
Ex-NSA security bod fanboi: Apple Macs are wide open to malware

A former NSA staffer turned security researcher is warning that bypassing typical OS X security tools is trivial. Patrick Wardle, a former NSA staffer and NASA intern who now heads up research at crowd-sourced security intelligence firm Synack, found that Apple's defensive Gatekeeper technology can be bypassed allowing unsigned …
John Leyden, 7 May 2015

F*cking DLL! Avast false positive trashes Windows code libraries

A misfiring signature update from anti-virus developer Avast triggered all sorts of problems on Wednesday. Avast acted promptly by withdrawing the definition update but not before numerous users had fallen foul of the problem. The withdrawn update incorrectly labelled various libraries (dlls) on Windows PCs as potentially malign …
John Leyden, 7 May 2015

Spooks BUSTED: 27,000 profiles reveal new intel ops, home addresses

A trio of transparency boffins have revealed personal details of 27,000 intelligence officers they say are working on surveillance programs. The resulting dump not only names the officers, but in some cases tells you where they live based on data sourced from LinkedIn profiles and other easy-to-access sources. M.C McGrath, …
Darren Pauli, 7 May 2015

Apple swats Webkit bugs that bit it on Safari

Apple has updated its Safari browser to quash three Webkit-derived bugs. One of the bugs, CVE-2015-1155, meant “Visiting a maliciously crafted website may compromise user information on the filesystem,” thanks to “A state management issue … that allowed unprivileged origins to access contents on the filesystem.” CVE-2015-1156 …

Attackers target new XSS in millions of WordPress sites

Sucuri researcher David Dede has uncovered a critical cross-site scripting (XSS) vulnerability in a default WordPress plugin that allows attackers to hijack websites. Dede, part of a consultancy renowned for its prolific WordPress popping, found the Twenty Fifteen plugin installed on all WordPress sites is being actively attacked …
Darren Pauli, 7 May 2015

Infusion pump is hackable … but rumours of death are exaggerated

It's the kind of vulnerability that's tailor-made for infosec publicity: a brand of infusion pumps used to deliver drugs to patients in hospital has an open, unauthenticated Telnet port that allows an attacker access to the dosage database. Yes, it's a serious vulnerability that presumably applies as much to the pump's WiFi port …

Choc Factory finds 84,000 ad injectors targeting Chrome

Google spam abuse researcher Kurt Thomas says some 84,000 injectors and apps are targeting its Chrome web browser with dodgy advertising. Thomas says the apps include 50,000 browser extensions and 34,000 applications which target Chrome to display revenue-generating ads within the sites that victims browse. About a third of …
Darren Pauli, 7 May 2015

IETF updates TLS/SSL best practice guidance

Do: start rolling TLS 1.3, support TLS 1.2, and DTLS 1.2. Don't: negotiate sessions using TLS 1, TLS 1.1, SSL 2 or SSL 3. Those are the Internet Engineering Task Force's latest recommendations, set out in RFC 7525, Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The …

Tencent stripped of antivirus rankings for cheating on tests

Antivirus ratings firms AV‐Comparatives, AV-Test, and Virus Bulletin have stripped another company of its rankings for trying to game their tests. This time the culprit was Chinese giant Tencent, which is accused of compromising its own security systems for the sake of speed credits in testing. "After in-depth investigations, …
Iain Thomson, 6 May 2015

Lenovo system update flaws plugged, security world not impressed

Lenovo faces renewed accusations of lax security practices - just three months after the Superfish debacle - after it was obliged to fix flaws in its software update system. Security researchers at IOActive uncovered a mechanism that would have allowed hackers to create a fake certificate authority in order to sign executables. …
John Leyden, 6 May 2015

Too much Appley WRISTJOBBERY could be BAD for your HealthKit

Users of Apple's healthcare data app platform - intended to allow developers access to healthcare info collected via its wristy gizmo - could be left wide open to security exploits, infosec bods have warned. The ResearchKit and HealthKit platform is intended to allow health researchers to aggregate information collected from iOS …
Kat Hall, 6 May 2015

In charge of security? We need to talk...

CIO Manifesto If you head up security for your organisation, you probably feel like you’re caught between know-it-all techies, ignorant directors and unbending compliance regulations. So do most of your peers, and that’s why we want to bring you together to discuss the reality of running IT securely in 2015 at our May 20 roundtable. The …
Team Register, 6 May 2015

Hey devs! Confused by EU privacy law? Pull out the FLASH CARDS

Microsoft and University of Nottingham researchers say developers should be taught to design privacy and security using flash cards if they find wordy regulation documents onerous. The team including Redmond's Ewa Luger and the University's Lachlan Urquhart, Tom Rodden, and Michael Golembewski say regulation is out-of-touch and …
Darren Pauli, 6 May 2015

Snowden scandal latest: NSA, GCHQ lingo-spies replaced by unstoppable RHINEHART robots

The NSA has been using software to convert intercepted phone calls into transcripts stored in searchable databases, it is claimed. It is also entirely believable: Dragon Dictate isn't exactly top secret, is it? Documents leaked by Edward Snowden and published by The Intercept on Tuesday show that Uncle Sam's spies, and their …
Iain Thomson, 6 May 2015

DEFCON 23 to host Internet of Things slaughterfest

The Internet of Things (IoT) will, come August, be torn apart in a new hacking slaughterfest announced for DEFCON 23. The contest run by the brains behind the router-smashing SOHOplessly Broken challenge aims to stain the carpet with the blood of internet accessible gadgets and junk as hackers tear apart devices to capture flags …
Darren Pauli, 6 May 2015

Security bods gagged using DMCA on eve of wireless key vuln reveal

Updated Researchers at IOActive have been slapped with a DMCA (Digital Millennium Copyright Act) gagging order a day before they planned to release information about security vulnerabilities in the kit of an as-yet unidentified vendor*. A redacted version of the legal notice – posted on Google+ – has reignited the long standing debate …
John Leyden, 5 May 2015

Metasploit maker Rapid7 gobbles web app security testing firm

Metasploit firm Rapid7 has snapped up web and mobile application security testing company NT OBJECTives (NTO). Financial terms of the deal, announced Monday, were undisclosed. Rapid7 has folded NTO’s application security testing product, renamed as Rapid7 AppSpider, into its security data and analytics platform to give customers …
John Leyden, 5 May 2015

Accused Aussie game hacker flees to Europe ahead of trial

An Australian man facing 25 hacking charges has fled to Europe ahead of a court hearing for his alleged involvement in an international hacking operation targeting Microsoft, Valve, Epic, and the US Army, according to reports. The 19 year-old Perth man, who cannot be named as he was arrested as a juvenile in May 2013, is alleged …
Darren Pauli, 5 May 2015

Netflix looses FIDO hack attack dog as open source

Netflix has released source code for its automated incident response tool to help organisations cut through the noise of security alerts. Project lead and security boffin Rob Fry together with Brooks Evans, and Jason Chan announced the unleashing of the Fully Integrated Defense Operation (FIDO) saying it has chewed the time to …
Darren Pauli, 5 May 2015

'Rombertik' malware kills host computers if you attempt a cure

Cisco researchers Ben Baker and Alex Chiu have found new malware that destroys a machine's Master Boot Record and home directories if it detects meddling white hats. The pair from the Borg's TALOS malware probing department say the "Rombertik" malware is designed to steal keystrokes and data and targets Windows users through …
Darren Pauli, 5 May 2015

Analogue modems allow UNSTOPPABLE Android attack ... at 13bps

The better your Android smartphone's audio, the worse its security – the audio channel is the latest path for “low and slow” data leak attacks. A research group at the Rochester Institute of Technology (RIT) has demonstrated that you could create a covert data channel using a smartphone's voice channel. While it only runs at 13 …

Plod wants your PC? Brick it with a USB stick BEFORE they probe it

Criminals, activists, and whistle-blowers have a new tool to help foil police by shutting down laptops before they are examined. "USBKill" is a script that turns an innocent-looking thumb drive into a kill switch that, when unplugged, forces computers to shut down. Author "Hephaestos" (@h3phaestos) says their tool will prevent …
Darren Pauli, 5 May 2015

Sally Beauty Supply breached AGAIN

Colossal US cosmetics retailer Sally Beauty Supply has broken its silence and admitted it was breached for the second time in a little over a year. The company's admission follows its previous stonewalling of two requests for comment by The Register last Wednesday on the back of a tip off that the FBI was "on-site" at the firm …
Darren Pauli, 5 May 2015

Android tool catches apps silently pumping hundreds of ad, tracking servers red-handed

Security researchers have developed an Android application that's capable of alerting when other apps on a phone or tablet are covertly tracking users and connecting to ad networks. The team at France's Eurecom and Technicolor Research – explained in a paper published in the Cornell University Library archive that their …
Shaun Nichols, 5 May 2015

Windows 10 bombshell: Microsoft to KILL OFF Patch Tuesday

Ignite 2015 Microsoft has shown off some of the new security mechanisms embedded in Windows 10, and revealed a change to its software updates. Windows supremo Terry Myerson reckons the revised security patch rollout – effectively ditching the monthly Patch Tuesday – will shame Google. "Google takes no responsibility to update customer …
Iain Thomson, 4 May 2015

Zuck'ed up: Facebook opens up free internet in India – but bans HTTPS

Facebook's Internet.org has loosened the stranglehold on its free internet service in India and other countries. Now potentially any website can be accessed for free via the service as long as the site ditches HTTPS, JavaScript, and other things. The social network offers free mobile internet access to people in India, Tanzania …
Shaun Nichols, 4 May 2015

Nasty Dyre malware bests white hat sandboxes

Seculert CTO Aviv Raff says a nasty piece of malware linked to widespread destruction and bank account plundering has become more dangerous with the ability to evade popular sandboxes. Raff says the Dyre malware ducks popular sandbox tools by detecting the number of cores in use. The known but effective and previously unused …
Darren Pauli, 4 May 2015

Mozilla to whack HTTP sites with feature-ban stick

Insecure websites will be barred from using new hardware features and could have existing tools revoked, if Mozilla goes ahead with a push towards HTTPS. Webmasters that don't turn on HTTPS could be excluded from the new features list under a Mozilla initiative designed to rid the net of careless clear text gaffes, sending a " …
Darren Pauli, 4 May 2015

Carders crack Hard Rock casino

Carders have hit Las Vegas' Hard Rock Hotel and Casino, stealing credit card numbers, names, and addresses, according to reports. The company says malware found on its systems may have pinched the data from its retail and service locations. Criminals did not make off with PINs or other sensitive information, it says in a …
Darren Pauli, 4 May 2015

'Just follow the damn Constitution!' FBI, DoJ skewered over demands for crypto backdoors

Vid FBI agents and US Department of Justice officials perhaps thought they were in for an easy ride during a congressional hearing on crime, terrorism and encryption. If so, they were mistaken. House reps on the Oversight and Government Reform Committee tore into the Feds' demands for skeleton keys to decrypt citizens' private files …
Iain Thomson, 1 May 2015

NSA-restraining US law edges closer to reality, leaves just 6.81 billion under mass surveillance

A law bill to mildly curb the NSA's blanket surveillance of innocent Americans has taken an important step toward being passed. On Thursday, the US House of Representatives' justice committee voted 25 to two in favor of a revised version of the USA Freedom Act – the original was killed last year in the Senate. Now it's looking …
Iain Thomson, 1 May 2015

Wordpress munching contagion turns Linux servers into spam bots

The Mumblehard malware is turning Linux and BSD servers into spam-spewing zombies. Security researchers at ESET have logged over 8,500 unique IP addresses during a seven-month research period looking into the junk-mail-linked malware menace. Mumblehard is made up of two different components. The first component is a generic …
John Leyden, 1 May 2015

Google Password Alert could be foiled with just 7 lines of JavaScript

Google has been obliged to revise its Password Alert anti-phishing protection just hours after releasing it when security researchers showed how the technology was easily circumvented. Security consultant Paul Moore (@Paul_Reviews) has published a proof-of-concept JavaScript exploit that skirted the defensive technology with …
John Leyden, 1 May 2015

Major London rail station reveals system passwords during TV documentary

Updated What looks like system passwords at one of London's busiest railway stations – printed and attached to the top of a station controller's monitor – were exposed to viewers during a BBC documentary on Wednesday night. The login credentials were visible just before the 44 minute mark in the documentary Nick and Margaret: The …
John Leyden, 1 May 2015

EU Commish is rather pleased German BND and NSA thought it worth spying on

According to local media reports Thursday, German intelligence agency BND (the Bundesnachrichtendienst) has helped the US National Security Agency (NSA) spy on the European Commission and French authorities since 2008. German officials themselves were not targeted because of a NSA-BND deal signed in 2002. The revelations have …

Ubuntu to shutter year-old clock unlock bug

Ubuntu's latest edition contains a local access escalation flaw first reported a year ago that allows users to tinker with the system clock to become a root user. The attack, reported by Linux lover Mark Smith, isn't colossally risky as it impacts only local users; those with existing access to a machine. Smith has chided …
Darren Pauli, 1 May 2015

Boeing 787 software bug can shut down planes' generators IN FLIGHT

The US Federal Aviation Administration (FAA) has issued a new airworthiness directive (PDF) for Boeing's 787 because a software bug shuts down the plane's electricity generators every 248 days. “We have been advised by Boeing of an issue identified during laboratory testing,” the directive says. That issue sees “The software …

Mounties nab Canadian woman, 27, in webcam hack shenanigans bust

The Royal Canadian Mounted Police has nabbed a Canadian woman believed to have originated a botnet which she used to recreationally terrorise victims. As the Mounties report, investigators from their Integrated Technological Crime Unit (ITCU) arrested a female on suspicion of operating a botnet after conducting a search at her …

Oracle paltry patch opens MySQL man-in-the-middle diddle

Adam Goodman of Duo Security has found a vulnerability in the 'vast majority' of Oracle MySQL databases that allows SSL to be stripped, exposing sensitive data to man-in-the-middle attackers. Goodman says Oracle attempted to sling a patch at the problem last year but did so only for some versions and further borked the effort by …
Darren Pauli, 1 May 2015

CHEATER! Test labs out AV vendor for using rival's engine

Chinese anti-virus vendor Qihoo 360 has been caught cheating on benchmarking tests by submitting versions running A-V engines from rival Bitdefender. The company has been reprimanded by established testing outfits Virus Bulletin, AV-Comparatives, and AV-Test, which withdrew its 2015 certifications. In a joint statement [PDF] the …
Darren Pauli, 1 May 2015

Confidential information exposed over 300 times in ICANN security snafu

Two months after claiming there was "no indication" that confidential information was exposed in a security cock-up, domain name overseer ICANN has admitted it happened on at least 330 occasions. Following an audit of its main customer portal, the organization confirmed what we reported at the start of March: that misconfigured …
Kieren McCarthy, 30 Apr 2015

Airbus to sue NSA, German spies accused of swiping tech secrets

European aerospace giant Airbus is promising legal action over claims its top blueprints were stolen by German spies and given to America's intelligence agencies. "We are aware that as a large company in the sector, we are a target and subject of espionage," the company said in a statement to the AFP newswire. "However, in this …
Iain Thomson, 30 Apr 2015