
Facebook offers end-to-end encrypted chat – if you find the right setting

Facebook is rolling out end-to-end encryption for its messaging service to bring it in line with competitors, including its own WhatsApp. But as ever with Facebook, there's a catch: you'll have to actively select the encrypted version each time, and the service will be limited to a single device. You also won't be able to use …

BMW web portal vulns pose car hack risk – researchers

Two unpatched vulnerabilities in BMW's ConnectedDrive web portal create a mechanism to manipulate car settings, a security researcher warns. The first (and more serious) vulnerability creates a means for a hacker to access another driver’s Vehicle Identification Number (VIN) before changing in-car settings such as lock/ …
John Leyden, 8 Jul 2016

Malaysia-based credit card fraud ring broken, 105 arrested

A total of 105 credit card fraud suspects have been arrested in Asia and Europe following a complex months-long investigation across two continents. The investigation targeted a gang led from Malaysia whose tentacles spread into 14 European countries (including the UK and Germany) and specialised in using counterfeit credit …
John Leyden, 8 Jul 2016

Copy paste slacker hackers pop corp locks in ode to stolen code

The ultimate copy paste slacker hacker group has busted security controls in some 2500 corporates and government agencies using nothing but stolen code. The targets focus on those affiliated with military and political assignments around Southeast Asia and the contentious South China Sea, and may have been compromised in a …
Darren Pauli, 8 Jul 2016

CloudFlare pros pen paranoid phone plan for pwn-free peregrination

Travelling executives should use modern iPhones with burner SIMs, no PINs, and minimal apps, CloudFlare security boffin Filippo Valsorda says. Valsorda of the anti-distributed denial of service attack firm's London office says his 'paranoid' guide focuses on iOS because he considers it the most secure operating system …
Darren Pauli, 8 Jul 2016

Facebook ‘glitch’ that deleted the Philando Castile shooting vid: It was the police – sources

The deadly shooting of 32-year-old Philando Castile by a cop during a routine traffic stop in Minnesota on Wednesday just got murkier. Multiple sources have told The Register that police removed video footage of Castile's death from Facebook, potentially tampering with evidence. Castile, his girlfriend Diamond Reynolds, and …
Iain Thomson, 8 Jul 2016

414,949 D-Link cameras, IoT devices can be hijacked over the net

Shodan has turned up half a million D-Link devices exposed to the internet, and subject to easy hijacking using zero-day vulnerabilities. The stack overflow vulnerabilities affect more than 120 D-Link products, from Wi-Fi cameras to routers and modems, and allow remote attackers to completely hijack the administrator account of …
Darren Pauli, 8 Jul 2016

1 in 20 Wendy's burger joints hacked? No, make that 1 in 3 – 1,025 in total

Wendy's has 'fessed up that the malware infection in its cash registers, first thought to have impacted 300 restaurants, hit more like 1,000 outlets, and says an unnamed service provider let the attackers into its systems. The American fast-food chain has owned up that the number of its stores in the US with bank-card snooping …

Cafe killer remote code execution affects 140 million MIUI Androids

The most popular stock and third-party Android ROM – used by 170 million people – contains a dangerous since-patched remote code execution hole that could hand attackers total control of handsets. The flaw, found by IBM X-Force researcher David Kaplan (@depletionmode), now of Microsoft, exists in MIUI (pronounced Me, You, I) …
Darren Pauli, 7 Jul 2016

Loose wrists shake chips: Your wrist-job could be a PIN-snitch

Chinese scientists have brewed a way to steal -- with 80 percent accuracy -- automatic teller machine PINs by infecting wearable devices. Five university boffins demonstrated the trick in a laboratory, finding even the slight hand movements a person makes while entering PINs can be captured through infected smart watches. The …
Darren Pauli, 7 Jul 2016

Palo Alto offers $16,000 in looming CTF hack off

In eight days, Palo Alto is launching a capture the flag competition offering a total of US$16000 (£12340, A$21,245) for the first to complete the six trials. The first to solve all six challenges will receive US$5000 (£3866, A$6640), and can score six lots of US$1000 (£773, A$1328) if they are also the first to complete each …
Darren Pauli, 7 Jul 2016

Unmasking malware in TLS connections? It can be done, say Cisco researchers

A group of researchers who work for Cisco* reckons malicious traffic in TLS tunnels can be spotted and blocked – without decrypting user traffic. That's good news in the corporate setting, because today's protection relies on the controversial approach of terminating the encryption to inspect the traffic. In this paper at …

Sysadmins: Use these scripts to fully check out of your conference calls

Rejoice, system admins; Splunk developer Josh Newlan has created a series of scripts that will, with the right tools, get you out of time-wasting teleconference meetings. The scripts, built on Splunk and IBM Speech to Text Watson but which can be ported to use open source tools, allow over-worked crushed souls to have relevant …
Darren Pauli, 7 Jul 2016

⌘+c malware smacks Macs, drains keychains, pours over Tor

More malware capable of pilfering Mac keychain passwords and shipping them over Tor has been turned up, less than a day after a similar rare trojan was disclosed. Dubbed Keydnap, the malware is delivered as a compressed Mach-O file with a txt or jpg extension, with a hidden space character which causes it to launch in terminal …
Darren Pauli, 7 Jul 2016

The truth about Silent Circle's super-secure, hyper-privacy phones: No one's buying them

It seems that the Blackphone, the handset created by Silent Circle and Spanish firm Geeksphone, isn't as popular as its makers would like. Geeksphone has sued [PDF] its erstwhile partner for $5m in a New York court, claiming that disappointing hardware sales have crippled the partnership and left the Switzerland-based Silent …
Iain Thomson, 6 Jul 2016

Attention, small biz using Symantec AV: Smash up your PCs, it's the safest thing to do

If you're using Symantec's Endpoint Protection Small Business Edition (SEP SBE) then you can forget about security for a week or so, as the company won't be patching the "as bad as it gets" security holes in its software for a while. A Register reader who wishes to remain anonymous received an email from Symantec confirming …
Iain Thomson, 6 Jul 2016

Huge double boxset of Android patches lands after Qualcomm disk encryption blown open

Google has released two bundles of Android security patches this month: a smaller one to handle bugs in the operating system, and a larger package that tackles a raft of driver-level issues, particularly with Qualcomm's hardware. The first tranche of patches includes eight critical, 11 high severity, and nine fixes that are …
Iain Thomson, 6 Jul 2016

Bitcoin child abuse image pervs will be hunted down by the IWF

Blockchain forensics are being harnessed in an effort to clamp down on the trade in images of child sex abuse on the dark web. The Internet Watch Foundation (IWF) is teaming up with Elliptic, a UK blockchain intelligence start-up, in a bid to track individuals who use Bitcoin to pay for images of child sex abuse. The IWF is …
John Leyden, 6 Jul 2016

'Double speak' squawk users as Silent Circle kills warrant canary

Silent Circle has quietly euthanized its warrant canary for 'business reasons' leading privacy pundits to freak out over double negatives and double speak. The much-loved privacy company offers the hardened BlackPhone geared to business folks who want to frustrate the surveillance state and criminals. Like others, its warrant …
Darren Pauli, 6 Jul 2016

Outed China ad firm infects 10m Androids, makes $300k a month

Net scum behind the Hummingbird Android malware are raking in a mind-boggling US$300,000 (£233,125, A$404,261) a month through illegitimate advertising and app downloads from a whopping 10 million infected devices. The offending group, known as Yingmob, is an offshoot of a legitimate Chinese advertising analytics firm with …
Darren Pauli, 6 Jul 2016

TP-Link abandons 'forgotten' router config domains

TP-Link, rather than recovering domains it forgot to renew, is going to abandon them. The domains in question are tplinklogin.net and tplinkextender.net. They offered configuration services for buyers of the company's home routers and Wi-Fi link extenders, and are identified on stickers on some devices (not all: two TP-Link …

HPE rushes out patch for more than a year of OpenSSL vulns

HP Enterprise has popped into its Tardis, and gone back in time to patch OpenSSL bugs dating back to 2014 – including the infamous Logjam bug. The bugs are in various network products: Intelligent Management Center (iMC), the VCX unified communications products, and the Comware network operating system. The company's notice …

Gigabyte BIOS blight fright: Your megabytes’ rewrite plight in the spotlight

Gigabyte has been swept into turmoil surrounding low-level security vulnerabilities that allow attackers to kill flash protection, secure boot, and tamper with firmware on PCs by Lenovo and other vendors. Unconfirmed reports suggest the hardware vendor has used the "ThinkPwn" vulnerable code, thought to be born of Intel …
Darren Pauli, 6 Jul 2016

Chap fails to quash 'shared password' 'hacking' conviction

A man who used his colleagues' passwords to swipe confidential information from his employer has failed to overturn his computer hacking conviction. In a 2-1 decision [PDF] today, the California 9th Circuit Court of Appeals agreed with a lower court's judgment that David Nosal broke the Computer Fraud and Abuse Act (CFAA). In …
Shaun Nichols, 6 Jul 2016

EasyDoc malware adds Tor backdoor to Macs for botnet control

Security firm Bitdefender has issued an alert about a malicious app that hands over control of Macs to criminals via Tor. The software, called EasyDoc Converter.app, is supposed to be a file converter but doesn't do its advertised functions. Instead it drops complex malware onto the system that subverts the security of the …
Iain Thomson, 5 Jul 2016

EU uncorks €1.8bn in cybersecurity investment. Thirsty, UK?

The EU Commission has launched a public-private partnership on cybersecurity that is expected to trigger €1.8bn ($2bn) of investment by 2020. The EU is promising to invest €450m ($502m) in a bid to spur innovation in cybersecurity with the remainder coming from the private sector. Some security commentators reckon the Brexit …
John Leyden, 5 Jul 2016

5 years, 2,300 data breaches. What'll police do with our Internet Connection Records?

Police forces across the UK have been responsible for “at least 2,315 data breaches” over the last five years, according to research by Big Brother Watch, prompting concerns about the increasing amount of data they're holding. Titled Safe in Police Hands? the 138-page report is released today after months of requests made by …

Theft of twenty-somethings' IDs surges

Last year saw a surge in identity fraud against young UK adults, according to official figures published today. Cifas' data reveals identity fraud victims aged 30 and under rose 52 per cent in 2015. Just under 24,000 (23,959) people aged 30 and under were victims of identity fraud, according to figures from the UK’s leading …
John Leyden, 5 Jul 2016

Second celebgate hacker pleads guilty to phishing

A second US man has pleaded guilty to stealing intimate pictures of celebrities using a phishing scam. Edward Majerczyk, 28, who resides in Chicago and Orland Park, Illinois, was charged with hacking into the Apple iCloud and Gmail accounts of more than 300 people, including Hollywood celebrities. In a plea bargaining deal, …
John Leyden, 5 Jul 2016

Word hole patched in 2012 is 'unchallenged' king of Office exploits

Possibly the most exploited unchallenged Microsoft Office vulnerability of the last decade was found and patched in 2012. Sophos threat researcher Graham Chantry says the longevity of the dusty bug affecting Office 2003, 2007, and 2010, is thanks to its constant adaptation by exploit kit authors, and a pervasive unwillingness …
Darren Pauli, 5 Jul 2016

Researcher pops locks on keylogger, finds admin's email inbox

Trustwave researcher Rodel Mendrez has gained access to the inbox of the criminal behind a commercial keylogger used to attack industries including finance, cloud services, logistics, foreign trade, and government. Mendrez's reverse engineering effort found credentials buried within the Hawkeye keylogger that lead through …
Darren Pauli, 5 Jul 2016

Israel's security minister suckers Zucker for Facebook'ed killings

Israel's Public Security Minister Gilad Erdan has blamed Facebook founder Mark Zuckerberg for the killing of Hallel Ariel and Michael Marks. The Minister told local program Meet the Press that Facebook does not do enough to alert security forces to terrorist-related posts after Ariel's killer Muhammad Tarari posted to the social …
Darren Pauli, 5 Jul 2016

Vuln drains energy sector control kit

The US industrial control system computer emergency response team (ICS-CERT) has warned of twin flaws in substation control software. The SICAM Power Automation System contains poorly protected credentials (CVE-2016-5848) and information exposure (CVE-2016-5849) found by Russian researchers Ilya Karpov and Dmitry Sklyarov of …
Team Register, 5 Jul 2016

Mozilla emits nightly builds of heir-to-Firefox browser engine Servo

Mozilla has started publishing nightly in-development builds of its experimental Servo browser engine so anyone can track the project's progress. Executables for macOS and GNU/Linux are available right here to download and test drive even if you're not a developer. If you are, the open-source engine's code is here if you want …
Shaun Nichols, 4 Jul 2016

Klepto Zepto could steal millions in looming ransomware wave

A dangerous new ransomware variant based on the Locky ransomware has security experts worried. The Zepto malware has been carried in nearly 140,000 spam messages sent over four days last week. The ransomware appears to have Locky's capabilities which could make it one of the more dangerous encryption lockers in circulation. …
Darren Pauli, 4 Jul 2016

One in 200 enterprise handsets is infected

If your enterprise has 200 mobile devices at least one is infected, so says security firm Skycure. The Palo Alto firm has uncovered previous nasty Apple bugs, including the No iOS Zone flaw reported by El Reg last year. All told about three percent of the locked-down vanilla Cupertino devices are infected, the company says in …
Darren Pauli, 4 Jul 2016

SQLite developers need to push the patch

SQLite has pushed out an update to fix a local tempfile bug, to address concerns that the bug could be exploitable beyond the merely local. The bug was found by KoreLogic and reported to the popular open source database project, before being published at Full Disclosure. The issue is that SQLite creates its tempfiles in a …

Here's how to SMS spam Liberal voters and get away with it

It's easy to spam voters with text messages and get away with it. If you wanted to swing voters ahead of a federal election, as the Australian Labor Party is alleged to have done in a message claiming a rival Liberal Coalition Government would privatise the nation's healthcare provider Medicare, you wouldn't send a text …
Darren Pauli, 4 Jul 2016

Lenovo scrambling to get a fix for BIOS vuln

Lenovo, and possibly other PC vendors, is exposed to a UEFI bug that can be exploited to disable firmware write-protection. If the claims made by Dmytro Oleksiuk at Github are correct, an attacker can “disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode (Credential …

UEFA's Euro 2016 app is airing football fans’ privates in public

The official UEFA Euro 2016 app is leaking football fans’ personal data, security researchers warn. The app is transmitting user credentials - including usernames, passwords, addresses and phone numbers - over an insecure internet connection, mobile security outfit Wandera discovered. The lack of encryption in the app, which …
John Leyden, 1 Jul 2016

700,000 Muslim Match dating site private messages leaked online

Hackers have leaked the personal details of 150,000 users of the Muslim Match website after breaking into the niche dating portal. Almost 150,000 user credentials and profiles, as well as more than 700,000 private messages between users, were posted online. "These private messages cover a range of subjects from religious …
John Leyden, 1 Jul 2016

Chinese gambling site served near record-breaking complex DDoS

A Chinese gambling company has been pulverised with multiple nine-vector, 470 Gbps, 110 million packet-per-second distributed denial of service (DDoS) attacks, some of the biggest and most complex ever recorded. The unnamed company was attacked by DDoS that used nine vectors in a very rare bid to bypass Incapsula's mitigation …
Darren Pauli, 1 Jul 2016