a mere …
Darren Pauli, 9 Jul 2014

Weaponised Flash flaw can pinch just about anything from anywhere

Get cracking with the latest Flash upgrade, because the vulnerability it patches is a peach, allowing a cross-site request forgery (CSRF) attack for stealing user credentials. According to the Switzerland-based Google engineer that turned up the vulnerability, Michele Spagnuolo, sites that are/were vulnerable to the attack …

Facebook scuttles 250k-strong crypto-currency botnet

Facebook has taken down a Greek botnet that at its peak compromised 50,000 accounts and infected 250,000 computers to mine crypto-currencies, steal email and banking details and pump out spam. The scuttled Lecpetex botnet spread malware including the DarkComet remote access trojan by social engineering techniques and was adept …
Darren Pauli, 9 Jul 2014

Teensy card skimmers found in gullets of ATMs

A series of tiny and sometimes transparent card-skimming devices have been detected in ATMs across Europe, researchers say. Boffins with the European ATM Security Team (EAST) have plucked out and displayed some clever thumb-sized skimmers that hide from victims' view by fitting in cash terminals' gullets. The devices paraded in …
Darren Pauli, 9 Jul 2014

FAKE Google web SSL certificates tip-toe out from Indian authorities

Google is warning that dodgy SSL certificates have been issued by India's National Informatics Centre (NIC): these certs can be used by servers to masquerade as legit Google websites and eavesdrop on or tamper with users' encrypted communications. According to this blog post by Google's security team, the Googlers noticed …
Iain Thomson, 9 Jul 2014

Russian MP fears US Secret Service cuffed his son for Snowden swap

The US Secret Service has announced the arrest of a man accused of being "one of the world's most prolific traffickers in stolen financial information," touching off a diplomatic firestorm in the process. Roman Valerevich Seleznev, who goes by the online handle Track2, is accused of hacking into point-of-sale systems to steal …
Iain Thomson, 8 Jul 2014