Daesh-bag hacker gets 20 years for harvesting US military kill list

A student who hacked into corporate servers to build a kill list for medieval terror bastards Daesh has been sentenced to 20 years in prison after admitting his guilt. Ardit Ferizi, aka Th3Dir3ctorY, broke into the servers of an unnamed Illinois company and downloaded the personal information of tens of thousands of its …
Iain Thomson, 27 Sep 2016

Mozilla wants woeful WoSign certs off the list

Mozilla wants to kick Chinese certificate authority (CA) WoSign out of its trust program. As well as being worried about the certs issued by WoSign, Mozilla accuses the company of buying another CA, StartCom, without telling anyone. In this lengthy analysis posted to Google Docs, Mozilla says its certificate wonks have "... …

Suspected Russian DNC hackers brew Mac trojan

Suspected Russian hackers fingered for hacking the United States Democratic National Committee (DNC) have brewed a trojan targeting Mac OS X machines in the aerospace sector, says Palo Alto researcher Ryan Olson. The malware relies on social engineering and exploits a well-known vulnerability in the MacKeeper security software …
Darren Pauli, 27 Sep 2016

Fax machines' custom Linux allows dial-up hack

Party like it's 1999, phreakers: a bug in Epson multifunction printer firmware creates a vector to networks that don't have their own Internet connection. The exploit requirements are that an attacker can trick the victim into installing malicious firmware, and that the victim is using the device's fax line. The firmware is …

Patch AGAIN: OpenSSL security fixes now need their own security fixes

Sysadmins and devs, fresh from a weekend spoiled by last week's OpenSSL emergency patch, have another emergency patch to install. One of last week's fixes, for CVE-2016-6307, created CVE-2016-6309, a dangling pointer security vulnerability. As the fresh advisory states: “The patch applied to address CVE-2016-6307 resulted in …
Team Register, 26 Sep 2016

Intel, Lenovo officially gone to the dogs – with FIDO fingerprint logins

Lenovo, Intel and others are aiming to make online payments more secure by bringing the Fast Identity Online (FIDO) biometric authentication standard to PCs. The fingerprint scanning technology is implemented in Lenovo’s latest Yoga 910 laptop, which is one of those consumer 2-in-1 convertible gizmos with a fold-back screen …
Dan Robinson, 26 Sep 2016

Security man Krebs' website DDoS was powered by hacked Internet of Things botnet

The huge distributed denial of service (DDoS) attack which wiped security journalist Brian Krebs' website from the internet came from a million-device-strong Internet of Things botnet. "Attack appears to include numerous IoT devices, including security cameras. Still itemizing them," an Akamai spokesman told El Reg by email. …
Gareth Corfield, 26 Sep 2016

Apple to crunch iOS 10 local backup password brute force hole

Apple is brewing a fix to patch an iOS password flaw that allows credentials to be stolen from backups. Elcomsoft researcher Oleg Afonin says the flaws mean cracking efforts against iOS 10 backups are 2500 times faster compared to similar efforts against iOS 9. If successful, the attack will grant access to device keychains. …
Darren Pauli, 26 Sep 2016

Dev teaches bot to talk spammers' ears off

Brian Weinreich has been trolling spammers for two years using a bot that fires realistic and ridiculous replies to the pervasive online salespeople. The noted security developer created the bot as a means to waste the time of the blowflies of the internet after being affronted by a deluge of unsolicited sales pitches directed …
Darren Pauli, 26 Sep 2016

Google rushes in where Akamai fears to tread, shields Krebs after world's-worst DDoS

Google has provided free distributed denial of service attack (DDoS) mitigation services to security publication Krebs on Security, stepping in after Akamai withdrew support. The information security site was last week hammered with a 620Gbps DDoS attack, widely rated one of the world's largest by volume of junk data. …
Darren Pauli, 26 Sep 2016

And! it! begins! Yahoo! sued! over! ultra-hack! of! 500m! accounts!

Just two days after Yahoo! admitted hackers had raided its database of at least 500 million accounts, the Purple Palace is being dragged into court. Two Yahoo! users in San Diego, California, filed on Friday a class-action claim [PDF] against the troubled web biz: Yahoo! is accused of failing to take due care of sensitive …
Iain Thomson, 24 Sep 2016

IBM botched geo-block designed to save Australia's census

Australia's Bureau of Statistics has heavily criticised IBM for the security it applied to the nation's failed online census, which was taken offline after a distributed denial of service (DDoS) attack that battered a curiously flimsy defensive shield. The Bureau also admits it could have done better in a submission (PDF) to a …
Simon Sharwood, 23 Sep 2016

Uni student cuffed for 'hacking professor's PC to change his grades'

A student at Kennesaw State University in Georgia is accused of hacking into his professor's computer to improve his grades. Chase Arthur Hughes, 19, was arrested and charged this week after allegedly raiding the university's computers in May. The teen made a number of alterations to his grades, and those of his friends, for …
Iain Thomson, 23 Sep 2016

Woo hoo, has unveiled yet another tech creche – for infosec

Plans are afoot in Westminster to burn even more taxpayers' cash by launching a new cyber-security startup accelerator in Cheltenham. The accelerator will be the umpteenth vehicle for funnelling money to muppets since the coalition government came to power. Other accelerators have included a military technology free-money …

OpenSSL swats a dozen bugs, one notable nasty

A dozen flaws have been patched in OpenSSL, including one high severity hole that allows denial of service attacks. The OpenSSL Project pushed patches in versions 1.1.0a, 1.0.2i and 1.0.1u, with most of the flaws flagged as low severity risks. The nastiest vulnerability (CVE-2016-6304) results when attackers issue a massive …
Team Register, 23 Sep 2016

Report: NSA hushed up zero-day spyware tool losses for three years

Sources close to the investigation into how NSA surveillance tools and zero-day exploits ended up in the hands of hackers have found that the agency knew about the loss for three years but didn’t want anyone to know. Multiple sources told Reuters last night that the investigation into the data dump released by a group calling …
Iain Thomson, 23 Sep 2016

Sad reality: It's cheaper to get hacked than build strong IT defenses

Whenever mega-hacks like the Yahoo! fiasco hit the news, inevitably the question gets asked as to why the IT security systems weren't good enough. The answer could be that it's not in a company's financial interest to be secure. A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency …
Iain Thomson, 23 Sep 2016

Cops blasted for relying on IP addresses to hunt down suspects

A new white paper from the Electronic Frontier Foundation argues that police rely too heavily on IP addresses when conducting criminal investigations. The paper [PDF], written by EFF executive director Cindy Cohn along with legal fellow Aaron Mackey and senior staff technologist Seth Schoen, argues that the numerical addresses …
Shaun Nichols, 23 Sep 2016

Safe browsing checks fail as 16,000 WordPress sites hacked this year

At least 15,769 WordPress websites - and probably more - have been compromised this year, half slipping past Google's Safe Browsing checks, says security researcher Daniel Cid. The world's most popular content management system represented the lion's share of some 21,821 sites studied in the second 2016 Sucuri report on …
Darren Pauli, 23 Sep 2016

Malware figures out it's running on VMs and refuses to execute

Malware writers are looking for the absence of documents to figure out which PCs are potential victims and which are virtual machines being used by white hats. SentinelOne senior researcher Caleb Fenton found the novel technique while attempting to coax the malware into activating so it could be analysed. The worm he was …
Darren Pauli, 23 Sep 2016

Valid logins to your workplace are on the net, right now

Enterprises are almost universally open to intrusion attempts with stolen credentials, and are at increased risk from compromised smartphones thanks to a spike in device malware. The findings stem from two separate studies. Digital Shadows research [PDF] reveals 97 percent of the Fortune top 1000 largest companies face …
Team Register, 23 Sep 2016

US Homeland Security launches IoT willy-waving campaign

The US Department of Homeland Security has announced plans to make the internet-of-things just a bit more complicated – by trying to shove itself into the market with a new security framework. On Thursday, assistant secretary for cyber policy at the DHS Robert Silvers told the Security of Things Forum in Cambridge, …
Kieren McCarthy, 22 Sep 2016

Half! a! billion! Yahoo! email! accounts! raided! by! 'state! hackers!'

Updated: Hackers strongly believed to be state-sponsored swiped account records for 500 million or more Yahoo! webmail users. And who knew there were that many people using its email? The troubled online giant said on Thursday that the break-in occurred in late 2014, and that names, email addresses, telephone numbers, dates of birth, …
Iain Thomson, 22 Sep 2016

DDoS attacks: For the hell of it or targeted – how do you see them off?

Distributed Denial of Service (DDoS) attacks can be painful and debilitating. How can you defend against them? Originally, out-of-band or scrubbing-centre DDoS protection was the only show in town, but another approach, inline mitigation, provides a viable and automatic alternative. DDoS attacks can be massive, in some cases …
Danny Bradbury, 22 Sep 2016

SWIFT warns of more 'sophisticated' attacks, readies anti-fraud tool

The chief information security officer for global money transfer network SWIFT says banks are still under attack from fraudsters hoping to cash in on identified security gaps to steal millions of dollars. Alain Desausoi, security head of the Society for Worldwide Interbank Financial Telecom, made the comments at the Financial …
Darren Pauli, 22 Sep 2016

Google automates Apps OAuth token revocation

Google has refined the security controls available to enterprise Gmail users by automatically killing OAuth 2.0 tokens for Apps when users change passwords. The changes will land on October 5th and will not affect users unless they change their password. It is a watered down version of planned security changes offered in …
Team Register, 22 Sep 2016

Cisco snaps shut remote pwnage hole in Cloud Services Platform

Cisco has provided a patch to address a remote hijacking vulnerability in its Cloud Services Platform (CSP). Switchzilla said that all customers who run CSP 2100 software should install the 2.1.0 update to close a remote code execution flaw it considers to be a high security risk. Designed as an efficient way to manage …
Shaun Nichols, 21 Sep 2016

US cities promise to crack down on police surveillance tech

A handful of US cities are banding together in an effort to change the way police acquire and use surveillance technology. The cities in the group – including New York, Washington DC, Seattle, and Milwaukee – say they will introduce bills to place additional reporting and approval requirements for the surveillance tools their …
Shaun Nichols, 21 Sep 2016

Wow, RIP hackers ... It's Cyber-Lord Blunkett to the rescue for UK big biz

A high-profile project has been launched with the aim of strengthening UK enterprises' IT security. The Cyber Highway was launched in London on Tuesday by Lord David Blunkett. The resource offers a “user-friendly online portal for large enterprises that want to strengthen the cyber defence of their supply chain.” Corporations …
John Leyden, 21 Sep 2016

Victoria Police warn of malware-laden USB sticks in letterboxes

Police in the Australian State of Victoria have warned citizens not to trust un-marked USB sticks that appear in their letterboxes. The warning, issued today, says “The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices.” “Upon …
Simon Sharwood, 21 Sep 2016

Greybeards beware: Hair dye for blokes outfit Just For Men served trojan

Malware writers have penetrated the website of hair-dye-for-greying-blokes outfit Just For Men, foisting a password-stealing trojan at visitors, Malwarebytes researcher Jerome Segura says. Attackers are using the RIG exploit kit, which recently dethroned Neutrino as the most popular of the off-the-shelf crime kits that make …
Team Register, 21 Sep 2016

BT's Wi-Fi Extender works great – at extending your password to hackers

BT is urging folks to patch the firmware in its Wi-Fi Extender following the discovery of multiple security flaws. Security researchers at Pen Test Partners discovered vulnerabilities with the consumer-grade kit, including cross-site scripting and the ability to change a password without knowing it. Pen Test Partners found it …
John Leyden, 21 Sep 2016

10-second hijack hole could kill any Facebook profile

University student Arun S Kumar has scored US$16,000 (£12,312, A$21,200) for finding and reporting a Facebook vulnerability that led to account hijacking. The flaw in Facebook's Business Manager, reported through BugCrowd late last month and since patched, was a form of direct object reference vulnerability which bypassed normal …
Darren Pauli, 21 Sep 2016

Citrix swats Sweet32 bug by just turning off old ciphers

Citrix has pushed back a little against the dangers posed to its users by the Sweet32 “birthday attack” against old ciphers. The attack, published in late August, is a birthday attack against 64-bit ciphers like Blowfish and Triple DES. That's prompted various vendors to get patching, but as Citrix explains in this blog post …

CloudFlare offers web encryption up the wazoo

CloudFlare is promising to bring about the encrypted internet by adopting the latest web security protocols and offering a solution to the horror of mixed content. Just over a week since Google warned it would start labeling HTTP websites as "not secure," CloudFlare promises to help the many, many website owners who have a mix …
Kieren McCarthy, 20 Sep 2016

Mobile review website MoDaCo coughs to data breach

Smartphone news and reviews site MoDaCo has admitted to a data breach. MoDaCo founder Paul O’Brien confirmed a security leak (first reported by haveibeenpawned), while playing down its significance. Email and IP addresses together with (hashed) passwords and usernames for up to 875,000 MoDaCo accounts were dumped online. …
John Leyden, 20 Sep 2016

Going, going, done: Trio of prolific auction fraud fraudsters jailed

Three men were jailed yesterday over a conspiracy to commit an internet shopping fraud scam that involved taking payments for non-existent goods and services. Calin Serbenescu, 28, a former labourer, was sentenced to five years' imprisonment; Ionut Cotavian Anitescu, 26, unemployed, was sent down for three years; while Dorel …
John Leyden, 20 Sep 2016

Hackers claim they breached Aussie point-of-sale tech firm, try to sell 'customer DB'

Exclusive: Hackers are claiming to have hacked Australian point-of-sale technology (PoS) company H&L Australia, and have been claiming to potential buyers that they had lifted its customer database. They were already offering it for sale for AU$22,000 ($16,580, £12,723) more than two months ago. If indeed they have hacked into H&L, …
Darren Pauli, 20 Sep 2016

Online scammers speed up: Hit gold every 15 seconds

There were over one million fraud attempts in the UK in the first six months of 2016, or one every 15 seconds - more than 50 per cent higher than the same period of last year. Between January and June 2016 there were 1,007,094 fraud cases in the UK compared to 660,308 in the first six months of 2015. Each case represents a …
John Oates, 20 Sep 2016

Microsoft lets Beijing fondle its bits in new source code audit hub

Microsoft has opened a technology centre in China to reassure Beijing it does not have backdoors in its software. The so-called Transparency Centre is the third Redmond has opened to reassure governments that Microsoft's wares are secure. Redmond's trustworthy computing corporate veep Scott Charney says the centre will allow …
Darren Pauli, 20 Sep 2016

Brits: Can banks do biometric security? We'd trust them before the government

Brits have more faith in their banks than government agencies to roll out authentication technologies based on biometrics, according to a new survey from Visa. Consumers are nearly twice as likely to trust banks to store and keep their biometric information such as fingerprints and iris scans safe (60 per cent), than they are …
John Leyden, 19 Sep 2016

Microsoft snubs alert over Exchange hole

Microsoft has downplayed the seriousness of an alleged Exchange auto-discovery vulnerability, saying that it sees no need to patch the reported security weakness. Redmond contends that its existing security advice covers the issue, a point disputed by flaw-finder Marco van Beek. Van Beek explains: “I recently discovered that …
John Leyden, 19 Sep 2016