Cafe killer remote code execution affects 140 million MIUI Androids

The most popular stock and third-party Android ROM – used by 170 million people – contains a dangerous since-patched remote code execution hole that could hand attackers total control of handsets. The flaw, found by IBM X-Force researcher David Kaplan (@depletionmode), now of Microsoft, exists in MIUI (pronounced Me, You, I) …
Darren Pauli, 7 Jul 2016

Loose wrists shake chips: Your wrist-job could be a PIN-snitch

Chinese scientists have brewed a way to steal -- with 80 percent accuracy -- automatic teller machine PINs by infecting wearable devices. Five university boffins demonstrated the trick in a laboratory, finding even the slight hand movements a person makes while entering PINs can be captured through infected smart watches. The …
Darren Pauli, 7 Jul 2016

Palo Alto offers $16,000 in looming CTF hack off

In eight days, Palo Alto is launching a capture the flag competition offering a total of US$16000 (£12340, A$21,245) for the first to complete the six trials. The first to solve all six challenges will receive US$5000 (£3866, A$6640), and can score six lots of US$1000 (£773, A$1328) if they are also the first to complete each …
Darren Pauli, 7 Jul 2016

Unmasking malware in TLS connections? It can be done, say Cisco researchers

A group of researchers who work for Cisco* reckons malicious traffic in TLS tunnels can be spotted and blocked – without decrypting user traffic. That's good news in the corporate setting, because today's protection relies on the controversial approach of terminating the encryption to inspect the traffic. In this paper at …

Sysadmins: Use these scripts to fully check out of your conference calls

Rejoice, system admins; Splunk developer Josh Newlan has created a series of scripts that will, with the right tools, get you out of time-wasting teleconference meetings. The scripts, built on Splunk and IBM Speech to Text Watson but which can be ported to use open source tools, allow over-worked crushed souls to have relevant …
Darren Pauli, 7 Jul 2016

⌘+c malware smacks Macs, drains keychains, pours over Tor

More malware capable of pilfering Mac keychain passwords and shipping them over Tor has been turned up, less than a day after a similar rare trojan was disclosed. Dubbed Keydnap, the malware is delivered as a compressed Mach-O file with a txt or jpg extension, with a hidden space character which causes it to launch in terminal …
Darren Pauli, 7 Jul 2016

The truth about Silent Circle's super-secure, hyper-privacy phones: No one's buying them

It seems that the Blackphone, the handset created by Silent Circle and Spanish firm Geeksphone, isn't as popular as its makers would like. Geeksphone has sued [PDF] its erstwhile partner for $5m in a New York court, claiming that disappointing hardware sales have crippled the partnership and left the Switzerland-based Silent …
Iain Thomson, 6 Jul 2016

Attention, small biz using Symantec AV: Smash up your PCs, it's the safest thing to do

If you're using Symantec's Endpoint Protection Small Business Edition (SEP SBE) then you can forget about security for a week or so, as the company won't be patching the "as bad as it gets" security holes in its software for a while. A Register reader who wishes to remain anonymous received an email from Symantec confirming …
Iain Thomson, 6 Jul 2016

Huge double boxset of Android patches lands after Qualcomm disk encryption blown open

Google has released two bundles of Android security patches this month: a smaller one to handle bugs in the operating system, and a larger package that tackles a raft of driver-level issues, particularly with Qualcomm's hardware. The first tranche of patches includes eight critical, 11 high severity, and nine fixes that are …
Iain Thomson, 6 Jul 2016

Bitcoin child abuse image pervs will be hunted down by the IWF

Blockchain forensics are being harnessed in an effort to clamp down on the trade in images of child sex abuse on the dark web. The Internet Watch Foundation (IWF) is teaming up with Elliptic, a UK blockchain intelligence start-up, in a bid to track individuals who use Bitcoin to pay for images of child sex abuse. The IWF is …
John Leyden, 6 Jul 2016

'Double speak' squawk users as Silent Circle kills warrant canary

Silent Circle has quietly euthanized its warrant canary for 'business reasons' leading privacy pundits to freak out over double negatives and double speak. The much-loved privacy company offers the hardened BlackPhone geared to business folks who want to frustrate the surveillance state and criminals. Like others, its warrant …
Darren Pauli, 6 Jul 2016

Outed China ad firm infects 10m Androids, makes $300k a month

Net scum behind the Hummingbird Android malware are raking in a mind-boggling US$300,000 (£233,125, A$404,261) a month through illegitimate advertising and app downloads from a whopping 10 million infected devices. The offending group, known as Yingmob, is an offshoot of a legitimate Chinese advertising analytics firm with …
Darren Pauli, 6 Jul 2016

TP-Link abandons 'forgotten' router config domains

TP-Link, rather than recovering domains it forgot to renew, is going to abandon them. The domains in question are tplinklogin.net and tplinkextender.net. They offered configuration services for buyers of the company's home routers and Wi-Fi link extenders, and are identified on stickers on some devices (not all: two TP-Link …

HPE rushes out patch for more than a year of OpenSSL vulns

HP Enterprise has popped into its Tardis, and gone back in time to patch OpenSSL bugs dating back to 2014 – including the infamous Logjam bug. The bugs are in various network products: Intelligent Management Center (iMC), the VCX unified communications products, and the Comware network operating system. The company's notice …

Gigabyte BIOS blight fright: Your megabytes’ rewrite plight in the spotlight

Gigabyte has been swept into turmoil surrounding low-level security vulnerabilities that allow attackers to kill flash protection, secure boot, and tamper with firmware on PCs by Lenovo and other vendors. Unconfirmed reports suggest the hardware vendor has used the "ThinkPwn" vulnerable code, thought to be born of Intel …
Darren Pauli, 6 Jul 2016

Chap fails to quash 'shared password' 'hacking' conviction

A man who used his colleagues' passwords to swipe confidential information from his employer has failed to overturn his computer hacking conviction. In a 2-1 decision [PDF] today, the California 9th Circuit Court of Appeals agreed with a lower court's judgment that David Nosal broke the Computer Fraud and Abuse Act (CFAA). In …
Shaun Nichols, 6 Jul 2016

EasyDoc malware adds Tor backdoor to Macs for botnet control

Security firm Bitdefender has issued an alert about a malicious app that hands over control of Macs to criminals via Tor. The software, called EasyDoc Converter.app, is supposed to be a file converter but doesn't do its advertised functions. Instead it drops complex malware onto the system that subverts the security of the …
Iain Thomson, 5 Jul 2016

EU uncorks €1.8bn in cybersecurity investment. Thirsty, UK?

The EU Commission has launched a public-private partnership on cybersecurity that is expected to trigger €1.8bn ($2bn) of investment by 2020. The EU is promising to invest €450m ($502m) in a bid to spur innovation in cybersecurity with the remainder coming from the private sector. Some security commentators reckon the Brexit …
John Leyden, 5 Jul 2016

5 years, 2,300 data breaches. What'll police do with our Internet Connection Records?

Police forces across the UK have been responsible for “at least 2,315 data breaches” over the last five years, according to research by Big Brother Watch, prompting concerns about the increasing amount of data they're holding. Titled Safe in Police Hands? the 138-page report is released today after months of requests made by …

Theft of twenty-somethings' IDs surges

Last year saw a surge in identity fraud against young UK adults, according to official figures published today. Cifas' data reveals identity fraud victims aged 30 and under rose 52 per cent in 2015. Just under 24,000 (23,959) people aged 30 and under were victims of identity fraud, according to figures from the UK’s leading …
John Leyden, 5 Jul 2016

Second celebgate hacker pleads guilty to phishing

A second US man has pleaded guilty to stealing intimate pictures of celebrities using a phishing scam. Edward Majerczyk, 28, who resides in Chicago and Orland Park, Illinois, was charged with hacking into the Apple iCloud and Gmail accounts of more than 300 people, including Hollywood celebrities. In a plea bargaining deal, …
John Leyden, 5 Jul 2016

Word hole patched in 2012 is 'unchallenged' king of Office exploits

Possibly the most exploited unchallenged Microsoft Office vulnerability of the last decade was found and patched in 2012. Sophos threat researcher Graham Chantry says the longevity of the dusty bug affecting Office 2003, 2007, and 2010, is thanks to its constant adaptation by exploit kit authors, and a pervasive unwillingness …
Darren Pauli, 5 Jul 2016

Researcher pops locks on keylogger, finds admin's email inbox

Trustwave researcher Rodel Mendrez has gained access to the inbox of the criminal behind a commercial keylogger used to attack industries including finance, cloud services, logistics, foreign trade, and government. Mendrez's reverse engineering effort found credentials buried within the Hawkeye keylogger that lead through …
Darren Pauli, 5 Jul 2016

Israel's security minister suckers Zucker for Facebook'ed killings

Israel's Public Security Minister Gilad Erdan has blamed Facebook founder Mark Zuckerberg for the killing of Hallel Ariel and Michael Marks. The Minister told local program Meet the Press that Facebook does not do enough to alert security forces to terrorist-related posts after Ariel's killer Muhammad Tarari posted to the social …
Darren Pauli, 5 Jul 2016

Vuln drains energy sector control kit

The US industrial control system computer emergency response team (ICS-CERT) has warned of twin flaws in substation control software. The SICAM Power Automation System contains poorly protected credentials (CVE-2016-5848) and information exposure (CVE-2016-5849) found by Russian researchers Ilya Karpov and Dmitry Sklyarov of …
Team Register, 5 Jul 2016

Mozilla emits nightly builds of heir-to-Firefox browser engine Servo

Mozilla has started publishing nightly in-development builds of its experimental Servo browser engine so anyone can track the project's progress. Executables for macOS and GNU/Linux are available right here to download and test drive even if you're not a developer. If you are, the open-source engine's code is here if you want …
Shaun Nichols, 4 Jul 2016

Klepto Zepto could steal millions in looming ransomware wave

A dangerous new ransomware variant based on the Locky ransomware has security experts worried. The Zepto malware has been carried in nearly 140,000 spam messages sent over four days last week. The ransomware appears to have Locky's capabilities which could make it one of the more dangerous encryption lockers in circulation. …
Darren Pauli, 4 Jul 2016

One in 200 enterprise handsets is infected

If your enterprise has 200 mobile devices, at least one is infected, so says security firm Skycure. The Palo Alto firm has uncovered previous nasty Apple bugs, including the No iOS Zone flaw reported by El Reg last year. All told about three percent of the locked-down vanilla Cupertino devices are infected, the company says in …
Darren Pauli, 4 Jul 2016

SQLite developers need to push the patch

SQLite has pushed out an update to fix a local tempfile bug, to address concerns that the bug could be exploitable beyond the merely local. The bug was found by KoreLogic and reported to the popular open source database project, before being published at Full Disclosure. The issue is that SQLite creates its tempfiles in a …

Here's how to SMS spam Liberal voters and get away with it

It's easy to spam voters with text messages and get away with it. If you wanted to swing voters ahead of a federal election, as the Australian Labor Party is alleged to have done in a message claiming a rival Liberal Coalition Government would privatise the nation's healthcare provider Medicare, you wouldn't send a text …
Darren Pauli, 4 Jul 2016

Lenovo scrambling to get a fix for BIOS vuln

Lenovo, and possibly other PC vendors, is exposed to a UEFI bug that can be exploited to disable firmware write-protection. If the claims made by Dmytro Oleksiuk at Github are correct, an attacker can “disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode (Credential …

UEFA's Euro 2016 app is airing football fans’ privates in public

The official UEFA Euro 2016 app is leaking football fans’ personal data, security researchers warn. The app is transmitting user credentials - including usernames, passwords, addresses and phone numbers - over an insecure internet connection, mobile security outfit Wandera discovered. The lack of encryption in the app, which …
John Leyden, 1 Jul 2016

700,000 Muslim Match dating site private messages leaked online

Hackers have leaked the personal details of 150,000 users of the Muslim Match website after breaking into the niche dating portal. Almost 150,000 user credentials and profiles, as well as more than 700,000 private messages between users, were posted online. "These private messages cover a range of subjects from religious …
John Leyden, 1 Jul 2016

Chinese gambling site served near record-breaking complex DDoS

A Chinese gambling company has been pulverised with multiple nine-vector, 470 Gbps, 110 million packet-per-second distributed denial of service (DDoS) attacks, some of the biggest and most complex ever recorded. The unnamed company was attacked by DDoS that used nine vectors in a very rare bid to bypass Incapsula's mitigation …
Darren Pauli, 1 Jul 2016

Cracking Android's full-disk encryption is easy on millions of phones – with a little patience

Android's full-disk encryption on millions of devices can be cracked by brute-force much more easily than expected – and there's working code to prove it. Essentially, if someone seizes your Qualcomm Snapdragon-powered phone, they can potentially decrypt its file system's contents with a friendly Python script without knowing …
Iain Thomson, 1 Jul 2016

Hydra hacker bot spawns internet of things DDoS clones

Lizard Squad may be mostly behind bars, but their LizardStresser botnet has spawned more than 100 clones. According to Arbor Networks' Matthew Bing, the imitators have lit on the Internet of Things, enslaving thousands of dumb devices with code the hacker group published last year. LizardStresser is an illegal booter service …
Darren Pauli, 1 Jul 2016

400 million Foxit users need to catch up with patched-up reader

Makers of popular PDF reader Foxit have patched 12 dangerous vulnerabilities that could have resulted in remote code execution. Some 400 million users run the flagship reader billed as an alternative to Adobe Reader. The dozen flaws are patched in Windows and Linux variants. Users would need to be conned into opening a …
Darren Pauli, 1 Jul 2016

WA government still hopeless at infosec

Western Australia's Auditor General has panned the state's consistently-awful IT security, delivering its report from a site that Chrome warns isn't doing HTTPS right. The agency has been telling the state government its security is subpar for years. When it ran hostile scans of agency networks in 2011, 14 out of 15 failed to …

Russia, China fight UN effort to extend human rights onto the internet

Russia and China are fighting an effort at the United Nations (UN) to extend human rights to the internet. The resolution was due to be voted on at the UN Human Rights Council (HRC) on Thursday, but the vote was put off until Friday amid growing tensions and a spotlight put on the vote by a campaign of over 80 organizations, …
Kieren McCarthy, 30 Jun 2016

Encryption, wiretaps and the Feds: THE TRUTH

Figures published this month suggest fewer Americans are using encryption to secure their communications – but if you look into the detail, the opposite is probably closer to reality. The latest Wiretap Report from the US courts system – which counts up the number of requests from investigators to spy on people's chatter in …
Shaun Nichols, 30 Jun 2016

Hackers: Ditch the malware, we're in... Just act like a normal network admin. *Whistles*

Hackers almost exclusively use standard network admin tools to move around a compromised network once they’ve broken in using malware or other hacking techniques. Researchers at security startup LightCyber found that 99 per cent of post-intrusion cyberattack activities did not employ malware, but rather employed standard …
John Leyden, 30 Jun 2016

Big Blue finds big green in derailing transport

The transport sector is a booming lucrative playground for cyber criminals that is increasingly fragmented, IBM researchers say. The findings in a report Security trends in the transportation industry reveal that airlines, trucking, and parking sector companies are being hosed for credit cards and sensitive information. Big …
Team Register, 30 Jun 2016