Security > More stories

John Cleese with mother

Mumsnet founder 'swatted by misogynist griefers'

Update Mumsnet founder Justine Roberts and another user were both targeted in swatting attacks at the apex of a series of hack attacks that may have led to the compromise of user logins at the high-profile, UK-based parenting site. Swatting involves making an emergency call to the police claiming that a crime is taking place at the …
John Leyden, 19 Aug 2015
No junk mail. Pic: gajman, Flickr

Wikiland turns to Shapps and says ‘those emails you wanted, we deleted them, sorry’

Wikimedia UK, the national charity supporting Wikipedia and its sister projects, has told the MP and former Conservative Party chairman Grant Shapps he can't see internal emails he has requested under the Data Protection Act ... because it has deleted them. One of the charity's own staff was censured after being involved in …
Andrew Orlowski, 19 Aug 2015
Woman on phone. Pic: Carolyn Coles

Speaking in Tech: What's that strange rustling sound?

Podcast speaking_in_tech Greg Knieriemen podcast enterprise Hosted by Greg Knieriemen, Ed Saipetch and Sarah Vela. This week it's a full cast as we cover new gadgets, Android messaging, tough work and exposed cheaters. This week, we cast our eye over... (1:50) Eddie checks in from LinuxCon: soda, sweets & sessions (7:00) Dell …
Team Register, 19 Aug 2015
Indian mobile use

Want branchless banking? Live in the developing world? Oops

Branchless banking apps targeted at customers in the developing world are rife with vulnerabilities, according to security researchers. A study by computer scientists from the University of Florida focused on seven of the more high-profile apps, uncovering flaws that created a heightened risk of fraud as well as “unfair” terms …
John Leyden, 19 Aug 2015

Google reveals OnHub WiFi router, complete with GLOWING RING

Google will shortly release its first WiFi router and has made automatic updating a frontline feature. The new "OnHub" is designed to offer a rather more pleasant experience for home users, starting with a cute coffee cup form factor and extending to an app-driven user interface. Google's even banished blinking lights [Heresy …
Darren Pauli, 19 Aug 2015

Microsoft drops rush Internet Explorer fix for remote code exec hole

Microsoft has released an out-of-band patch for Internet Explorer versions 7 through 11, to close a dangerous remote code execution flaw allowing attackers to commandeer machines. The attack will be a highly useful tool in hacker arsenals likely allowing them to build powerful phishing, watering hole, and malvertising …
Darren Pauli, 19 Aug 2015

Adulterers antsy as 'entire' Ashley Madison databases leak online

Hackers at the Impact Team have apparently carried out their threat to publish the customer databases of Ashley Madison – a hookup website designed for those who want to cheat on their partners. In July, the hackers announced that they had successfully scraped the servers of Ashley Madison, and its sister site Established Men …
Iain Thomson, 18 Aug 2015
Internet email sign. Pic: @mattw1lson, Twitter

NSA-resistant email service Lavaboom goes BOOM! (we think)

Snowden-inspired crypto-email service Lavaboom has apparently gone titsup, according to several net sources. Rumours that the German encrypted mail service was no more surfaced through an ex contractor Piotr on the blog of rival ProtonMail, before getting picked up and discussed on Reddit. Attempts by El Reg to reach the firm …
John Leyden, 18 Aug 2015

Trend publishes analysis of yet another Android media handling bug

More details have emerged about yet another Android vulnerability, that, like other recent flaws, revolves around how the Google-backed mobile operating system handles media files. The Android Mediaserver vulnerability might be exploited to perform attacks involving arbitrary code execution, security researchers at Trend Micro …
John Leyden, 18 Aug 2015

Who should be responsible for IT security?

Typically, when a cybersecurity problem arises, it’s the IT department that gets it in the neck. Ostensibly, that makes sense. After all, if someone is in your network mining your database for corporate secrets, it’s hardly the office manager or the accounts receivable department’s lookout, right? Perhaps. On the other hand, …
Danny Bradbury, 18 Aug 2015

You CAN'T jail online pirates for 10 years, legal eagles tell UK govt

The UK government plan to jail online copyright pirates for up to 10 years has been attacked by legal boffins in a public consultation that ended yesterday. The British and Irish Law, Education and Technology Association (BILETA), said the idea was “unacceptable, infeasible and unaffordable”. The public consultation invited …
Jennifer Baker, 18 Aug 2015

Row rumbles on over figures in Oracle CSO’s anti-security rant

Security researchers picking through the entrails of a withdrawn blogpost by Oracle CSO Mary Ann Davidson reckon not even her figures add up. Oracle countered that only it had access to the raw figures, so there. Davidson's 3,000+ word diatribe against bug bounties, security researchers or customers hunting vulnerabilities in …
John Leyden, 18 Aug 2015
Monty Python dead parrot sketch

Parrot drone pwned (and possibly killed) with Wi-Fi log-in

Lack of security in the Wi-Fi link to the Parrot AR drone allows it to be blown out of the sky by telnetting in and killing the process. Ryan Satterfield, who describes himself as an ethical hacker and runs consultancy Planetzuda.com, explains on his YouTube channel that the Parrot drone hack was demonstrated at DEF CON 23. …
Simon Rockman, 18 Aug 2015

Dixons Carphone still has 7.5k Windows XP EPOS systems

Dixons Carphone is still using thousands of EPOS tills running on Windows XP more than a year after Microsoft’s extended support expired, The Register has learned. This is not the Embedded flavour of the OS (though even these would present a heightened risk of attack, say security experts) but 7,000-plus bog standard XP …
Paul Kunert, 18 Aug 2015

Anti-botnet initiatives USELESS in sea of patch-hating pirates

Three Dutch researchers have crunched data gleaned from efforts to battle the Conficker bot and declared anti-botnet initiatives all but useless for clean up efforts. Conficker was born in 2008 spreading aggressively through a since patched remote code execution Microsoft vulnerability (MS08-067) that affected all operating …
Darren Pauli, 18 Aug 2015
Firefox experimental private browsing mode

Mozilla testing very private browsing mode

The Mozilla Foundation has outlined plans for enhanced private browsing in its Firefox browser. The outfit thinks that “when you open a Private Browsing window in Firefox you’re sending a signal that you want more control over your privacy than current private browsing experiences actually provide.” How much more privacy? …
Simon Sharwood, 18 Aug 2015

Veedub flub hubbub stubs car-jack hack flap

Dutch and British researchers Roel Verdult and Baris Ege, the duo behind the revelation that many VW cars have a security flaw, have now revealed that Ferraris, Maseratis, Pontiacs, and Porches that use Megamos Crypto transponders can be stolen. The duo demonstrated how the Megamos engine immobiliser, which unlocks when an …
Darren Pauli, 18 Aug 2015

Another root hole in OS X. We know it, you know it, the bad people know it – and no patch exists

If you're using OS X Yosemite, watch out for malware exploiting a new way to take complete control of your Mac. A vulnerability has been found in Apple's operating system that allows ordinary software on the computer to gain all-powerful root privileges, allowing dodgy apps to install new programs, create users, delete users, …
Chris Williams, 18 Aug 2015

Ransomware blueprints published on GitHub in the name of education

Turkish security bod Utku Sen has published what appears to be the first openly available source code for ransomware – free for people to use and spread. The "Hidden Tear" ransomware, available to GitHub, is a functional version of the malware the world has come to hate; it uses AES encryption to lock down files and can …
Darren Pauli, 18 Aug 2015
Cash in brown paper envelope CC 2.0 attribution StockMonkeys.com

IRS: Tax-record snaffle scam actually 200% worse than first feared

The US Internal Revenue Service (IRS) admitted Monday that the May scam in which criminals tried to use stolen data on more than 114,000 people to collect tax information was far larger than it originally thought. Uncle Sam's taxman now claims that on top of the 100,000 or so people whose data had been used to collect tax …
Shaun Nichols, 17 Aug 2015
Cookie Monster

Anti-privacy unkillable super-cookies spreading around the world – study

At least nine telcos around the world are using so-called super-cookies to secretly monitor citizens' online behavior, according to a new study. A super-cookie is a token unique to each subscriber that is injected into every HTTP request made through a telco's cellphone networks. They can't be stripped by the user: every time …
Iain Thomson, 17 Aug 2015
F-16 falcon fighter jet

US Air Force: 'Loose tweets destroy fleets'

Pic The US Air Force has warned its personnel to keep quiet of their activities on Twitter – or as they put it: "Loose tweets destroy fleets." The notice reminds everyone that terrorist organizations and sympathizers will exploit any military information posted on social networks and other websites. The warning extends not only …
Shaun Nichols, 17 Aug 2015

Surprise! World stunned to learn that AT&T is in the NSA's pocket

It has long been known that AT&T works with the NSA to monitor the internet traffic and call data in the US and overseas. Now, new files leaked by whistleblower Edward Snowden show the company is by far the agency's biggest spying partner. The document trove, published by ProPublica and The New York Times, doesn't mention AT&T …
Iain Thomson, 17 Aug 2015

Choke on it! Brit police squeeze pirate site advertising money trail

The intercepting of advertisements served on dodgy pirate sites has begun to choke their revenue by 70 per cent, according to the City of London police, vindicating the policy of following the “money trail”, rather than an individual infringer, said the police and trade groups. Tactics include harassing the seedy ad networks …
Andrew Orlowski, 17 Aug 2015
android logo

Botched Google Stagefright fix won't be resolved until September

According to security company Rapid7, Google needs to rethink how it patches Android in the wake of initial botched attempts to resolve the Stagefright vulnerability. The criticism comes as Google itself confirmed users of its Nexus devices – who are the first to get security fixes – won't be fully protected until September. …
John Leyden, 17 Aug 2015
shutterstock_271979432-classroom

So unfair! Teachers know what’s happening on students' fondleslabs

Maybe now you don’t want the kids turning off their iPads in class after all. By using VNC remote access, pupils can now instantly share their work with their teacher and the rest of the pupils. The ability has come through the integration of software from Cambridge company RealVNC, which allows screens to be mapped on to …
Simon Rockman, 17 Aug 2015
hacker

Hacking Team mulled stopping Ethiopia sales – because of idiot g-men

Hacking Team failed to take effective action to investigate or stop reported abuses of its technology by the Ethiopian government against dissidents, according to Human Rights Watch. A review of internal company emails leaked as part of a highly-publicised breach against the controversial spyware-for-government firm in July …
John Leyden, 17 Aug 2015

Ten years after the Samy worm its discoverer's voice is lost in the din

It has been 10 years since Sydney security bod Wade Alcorn disclosed how cross-site scripting vulnerabilities could be weaponised, a revelation that would one week later see the proof of concept become the fastest-spreading worm ever. There is no direct link between Alcorn's disclosure and Samy Kamkar's eponymously named worm …
Darren Pauli, 17 Aug 2015

Adobe pays US$1.2M plus settlements to end 2013 breach class action

Adobe has paid an undisclosed amount to settle customer claims and faces US$1.2 million in legal fees after its 2013 data breach which compromised the details of 38 million users. The creative content king was served a November 2013 class action lawsuit filed in California in which it is claimed "shoddy" security practises …
Darren Pauli, 17 Aug 2015
Eugene Kaspersky in Sydney

Kaspersky: Freemasons coded fake malware in the Bermuda Triangle

Eugene Kaspersky has taken to his blog to make another stinging rebuttal of a Reuters report that alleged the company that bears his name deliberately sabotaged rival antivirus packages. “The Reuters story is based on information provided by anonymous former KL employees. And the accusations are complete nonsense, pure and …
Simon Sharwood, 17 Aug 2015

Choc Factory patches zero day Google for Work hack hole

Google has patched a vulnerability in the Google Admin application that could allow attackers to steal enterprise accounts. MWR Labs researcher Rob Miller reported the sandbox-hopping hole, rated medium severity, which can be exploited by malware residing on a user's device. The flaw can be used to steal Google for Work …
Darren Pauli, 17 Aug 2015

Boffins nail 2FA with 'ambient sound' login for the lazy

Internet users who think two taps on a smartphone is two taps too much may soon be able to use seamless second factor authentication that verifies a person is in possession of their phone by matching ambient noise sound prints. Researchers Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun of the …
Darren Pauli, 17 Aug 2015
Eugene Kaspersky in Sydney

I've seen Kaspersky slap his staff with a walrus penis – and even I doubt the false-positive claims

Comment Eugene Kaspersky is a complex character and capable of many things, but Friday's allegations that he ordered staff to deliberately sabotage rival antivirus packages smells fishy. On the one hand, the problem of AV products flagging up false positives is well known. Signature-file detection of software nasties is dated, and of …
Iain Thomson, 15 Aug 2015
virus_1_648

You've been Drudged! Malware-squirting ads appear on websites with 100+ million visitors

Internet lowlives who used Yahoo! ads to infect potentially countless PCs with malware have struck again – using adverts on popular websites to reach millions more people. Security researchers at MalwareBytes this week discovered the crooks running another massive campaign of ads that use the Angler Exploit Kit to infiltrate …
Shaun Nichols, 14 Aug 2015

Kaspersky Lab denies tricking AV rivals into nuking harmless files

Kaspersky Lab deliberately fed bogus malware to its rivals to sabotage their antivirus products, two anonymous former employees allege. Kaspersky says the accusations are false. Reuters reported today that two ex-Kaspersky engineers claim they were tasked with tricking competing antivirus into classifying benign executables …
John Leyden, 14 Aug 2015
Marc Benioff of Salesforce. Pic: Techcrunch

Salesforce plugs silly website XSS hole, hopes nobody spotted it

A cross-site scripting (XSS) vulnerability on Salesforce's website might have been abused to pimp phishing attacks or hijack user accounts. Fortunately the bug has been resolved, apparently before it caused any harm. Cloud app and security firm Elastica said the issue affected a Salesforce sub-domain – admin.salesforce.com …
John Leyden, 14 Aug 2015

Use QuickTime … and become part of the collective

Two Borg assimilators have discovered five denial of service vulnerabilities in Apple's QuickTime. The five vulnerabilities (CVE-2015-3788 to 3792) affect the latest version of QuickTime up to the patched 7.7.7 for Windows 7. Ryan Pentney and Richard Johnson of Cisco's Talos security talon reported the memory corruption holes …
Team Register, 14 Aug 2015

China laments 'wild guesses and malicious slurs' on state hacking

Chinese president Xi Jinping visits the USA in September, a visit expected to be afforded all the pomp and ceremony of a top-level bilateral leader's meeting. Other diplomatic protocols are meanwhile being observed, including sniping through the media. In China's case, that means state-owned Xinhua, which quoted Chinese …
Simon Sharwood, 14 Aug 2015

Facebook hands hackers $100k for breaking browsers

Four researchers have scored US$100,000 from Facebook for revealing 11 bugs affecting platforms including the Chrome and Firefox browsers using novel vulnerability discovery methods. The Georgia Institute of Technology team of PhD students Byoungyoung Lee and Chengyu Song, and professors Taesoo Kim and Wenke Lee discovered the …
Darren Pauli, 14 Aug 2015
Bug eating an apple

Have an iPhone? Mac? Just about anything else Apple flogs? Patch now

Apple has issued a huge wad of updates to address dozens of CVE-listed security vulnerabilities in iOS, OS X Yosemite, Safari, and OS X Server. The update includes fixes for security flaws that an attacker could exploit to remotely execute code on one's shiny belongings. For newer iOS devices, Apple is putting out the iOS 8.4 …
Shaun Nichols, 13 Aug 2015
android logo

Google flubs patch for Stagefright security bug in 950 million Androids

Google's security update to fix the Stagefright vulnerability in millions of Android smartphones is buggy – and a new patch is needed. The Stagefright flaw is named after a component within the Android operating system that, among other things, processes incoming text messages that contain video clips. By sending a vulnerable …
Iain Thomson, 13 Aug 2015

DNS root zone drama: Follow live the most important dullest ceremony you'll ever see

If you have literally nothing better to do today, we would recommend watching the most important but dullest ceremony you can catch online. The eight-hour event is taking place today in Los Angeles and is being streamed live – just like the Oscars. Although without the music, or famous people, or speeches, or ball gowns. OK, …
Kieren McCarthy, 13 Aug 2015