Security > More stories

PoSeidon, brother of Zeus, forks up point of sale terminals

Cisco has found a new and stupendously badass breed of point of sale (POS) malware it says is meaner than the code that tore through Target. The "PoSeidon" malware is built on the shoulders of the infamous Zeus money-sucking exploit kit and sports improvements to BlackPOS, which plundered millions from Target payment terminals in …
Darren Pauli, 23 Mar 2015

Want to hide your metadata? You probably can't

With every development in Australia's data retention debate, the question arises: “how can I stop the government getting its hands on my metadata?” Routinely, often non-technical journalists give the glib answer to “use encryption”, rattle off their favourite list of technologies, and over-simplify things to the point of danger …

Everything is insecure and will be forever says Cisco CTO

While in Melbourne enduring the antipodean version of Cisco Live!, The Register's networking desk met veep and CTO Bret Hartman. Here's what he told us about network security, a field he feels is basically doomed. Forever. The Register: The last twelve months tells us we have insecure devices connected through gateways, sending …

Australian online voting system may have FREAK bug

UPDATE Next weekend, voters in the Australian State of New South Wales go to the polls to elect a new government. Some have already cast their votes online, with a system that may be running the FREAK bug. So say Vanessa Teague and J. Alex Halderman, respectively a research fellow in the Department of Computing and Information Systems …
Darren Pauli, 22 Mar 2015

Firefox, Chrome, IE, Safari EXPLOITED to OWN Mac, PCs at Pwn2Own 2015

Security vulns in every one of the big four web browsers were exploited at the Pwn2Own hacking contest on Friday to remotely execute arbitrary code on Windows PCs. Firefox, Safari, Chrome and Internet Explorer all fell to the skills of the competition entrants, some in less than a second. All the vulnerabilities exploited will …
Iain Thomson, 21 Mar 2015

Apple: Those security holes we fixed last week? You're going to need to repatch

Apple has released a follow-up to last week's security update after finding a pair of flaws that are still vulnerable on patched systems. The Cupertino giant said that the 2015-003 update would address two flaws: a man-in-the-middle vulnerability and a type confusion error in OS X Yosemite (10.10.2). Both of the flaws, CVE-2015- …
Shaun Nichols, 20 Mar 2015

More than 260 suspects charged in UK child abuse crackdown

Teachers, a retired magistrate, a doctor, and civil servants are among 264 suspected paedophiles charged as part of a major UK police operation targeting those accessing child abuse images online. Operation Notarise, which launched around a year ago, is the biggest UK inquiry into people allegedly sharing child abuse images …
John Leyden, 20 Mar 2015

Rocket Kittens target defence and IT bods from Europe & Israel

A seemingly state-sponsored hacking crew has compromised systems in several organisations in Israel and Europe, according to new research by Trend Micro. The so-called Rocket Kitten group has targeted defence and IT industries, government entities and academic institutions. Victims include civilian and academic organisations in …
John Leyden, 20 Mar 2015

British Judo in deep shido after cyber attack

The British Judo Association has temporarily shut down its online membership application system after an illegal intrusion snagged some members' details. The association is grappling with an information breach that has possibly tossed members' credit card info right into the clutches of online criminals. The BJA has warned its …

Tax fraud fugitive nabbed after posting selfies

A US man charged with tax fraud and identity theft has been arrested after fleeing authorities and allegedly posting bragging selfies on Twitter. Lance Ealy, 28, of Ohio was arrested in a raid Wednesday in Atlanta by federal authorities after he skipped trial on charges he purchased stolen Social Security numbers and personal …
Darren Pauli, 20 Mar 2015

US threatened Berlin with intel blackout over Snowden asylum: report

The US Government threatened to starve Berlin of intelligence if it harboured fugitive document-leaker Edward Snowden, German Vice Chancellor Sigmar Gabriel says. The National Security Agency (NSA) leaker considered Germany as a place of refuge after he fled to Russia from the United States via Hong Kong in 2013. Moscow granted …
Darren Pauli, 20 Mar 2015

Facebook found leaking private photos

Bug hunter Laxman Muthiyah has reported a Facebook vulnerability that exposes private photos to potentially malicious applications. The hacker received US$10,000 from Menlo Park for reporting the bug in Facebook Photo Sync and an API that allows third party apps to siphon private pics. Muthiyah says iOS and Android apps that …
Darren Pauli, 20 Mar 2015

Massive DDoS racks up $30,000-a-day Amazon bill for China activists

Chinese activist site Greatfire.org which masks censored traffic into the country is under a sustained distributed denial of service (DDoS) attack that is racking up $30,000 a day in server costs. The website masks internet traffic from websites including Facebook and Google, so it can be seen in China, and does so using cloudy …
Darren Pauli, 20 Mar 2015

Kaspersky Lab hits back at Bloomberg's Russian spy link hit piece

Russian computer security biz Kaspersky Lab is working closely with Russia's intelligence services and gathering information on its customers, it has been claimed. An exposé, published by Bloomberg, details allegations that since 2012 Kaspersky has been replacing senior management staff with those close to the Russian Federal …
Iain Thomson, 19 Mar 2015

Hackers prove security still a myth on Windows PCs, bag $320,000

Day one of the 2015 Pwn2Own hacking contest in Vancouver, Canada, saw big wins for contestants and headaches for software makers: competing teams successfully exploited fresh vulnerabilities in Adobe Flash and Reader, Microsoft's Windows and Internet Explorer, and Mozilla's Firefox, to hijack PCs. The competition, now in its …
Iain Thomson, 19 Mar 2015

No password or PIN, but I have a fake ID. Sure, take the domain

The world's largest registrar GoDaddy is under fire, after it handed control of a domain name in exchange for no more than a fake ID (and a little bit of good, old-fashioned chutzpah). Despite not knowing the account's PIN or credit card details or having access to its listed email account, GoDaddy handed over login details to …
Kieren McCarthy, 19 Mar 2015

OpenSSL 'high' severity flaw just a puny DoS risk

OpenSSL patched a “high” severity flaw as part of a patch batch on Thursday that turned out to be nowhere near as scary as widely feared. Fortunately, fears the software update might address another Heartbleed have been confounded. The worst of the flaws – dubbed ClientHello (CVE-2015-0291) – is simply a DoS risk, as an advisory …
John Leyden, 19 Mar 2015

Banks defend integrity of passcode-less TouchID login

Royal Bank of Scotland and NatWest have played down claims by a security researcher that their new Touch ID banking login feature might be circumvented, arguing the hack would only be possible with jail-broken iPhones — the use of which is not recommended. Last month, RBS and NatWest became the first UK-based banks to offer …
John Leyden, 19 Mar 2015

GCHQ: Ensure biz security by STOPPING everyone from TALKING

GCHQ is advising organisations to consider stripping staff of smartphones and memory sticks in order to make themselves less exposed to cyber attacks. The advice from the intelligence agency's CESG (Communications-Electronics Security Group) information assurance arm comes against a backdrop of increased concerns about the theft …
John Leyden, 19 Mar 2015

Pinterest throws cash at topless bug-finders

Pinterest has stopped giving out t-shirts and started paying cash for vulnerabilities found under its bug bounty program. The web clipboard will offer up to US$200 under the BugCrowd-managed program for nine of its assets, including the Android and iOS applications. Security engineering lead Paul Moreno said the number of bug …
Darren Pauli, 19 Mar 2015

Target tosses US$10 million at victims of breach

US retailer Target has reportedly agreed to settle lawsuits regarding its 2013 data breach for US$10 million, or up to $10,000 per litigant. Target was popped in late 2013, when it leaked up to 40 million customer records. The company's since caught a sueball from banks, shed its CEO and burned through $148 million, among other …
Simon Sharwood, 19 Mar 2015

Noobs can pwn world's most popular BIOSes in two minutes

Millions of flawed BIOSes can be infected using simple two-minute attacks that don't require technical skills and require only access to a PC to execute. Basic Input/Output Systems (BIOS) have been the target of much hacking research in recent years since low-level p0wnage can grant attackers the highest privileges, persistence …
Darren Pauli, 19 Mar 2015

Premera Blue Cross is sick after hackers plunder their servers

Health insurance firm Premera Blue Cross has admitted that it has become the latest victim of data theft after hackers targeted its IT department's servers in what's been dubbed a "sophisticated attack". On May 5 last year online hackers successfully penetrated Premera's defenses and cracked servers containing personal, …
Iain Thomson, 19 Mar 2015

Ex-Autonomy chief Mike Lynch's Darktrace bags £12.6m from investors

Darktrace, the Cambridge-based cyber security company backed by the billionaire superyacht-owner Mike Lynch, has raised $18m (£12.6m) from investors. The latest funding round includes a cash injection from Invoke Capital, Lynch’s venture fund that was one of Darktrace’s first backers. It has also bagged funds from Talis Capital …
Kat Hall, 18 Mar 2015

NORK internet outage was payback for Sony hack – US politician

A North Korea network outage last December came in retaliation for the Sony hack, a US lawmaker claims. Michael McCaul of Texas – Republican chairman of the House Homeland Security Committee – linked disruption of North Korea's thin internet pipe to the earlier devastating attack against Sony Pictures Entertainment. “There were …
John Leyden, 18 Mar 2015

Fatally flawed RC4 should just die, shout angry securobods

Security researchers have banged another nail into the coffin of the ageing RC4 encryption algorithm. The latest password recovery attacks against RC4 in TLS by Christina Garman of Johns Hopkins University, Prof. Kenny Paterson and research student Thyla van der Merwe (both of Royal Holloway, University of London) show that …
John Leyden, 18 Mar 2015

Sensitive apps with 6.3 BILLION downloads found open to FREAK

Thousands of Android and Apple apps could lose sensitive financial and privacy data through exposure to the FREAK vulnerability, researchers say. The FREAK (Factoring RSA Export Keys) attack allowed sensitive data to be stolen before encrypted connections are secured by requesting weak export-grade 512-bit RSA keys. FireEye …
Darren Pauli, 18 Mar 2015

Is the DNS' security protocol a waste of everyone's time and money?

Internet security experts are arguing over whether a key protocol for protecting the internet's naming systems should be killed off. DNSSEC was developed in 1994 but it wasn't taken seriously until 2008 when a bug in the domain name system's software made it possible for someone to imitate any server – from websites or email …
Kieren McCarthy, 18 Mar 2015

Cisco posts kit to empty houses to dodge NSA chop shops

Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says. The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers. The interception campaign was revealed last May. Speaking …
Darren Pauli, 18 Mar 2015

D-Link patches yet more vulns

D-Link is moving to patch a bunch of vulnerabilities in consumer products, which almost certainly means that most users either won't know the patch is happening or won't run the update. The first CERT advisory, here, covers DCS-93 series network cameras (models 930L, 931L, 932L and 933L using version 1.04 2014-04-21 of the …

Windows 10 will finally drop in 'summer' says Microsoft

Microsoft has announced that Windows 10 will launch in "summer" this year. The news emerged from an event in China, so it seems safe to assume Redmond means the northern hemisphere's summer between June and August. Executive veep for Windows Terry Myerson says Windows 10 "will launch in 190 countries and 111 languages". We're …
Simon Sharwood, 18 Mar 2015

Microsoft scrambles to kill Live.fi man-in-the-middle diddle

Microsoft is firing off updates to kill a fake certificate that can be used to create a convincing man-in-the-middle attack against its Live services. Certificate Authority Comodo has killed the bad cert, which it issued, and now Redmond is following suit by updating its revocation list for Windows platforms. "Microsoft is …
Darren Pauli, 17 Mar 2015

Redmond boffins' infosec trick will ship better code, faster

Security boffins from Microsoft and North Carolina State University have developed a method to help software developers better identify attack surfaces and therefore ship code more quickly. The work is effective enough for Microsoft's own security teams to consider adopting it in its internal review processes. The technique is …
Darren Pauli, 17 Mar 2015

Pub O'clock probe finds thousands of repeated 512-bit RSA keys

Four researchers, a zmap scan and a Friday afternoon have shown that while sys admins are cleaning the FREAK bug out of their Web servers, broadband routers remain a perpetual feast. The boffins from Royal Holloway at the University of London – Martin Albrecht, Davide Papini, Kenneth Paterson and Ricardo Villanueva-Polanco – …

SAP admits - shock! - it sells to governments, denies that means backdoors

SAP is wrapped up in possibly the silliest conspiracy theorising The Register has seen yet, issuing an angry denial that having sold software to government agencies means it built backdoors into its products. Well – it's probably an angry denial, but it's phrased with the good manners of corporate PR. The kerfuffle began with …

BlackBerry joins the FREAK show

BlackBerry has joined the lengthening list of FREAKed-out vendors, publishing a list of currently-vulnerable software and promising fixes as soon as possible. The famous FREAK is the vulnerability that OpenSSL inherited from the 1990s, because America's rules at the time meant “export-grade” encryption was limited to a maximum …

Microsoft gives EMET divine powers to repel God Mode attack

Microsoft has released an update to its Enhanced Mitigation Experience Toolkit (EMET) that kills off an attack known as God Mode and improves Windows' defensive capabilities. The toolkit is designed to better protect Windows systems by diverting, terminating, and blocking the most common attacks. It hardens legacy applications …
Darren Pauli, 17 Mar 2015

OpenSSL preps fix for mystery high severity hole

The OpenSSL Project will repair a "high severity" security hole in updates due Thursday. Information is thin on the ground. El Reg has asked OpenSSL for more details to help admins prepare for the patching. The hole will be patched as part of a series of fixes that will land on 19 March and apply to versions 1.0.2a, 1.0.1m, 1.0 …
Darren Pauli, 17 Mar 2015

One BEEEEEELLION sensitive records went AWOL in 2014

At least one billion records of personally identifiable information (PII) were leaked in 2014, according to IBM X-Force. The total number of records compromised in 2014 was more than 25 per cent higher than in 2013, when 800 million records were leaked. Three in four (74.5 per cent) of these incidents took place in the United …
John Leyden, 16 Mar 2015

Snowden tells tech bigwigs: It's up to you to thwart mass surveillance

SXSW 2015 In a quietly arranged Q&A session at South by Southwest (SXSW) on Sunday morning, Edward Snowden told about thirty influential people from the tech world that the onus for thwarting mass surveillance was falling to them. Snowden had previously spoken at SXSW with the American Civil Liberties Union, explaining to attendees the “ …

Bounty! hunter! discovers! holes! in! Yahoo! Stores! security!

Security researcher Mark Litchfield is $24,000 the richer after discovering three vulnerabilities involving Yahoo! Stores and hosted websites. The three vulnerabilities were fixed by Yahoo! after Litchfield alerted the internet giant through its bug bounty programme. The first and most serious of the vulnerabilities opened up …
John Leyden, 16 Mar 2015

Yahoo! wheels! out! password! on-demand! service! for! simpletons!

Yahoo! is trialling a service that removes the need to remember your passwords, providing users aren't so absent-minded they don't also lose or mislay their mobile phones. The on-demand password service allows registered users to get a short password sent to their phone. On-demand passwords is an opt-in service, initially only …
John Leyden, 16 Mar 2015