Cryptolocker 3.0 scum bounce victims over Invisible net

Cryptowall 3.0 uses Tor and its little sister I2P to carry chatter between victims and controllers keeping it away from researchers and law enforcement, French anti-malware crusaders say. Researchers Kafeine (@Kafeine) and Horgh (@Horgh_RCE) have released a technical analysis on the malware identified by Microsoft late last year …
Darren Pauli, 15 Jan 2015

It's 2015 and home routers still leave their config web servers wide open

Broadband routers from ADB Pirelli – used by Movistar in Spain and an ISP in Argentina – are vulnerable to at least two nasty security weaknesses, it's claimed. The ADB Pirelli ADSL2/2+ Wireless Routers can be trivially controlled remotely from across the internet, allowing someone to surreptitiously monitor or disrupt home …
John Leyden, 15 Jan 2015

ISO floats storage security standard

The International Standards Organisation reckons the world needs help securing its data, so has published a new storage security standard to cover it. Because The Register isn't about to shell out 198 Swiss Francs to read the whole thing, we're constrained in our ability to tell you exactly what it contains, but we note that the …

Mr President, is this a war on hackers – or a war on people stopping hackers?

Analysis This week, President Obama unveiled three new fronts in his war on scary computer hackers – but so far very few people are impressed, and a lot of folks are very worried about the direction he is taking. Obama outlined three areas he is looking to concentrate on in the coming legislative session: better information sharing …
Iain Thomson, 15 Jan 2015

NSA: SO SORRY we backed that borked crypto even after you spotted the backdoor

The NSA's former director of research Michael Wertheimer says it's "regrettable" that his agency continued to support Dual EC DRBG even after it was widely known to be hopelessly flawed. Writing in Notices, a publication run by the American Mathematical Society, Wertheimer outlined the history of the Dual Elliptic Curve …
Iain Thomson, 14 Jan 2015

Australia tries to ban crypto research – by ACCIDENT

While the world is laughing at UK PM David Cameron for his pledge to ban encryption, Australia is on the way to implementing legislation that could feasibly have a similar effect. Moreover, the little-debated Defence Trade Control Act (DTCA) is already law - it's just that the criminal sanctions it imposes for sending knowledge …

Warning: Using encrypted email in Spain? Do not pass go, go directly to jail

Seven people have been detained for, among other allegations, using encrypted email, a civil-rights group has said. Spanish cops investigating bomb attacks raided 14 homes and businesses across the country last month and arrested 11 people: seven women and four men, aged 31 to 36, from Spain, Italy, Uruguay, and Austria. Since …
Jennifer Baker, 14 Jan 2015

It's hacker jihad: Islamist skiddies square up to Anonymous

An online spat is developing between Islamist and pro-Western hacktivists. Sections of infamous hacker collective Anonymous launched #OpCharlieHebdo last week in response to terrorist attacks that killed 17 in Paris, including 10 cartoonists and journalists and two police constables in and around the offices of French satirical …
John Leyden, 14 Jan 2015

DANGER: Is that 'hot babe' on Skype a sextortionist?

North Yorkshire police have issued a general warning after three men in the York area fell victim to sextortionists. Someone posing as a woman called Cathy Wong befriended each of the victims on Facebook before asking them to Skype her. During the online chat session, she enticed each of them into performing an indecent act, …
John Leyden, 14 Jan 2015

Change the plan for Sat night, hackers. No more biz meetup eavesdrop LOLs

Cisco has patched four holes in WebEx that allowed attackers to gain access to video conferences and gain other administrative functions. The popular platform contained a cross site request forgery in versions 1.5 and below. Cisco slapped a moderate severity rating on the bug (CVE-2014-8031). "A vulnerability in the web …
Darren Pauli, 14 Jan 2015

Euro security agency says MORE crypto needed in gov policy

Governments need to build more privacy into legislation, technology vendors need to step up and compliance cops should crack down to push privacy-enhancing technologies out of the labs, says the European Union Agency for Network and Information Security (ENISA). The agency has issued a report, Privacy and Data Protection by …
Darren Pauli, 14 Jan 2015

AMD plugs firmware holes that allowed command injection

VID Chip maker AMD has patched holes across its firmware lines that could allow hackers to inject malware. Czech programmer Rudolf Marek reported the holes in the Trinity, Richland, Kaveri, and Kabini silicon series ahead of a disclosure at the Chaos Communications Congress. AMD's System Management Unit (SMU) firmware code within …
Darren Pauli, 14 Jan 2015

Instagram FLASHED YOUR PRIVATES to picture pervs

Instagram has plugged a flaw that allowed private pictures to be seen by anyone, under certain conditions. The flaw, reported by Quartz and since closed, meant all photos from formerly public accounts later marked private remained open. Photos on other social networks shared through Instagram could also be accessed, as the flaw …
Darren Pauli, 14 Jan 2015

Ross Ulbricht trial Day One: 'I DID invent Silk Road ... but I'm innocent'

During the first day of the trial of Ross William Ulbricht on Tuesday, a lawyer representing the accused Silk Road mastermind once again proclaimed his client's innocence of all charges against him. Attorney Joshua Dratel said that although Ulbricht "did invent Silk Road" – the first time either Dratel or Ulbricht has ever …
Neil McAllister, 14 Jan 2015

Are you running a Telnet server on Windows? Oh thank God. THANK GOD

It's that time of the month again, when Microsoft scrambles to plaster over the latest crop of vulnerabilities in Windows and Internet Explorer. The first Patch Tuesday of 2015 brings eight security updates, one of which is rated Critical in severity, while the rest are rated Important. The Critical patch (MS15-002) addresses a …
Neil McAllister, 13 Jan 2015

'80s hacker turned journo, IT crime ace Steve Gold logs off

Obit Steve Gold, a former hacker who became a respected information security journalist, has died following complications from heart surgery. Tributes to Gold from the tight-knit UK security and publishing communities have been pouring in following his death, aged 58. Gold unwittingly became famous in the mid '80s when he …
John Leyden, 13 Jan 2015

Insert 'Skeleton Key', unlock Microsoft Active Directory. Simples – hackers

Miscreants have forged a strain of malware which is capable of bypassing authentication on Microsoft Active Directory (AD) systems. Hackers can use arbitrary passwords to authenticate as any corporate user, Dell SecureWorks warns. The malware, dubbed Skeleton Key, is deployed as an in-memory patch on a victim’s AD domain …
John Leyden, 13 Jan 2015

Big Yellow brings in Boeing bods to bolster Big data bid

Symantec is acquiring 65 security engineers from Boeing as a part of a deal to beef up its expertise in Big Data, prior to a split between its security and storage divisions later this year. As part of the deal Big Yellow is also licensing technology from Boeing's Narus security division, which develops network-monitoring …
John Leyden, 13 Jan 2015

Attackers planting banking Trojans in industrial systems

Trend Micro researcher Kyle Wilhoit says the latest attacks on SCADA and industrial control networks are turning out to carry rather pedestrian banking Trojans, and have been on the rise since October 2014. Talking to DarkReading, Wilhoit said rather than Stuxnet-style attacks, ne'er-do-wells are dropping banking Trojans into …

Remember Corel? It's just entered .DLL hell

Local zero day vulnerabilities have been disclosed in Corel applications, potentially affecting more than 100 million users. The holes were dropped by Marcos Accossatto of Core Security after the doodleware company did not respond to his private disclosure. Corel has been contacted for comment. "Given that this is a client- …
Darren Pauli, 13 Jan 2015

Router creds admin/admin? Lizard Squad thanks you

Console DDoSers Lizard Squad are using insecure home routers for a paid service that floods target networks, researchers say. The service crawls the web looking for home and commercial routers secured using lousy default credentials that could easily be brute-forced and then added to its growing botnet. Researchers close to a …
Darren Pauli, 13 Jan 2015

Facebook hackers work blue on Crayola coloring page

Kids' art supplier Crayola is apologizing after hackers compromised its Facebook account and used the company's feed to spread NSFW images. The coloring kingpin acknowledged on Sunday that its page had fallen victim to hackers who took over the page and began sharing the raunchy cartoons and NSFW pictures with any who visited …
Shaun Nichols, 13 Jan 2015

FBI has its fingers deep in NSA surveillance pie, declassified report shows

The FBI had, and most likely still has, a much closer involvement with the NSA’s mass surveillance programs than previously thought – with access to raw foreign intelligence and data on Americans gleaned from the PRISM program. The 231-page report, from the Department of Justice’s Inspector General, was obtained – albeit in a …
Iain Thomson, 13 Jan 2015

What do UK and Iran have in common? Both want to outlaw encrypted apps

Encrypted communications will be backdoored or banned in the UK if the Conservatives win the next election, Prime Minister David Cameron has pledged. The UK government has always had the power, “in extremis,” to read Brits' personal post and eavesdrop on electronic chatter, he repeatedly insisted on Monday in a …
Iain Thomson, 12 Jan 2015

'American soldiers, we are coming...' US CENTCOM military in Twitter hijack shame

Updated Hackers calling themselves the "CyberCaliphate" briefly seized control of the official Twitter account of US Central Command (CENTCOM) on Monday, and used it to post what appeared to be sensitive government documents. The group first posted to the CENTCOM account at around noon, Eastern Time, with a message threatening US …
Neil McAllister, 12 Jan 2015

Had a data breach? Well, SPEAK UP, big biz – Obama

The White House is lobbying Congress to pass a breach disclosure law, forcing firms to admit security breaches within 30 days in cases where customer data has leaked. The legislative push comes in the wake of high-profile breaches at retailers including Target and Home Depot, highlighting a lack of uniform breach disclosure …
John Leyden, 12 Jan 2015

Security's revamped index of pain readies for release

The great unwashed has been afforded an opportunity to comment on a new scheme for classifying the severity of infosec vulnerabilities issued by the National Institute of Standards and Technology. The Common Vulnerability Scoring System (CVSS) is a pain-assessment index that offers a one-to-ten scale to describe vulnerabilities …
Darren Pauli, 12 Jan 2015

DAMN YOU! Microsoft blasts Google over zero-day blabgasm

Microsoft has slammed Google for disclosing a security vulnerability in Windows a mere two days before Redmond planned to fix the bug. Google revealed the flaw on 11 January, 90 days after reporting it to Microsoft; the ad giant said the bug can elevate a user's privileges to administrator-level, thanks to some inelegant action …
Simon Sharwood, 12 Jan 2015

Google crashes supposedly secure Aviator browser

A spat between Google and Whitehat Security has erupted after engineers at the search giant revealed dangerous vulnerabilities found in the latter's anti-Google privacy-centric Chrome spin-off browser. The holes in the Aviator browser reported by Google security bods Justin Schuh and Tavis Ormandy include a remote code …
Darren Pauli, 12 Jan 2015

Docker's just a bit dodgy, but ready for rollout says Gartner

Analyst outfit Gartner has assessed Docker's security – and found the containerisation tool is sound but immature. Gartner's report, Security Properties of Containers Managed by Docker, published last week, finds “Linux containers are mature enough to be used as private and public PaaS” but “disappoint when it comes to secure …
Simon Sharwood, 12 Jan 2015

Malware coders adopt DevOps to target smut sites

Linux-served porn sites may offer devs more than they bargained for after villains behind one of 2014's nastiest malware campaigns changed tactics to hit adult sites with stealthier wares. The Windigo campaign was revealed in March 2014 to have over the previous two years infected 25,000 Unix and Linux servers, with some 10,000 …
Darren Pauli, 12 Jan 2015

Size matters, says Microsoft, as it flops out fat cloud VMs

Microsoft has introduced a new virtual machine type to Azure: the G-series instances run on Xeon E5 v3 CPUs and Redmond reckons they “provide the most memory, the highest processing power and the largest amount of local SSD of any Virtual Machine size currently available in the public cloud.” Here's Microsoft's list of the new …
Simon Sharwood, 12 Jan 2015

SURPRISE: Norks' Linux distro has security vulns

Well, that didn't take long: mere days after North Korea's Red Star OS leaked to the west in the form of an ISO, security researchers have started exposing its vulnerabilities. According to this post at Seclists, the udev rules in version 3.0 of the OS and the rc.sysint script in version 2.0 are both world-writable. Both of …

Paris terror attacks: ISPs face pressure to share MORE data with governments

Government ministers from European states, who met in Paris today in the wake of the atrocious attacks that stunned the French capital's population last week, have called on internet firms to do a better job of cooperating with spooks and police to help them fight terrorism. In a joint statement (PDF) from a number of Europe's …
Kelly Fiveash, 11 Jan 2015

Mr Cameron goes to Washington for PESKY HACKERS chinwag with Pres Obama

U.S. President Barack Obama will end his week of lobbying for more powers to fight hackers online by hosting Britain's Prime Minister David Cameron on Thursday and Friday, when the two leaders will discuss internet security. Thwarting malefactors who attack companies' computer systems, such as the recent, devastating assault on …
Kelly Fiveash, 11 Jan 2015

Sony post-mortem: Obama lobbies for new legal powers to thwart hackers

In the aftermath of the massive hack attack on Sony Pictures – which the US government continues to insist was carried out by North Korea – President Barack Obama is expected to lobby hard for legislative overhauls to battle online threats. He will reveal those proposals early next week, an unnamed White House spokesperson told …
Kelly Fiveash, 10 Jan 2015

It's LUNACY, you SWINE! Er, what, security? Moonpig DOT GONE

Quotw This was the week when London-based tacky, personalised card biz Moonpig exposed three million customers' personal records and partial credit card details for almost 18 months, after the security flaw in its system had been reported. The mega cockup was first spotted by developer Paul Price, who quietly flagged up the glitch to …
Kelly Fiveash, 10 Jan 2015

OS X search tool Spotlight runs roughshod over Mail privacy settings

Spotlight, the desktop search engine for OS X computers, will ignore privacy settings in Apple's Mail client when showing messages in its search results. The programming booboo means pictures and possibly other files linked to in HTML emails will automatically show up even if you've told Apple's supplied client to not load …
Shaun Nichols, 10 Jan 2015

FBI fingering Norks for Sony hack: The TRUTH – by the NSA's spyboss

The head of the NSA has confirmed his agency gave the FBI top-secret intelligence that led the Feds to blame North Korea for the Sony Pictures mega-hack. The bureau has been strangely silent on how it came to finger the Nork government for the comprehensive ransacking of the Hollywood movie studio. So silent, in fact, seasoned …
Iain Thomson, 9 Jan 2015

Anonymous vows to avenge Charlie Hebdo massacre by blitzing jihadist sites

Some members of Anonymous have vowed to avenge the Charlie Hebdo killings in Paris by taking down jihadist websites. A video uploaded to the web by the group's Belgian wing also promises to scrub social networks of accounts promoting violent jihad. A statement announcing Op Charlie Hebdo, addressed to “enemies of freedom of …
John Leyden, 9 Jan 2015

No, the Linux leap second bug WON'T crash the web

There’s a reason space missions don’t launch on the day a leap second is added to international clocks. Scientists don’t want to run the risk that the computer systems running things might hiccup on the new time and then malfunction, sending their multi-million dollar lifetime’s investment into a fatal nose dive. The rest of us …
Gavin Clarke, 9 Jan 2015

Microsoft patch batch pre-alerts now for paying customers ONLY

Microsoft is facing fierce criticism over its decision to make pre-notification of upcoming patches available only to paid subscribers. The Advance Notification Service (ANS) formerly made information on upcoming software patches available to the public but from now on the information will be restricted to “premier” customers …
John Leyden, 9 Jan 2015