Big Retail: We don't hate Apple, we hate the credit card companies

The Merchant Customer Exchange (MCX) went on a PR offensive on Wednesday to explain what happened in the hacking attack that saw its testers' emails exposed, why its member retailers banned Apple Pay and Google Wallet, and what makes its CurrentC mobile payment system so great. Dekkers Davidson, CEO of MCX, which represents 50 …
Iain Thomson, 30 Oct 2014

The NO-NAME vuln: wget mess patched without a fancy brand

Sysadmins: another venerable and nearly-ubiquitous *nix tool, wget, needs patching because of a bug first reported by HD Moore. As the Red Hat Bugzilla report describes, the bug was a beauty: a recursive directory fetch over FTP would let an attacker “create arbitrary files, directories or symbolic links” due to a symlink flaw …

Australian E-Health records breached twice in the last year

Australia's Office of the Information Commissioner (OAIC) has released its Annual report of the Information Commissioner’s activities in relation to eHealth 2013–14, complete with a report on two data breaches in the systems used to store personally controlled electronic health records (PCEHRs). The first was notified in …
Simon Sharwood, 29 Oct 2014

Naked and afraid: that's how Telstra's Wi-Fi security makes you feel

Sit down, open up the laptop, join the advertised SSID, and go online. Free Wi-Fi makes working at the cafe a breeze. Free Wi-Fi transformed Sydney’s libraries into some of the most sought-after spots in town. Cities blanket themselves in free Wi-Fi to encourage tourists and business and residents to spend more time - and money …
Mark Pesce, 29 Oct 2014

Bad dog: Redmond's new IE tool KILLS POODLE with one shot

Microsoft has issued new guidance on the POODLE (Padding Oracle On Downgraded Legacy Encryption) SSL vulnerability, including a one-click utility that can automatically disable SSL 3.0 in Internet Explorer. The Fix It utility, which was released on Wednesday, is a reversible workaround for all versions of Redmond's browser from …
Neil McAllister, 29 Oct 2014

Big Retail's Apple Pay killer CurrentC HACKED, tester info nicked

CurrentC, the mobile payments system being pushed by some of the biggest retailers in the US, has been hacked – before the system is even fully up and running. "Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of our CurrentC pilot program participants and individuals who …
Iain Thomson, 29 Oct 2014

WHITE HOUSE network DOWN: Nation-sponsored attack likely

Hackers have disrupted computer operations at the White House after breaking into its unclassified internal network. The attack, blamed by US government sources on Russian hackers, has resulted in the disruption of some services while incident response teams work to contain the intrusion. The White House network is under …
John Leyden, 29 Oct 2014

BlackEnergy crimeware coursing through US control systems

Industrial control systems in the United States have been compromised by the BlackEnergy malware toolkit for at least three years in a campaign the US Computer Emergency Response Team has dubbed "ongoing" and sophisticated. Attackers had compromised unnamed industrial control system operators and implanted BlackEnergy on …
Darren Pauli, 29 Oct 2014

Cisco: We made UCS secure but need your help to finish the job

Cisco has released a hardening guide for its unified computing system (UCS) that reveals the company's servers do most things right - all manner of potentially-insecure services are off by default - but also offers plenty of suggestions to make sure risks don't increase during production. The document centres on hardening the …
Darren Pauli, 29 Oct 2014

Find My Phone does just one thing but Samsung's messed it up

Researcher Mohamed Baset has reported a zero day flaw that allows hackers to lock a host of Samsung phones with the lost device feature. Baset (@SymbianSyMoh) uploaded a proof of concept video to YouTube showing how to lock a Samsung phone using a cross site request forgery vulnerability in the Find My Mobile feature. Phones …
Darren Pauli, 29 Oct 2014

'GCHQ's surveillance data gulp is BULKY and WARRANTLESS', human rights groups moan

Britain's spooks routinely rummage through reams of intelligence data from the NSA and other foreign spy agencies without first having to request a warrant, it has been claimed. According to the human rights groups that brought the UK's snooping agency GCHQ to court in July this year, secret internal policies unveiled during a …
Kelly Fiveash, 29 Oct 2014

Security Avengers team up to take down Chinese hacking group

Security firms are claiming credit for putting the skids under a Chinese cyber-espionage crew thought to have been operating for at least six years. The so-called Axiom Threat Actor Group allegedly victimised pro-democracy non-governmental organisations (NGO) and other groups and individuals that would be perceived as a …
John Leyden, 28 Oct 2014

FBI impersonated newspaper to finger school bomb threat suspect

A US newspaper has reacted angrily after it emerged that the FBI impersonated its website in order to locate a target using snoopware. The Feds set up a fake Seattle Times news story on a counterfeit website in order to entice a bomb-threat suspect to disclose his location back in 2007. Links to the doctored story were sent to …
John Leyden, 28 Oct 2014

Feds seek potential 'second Snowden' gov doc leaker – report

A worker at a US government contractor is suspected of being the second leaker who turned over sensitive documents on the US government's terrorist watch list to journalist Glenn Greenwald, according to recent reports. The FBI reportedly searched the suspect's home and opened a criminal case, according to unnamed law enforcement …
John Leyden, 28 Oct 2014

EvilToss and Sourface hacker crew 'likely' backed by Kremlin – FireEye

Russia is "likely" sponsoring a hacking outfit that targets foreign governments and security organisations, the US intelligence firm FireEye claims. "APT28", a group operating for possibly more than a decade, has attacked governments in Georgia, Eastern Europe, as well as NATO and the Organisation for Security and Co-operation …
Darren Pauli, 28 Oct 2014

Intel bods to detail RSA birko crypto man-in-the-middle diddle

A pair of Intel security researchers will tomorrow delve into a class of dangerous vulnerabilities they found last month that allowed forged RSA certificates to be created by abusing the Mozilla Network Security Services (NSS) cryptographic library. Attendees at a Buenos Aires event will be walked through the fine points of how …
Darren Pauli, 28 Oct 2014

Knock Knock tool makes a joke of Mac AV

Security research and development bod Patrick Wardle has released a tool to reveal executables that automatically boot in Mac OS X. The Knock Knock tool was open source and built on an extensible framework to encourage the community to evolve the platform. Wardle, of consultancy Synack, said he designed the tool because he was …
Darren Pauli, 28 Oct 2014

Shellshock over SMTP attacks mean you can now ignore your email

Yet another round of Shellshock attacks is emerging, according to the SANS Internet Storm Center – this time, botnets are tapping hosts over SMTP. At the moment, the report is sparse, with the ISC diary post stating merely that Shellshock exploit attempts are travelling over the mail protocol because “the sources so far have all …

AWS scores same Oz gov sec creds as Azure

Microsoft yesterday pressed the ON button for Azure Australia, and one of the things the Redmondian outpost was keen to point out was that it was the only cloud in Australia to have earned the Australian federal government's Industry Security Registered Assessors Program (IRAP) certification. IRAP is run by Australia's sigint …
Simon Sharwood, 28 Oct 2014

Why weasel words might not work for Whisper

Analysis: Whisper's CEO has attempted to undercut criticism of his company by suspending its editorial team and penning a lengthy response to accusations of privacy abuses and user tracking. Editor-in-chief Neetzan Zimmerman, as well as an undisclosed number of staff, have been put on leave "pending the results of our internal review," CEO …
Kieren McCarthy, 27 Oct 2014

Planning to fly? Pour out your shampoo, toss your scissors, RENAME TERRORIST WI-FI!

A US airline delayed a flight on Sunday evening after an unidentified person somewhere in or around Los Angeles International Airport picked a rather unfortunate name for a Wi-Fi hotspot. American Airlines Flight 136 from Los Angeles to London was grounded for nearly a day after a passenger spotted a Wi-Fi network named "Al- …
Shaun Nichols, 27 Oct 2014

Schneier, Diffie, ex-MI5 bod, privacy advocates team up on Code Red

Security experts including Bruce Schneier and Whitfield Diffie are teaming up with privacy advocates to form a new privacy group that aims to champion privacy against the growing tide of intrusive government surveillance. The project, Code Red, is due to begin in January with the aim of becoming a "strategic think tank and …
John Leyden, 27 Oct 2014

Tor exit node mashes malware into downloads

A Tor exit node has been found slapping malware onto downloads as users exit the hidden network and enter the public web. Leviathan Security Group researcher Josh Pitts found the operator of the Russia-based node compromising binaries only a month after raising concerns of the possible attack. He created the Backdoor Factory …
Darren Pauli, 27 Oct 2014

Verizon Wireless token tracker triggers tech transparency tempest

Verizon Wireless is monitoring users' mobile internet traffic, using a token slapped onto web requests, to facilitate targeted advertising even if a user has opted out. The unique identifier token header (UIDH) was launched two years ago, and has caused an uproar in tech circles after it was re-discovered Thursday by Electronic …
Darren Pauli, 27 Oct 2014

Pesky POS poison won't Backoff

Infections from the Backoff point-of-sale malware are still rising in America, according to security bods from Damballa. The company reckons it spotted a 57 per cent rise in Backoff detections in August and September 2014, and a 27 per cent rise in September alone. In August, the malware had already hit 1,000 US businesses, …

Knocking Knox: Samsung DENIES vuln claims, says mysterious blogger is a JOKER

A damning security critique against Samsung's US government-approved Knox system has been dismissed by the South Korean tech giant. Earlier this week, Knox was given the green light for use on classified Stateside government networks and data. Samsung had become the "first consumer mobile device manufacturer validated to handle …
John Leyden, 26 Oct 2014

Cheapo telcos fined for their cheapo security: Financial records on 305,000 people spilled

American watchdog the FCC is fining a pair of US mobile operators for an astonishing lack of security in handling customer information. The commission said that TerraCom Wireless and YourTel Wireless improperly stored information on 305,000 customers and will have to pay a joint fine of $10m split between the two firms as a …
Shaun Nichols, 25 Oct 2014

iMessage SPAM floods US mobile networks

China-based counterfeiters are spamvertising knock-off designer goods using Apple iMessage instead of using conventional email spam runs. iMessage has been hit with the single largest US mobile spam campaign this year. The campaign, which has been going on for months, was large enough to account for more than 80 per cent of all …
John Leyden, 24 Oct 2014

We chat to CloudFlare about its 'EVERYBODY GETS SSL' venture

Interview: CloudFlare boss Matthew Prince is hoping the firm's project to roll out SSL support to customers who use its free cloud-based web hosting service will inspire other internet firms to build out a fully encrypted web. The Universal SSL program from CloudFlare allows its customers to encrypt and secure web traffic between visitors …
John Leyden, 24 Oct 2014

Cisco patches three-year-old remote code-execution hole

A dangerous three-year-old remote code execution hole affecting Cisco kit has been patched. Researcher Glafkos Charalambous discovered the Telnet vulnerability (CVE-2011-4862), which was first reported by the FreeBSD Project in 2011. It was left unpatched in Cisco appliances until 15 October this year. The International …
Darren Pauli, 24 Oct 2014

Google absorbs Oxford Uni boffins in artificial intelligence boost quest

Google has hired seven academics from Oxford University and signed partnerships with the engineering and computer science facilities to help it develop its DeepMind artificial intelligence system. "We are thrilled to welcome these extremely talented machine learning researchers to the Google DeepMind team and are excited about …
Iain Thomson, 24 Oct 2014

Yahoo! Timestamps! Now! Block! Facebook! Email! Snoops!

Facebook has begun using a Yahoo! email standard created in August last year to prevent snooping through the acquisition of old addresses. The standard, dryly dubbed Require-Recipient-Valid-Since (RRVS), informs Facebook and others of the last point in time ownership of an email address was known. Facebook software engineer …
Darren Pauli, 24 Oct 2014

Moscow, Beijing poised to sign deal on joint cyber security ops

Moscow and Beijing will next month sign a deal to commence joint information security projects and operations, and to increase cooperation in the space, according to a popular Russian newspaper with ties to President Vladimir Putin. Kommersant, owned by Russia's richest man and President Putin ally Alisher Usmanov, reported ( …
Darren Pauli, 24 Oct 2014

Adobe spies on readers: EVERY DRM page turn leaked to base over SSL

Adobe has tweaked its Digital Editions 4 desktop ebook reader to now encrypt the data it secretly sends back to headquarters – data that details a user's reading habits. Previously, information on every single tome accessed by Digital Editions 4 was phoned home unencrypted, allowing anyone eavesdropping on a network to intercept …
Iain Thomson, 23 Oct 2014

Ad-borne Cryptowall ransomware is set to claim FRESH VICTIMS

Security watchers are warning of a surge in CryptoWall ransomware victims this month that will coincide with a campaign to spread a new variant of the malware through advertising networks. More than 830,000 victims worldwide have been infected with the malware, a 25 per cent increase in infections since late August when there …
John Leyden, 23 Oct 2014

Xen says its security policies might be buggier than its software

The Xen project has asked for help to ensure future bugs aren't as disruptive as the XSA-108 flaw that saw major cloud operators reboot an awful lot of servers. XSA-108 emerged in late September and saw the likes of AWS, SoftLayer and Rackspace patch and reboot many servers. Such reboots are just the kind of thing that cloud …
Simon Sharwood, 23 Oct 2014

Quick PHP patch beats slow research reveal

Patches have been flung out to cover vulnerabilities in PHP that led to remote code execution and buffer overflows. The flaws were detailed this week by Swiss researchers High-Tech Bridge in versions 5.4.33, 5.5.17 and 5.6.1 on a machine running Ubuntu 14.04.1 LTS and the Radamsa fuzzer. A patch issued last month for CVE-2014- …
Darren Pauli, 23 Oct 2014

NIST to hypervisor admins: Pro-tip, secure your systems

US standards body the National Institute of Standards and Technology (NIST) has laid out the basics of hypervisor security in a draft publication released for comment on 20 October. The sysadmin guide presents 22 security recommendations, under the key headings of isolating VMs from each other and the host hypervisor; …

Is your home or office internet gateway one of '1.2 MILLION' wide open to hijacking?

Hundreds of thousands of routers, firewalls and gateways used by small offices and homes are said to be vulnerable to hijacking due to bungled NAT settings. The networking devices are, we're told, commonly misconfigured to allow remote attackers to reprogram how network traffic flows to PCs, servers, tablets and other machines …
John Leyden, 22 Oct 2014

Guns don't scare people, hackers do: Americans fear identity theft more than shooting sprees

A survey into what Americans fear most has shown that fears of identity theft and being unsafe online outweigh the fear of being shot. The poll of 1,500 Americans conducted by Chapman University in Orange, California, found that walking alone down a dark street is the situation that has Americans most fearful – beating the fear …
Iain Thomson, 22 Oct 2014

DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides

Hackers are exploiting a zero-day vulnerability in Windows using malicious PowerPoint documents, Microsoft and security firms warn. An advisory from Microsoft warns that the as-yet-unpatched flaw is present in all supported versions of Windows except Windows Server 2003 and has already been abused in "limited, targeted attacks …
John Leyden, 22 Oct 2014

APPLE support doc CONFIRMS 'ORGANIZED NETWORK ATTACKS'

Apple is warning its iCloud users over heightened spying risks following the discovery of attacks which security watchers have claimed are down to crude snooping by the Chinese government. Without naming China directly, Apple said it was "aware of intermittent organised network attacks" on its iCloud service designed to obtain …
John Leyden, 22 Oct 2014