Microsoft unloads monster-sized can of bug spray on Internet Explorer, again

True to form, Microsoft has released its latest batch of monthly security fixes, although as expected, September's Patch Tuesday update is a relatively light one. As Redmond warned us, the only critical patches this time around are included in a big roll-up of fixes for Internet Explorer, which addresses one publicly disclosed …

Phishing miscreants THWART securo-sleuths with AES-256 crypto

Phishing fraudsters have begun using industry-standard AES-256 encryption to disguise the content of fraudulent sites. Obfuscated phishing sites are nothing new. Various techniques such as JavaScript encryption tools are commonly used but Symantec recently caught what it reckons is the first use of AES-256 encryption in dodgy …
John Leyden, 9 Sep 2014

Use home networking kit? DDoS bot is BACK... and it has EVOLVED

A router-to-router bot first detected two years ago has evolved - and now has the capability to reconfigure the firewalls of its victims. The Lightaidra malware captured by security researcher TimelessP (@TimelessP) is an IRC-based mass router scanner/exploiter that's rare because it spreads through consumer network devices …
John Leyden, 9 Sep 2014

Greater dev access to iOS 8 will put us AT RISK from HACKERS

Increased developer access to iOS 8 could result in decreased security, a mobile security expert warns. Apple's expected iPhone 6 / iOS 8 announcement later on Tuesday is expected to include adding a number of new features to iOS 8 for developers. This will involve opening up more of the underlying architecture – increasing the …
John Leyden, 9 Sep 2014

Ultimate hardware hack: Home Depot nailed by vice merchants

Do-it-yourself kingpin Home Depot has confirmed a report that it was breached, indicating the compromise occurred in April this year. The US retail chain was working with law enforcement over the compromise of payment terminals across stores in the country. Chief executive of the hacked firm Frank Blake admitted the breach in a terse …
Darren Pauli, 9 Sep 2014

Enigmail PGP plugin forgets to encrypt mail sent as blind copies

Enigmail has patched a hole in the world's most popular PGP email platform that caused mail to be sent unencrypted when all security check boxes were ticked. The dangerous hole in the Mozilla Thunderbird extension affected email that was sent only to blind carbon copy recipients on all versions below 1.7.2 released last month. …
Darren Pauli, 9 Sep 2014

Everyone taking part in Patch Tuesday step forward. NOT SO FAST, Adobe!

Adobe has pushed back the release date for a planned security fix in Acrobat and Reader. The company said that the patch for both Windows and OS X versions of Reader and Acrobat due for tomorrow will instead arrive next week. The delay will give the company time to iron out problems spotted during testing, the company said in …
Shaun Nichols, 9 Sep 2014

China is now 99.8% sure you're you, thanks to world's-best facial recognition wares

Chinese researchers have developed a facial recognition system that can pick faces from a crowd with 99.8 percent accuracy from 91 angles. The platform can distinguish between identical twins, unravel layers of makeup and still identify an individual if they've packed on or shed kilos. Researcher Zhou Xi of the Chinese Academy …
Darren Pauli, 9 Sep 2014

Salesforce: Oh no! Dyre RATs are thirsty for our customers' logins

Salesforce has warned that miscreants are trying to infect its customers with a remote access trojan (RAT) dubbed Dyre that siphons off Salesforce.com login data. "On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known …
Iain Thomson, 8 Sep 2014

Snowden shouldn't be extradited to US if he testifies about NSA spying, says Swiss gov

Master spook blabbermouth Edward Snowden should be granted safe passage to and from Switzerland if he testifies about surveillance, the country's attorney general has reportedly said. Last year, the one-time NSA sysadmin leaked files revealing some of the secret spying tactics of UK and US spooks. Snowden currently has …
Team Register, 8 Sep 2014

Celeb nudie iCloud pervs hatched photo-slurping Flappy Bird plot

The hacker ring behind last week's celebrity nude selfie iCloud privacy flap also planned to use malware to obtain private photographs from compromised Android phones. The hackers swapped snaps on the /stol/ (short for “stolen”) forum on image board AnonIB, a spinoff of the notorious 4chan, including intimate snaps of Jennifer …
John Leyden, 8 Sep 2014

Dodgy Norton update borks UNDEAD XP systems

A dodgy Symantec update brought pain for those remaining Windows XP users who rely on Norton to keep their undead operating system free from viruses. In a statement, Symantec admitted the problem but downplayed its significance. This issue has now been resolved. The limited number of customers affected should run a Live …
John Leyden, 8 Sep 2014

Mozilla certification revocation: 107,000 websites sunk by untrusted torpedo

Over 107,000 websites have been consigned to the depths of the untrusted internet after Mozilla's move last week to allow its 1024-bit certificates to expire. The latest shipment of Firefox 32 improved security by killing support for the 1024-bit certificate authority (CA) certificates within the browser's trusted store. Google' …
Darren Pauli, 8 Sep 2014

Nude celeb pics wrongly blamed for DDOS at New Zealand's largest ISP

New Zealand's largest ISP, Spark, has spent the weekend fighting off a DDOS incorrectly assumed to have a connection with last week's nude celebrity picture scandal. The ISP hit trouble last Friday, when it Tweeted that some of its subscribers had become infected with malware that was flooding its DNS servers and making it hard …

Doubts cast over FBI 'leaky CAPTCHA' Silk Road rapture

Rather than a conspiracy involving NSA wiretaps, the FBI claims the downfall of Silk Road began with a leaky CAPTCHA. Responding to a request for information from former kingpin Ross Ulbricht's defence lawyers, the Feds say the CAPTCHA left a trail from the TOR-protected Silk Road servers to the public Internet. That revealed …
Darren Pauli, 8 Sep 2014

Google recommends pronounceable passwords

Google has updated its password manager to recommend pronounceable passwords within its flagship Chrome browser. The experimental feature was the latest development which could make it into the regular versions of Chrome as part of steady improvements to its password capture, storage and generation. Chrome evangelist and …
Darren Pauli, 7 Sep 2014

Reddit wipes clean leaked celeb nudie pics, tells users to zip it

Reddit has finally yanked a page abuzz with private celebrity nude pics that were leaked via anarchic message board 4chan late last Sunday. The subreddit, dubbed TheFappening, disappeared on Saturday - six whole days after the photos of stars including Jennifer Lawrence provocatively posing naked appeared online. But, privacy- …
Kelly Fiveash, 7 Sep 2014

'4chan may be just a sysadmin who knows his way around', claims so-called expert

QoTW This week’s tech news was dominated by the online publication of naked photos of celebrities like Jennifer Lawrence, Kate Upton and Ariana Grande, which were posted online by an anonymous hacker who apparently sourced the images from Apple’s iCloud. The pictures of 17 celebrities were posted to 4chan by the hacker, who claimed …

New software ported from Windows to Mac! You'll never guess what. Yes, it's spyware

Miscreants have ported five-year-old spyware XSLCmd to OS X. The Windows version of the malware has been around since 2009, and the Apple Mac edition of XSLCmd shares significant portions of the same code. It can open a reverse shell to its masters, automatically transfer your documents to a remote system, install executables, …
John Leyden, 5 Sep 2014

Apple promises iCloud security alerts, better 2FA after, er, NAKED Internet of Thingies flap

Apple plans to roll out new iCloud security alerts as well as extending its two-step authentication technology in the wake of this week's privacy flap over nude selfies of Jennifer Lawrence, Kate Upton and other celebs. Private pictures of disrobed (female) celebrities including Oscar winner Lawrence and swimwear model Upton …
John Leyden, 5 Sep 2014

Robin Hood virus: Chinese hackers target nation's wealthy

It seems China's state-supported hackers are being overshadowed by the black hat scene as the latter appears to have doubled in size – with some brazen crackers turning to carding the nation's wealthiest. A Trend Micro report dubbed The Chinese Underground in 2013 [PDF] issued this week reveals the black hat hacking scene has …
Darren Pauli, 5 Sep 2014

Back-to-school Patch Tuesday: Critical updates for Internet Explorer, Adobe Reader

Microsoft is planning a light edition of Patch Tuesday for September with just four bulletins, only one of which covers critical vulnerabilities. But an upcoming Adobe critical update for its Reader software around the same time means sysadmins are still likely to have their hands full next Tuesday. The sole critical update for …
John Leyden, 5 Sep 2014

Microsoft, eBay apps open to man-in-the-middle diddle

At least 350 Android apps are open to man-in-the-middle (MITM) attacks, thanks to code that fails to validate certificates over secure sockets layer (SSL), says US Computer Emergency Response (CERT) security pro Will Dormann. The apps can be found in the Google Play and Amazon stores and have been included in a continually updated …
Darren Pauli, 5 Sep 2014

Cyber-hoodlum tripped, fell, landed in Obama's Healthcare.gov server

Officials at the US Department of Health and Human Services (DHHS) have today confirmed that one of the Healthcare.gov servers was hacked. The system was compromised in July, when an as-yet unidentified miscreant managed to worm his or her way in and install malware. The security breach was spotted and the machine – which was …
Iain Thomson, 5 Sep 2014

Something smells PHISHY: It's the celeb nudie iCloud PERV trap...

Consumers are being warned to be on their guard against phishers' fake Apple emails and texts designed to exploit the publicity about this week's nude celeb picture flap. In addition to scam emails designed to trick gullible recipients into logging into phishing sites, Symantec warns of a likely upsurge in fraudulent text …
John Leyden, 4 Sep 2014

Mac security packages range from peachy to rancid – antivirus tests

Updated Independent tests of Mac antivirus products have discovered that the effectiveness of these security packages runs from a risible 20 per cent to an unimpeachable 100 per cent. German security lab AV-TEST.org put 18 free and paid-for Mac OS X security products and services to the test, discovering widely differing performances in …
John Leyden, 4 Sep 2014

Scared of brute force password attacks? Just 'GIVE UP' says Microsoft

Sysadmins trying to harden user passwords against brute force attacks, or everyday folk trying to make sure their passwords don't lead to nude selfie leaks may not need to bother, according to the latest research from Microsoft mavericks. Redmond password provocateurs Dinei Florencio and Cormac Herley say password hardening isn' …
Darren Pauli, 4 Sep 2014

VirusTotal mess means YOU TOO can track Comment Crew!

Security researcher Brandon Dixon has used Google's VirusTotal malware analysis tool to spy on what he claims are state-sponsored Chinese and Iranian elite hacking crews. Dixon (@9bplus) used the paid version of VirusTotal to watch as a subgroup of the Chinese hacker group Comment Crew and an unnamed Iranian mob developed, …
Darren Pauli, 4 Sep 2014

Twitter launches beer-money bug bounty

Twitter has announced it will begin paying for newly-found vulnerabilities under a bug bounty that has quietly run since June. The program, launched through third-party bounty outfit HackerOne, has so far garnered 44 reports, none of which were eligible for payments since they were submitted prior to today. Twitter says it is …
Darren Pauli, 4 Sep 2014

NATO nations 'will respond to a Cyber attack on one as though it were on all'

NATO is set to agree a new cyber defence policy that would mean any severe cyber attack on a NATO member could be considered tantamount to a traditional military attack and invoke the alliance's collective defence provisions. Article V is the collective defence clause of the NATO treaty by which an attack on one member is …
John Leyden, 3 Sep 2014

NUDE SELFIE CLOUD PERV menace: Apple 2FA? Sweet FA, more like

Apple’s two-factor authentication doesn't actually protect iCloud backups or photo streams, contrary to what many iPhone and iPad fondlers might wish to believe. Scores of (mostly female) celebrities, including Oscar winner Jennifer Lawrence, had their iCloud hacked before miscreants siphoned off private nude snaps which …
John Leyden, 3 Sep 2014

CNN 'tech analyst' on NAKED CELEBS: WHO IS this mystery '4chan' PERSON?

Vid "If your password is password, change the 's' to a dollar sign." That's the advice from US news network CNN's "technology analyst" Brett Larson, who also thinks that 4chan is some sysadmin bloke who knew how to "hack things" so he could leak saucy, private photos of Jennifer Lawrence and other female celebrities. The confusion …
Kelly Fiveash, 3 Sep 2014

Are you a HOT CELEB? Think your SEXY PICS are safe? Maybe NOT

Rather than a single iCloud hack, this week's furore over celebrity nude pics looks more like the work of one or many "secret circles" of hackers whose members mingle on anarchic messageboard 4Chan to share their digital loot from computers and phones they've cracked over a period of years. The photos were, according to one …
Darren Pauli, 3 Sep 2014

Snooptastic US CELL TOWERS pose man-in-the-middle THREAT

A significant number of cell towers in the US are not what they seem to be. In fact, at least according to a recent report, it’s likely they are snooping on your calls. One of the impressive things about GSM is that despite being a standard that was devised nearly a quarter of a century ago, it’s still pretty secure. If you're …
Simon Rockman, 3 Sep 2014

Firefox 32 moves to kill MITM attacks

The Mozilla Foundation has stepped up its efforts to improve browser security with the launch of Firefox 32, adding public key pinning to try and protect users from man-in-the-middle and other attacks. The change is among a bunch of enhancements offered in the new version, now available for Windows, Mac, Linux and Android users …

Car makers, space craft manufacturers infected with targeted recon tool

Researcher James Blasco is warning the auto and aerospace industries against engineering software that's been compromised by keystroke-logging and reconnaissance malware. Blasco says an un-named provider of such software was compromised after a staffer visited a watering hole website that was established specifically to lure …
Darren Pauli, 3 Sep 2014

Hot Celebrity? Stash of SELFIES where you're wearing sweet FA? Get 2FA. Now

Apple has denied any compromise of its systems in relation to this weekend's nude celebrity photo dump. The company said that none of its iCloud or Find My iPhone databases were breached in the attack, which resulted in the release of nude photos of a number of prominent actresses and models. "After more than 40 hours of …
Shaun Nichols, 2 Sep 2014

Claimed Home Depot credit card hack could be biggest retail breach yet

One of the US's largest home improvement chains is investigating whether its systems have been cracked by hackers, as one security researcher has claimed. "I can confirm that we’re looking into some unusual activity and we are working with our banking partners and law enforcement to investigate," the company told El Reg in a …
Iain Thomson, 2 Sep 2014

'Sony and Twitch' hacking crew Lizard Squad: 'We quit'

The Lizard Squad hacking crew appears to have called it quits over the weekend following high profile assaults on Sony as well as online attacks on Blizzard and Twitch, a broadcast platform for gamers, among others. The eight-strong group of trickster hackers posted a notice of their intention to throw in the towel on their …
John Leyden, 2 Sep 2014

Gang behind '1.2 billion' megahack ransack is pwning our customers – hosting firm

Anecdotal evidence is emerging that the Russian botnet raiders behind the "biggest-ever" password theft have begun attacks against web services using stolen login credentials. The CyberVor gang is reported to have amassed a vast stockpile of compromised login credentials for "1.2 billion" accounts, Hold Security warned in August …
John Leyden, 2 Sep 2014

Not even CRIMINALS want your tablets, Blighty - but if that's an iPhone you're waving...

UK smartphone thieves prefer iPhones while their light-fingered counterparts in Germany favour Android, according to the results of a new survey. Mobile security firm Lookout's Phone Theft in Europe study found iPhones are the most popular target of theft in the UK. 39 per cent of stolen phones in Blighty are iPhones, …
John Leyden, 2 Sep 2014

iOS phone phlaw can UNMASK anonymous users on social media

Apple iThing users can be identified, images of their faces captured and their phones forced to call numbers – all thanks to coding schemes affecting Facebook, Google, and Twitter, among other sites and services, security researchers say. Attackers and pranksters can force iOS coding schemes to send an SMS or an instant message …
Darren Pauli, 2 Sep 2014