
Yahoo! wheels! out! password! on-demand! service! for! simpletons!

Yahoo! is trialling a service that removes the need to remember your passwords, providing users aren't so absent-minded they don't also lose or mislay their mobile phones. The on-demand password service allows registered users to get a short password sent to their phone. On-demand passwords is an opt-in service, initially only …
John Leyden, 16 Mar 2015

Dread Pirate Roberts' first mate Peter Nash faces life behind bars

Updated An Australian faces life behind bars in the USA after entering a guilty plea for his role in Ross Ulbricht's Silk Road operation. Peter Phillip Nash, who went by the tag “Samesamebutdifferent” on the online drug bazaar, put his hands up to narcotics and money laundering charges. Nash was arrested in the Australian city of …

Mozilla peers into processes with student-built forensics probe

Student hackers from the University of Buenos Aires have developed with Mozilla an open-source forensics tool to analyse memory of running processes. Computer science quartet Marco Vanotti, Patricio Palladino, Nahuel Lascano, and Agustin Martinez Suñé are part of Masche Team, who are "highly motivated by coding, security and …
Darren Pauli, 16 Mar 2015

Princeton boffins sniff Tor users' IDs from TCP ACKs and server sweat

Tor is regularly recommended as a vital privacy protection technology, and just as regularly, researchers discover ways to de-anonymise users, and the latest of these has just hit Arxiv. The research, led by boffins from Princeton, demonstrates ways to de-anonymise Tor users with access to just one end of a communication path, …

Ow.ly plus AWS plus Box roped into worm-spreading spree

Users with a bent for nasty content and too much trust in shortened links are helping to spread a Facebook worm, according to researchers at Malwarebytes. Senior researcher Jérôme Segura has documented a Kilim-family worm that attracts users by promising smut with a link that's been shrunk by link-shortening service ow.ly. The …

Sydney's Bugcrowd lands $6m from venture capitalists

Vulnerability mercenary outfit Bugcrowd has scored $6 million in Venture Capital funding. The Series A funds for the crowd-sourced security testing outsourcer have been provided by Costanoa Venture Capital, Rally Ventures, Paladin Capital Group and Australian outfit Blackbird Ventures. Bugcrowd founder Casey Ellis says the …
Darren Pauli, 16 Mar 2015

Oracle adds secure-ish boot support to its Linux distro

Oracle has released a new secure-boot version of its Linux, but the new issuance is attracting criticism that it's not actually secure. The issue, according to a series of Tweets by Linux engineer Matthew Garrett, is that Oracle's Unbreakable Enterprise Kernel supports kexec_load() and carries the same signature as the kernel …

Leaked Windows 10 build hints at peer-to-peer patching

A new build of Windows 10, number 10036, appears to have somehow found its way beyond Redmond's firewalls, and folks running it report it has all manner of interesting additions. The main eyebrow-raiser is a new dialog titled “Choose how you download updates” that offers an option to “Download apps and OS updates from multiple …
Simon Sharwood, 15 Mar 2015

Yahoo! spaffs! out! plugin! to! bring! crypto! to! everyone's! email!

Yahoo! has shown off an OpenPGP-based end-to-end e-mail encryption it says will be offered as a plug-in by the end of the year. Its aim is to make PGP-based encryption more accessible to the everyday layperson. Described in this blog post by Purple Palace chief information security officer Alex Stamos, the mail encryption code …

Help! Virgin Media FORGETS to renew its security certificate on contact page

Virgin Media has failed to renew its security certificate on the company's 'Contact us' page of its website. It is currently displaying an "untrusted connection" warning about the help.virginmedia.com url. Customers who attempt to contact the Liberty Global-owned cable firm are greeted with the confusing alert that suggests …
Kelly Fiveash, 15 Mar 2015

Gamers! Ransomware will scramble your save files unless you cough up $1,000

Researchers have spotted malware that targets gamers, and threatens to trash their in-game progress unless they pay up. Of the 185 file types encrypted, games are Teslacrypt's top target. The software nasty, dubbed Teslacrypt, works in the same way as traditional ransomware like Cryptolocker. It …
Iain Thomson, 13 Mar 2015

Telly chef Jamie Oliver in embarrassing infection double shocker

Mockney chef Jamie Oliver is a wizard at cooking – but his website team isn't exactly cordon bleu standard, as his webpages have put steaming dishes of malware back on the menu. Last month, researchers at security firm Malwarebytes found jamieoliver.com was hosting an exploit kit that could dish up malware to visitors looking …
Iain Thomson, 13 Mar 2015

Hurry shipmates - the black hats have hacked our fire control system

The final instalment of Blighty's Cyber Security Challenge, a ten-month process to find new talent for Blighty's infosec workforce, will conclude this afternoon. The Cyber Security Challenge Masterclass, organised by BT, and described as "a series of national competitions, learning programmes, and networking initiatives designed …

Microsoft RE-BORKS Windows 7 patch after reboot loop horror

Reports are emerging that a twice-issued Microsoft Windows 7 patch is still causing pain for users, with some claiming the fix is triggering continuous reboots. The patch was first issued as KB2949927 and withdrawn in October due to system faults, before being re-released this week as KB3033929. Sporadic reports across internet …
Darren Pauli, 13 Mar 2015

OpenDNS snags network monitoring service BGPmon

Cloud security firm OpenDNS is buying network and routing monitoring services outfit BGPmon. Financial terms of the deal, announced on Thursday, were not disclosed. BGPmon offers services based on the Border Gateway Protocol (BGP), a core network protocol used by every major network and ISP, which maps preferred paths for …
John Leyden, 13 Mar 2015

'Get your privacy policy down to one page': AVG CEO throws glove down

Interview The Register caught up with AVG (and ex Mozilla) CEO Gary Kovacs at Mobile World Congress last week. AVG is talking up its Zen security product – a sort of mobile device management for the home – which Kovacs says is extending to cover Internet of Things (IoT). “You will be able to manage your wearables as well as the key parts …
Tim Anderson, 13 Mar 2015

Google tells world where Apps users live after WHOIS SNAFU

Names, home and email addresses, and phone numbers for a whopping 282,867 Google Apps domains have been exposed through previously borked private WHOIS records, Cisco boffins say. The research is the work of Nick Biasini, Alex Chiu, Jaeson Schultz, Craig Williams and William McVey of Cisco's Talos team who today published an …
Darren Pauli, 13 Mar 2015

Security vendor's blog post pinched to make HMRC phish look legit

Netcraft has found that security firm TrustWave inadvertently gave phishers a helping hand. The situation starts in this December 2010 blog post by Gavin Neale of M86 Security Labs, a company since acquired by TrustWave. Until Wednesday, that post included an image of a faked email from UK taxation agency HM Revenue and Customs …
Simon Sharwood, 13 Mar 2015

Cisco FREAKs out, starts epic OpenSSL bug-splat

Cisco admins will be watching and waiting for fixes, with the company announcing that many of its OpenSSL implementations are carrying a bunch of post-POODLE fleas. The Borg has been looking over its kit and software since the OpenSSL project disclosed a bunch of vulns in January, and on March 10 detailed the impacts it's …

Patch Flash now: Google Project Zero, Intel and pals school Adobe on security 101

Hot on the heels of Microsoft's Patch Tuesday release, Adobe has published security fixes for its Flash Player browser plugin. The March 12 update for the internet's screen door addresses 11 CVE-listed vulnerabilities. Adobe is listing the patch as a top deployment priority for Windows, OS X and Linux systems. Among the flaws …
Shaun Nichols, 12 Mar 2015

Forget viruses: Evil USB drive 'fries laptops with a power surge'

Security experts have been warning for years about the dangers of USB sticks as a conduit for malware, but a Russian researcher has bragged about coming up with a more direct method for borking a computer – with old-fashioned electricity. The idea is cunningly simple but fiendish, and reminds us of the Etherkiller: the …
Iain Thomson, 12 Mar 2015

UK says comms metadata can kill personal privacy

The UK's inquiry into whether it conducts mass surveillance and the legality of such an effort has recommended tighter controls on access to communications metadata. The inquiry, as we've reported, finds that mass surveillance capabilities exist in the UK, but are used appropriately. The inquiry also rejects use of the …
Simon Sharwood, 12 Mar 2015

Bulk interception is NOT mass surveillance, says parliamentary committee

Parliament's intelligence committee report into security and privacy has concluded GCHQ's bulk interception of net traffic is not mass surveillance, and so permissible. However, it also called for new umbrella laws to regulate the activities of spy agencies and provide greater transparency. The Intelligence and Security Committee …
John Leyden, 12 Mar 2015

Kaspersky claims to have found NSA's 'space station malware'

Kaspersky malware probers have uncovered a new 'operating system'-like platform that was developed and used by the National Security Agency (NSA) in its Equation spying arsenal. The EquationDrug or Equestre platform is used to deploy 116 modules to target computers that can siphon data and spy on victims. "It's important to …
Darren Pauli, 12 Mar 2015

104 Australian orgs report breaches to privacy commissioner

Australian organisations have voluntarily submitted 104 data breach notifications over the last year, the Privacy Office says. News of the breach disclosures arrived today, the first anniversary of the country's tougher privacy policies, among reports of 4,016 privacy complaints, a 43 percent increase over the prior year. …
Darren Pauli, 12 Mar 2015

$1.3 million surveillance system fights Logan bogans

Queensland's Logan City Council has opened a $1.3 million CCTV surveillance centre using facial recognition technology to track drunks, criminals, and burst water mains. The monitoring program has grown over the last decade from nine CCTVs to more than 300, and runs on the Teleste platform used in Paris, Sweden and in Austria's …
Darren Pauli, 12 Mar 2015

Mattel urged to scrap Wi-Fi mic Barbie after Register investigation

Privacy activists are urging Mattel to axe its Hello Barbie doll, which sends recordings of children's voices across the internet for voice-recognition analysis. The improbably proportioned doll is fitted with a small embedded computer, a microphone, a speaker and a Wi-Fi interface. When the toy's belt buckle is pressed, Barbie …
Iain Thomson, 12 Mar 2015

Clinton defence of personal email server fails to placate critics

Analysis Hillary Clinton's admission that she was perhaps unwise to make exclusive use of a personal email account while serving as US Secretary of State has failed to placate critics, some of whom are trying to use the affair to derail her expected challenge for the White House next year. Clinton has issued a minimal mea-culpa stating …
John Leyden, 12 Mar 2015

Australians! Let us all rise up against data retention

Comment No one likes being watched. The moment another eye sets upon us, we seize up. All our fluid actions become forced, unnatural and overthought. We dream up all sorts of ridiculous schemes that might allow us to hide in plain sight as we wait impatiently for that gaze to move elsewhere. Could we find clothing that blends in with …
Mark Pesce, 11 Mar 2015

Panda antivirus labels itself as malware, then borks EVERYTHING

Panda users had a bad hair day on Wednesday, after the Spanish security software firm released an update that classified components of its own technology as malign. As a result, enterprise PCs running the antivirus software tied themselves in something of a knot, leaving some systems either unstable or unable to access the …
John Leyden, 11 Mar 2015

PayPal pays $60m for Israeli predictive security start-up

PayPal has confirmed a $60m acquisition of security intelligence firm CyActive. The online payments firm, soon to be spun off from eBay, accompanied the announcement of the deal with plans to open a research hub in Israel. CyActive, founded by ex IDF intelligence unit cyberspies in 2013, specialises in trying to predict the …
John Leyden, 11 Mar 2015

Faux pro-IS Facebook shot down within hours of launch

A pro-Islamic State social network was pulled offline hours after its launch. The network, 5elafabook, was supposedly set up in the wake of a ramp-up in efforts by Twitter to quickly shut down accounts promoting violent jihad. Facebook has likewise applied the ban-hammer on accounts spouting pro-Caliphate propaganda. 5elafabook …
John Leyden, 11 Mar 2015

Android SDK nonce flaw lets hackers fiddle with your Dropbox privates

IBM's security team has found an unsettling flaw that can leave the Dropbox accounts of mobile users wide open to snooping by attackers. The researchers spotted some sloppy coding in Dropbox's SDK Version 1.5.4 for Android. Applications that link to Dropbox accounts using the SDK may be vulnerable, owing to a flaw that can allow …
Iain Thomson, 11 Mar 2015

Cyber-whizs partake in mass eye-roll event over latest leaks: CIA spies 'spying on iPhones'

CIA brainiacs at least thought about, or experimented with, breaking the security of Apple's iPhones, iPads and OS X computers, it appears from leaked intelligence documents. The intel agency wanted to crack the encrypted firmware stored on targeted iThings, and spy on selected users via poisoned apps, Snowden newsletter The …
John Leyden, 11 Mar 2015

Ad bidding network caught slinging ransomware

Attackers are using Flash exploits and foisting ransomware through real time advertising bidding networks, FireEye researchers say. The attacks link to malicious or compromised advertising sites which participate in real time bidding systems in which ad inventory is sold to and by publishers. More than 1700 malicious …
Darren Pauli, 11 Mar 2015

CloudFlare launches nameserver DDoS shield

CloudFlare has launched a DNS proxy service it says will help organisations improve DNS resilience by pushing distributed denial of service attacks to the outer edge of its network. The Virtual DNS service is billed as a means for DNS providers to mitigate a potential "massive single point of failure" in their nameservers caused …
Darren Pauli, 11 Mar 2015

Malware uses Windows product IDs to mix mutex

Malware writers are using Windows unique product numbers to generate mutex values to evade researchers, SANS security boffin Lenny Zeltser says. Mutex values are used as an accurate reference to determine if multiple identical processes are running. Malware including the infamous BackOff credit card stealer has used mutex for …
Darren Pauli, 11 Mar 2015

Stuxnet Redux: Microsoft patches Windows vuln left open for FIVE YEARS

While most of the attention this Patch Tuesday has been focused on the FREAK encryption vulnerability, Microsoft's latest batch of fixes also addresses another longstanding threat to Windows: Stuxnet. What's that you say? You thought Microsoft already issued a patch that stopped the Stuxnet worm from spreading all the way back …
Neil McAllister, 10 Mar 2015

Redmond's Patch Tuesday to kill off the Windows FREAK show

Microsoft has issued 14 security bulletins to protect against a total of 44 different CVE-listed security vulnerabilities in its monthly Patch Tuesday release. The patch bundle includes Microsoft's solution for the now-infamous FREAK security vulnerability and some major fixes for Internet Explorer. Five of the patches are …
Shaun Nichols, 10 Mar 2015

Hackers' delight? New Apple wrist-puter gives securobods the FEAR

Security pundits are already fretting over the security of the Apple Watch, just hours after the expensive gizmo was launched at a high profile US event. Ken Westin, security researcher at Tripwire, said that the security implications of the wearable device's Wi-Fi connection capabilities create a potential opportunity for …
John Leyden, 10 Mar 2015

Pro-ISIS script kiddies deface Dublin Rape Crisis Centre site

The FBI has begun investigating the hack of a number of websites – including the site of Dublin Rape Crisis Centre – by pro-ISIS script kiddies. The Dublin Rape Crisis Centre in Ireland was defaced so that its home page featured the black ISIS flag and the message "Hacked by ISIS, we are everywhere." A Flash audio plug-in …
John Leyden, 10 Mar 2015

ALL comp-sci courses will have compulsory infosec lessons – UK.gov

Cyber-security will appear on the UK curriculum from next year in a bid to get more kids into the industry, the government has announced. The topic will be a key part of UK computing and digital further education qualifications from September 2016, Cabinet Office minister Francis Maude said today. Its inclusion is part of a …
Kat Hall, 10 Mar 2015