Silent Circle takes on Skype, Viber, mobile telcos with crypto-VoIP

Silent Circle has launched a global encrypted IP voice calling service that will go up against over-the-top services Skype and Viber, among others. The idea here, however, is that it will feature a way to communicate privately. It's more bad news for mobile carriers, which are already beating off roaming-revenue pinchers in the …
John Leyden, 10 Jul 2014

Crusty API opened Facebook accounts to hijacking

A leftover API that Facebook forgot to kill has left accounts open to spammers and scammers, says security researcher Stephen Sclafani. The flaw means an attacker could view other users' messages and post status updates. Sclafani found that a then mis-configured endpoint, since patched, allowed legacy REST API calls to be made on behalf of …
Darren Pauli, 10 Jul 2014

China trawls top-secret US personnel lists – report

An attack suspected to have originated in China breached security at the US Office of Personnel Management, according to The New York Times. The paper's report suggests the attackers attempted to access personnel records describing government workers who have applied for high-level security clearances. Those records, the report …
Simon Sharwood, 10 Jul 2014

Brute-force bot busts shonky PoS passwords

A botnet has compromised 60 point of sale (PoS) terminals by brute-force password attacks against poorly-secured connections, FireEye researchers say. The trio including Nart Villeneuve, Joshua Homan and Kyle Wilhoit found 51 of the 60 popped PoS boxes were based in the United States. The attacks were basic and targeted remote …
Darren Pauli, 10 Jul 2014

FireEye patches OS, torpedos Exploit-DB disclosure

FireEye has patched a series of publicly-disclosed flaws in its operating system (FEOS) that facilitated man-in-the-middle attacks and command injection. The vulnerabilities released over June affected versions NX, EX, AX, FX, and CM of the FEOS and were patched in the first individual security bulletin for the system. The …
Darren Pauli, 10 Jul 2014

Victim of Tor-hidden revenge smut site sues Tor Project developers

The Tor Project has found itself on the receiving end of a lawsuit that claims the privacy software's developers aided a revenge porn slinger. An attorney at the Electronic Frontier Foundation (EFF) told The Register the allegations against the Tor team are baseless. In a lawsuit, Shelby Conklin accuses the Tor Project of …
Shaun Nichols, 10 Jul 2014

Ex-NSA boss Alexander joins bankers' CYBER WAR COUNCIL

Former NSA head Keith Alexander has been tapped up to advise a new cyber war council for government and financial institutions in the US, according to Bloomberg. The biz news site has seen a proposal from the Securities Industry and Financial Markets Association (SIFMA) that suggests that the industry needs a committee of execs …

Snowden leaks latest: NSA, FBI g-men spied on Muslim-American chiefs

New documents from whistleblower Edward Snowden confirm that the NSA and the FBI spy on Muslim-American leaders, including Republican Party politicians and military veterans. The Intercept reports that the Feds are using tactics and techniques intended for catching terrorists and spies to monitor the email accounts of prominent …
John Leyden, 9 Jul 2014

ATTACK of the Windows ZOMBIES on point-of-sale terminals

Security watchers have spotted a fresh Windows-based botnet that attempts to hack into point-of-sale systems. Cyber threat intelligence firm IntelCrawler reports that the “@-Brt” project surfaced in May through underground cybercrime forums. The malware can be used to brute-force point-of-sale systems and associated networks, …
John Leyden, 9 Jul 2014

That 'wiped' Android phone you bought is stuffed with NAKED SELFIES – possibly

It's hard being a security researcher. Several of them just had to view thousands of nude selfies pulled from second-hand phones and tablets for a campaign warning people who sell old devices. The beleaguered infosec bods saw 750 photos of naked women and 250 images of manhood from a pool of 40,000 photos still stored on a mere …
Darren Pauli, 9 Jul 2014

Weaponised Flash flaw can pinch just about anything from anywhere

Get cracking with the latest Flash upgrade, because the vulnerability it patches is a peach, allowing a cross-site request forgery (CSRF) attack for stealing user credentials. According to the Switzerland-based Google engineer that turned up the vulnerability, Michele Spagnuolo, sites that are/were vulnerable to the attack …

Facebook scuttles 250k-strong crypto-currency botnet

Facebook has taken down a Greek botnet that at its peak compromised 50,000 accounts and infected 250,000 computers to mine crypto-currencies, steal email and banking details and pump out spam. The scuttled Lecpetex botnet spread malware including the DarkComet remote access trojan by social engineering techniques and was adept …
Darren Pauli, 9 Jul 2014

Teensy card skimmers found in gullets of ATMs

A series of tiny and sometimes transparent card-skimming devices have been detected in ATMs across Europe, researchers say. Boffins with the European ATM Security Team (EAST) have plucked out and displayed some clever thumb-sized skimmers that hide from victims' view by fitting in cash terminals' gullets. The devices paraded in …
Darren Pauli, 9 Jul 2014

FAKE Google web SSL certificates tip-toe out from Indian authorities

Google is warning that dodgy SSL certificates have been issued by India's National Informatics Centre (NIC): these certs can be used by servers to masquerade as legit Google websites and eavesdrop on or tamper with users' encrypted communications. According to this blog post by Google's security team, the Googlers noticed …
Iain Thomson, 9 Jul 2014

Russian MP fears US Secret Service cuffed his son for Snowden swap

The US Secret Service has announced the arrest of a man accused of being "one of the world's most prolific traffickers in stolen financial information," touching off a diplomatic firestorm in the process. Roman Valerevich Seleznev, who goes by the online handle Track2, is accused of hacking into point-of-sale systems to steal …
Iain Thomson, 8 Jul 2014

Dear Windows Journal, today I got owned: 29 security bugs swatted

Microsoft has released patches for 29 security vulnerabilities, while Adobe has released an update for Flash Player. Redmond's latest Patch Tuesday batch is composed of six bulletins, two of which have been rated as critical updates. Three others have been rated important, and the sixth is considered a moderate risk. The …
Shaun Nichols, 8 Jul 2014

China's 'Deep Panda' crew targets Middle East policy wonks - report

A group of China-based cyber spies have begun targeting national security think tanks, initially targeting analysts focusing on the Asia-Pacific region before switching their focus to Iraq. Infosec threat intelligence firm CrowdStrike warns that a group it dubs Deep Panda has begun targeting think tanks, particularly those …
John Leyden, 8 Jul 2014

Panic like it's 1999: Microsoft Office macro viruses are BACK

Macro viruses involving infected Word and Excel files were a plague in the late 1990s. Yet, like grunge music, the genre fell into decline as techniques and technologies moved on. More recently macro viruses have staged something of a revival, thanks to social-engineering trickery. Windows executable malware has dominated macro …
John Leyden, 8 Jul 2014

Computing student jailed after failing to hand over crypto keys

+Comment A computer science student accused of hacking offences has been jailed for six months for failing to hand over his encryption passwords, which he had been urged to do in "the interests of national security". Christopher Wilson, 22, of Mitford Close, Washington, Tyne and Wear, was jailed for refusing to hand over his computer …
John Leyden, 8 Jul 2014

IEEE expands malware initiatives

Standards body the IEEE has launched two new anti-malware initiatives designed to help software and security vendors spot malware that's been inserted into other software, and improve the performance of malware detection by cutting down on false positives. The organisation's Anti-Malware Support Service (AMSS) is designed to …

Doctor Who season eight scripts leak online

Scripts for the first five episodes of the yet-to-be-screened and highly-anticipated series eight of Doctor Who have been leaked online. The leak is said to have come from BBC Worldwide's new Miami office, which was arranging translation of the new series for non-English speaking markets. The scripts are said to bear a BBC …
Darren Pauli, 8 Jul 2014

Insecure AVG search tool shoved down users' throats, says US CERT

The US Computer Emergency Response Team (CERT) has warned users about software download sites' practice of including unasked-for downloads, after one such program - AVG's Secure Search toolbar - was found to be insecure. Known as "bloatware" or "foistware", unasked-for software is bundled into the installation wrappers used …
Darren Pauli, 8 Jul 2014

Gendarmes grab French Bitcoin exchange in €200k sting

The operators of an illegal French Bitcoin exchange have been collared by the gendarmes and their Bitcoin holdings confiscated. A sketchy story out of Reuters says that the raid netted €200,000 worth of the crypto-currency, but doesn't outline what specific laws the exchange is accused of breaking. The Reuters story merely …

Cyber-Senate's cyber-security cyber-law cyber-scares cyber-rights cyber-fighters

On Tuesday the US Senate will meet in a closed-door session to mark up the forthcoming Cybersecurity Information Sharing Act of 2014 (CISA) – and the proposed new rules on data sharing between big biz and government have privacy groups seriously worried. CISA is an offshoot of the proposed Cyber Intelligence Sharing and …
Iain Thomson, 8 Jul 2014

Vid shows how to easily hack 'anti-spy' webmail (sorry, ProtonMail)

Video + Update A security researcher has demonstrated a classic JavaScript-injection attack against ProtonMail – the webmail system developed by boffins and CERN to withstand surveillance by the world's intelligence agencies. German security expert Thomas Roth published a video over the weekend showing how he exploited a trivial …
Iain Thomson, 7 Jul 2014

App permissions? Pah! Rogue Android soft can 'place phone calls at will'

Researchers at German security firm Curesec have identified bugs present in most versions of Android that can allow malicious applications to place phone calls, even when they lack the necessary permissions. By exploiting these vulnerabilities, rogue apps can get up to such mischief as surreptitiously dialing out to expensive …

Fridge hacked. Car hacked. Next up, your LIGHT BULBS

Those convinced that the emerging Internet of Things (IoT) will become a hackers' playground were given more grist for their mill with news on Friday that security researchers have discovered a weakness in Wi-Fi/mesh networked lightbulbs. Researchers at Context Information Security discovered that LED light bulbs from …
John Leyden, 7 Jul 2014

German spy agency staffer spied for NSA during gov probe into NSA spying – report

A German intelligence agency staffer has been arrested after allegedly being caught spying on behalf of the US, according to reports by German newspapers. The country's Federal Prosecutor's office has confirmed that a man had been arrested on suspicion of being a foreign spy, but gave no further details. According to reports in …
John Leyden, 7 Jul 2014

Don't panic! Mega cloud biz group says NSA just one among many threats

Enterprises are being told to not abandon the cloud out of fear of possible threats to their data security posed by US government snoops. The Open Data Center Alliance (ODCA) has advised big companies the benefits of cloud – escaping their legacy IT – far outweigh risks of the National Security Agency pilfering their secrets. …
Gavin Clarke, 7 Jul 2014

Brit celebs' homes VANISH from Google's Street View

Google is scrubbing out the homes of Blighty's rich and famous from its nosey Street View site. It has been reported that the likes of former Labour Prime Minister Tony Blair, former Beatle Paul McCartney and Led Zeppelin axeman Jimmy Page have had their houses blurred on the mapping service. Popstar Lily Allen and former RBS …
Team Register, 7 Jul 2014

NORKS hacker corps reaches 5,900 sworn cyber soldiers - report

North Korea has doubled the number of government hackers it employed over the last two years according to military sources from the South. The allegations claim 5900 "elite" personnel were employed in Pyongyang's hacking unit, up from 3000 in 2012. The hackers had their crosshairs firmly fixed on Seoul but operate from bureaux …
Darren Pauli, 7 Jul 2014

USA to insist on pre-flight mobe power probe

The USA's Transport Security Administration (TSA) has announced new, “enhanced security measures” that will require mobile phones to be charged before taken aboard international flights to the nation. The new requirement is simple. As explained here, the new arrangements will mean that “During the security examination, officers …

'Spy-proof' IM launched: Aims to offer anonymity to whistleblowers

Security experts have teamed up to create a stealthy internet messenger client designed especially for whistleblowers. The invisible.im project promises an instant messenger that leaves no trace. The team behind the project include Metasploit Founder HD Moore and noted infosec and opsec experts The Grugq. That's the infosec …
John Leyden, 4 Jul 2014

Crypto thwarts TINY MINORITY of Feds' snooping efforts

US government court-sanctioned wiretaps were sometimes defeated by encryption, according to official figures on law enforcement eavesdropping released this week. State police were unable to circumvent the encryption used by criminal suspects in nine cases last year, while plain text was recovered in 32 of 41 cases where use of …
John Leyden, 4 Jul 2014

Journal that published Facebook emoto-furtle study: Proper boffins get CONSENT

Facebook's ethical standards do not meet those of most researchers who conduct studies on human subjects, the journal which published the "secret", emotion-manipulative research on nearly 700,000 of the social network's users has said. The journal of the Proceedings of the National Academy of Sciences (PDF), has now made a …
Kelly Fiveash, 4 Jul 2014

So which miscreants wrote the CosmicDuke info-slurping nasty?

Security researchers have uncovered a link between a Trojan and a recently discovered cyber-espionage tool which suggests cyber-spies behind recent attacks on Western governments cut their teeth writing conventional Trojans. CosmicDuke combines elements from the Cosmu Trojan and a backdoor known as MiniDuke, previously …
John Leyden, 4 Jul 2014

Austrian Tor exit relay operator guilty of ferrying child porn

An Austrian man has been found guilty after child sex abuse material transited his Tor exit relay. IT administrator William Weber was charged in November last year after state police raided his home confiscating 20 computers, gaming consoles and devices after one of his seven global Tor exit relays funneled the illicit material …
Darren Pauli, 4 Jul 2014

PANDA chomps through Spotify's DRM

Music can be ripped from Spotify using a tool that cracks digital rights management copyright protection, a Georgia Tech University researcher says. Code dubbed Platform for Architecture-Neutral Dynamic Analysis - aka PANDA - posted to GitHub does the job, says researcher Brendan Dolan-Gavitt. "[The technique] by itself is just …
Darren Pauli, 4 Jul 2014

What do we want? CAT VIDEOS! How do we get them? TOR!

The Onion Router project has fired back at the National Security Agency, after it emerged that those who use the network – and read Linux magazines – are considered worthy of surveillance. Tor's blogged riposte points out that “Just learning that somebody visited the Tor or Tails website doesn't tell you whether that person is a …

Big Java security fixes on the way – but not so fast, Windows XP users

As if running Windows XP after Microsoft withdrew support wasn't risky enough, XP users who have Java installed may soon have even more to worry about. Oracle is due to issue its next Critical Patch Update – the massive, quarterly fix-it fests that deliver security updates across the company's entire product line, including Java …

Hacked Israel Defence Force Twitter account spruiks nuke leak fears

Hacker outfit the Syrian Electronic Army (SEA) hours ago cracked Israel's Defence Force (IDF) Twitter account where it posted a fake warning of a possible nuclear leak due to rocket strikes. The group posted under the IDF (@IDFSpokesperson) account of a "possible nuclear leak in the region after two rockets hit [the] Dimona …
Darren Pauli, 4 Jul 2014

Your Android phone is a SNITCH: Wi-Fi bug makes you easy to track

Your mobile device could be compromising your privacy by broadcasting your location history over the air, even when it is in sleep mode, according to new research by the Electronic Frontier Foundation. Of particular concern are newer Android gadgets, specifically those running Android 3.1 "Honeycomb" or later. That version of …