
Most SAP HANA installs poppable with default keys, hacker says

ERPScan technology boss Alexander Polyakov says default security settings are exposing passwords and root keys in SAP HANA to external attackers. Attackers can use universal default keys to decrypt encrypted passwords used by the in-memory, column-oriented, relational database management system. Polyakov says administrators are …
Darren Pauli, 19 Jun 2015

FBI says in secret that secret spy Cessnas aren't secret

The FBI has told Congress not to worry about its shell-company-owned surveillance aircraft, which are decked out in the best surveillance tech, as they are engaged in an unclassified operation - which they were unwilling to talk about in a Congressional briefing. The snooping Cessnas were spotted over Baltimore during the …

US National Vulnerability Database contained ... yup, an XSS vuln

The US National Vulnerability Database was itself left vulnerable to cross-site scripting last week. The NVD serves as a definitive source of information on CVE security flaws. The XSS vulnerability meant that a skilled hacker could present surfers with content from arbitrary third-party sites as if it came from the NVD itself …
John Leyden, 18 Jun 2015

Protecting users against advanced threats and the human factor

WEBCAST Register now to watch our live Regcast, where we look at why the human factor is an important internet security risk. Watch this video broadcast live today at 11:00 BST. Handy synopsis for you: As we reported in April, you build security, and the users muck it up. At a time when productivity growth in many businesses has ground …
David Gordon, 18 Jun 2015

Reddit joins the HTTPS-only stampede

Reddit will soon be served over HTTPS only as part of wider moves to secure the web. The Front Page of the Internet™ began serving its user-curated pages over secure sockets layer last September, in an effort that took some nine months to complete. The site has now decided that as of 29 June it will begin pushing all traffic to …
Darren Pauli, 18 Jun 2015

'No evidence' Snowden was working for foreign power says ex-NSA boss

Former National Security Agency director Michael Hayden this week told a conference about how little fallout the NSA has suffered after the Snowden leaks, and detailed how his former agency would hack other governments. He said to his audience at the Wall Street Journal's chief financial officer conference: If somebody would …
Iain Thomson, 18 Jun 2015

Phone scamming up 30 percent last year: Report

Retail and finance call centre phone scamming in the US is up 30 percent according to research. The 2014 findings are based on some 86 million scam calls a month picked up by Pindrop Security in which attackers aimed to obtain personal information on potential victims. The phone security company says one in 2200 calls are …
Darren Pauli, 18 Jun 2015

Chrome, Debian Linux, and the secret binary blob download riddle

The Debian Project thinks it's fixed an issue where Google's Chromium web browser snuck proprietary code into the fiercely Free Software oriented Debian Linux distro. That hasn't stopped Debian users from wondering how the issue got past project maintainers in the first place. Debian user Yoshihito Yoshino first raised the red …
Neil McAllister, 17 Jun 2015

Speaking in Tech: LastPass hack was a total HASH, amirite?

Podcast Hosted by Greg Knieriemen, Ed Saipetch and Sarah Vela. This week, Sarah is out while Ed and Greg talk about the LastPass hack, OpenStack training certifications and Facebook privacy concerns in the EU. Our special guest this week is Ashley McNamara, Developer Advocate at …
Team Register, 17 Jun 2015

Downing Street secretly deletes emails to avoid exposure to FOIeurs

Email records on computers in Downing Street are subject to automatic deletion within three months through a system which makes it almost impossible for the public to view them under the Freedom of Information Act, former staff have disclosed to the Financial Times. Reporters at the salmon-pink broadsheet discovered that this …

Banking trojan besieges Bundestag … for the second time

Online banking trojan Swatbanker has been brought into play in a second round of attacks against the German Bundestag, reports security software firm G DATA. Investigation of the configuration files embedded in the malware has revealed that the Swatbanker botnet integrated new filter functions for the domain "Bundestag.btg" – …
John Leyden, 17 Jun 2015

Furious Flems fling privacy rule book at Facebook

Belgium has made good on its promise to take action over Facebook’s privacy breaches, and will haul Zuck's ad empire into court on Thursday. A recent report for the Commission de Protection de la Vie Privée (CPVP) said Facebook trampled users’ rights, tracking them across the web whether they want it or not. Unable to fine the …
Jennifer Baker, 17 Jun 2015

British Library publishes Digital Magna Carta – written-by-web-vote because it's 2015

It's the 800th anniversary of the Magna Carta: the document that King John was forced to sign by English barons in 1215, and which has served as the cornerstone for many of the world's judicial systems ever since. And to commemorate it, the British Library has published its crowdsourced version for the digital world. The Digital …
Kieren McCarthy, 17 Jun 2015

Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X

Six university researchers have revealed deadly zero-day flaws in Apple's iOS and OS X, claiming it is possible to crack Apple's password-storing keychain, break app sandboxes, and bypass its App Store security checks. Attackers can exploit these bugs to steal passwords from installed apps, including the native email client, …
Darren Pauli, 17 Jun 2015

Three exposed Brit's privates with sloppy survey code

Hacker Joseph Redfern has reported a privacy flaw at UK telco Three, which exposed names and email addresses in online surveys. The telco shuttered the offending survey site and the exposed API which returned the private information in JSON forms when a user entered data. Redfern says the flaw meant any phone number could be …
Darren Pauli, 17 Jun 2015

AdBlock aims to send filthy malverts on one-way LSD trip

Enterprises will be able to stem the remaining revenue stream for online news outlets using a new wide network feature launched today for popular browser extension AdBlock Plus. The extension modified under the ongoing AdBlock Plus for Administrators project will make it easier to deploy across technology device fleets by …
Darren Pauli, 17 Jun 2015

Vapourware no more: Let's Encrypt announces first cert dates

The Mozilla-backed Let's Encrypt effort is moving out of its vapourware phase, announcing general availability for September 2015 and an intention to issue its first certificate in the week of July 27. Launched last year by Mozilla, the Electronic Frontier Foundation (EFF) and Cisco, Let's Encrypt's aim is to create no-charge …

How to hijack MILLIONS of Samsung mobes with man-in-the-middle diddle

Samsung smartphones can be hijacked, infected with malware, and remotely controlled by malicious Wi-Fi hotspots in cafes, hotels, and so on, security researchers claim. According to the bods at NowSecure, millions of handsets have a remote-code execution vulnerability that is a software design flaw. One workaround is to avoid …
Shaun Nichols, 17 Jun 2015

Google to shell out up to $58k for new Nexus epic pwnage

Researchers can score up to US$58,000 for bypassing core Nexus security mechanisms with a remote exploit under an expansion of Google's bug bounty program launched today. The top payments under the Security Rewards program are for bypasses of controls that Google uses to minimise exploitation risks. Hackers can land the most …
Darren Pauli, 17 Jun 2015

Hacked US OPM boss: We'll fix our IT security – just give us $21 million

The boss of the US government's thoroughly ransacked Office of Personnel Management has – rightly – come in for a rough ride from members of the House Committee on Oversight and Government Reform. Politicians on both sides of the trenches tore strips off the lamentable state of security in the agency, which was raided by hackers …
Iain Thomson, 16 Jun 2015

FBI to 'aggressively' probe St Louis Cardinals in baseball 'hack' storm

The St Louis Cardinals – the perennial good guys of pro baseball – are being investigated by the FBI after someone allegedly gatecrashed computer systems belonging to the Cardinals' former rivals, the Houston Astros. Office staff at the Cardinals may have gained unauthorized access to the Astros' internal databases using nothing …
Iain Thomson, 16 Jun 2015

Chinese snoops try tracking VPN users with fiendish JSONP trickery

Snoops are exploiting vulnerabilities in China’s most frequented websites to target individuals accessing web content which state censors have deemed hostile. Even users who run VPN connections to access websites that are blocked by China’s censorship technology, often called the Great Firewall (GFW), are potentially being …
John Leyden, 16 Jun 2015

Phone hacking blitz hammers UK.biz's poor VoIP handsets

UK businesses are getting disproportionately targeted by a surge of attacks against Voice over IP (VoIP) systems. The growing use of VoIP technology in business and a greater availability of hacking tools that dumb down the process of hacking into systems has led to an increase in attacks worldwide. UK-based systems are being …
John Leyden, 16 Jun 2015

Blackhats exploiting MacKeeper hole to foist dangerous trojan

Last month's MacKeeper vulnerability is now being exploited in the wild to hijack Apple machines, according to BAE security researcher Sergei Shevchenko. The hacker says criminals are using social engineering to trick users into installing malware capable of exfiltrating data using a then zero-day vulnerability in the notorious …
Darren Pauli, 16 Jun 2015

British banks consider emoji as password replacement

British outfit Intelligent Environments says it is in discussions with online banks to sell what it says is the first authentication scheme to replace passwords with emojis. The company claims emojis have 480 times more permutations than four-digit passcode equivalents, a statistic we've struggled to verify independently. …
Darren Pauli, 16 Jun 2015

Bing to encrypt search traffic by default

Microsoft product manager Duane Forrester says it will encrypt all Bing search traffic later this year. Forrester says the move follows Cupertino's 2014 decision to allow users to opt-in to HTTPS for web searches. "Beginning this (Northern hemisphere) summer, we will begin the process of encrypting search traffic by default," …
Darren Pauli, 16 Jun 2015

Westpac buys stake in Canberra crypto king QuintessenceLabs

Australian banking goliath Westpac will become a substantial stakeholder in Canberra-based QuintessenceLabs (QLabs) and use the outfit's quantum key distribution technology for its internal infrastructure. QLabs commercialises research from the Australian National University to produce quantum key distribution (QKD) and random key …
Darren Pauli, 16 Jun 2015

Australia needs MOAR L33T WHITE HATZ, says Federal Police

Australia needs a bunch more experts in disciplines you're barely allowed to discuss here, according to the Australian Federal Police. AFP cyber crime commander David McLean told the Australian Broadcasting Corporation's TV program 730 that “this April alone there was over 3,500 reports from people around Australia in relation …

LastPass got hacked: Change your master password NOW

Password-storing cloud biz LastPass is urging its users to change their master passwords after hackers broke into its network at the end of last week. The intrusion reportedly happened on Friday afternoon, but many LastPass users are only learning about it now. LastPass last had a security scare in 2011. "In our investigation, …
Neil McAllister, 15 Jun 2015

Chancellor Merkel 'was patient zero' in German govt network hack

The recent cyberattack on the German government began with the compromise of Chancellor Angela Merkel's personal computer, it is alleged. German newspaper Bild claims Merkel's computer was one of the first systems to be infected with malware linked to miscreants in Russia. Hackers reportedly used Merkel's computer to send …
Shaun Nichols, 15 Jun 2015

Duqu 2.0 malware buried into Windows PCs using 'stolen Foxconn certs'

The super-sophisticated malware that infiltrated Kaspersky Labs is craftier than first imagined. We're told that the Duqu 2.0 software nasty was signed using legit digital certificates issued to Foxconn – a world-leading Chinese electronics manufacturer, whose customers include Microsoft, Dell, Google, BlackBerry, Amazon, Apple …
John Leyden, 15 Jun 2015

'Snowden risked lives' fearfest story prompts sceptical sneers

Analysis A row has broken out over claims that Russia and China have reportedly decrypted files of NSA leaker Edward Snowden, identifying British and US secret agents in the process. The Sunday Times used unnamed UK government and intel agency officials to support a story that MI6 has withdrawn agents from overseas operations in …
John Leyden, 15 Jun 2015

Uber petitions page p0wned, thanks to textbook code

Uber has pulled its petition sites offline after a hacker exploited web vulnerabilities lodging 100,000 fake votes and redirecting visitors to rival Lyft. The hacker known only as "Austin" could not be reached at the time of writing. Uber has been contacted for comment. Austin says the petition site Uber hoped to use to lobby …
Darren Pauli, 15 Jun 2015

Snapchat slings SMS two-factor authentication

Snapchat has deployed two-factor authentication as part of its push to increase security across the popular selfie-slinging app. The sexting swap shop allows users to set up SMS log-in verification that makes en masse account hijacking more difficult, and better protects Snapchat's Snapcash money transfer system. The additional …
Darren Pauli, 15 Jun 2015

Cisco issues 16 patches to pop pesky peccant packets

Cisco has issued a string of patches for 16 faults including a fix for a possible remote code execution in its IOS and IOS XE routing software. The patches address a generous dollop of security conditions caused by faulty queued packets. One flaw, rated severity 8.3, allows attackers to gain remote code execution in IOS XE by …
Darren Pauli, 15 Jun 2015

Wikipedia to go all HTTPS, all the time

The Wikimedia Foundation has decided the time is right to implement HTTPS on all its projects, for all users, all the time. It's been possible to access the Foundation's works – notably Wikipedia – with HTTPS for a while if you're willing to jump through some hoops. The Foundation's now decided to go all-HTTPS, all the time, was …
Simon Sharwood, 14 Jun 2015

Amazon turns up spectacularly late to 'transparency' party, pours a large one

Amazon has finally released details of the info snooping governments from around the world demand of the retail and cloudy biz. The company said in a subdued blog post that it would publish a bi-annual information request report. It comes after Amazon – unlike its tech rivals – spent years resisting going public with the data. …
Kelly Fiveash, 14 Jun 2015

US mega-hack: White House orders govt IT to do what it should have done in the first place

In response to this week's data breach at the US Office of Personnel Management, the White House has ordered federal agencies to immediately deploy state-of-the-art anti-hacker defenses – things like installing security patches, and not giving everyone the admin password. This groundbreaking cyber-edict comes after dossiers …
Chris Williams, 13 Jun 2015

How much info did hackers steal on US spies? Try all of it

Analysis If the latest reports are true and Chinese hackers have managed to pilfer as much data about US government employees in sensitive positions as is thought, the Obama administration may be headed for a serious intelligence crisis. According to an Associated Press report on Friday, hackers linked to China may have compromised …
Neil McAllister, 13 Jun 2015

Dossiers on US spies, military snatched in 'SECOND govt data leak'

A second data breach at the US Office of Personnel Management has compromised even more sensitive information about government employees than the first breach that was revealed earlier this week, sources claim. It's possible at least 14 million Americans have chapter and verse on their lives leaked, we're told. The Associated …
Neil McAllister, 12 Jun 2015

Hey kids, who wants to pwn a million BIOSes?

The overlooked task of patching PC BIOS and UEFI firmware vulnerabilities leaves corporations wide open to attack, a new paper by security researchers warns. Xeno Kovah and Corey Kallenberg argue that the poor state of low-level software security is among the easiest ways for hackers to deeply infiltrate organizations. A …
John Leyden, 12 Jun 2015

Germany drops probe into NSA's Merkel phone-hacking

German attorney general (Generalbundesanwalt) Harald Range has dropped the investigation into spying on German Chancellor Angela Merkel because the allegation could not be proved by “legally watertight means.” In October 2013, media reports suggested that the US National Security Agency (NSA) had snooped on Mutti’s phone. Range …
Jennifer Baker, 12 Jun 2015