AI quickly cooks malware that AV software can't spot

DEF CON Machine-learning tools can create custom malware that defeats antivirus software. In a keynote demonstration at the DEF CON hacking convention Hyrum Anderson, technical director of data science at security shop Endgame, showed off research that his company had done in adapting Elon Musk’s OpenAI framework to the task of …
Iain Thomson, 31 Jul 2017

Facebook COO Sheryl Sandberg: Crypto ban won't help trap terrorists

Facebook's chief operating officer Sheryl Sandberg has reiterated the social network's position that weakening the encryption of messaging apps isn't going to give governments what they want. Governments and law enforcement agencies are increasingly going public with their frustration that encryption prevents them accessing …

Microsoft won't patch SMB flaw that only an idiot would expose

Updated A Windows SMB vulnerability revealed late last week at DEF CON won't be patched because Microsoft says the service should be firewalled off from the internet anyway. The 20-year-old bug is in at least Windows 2000 to Windows 10. It was discovered by RiskSense bods, who combed Redmond's file server code for flaws similar to the …

Azure security boss tells sysadmins to harden up and properly harden Windows Server

DEF CON Windows Server admins keep making mistakes that let criminals into their boxes, according to Microsoft's lead security architect for Azure management Lee Holmes. Redmond therefore wants you to harden up by using PowerShell's Just Enough Administration. “In running Just Enough Administration, the idea is that admins are your …
Iain Thomson, 30 Jul 2017

Dark web doesn't exist, says Tor's Dingledine. And folks use network for privacy, not crime

DEF CON A Tor Project grandee sought to correct some misconceptions about the anonymizing network during a presentation at the DEF CON hacking convention in Las Vegas on Friday. Roger Dingledine, one of the three founders of the Tor Project, castigated journos for mischaracterizing the pro-privacy system as a bolthole exclusively used …
Iain Thomson, 29 Jul 2017

BBC’s Micro:bit turns out to be an excellent drone hijacking tool

DEF CON The BBC’s Micro:bit computer board may be winning over school kids, but hackers have found its wireless capabilities and programmable nature make it an excellent tool for mischief. In a presentation at this year's DEF CON hacking conference in Las Vegas on Friday, Damien Cauquil, senior security researcher at Econocom Digital …
Iain Thomson, 29 Jul 2017

It took DEF CON hackers minutes to pwn these US voting machines

DEF CON After the debacle of the 2000 presidential election count, the US invested heavily in electronic voting systems – but not, it seems, the security to protect them. This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House …
Iain Thomson, 29 Jul 2017

What's the price for flinging your workers' private info at crooks? For Seagate, it's $6m

Seagate will cough up $5.75m to settle a lawsuit brought after its bungling staff accidentally handed over employees' sensitive information to fraudsters. The storage giant told [PDF] the California Northern US District Court this week that it is willing to cover the cost of identity protection services as a result of that …
Shaun Nichols, 28 Jul 2017

Systemd wins top gong for 'lamest vendor' in Pwnie security awards

Black Hat The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year's ceremony in Las Vegas. That's not surprising: government officials, US spy agencies, and software makers aren’t usually in the mood to acknowledge their failures. The Pwnies give spray-painted pony statues to those …
Iain Thomson, 28 Jul 2017

Virgin America workers reset passwords after hacker's crash landing

Virgin America's staff and contractors have been told to change their passwords after a hacker raided the airline's systems. The T-Mobile-USA-of-the-skies revealed in a letter to its workforce that its network was compromised by one or more miscreants. A copy of the missive was, as required by law, shared with California's …

Wallet-snatch hack: ApplePay 'vulnerable to attack', claim researchers

Black Hat USA Security researchers say they have come up with two separate "attacks" against ApplePay, highlighting what they claim are weaknesses in the mobile payment method. One of the attacks developed by the white hats, and presented at Black Hat USA yesterday, requires a jailbroken device to work, but the other assault does not. In …
John Leyden, 28 Jul 2017

Flaws in web-connected, radiation-monitoring kit? What could go wrong?

Black Hat Vulnerabilities in widely deployed Radiation Monitoring Devices (RDMs) present a potential mechanism for triggering false alarms and worse, according to research unveiled at Black Hat on Wednesday. RDMs are used to monitor radiation in critical infrastructure such as nuclear power plants, seaports, borders, and hospitals. …
John Leyden, 28 Jul 2017

Should you stay awake at night worrying about hackers on the grid?

Analysis The energy sector across multiple Western countries is under intensified assault by hackers. Security experts warn that industrial systems are wide open to potential exploit once hackers secure a foothold, the most difficult part of the hacking process, using targeted phishing or similar tactics. The UK's government lead cyber …
John Leyden, 28 Jul 2017

Ransomware scum straighten ties, invest in good customer service

Ransomware scum are investing in customer service processes to get more people paying, according to McAfee's lead scientist and principal engineer Christiaan Beek. Speaking at the RSA Pacific and Japan conference in Singapore today, Beek said that ransomware victims share stories of their experiences handing over bitcoin. If …
Simon Sharwood, 28 Jul 2017

Inside the ongoing fight to stamp out govt-grade Android spyware

Black Hat A study into government-grade Android spyware led researchers to a new strain of surveillance malware lurking in the Google Play app store – a strain that has now been unceremoniously booted out of the software marketplace. Last month it was revealed that the Mexican government was infecting smartphones with malware to spy on …
Iain Thomson, 28 Jul 2017

Enumeration bug offers five-finger discount on Woolworth Australia loyalty points

The Register has been alerted that Australian retailer Woolworths' customer loyalty points can be filched thanks to a user enumeration bug. A reader alerted us to the simplest user enumeration hole imaginable: you only need to know how Woolworths Rewards numbers are put together. In other words, pick up a card at any …

Hackers can turn web-connected car washes into horrible death traps

Black Hat Forget hijacking smart light bulbs. Researchers claim they can hack into internet-connected car wash machines from the other side of the world and potentially turn them into death traps. In a presentation at the Black Hat conference in Las Vegas on Wednesday, Billy Rios, founder of security shop Whitescope, and Jonathan Butts …
Iain Thomson, 27 Jul 2017

The opsec blunders that landed a Russian politician's fraudster son in the clink for 27 years

Black Hat Uncle Sam's lawyers have revealed the catalog of operational security mistakes that led to the cuffing of one of the world’s most prolific credit-card crooks. Last year, Roman V Seleznev, 32, was found guilty of multiple counts of fraud and hacking by a jury in Washington, USA. He was later thrown in the cooler for 27 years. …
Iain Thomson, 27 Jul 2017

Strong and stable, my arse. UK wobbles when coping with ransomware

A third of businesses have suffered a ransomware attack in the last 12 months, according to a new survey sponsored by Malwarebytes. Globally, most organisations experienced some form of attack or breach during the past year, with 35 per cent suffering a ransomware attack specifically. Ransomware demands are relatively low, …
John Leyden, 27 Jul 2017

'SambaCry' malware scum return with a Windows encore

Malware authors continue to chip away at Samba bugs similar to those that helped spread WannaCry/WannaCrypt. Kaspersky researchers writing at Securelist say they've spotted a Windows variant of SambaCry, which was first spotted in June. The new variant has been dubbed "CowerSnail". The researchers strongly suspect CowerSnail …

Microsoft adds all of Windows – including Server – to extended bug bounty program

Microsoft has extended its bug bounty program for Windows Insider to include the whole of the OS, extended its operation indefinitely and added Windows Server Insider to the eligibility list. Redmond’s previously offered bounties for specific Windows features only. Now you can score sweet Seattle-sourced dollars for finding a …
Simon Sharwood, 27 Jul 2017

Greek police arrest chap accused of laundering $4bn of Bitcoin

Police in Greece have arrested a Russian national they accuse of running the BTC-e Bitcoin exchange to launder more than US$4bn worth of the cryptocurrency. According to Greek language news outlet the Daily Thess, FBI agents tracked 38-year-old Alexander Vinnik for more than a year before his arrest. Another local outlet, …

Reminder: Spies, cops don't need to crack WhatsApp. They'll just hack your smartphone

Police in Germany will forego seeking decryption keys for secure messaging apps, like WhatsApp, and instead simply hack devices to snoop on suspects. Given the grumblings coming from Australia, the UK, and other Five Eyes states about encrypted messaging, we suspect these nations will follow suit – if they're not there already …
Shaun Nichols, 26 Jul 2017

Details of 400,000 loan applicants spilled in UniCredit bank breach

Italian bank UniCredit admitted on Wednesday that a series of breaches, undetected for nearly a year, exposed the personal data of 400,000 loan applicants. In an English-language statement, UniCredit blamed an unnamed third-party provider for exposing Italian customer data – including International Bank Account Numbers (IBANs …
John Leyden, 26 Jul 2017

Revealed: 779 cases of data misuse across 34 British police forces

A freedom-of-information request by Huntsman Security has discovered that UK police forces detected and investigated at least 779 cases of potential data misuse by personnel between January 2016 and April 2017. Despite the high number of cases, the same request also revealed that the vast majority of the 34 police forces …
John Leyden, 26 Jul 2017

Time-rich netizens marshall ballot-stuffing bots against... Radio Times contest

Internet ballot-stuffing has existed for as long as Rickrolling, if not longer, but it used to be a serious endeavour requiring a certain level of commitment, however misguided. Yesterday a Reddit community sprung up dedicated to the proposition that it's worth the trouble to use bots to skew a Radio Times poll. Yes, the TV …
John Leyden, 26 Jul 2017

Beijing police quench scum allegedly behind 'Fireball' fraudware

Chinese police have moved on the developers of the Fireball adware that infected millions of computers earlier this year. Fireball was described by Check Point in June after outbreaks in India, Mexico and Brazil. It bundled itself with legitimate software, and used browser plug-ins to boost its own advertisements. At the time …

US spies hacked our phones over the air, claim pipeline protesters

For the past year or so, protesters in North Dakota, America, have been trying to prevent an oil pipeline from being built through Native Americans’ sacred land. As a result, they’ve gone through an astonishing level of electronic surveillance while there, it is claimed. For instance, fake cellphone towers were used to listen …
Iain Thomson, 26 Jul 2017

Crap gift card security helps crims spend your birthday pressie cash

Gift cards' lousy security makes it easy for crooks to spend marks' money, researchers said Tuesday night. During their presentation at the BSides conference in Las Vegas, William Caput and Sam Reinthaler used an $80 card reader and writer, and some tech savvy, to demonstrate just how easy it is for miscreants to get access to …
Iain Thomson, 26 Jul 2017

Las Vegas locks down ahead of DEF CON hacking conference

DEF CON Businesses in Las Vegas are locking down their systems as hackers fly into the fetid hell of Sin City for a trio of security conferences. This week the BSides conference, Black Hat, and DEF CON are all in town and folks here are worried that their computers are going to be thoroughly subverted by visiting miscreants. Caesars …
Iain Thomson, 25 Jul 2017

Adobe will kill Flash by 2020: No more updates, support, tears, pain...

Adobe has officially set a kill date for its beleaguered Flash. The Photoshop giant said today it plans to end support for the hacker-prone multimedia browser plugin by the end of 2020. This means no more updates for Flash Player after that date and the end of support on many browsers, including Chrome, Internet Explorer and …
Shaun Nichols, 25 Jul 2017

ALIS in Blunderland: Lockheed says F-35 Block 3F software to be done by year's end

F-35 software development will be finished by the end of this year, Lockheed Martin has said – which contradicts the view of various American government audit agencies. "We are well positioned to complete air vehicle full 3F and mission systems software development by the end of 2017," said exec veep Jeff Babione, in a …
Gareth Corfield, 25 Jul 2017

Crappy hacker crew fingered for Bundestag snooping operation

Security researchers have lifted the lid on a new cyber-espionage crew that has targeted the German Bundestag and Turkish diplomats. CopyKittens has attacked government, security and academic institutions, websites in Germany and Turkey, as well as United Nations employees and organisations in Saudi Arabia, Israel and Jordan …
John Leyden, 25 Jul 2017

Kid found a way to travel for free in Budapest. He filed a bug report. And was promptly arrested

The arrest of a Hungarian bloke after he discovered a massive flaw in the website of Budapest's transport authority – and reported it – has sparked a wave of protests. Thousands of users have flooded the Facebook page of the capital city's transport authority Budapesti Közlekedési Központ (BKK) – and its main website was taken …
Kieren McCarthy, 25 Jul 2017

Ubiquiti firmware patch stomps nasty redirect bug from login screen

Popular wireless networking hardware vendor Ubiquiti patched a couple of serious vulnerabilities back in March and April – without telling the people who reported the bugs. If sysadmins weren't paying attention, they might not have noticed the importance of the patches. The bug patched in firmware version 6.0.3 was an open …

G Suite admins have just one button to secure their sites, but don't

G Suite business users: go and check your configuration, and make sure you're not publishing enterprise information to the whole world. That's the warning coming from security outfit Redlock, which says it found “hundreds” of organisations leaking both organisational data and employees' personal data. As the company's …

Pathetic patching leaves over 70,000 Memcached servers still up for grabs

If you're running the caching service Memcached, and particularly if you're exposing it to the public internet for some reason, please make sure you've patched it. Tens of thousands of vulnerable systems haven't. Back in October, researchers at Cisco’s Talos security team found three major security vulnerabilities that would …
Iain Thomson, 24 Jul 2017

China crams spyware on phones in Muslim-majority province

The Chinese government is requiring citizens in Xinjiang province to install spyware on their mobile phones and is enforcing the policy with police spot-checks, according to several online reports. Reflecting a country-wide clampdown on internet usage, users of WeChat in the regional capital of Urumqi received a message on …
Kieren McCarthy, 24 Jul 2017

Crims snatch 5.5 million social security numbers from Kansas govt box

Hackers have lifted not only the social security numbers and personal information of half a million jobseekers in Kansas – but also records on more than five million people from nine other US states. The compromised database belonged to the Kansas Department of Commerce. The server was set up by the department's America's Job …
Iain Thomson, 24 Jul 2017

Cyber arm of UK spy agency left without PGP for four months

UK spy agency GCHQ’s cyber security arm, CESG, was left without PGP encryption for more than four months, according to a government report. This "prevent[ed] direct electronic receipt of evaluation reports", it emerged in the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board (PDF) annual report. “Internal …
Kat Hall, 24 Jul 2017

Briton admits to router hack that DDoSed Deutsche Telekom

An as yet unnamed 29-year-old pleaded guilty on Friday to charges relating to the hijacking of more than 1.25 million Deutsche Telekom routers, according to reports in the German press. German news agency DPA and others quoted a court spokesman as saying the accused, who pleaded guilty to "attempted computer sabotage", had " …
John Leyden, 24 Jul 2017

AlphaBay and Hansa: About those dark web marketplaces takedowns

Analysis A US Federal Bureau of Investigation veteran has spoken out on the international police ops that led to the takedown of dark web drug souks AlphaBay and Hansa, giving an insider's look at the process. Joseph Campbell served for 25 years in the FBI, where he led criminal investigations into child exploitation and the trade in …
John Leyden, 24 Jul 2017

Biting the hand that feeds IT © 1998–2017