
Commuters slam UK rail operator c2c. You slow, late, er... privacy violator

Commuters in the south east of England, already angry about recent timetable changes and delays, have been further incensed by basic security blunders by rail operator c2c as it tried to placate passenger disquiet with a new compensation form on its website. The company, which operates rail service between London Fenchurch …
John Leyden, 25 Jan 2016

Sainsbury's Bank web pages stuck on crappy 20th century crypto

Update Sainsbury's Bank website still relies on insecure cryptography protocols that more security conscious organisations have abandoned as obsolete. The UK supermarket-owned bank’s "secure" site rates an “F” in tests using the industry standard Qualys’ SSL Labs service – chiefly because of the support for protocols security experts …
John Leyden, 25 Jan 2016

Thought you were safe from the Fortinet SSH backdoor? Think again

Fortinet has admitted that many more of its networking boxes have the SSH backdoor that was found hardcoded into FortiOS – with FortiSwitch, FortiAnalyzer and FortiCache all vulnerable. Last week, a Python script emerged that could allow anyone to get administrator-level access to some of Fortinet's firewall devices using …
Iain Thomson, 23 Jan 2016

Airbus, Boeing aero parts maker loses $54m in cyber-stick-up

An Austrian engineering firm is counting the cost of poor IT security after admitting €50m ($54m) has gone missing from its accounts following a "cyber fraud." FACC Operations makes airplane parts for giants like Airbus and Boeing, and is majority owned by a Chinese holding company. It insists its intellectual property, …
Iain Thomson, 22 Jan 2016

Irish government websites hit by widening DDoS attacks

A number of Irish government-related and public sector websites were knocked offline by an apparent DDoS attack on Friday morning. The latest assaults follow apparently similar web attacks on the popular boards.ie discussion boards (bang) and the Irish National Lottery (wallop) earlier this week. At the time of the first of the …
John Leyden, 22 Jan 2016

Rust 1.6 released, complete with a stabilised libcore

The latest release of Rust, the secure systems programming language which will hopefully do away with buffer overflows, features a stabilised core library which should encourage developers' confidence in adopting it – at least for some smaller projects, for the time being. Rust (README) was originally developed by Graydon Hoare …

Gotcha: Symantec fires reseller nabbed in tech support scam

An authorised Symantec reseller has been caught hoodwinking users into buying security software by employing underhand marketing tactics. Silurian Tech Support was spotted flinging fake Norton-themed security warnings in an attempt to drum up business by Symantec rival Malwarebytes. The alerts were used to direct users towards …
John Leyden, 22 Jan 2016

Bounty hunters won't blink until you dangle US$1500 bug reward

Organisations that aspire to operate bug bounty programs should be prepared to pay at least $1500 for impactful vulnerability reports, according to Bug Crowd. A document and questionnaire published today by the managed bug bounty platform offers businesses the ability to pair their current security postures, revenue, and staff …
Darren Pauli, 22 Jan 2016

That one weird trick fails: Google binned 780 million ads last year

Google blocked 780 million malicious and annoying advertisements last year, up from 256 million in 2014. The company says it has destroyed more than 10,000 sites foisting software like download wrappers, which install adware and the like. This, it says, reduced the total unwanted downloads through Google ads by 99 percent. …
Darren Pauli, 22 Jan 2016

RSA asks for plaintext Twitter passwords on conference reg page

Scores of security bods registering for security outfit RSA's Executive Security Action Forum (ESAF) have handed over their Twitter account passwords to the company's website in what is seen as something between bad practice and outright compromise. The registration process for the February 29 event asks delegates to enter their …
Team Register, 22 Jan 2016

AMX backdoors US govt's comms system with Batman-inspired surveillance mode

AMX, which supplies communications kit for the White House, US military, and several of the largest corporations, built a superhero-themed surveillance backdoor into its products. An analysis of the AMX NX-1200 communications controller by researchers at SEC Consult showed the device had a "setUpSubtleUserAccount" function. …
Iain Thomson, 21 Jan 2016

GCHQ spies quashed this phone encryption because it was too good against snoopers

The researcher who discovered that the UK government's phone encryption standard has a huge backdoor installed has made another discovery: GCHQ's rejection of a better encryption standard because it didn't allow for undetectable spying. Dr Steven Murdoch has updated his original post on the MIKEY-SAKKE standard, developed by …
Kieren McCarthy, 21 Jan 2016

Samsung sued over 'lackadaisical' Android security updates

Samsung is being sued by a Dutch consumer group for its alleged lackadaisical approach to security updates for its Android phones. The Dutch Consumers’ Association (DCA) claims that an incredible 82 per cent of Samsung phones do not have the latest version of Android installed. It blames the Korean giant for failing to prod …
Kieren McCarthy, 21 Jan 2016

Ukraine energy utilities attacked again with open source Trojan backdoor

Battered Ukrainian electricity utilities are being targeted with backdoors in attacks possibly linked to those fingered for recent blackouts. The phishing attacks are attempting to get backdoors installed on utility company computers using techniques similar to those seen in the BlackEnergy attacks. BlackEnergy ripped through …
Darren Pauli, 21 Jan 2016

Bad luck, Ireland: DDoS attack disrupts isle's National Lottery

A DDoS attack disrupted the Irish National Lottery’s website and ticket machines on Wednesday (January 20). The draw took place as normal despite two hours of disruption beforehand. "Indications are that this morning's technical issues were as a result of a DDoS attack affecting our communications networks," a statement from …
John Leyden, 21 Jan 2016

Asda slammed for letting vulns fester on its cyber shelves

Supermarket chain Asda has come under fire for sitting on a potentially serious set of web vulnerabilities on its website for almost two years. As first reported by The Register on Monday, UK security consultant Paul Moore warned Asda about a shopping list of online vulnerabilities in March 2014. Asda upped the grade of its …
John Leyden, 21 Jan 2016

HD Moore exiting Rapid7 for VC-land

HD Moore, the security researcher and hacker whose accomplishments include the Metasploit Framework, the Critical.IO scanning project and a bunch of critical vulnerability discoveries as chief technology officer of Rapid7, has succumbed to the siren song of venture capital. In this post at Rapid7, he's announced that he's …

No, that Linux Keyrings bug isn't in '66 per cent of Android devices'

When the Linux “Keyrings” vulnerability landed yesterday, headlines said it would affect “millions” of devices, partly because it was thought to be widely present in Android as well. El Reg wondered at this, because it's not part of the recommended Android kernel configuration, so we're going to be a little bit smug: however …

FireEye buys iSight Partners for $200M

Security giant FireEye has bought threat company iSight Partners for US$200 million, marking a notable consolidation in the sector. It brings the threat intel company, notable for its research into sophisticated and nation-state attacks, into the fold of the network security mammoth. FireEye will pay another $75 million in …
Darren Pauli, 21 Jan 2016

Dridex malware busting bursting British business bank balances

IBM threat analyst Limor Kessem says the Dridex trojan has been revamped and for the last fortnight has targeted rich UK bank accounts in an expensive and well-resourced campaign. The gang behind the malware, dubbed Evil Corp, released the update to Dridex detected 6 January such that it would go after the richest British …
Darren Pauli, 21 Jan 2016

While you pretended to work, Cloud operators fixed two Xen bugs

While lots of the world was easing into a new year of work in the week of January 4th, big cloud concerns running customer-facing Xen rigs were probably patching two new bugs in the hypervisor. The Xen Project's policy is to let big cloud operators and others on a pre-disclosure list know about bugs two weeks before the rest …
Simon Sharwood, 21 Jan 2016

Cisco patch day fixes CGI script blunder, hard-coded credentials

If you've got a Cisco Unified Computing System or a Firepower 9000 Series appliance, get busy patching. The Borg says it slipped up and let a CGI script make unprotected calls to shell commands. By fooling around with the URL, an attacker would be able to send arbitrary commands to the affected kit. All versions of UCS …

New open-source ad-blocking web browser emerges from brain of ex-Mozilla boss Eich

A new open-source browser that blocks ads and tracking code and so promises to "fix the Web" by offering a faster, privacy-respecting experience has been released. The Brave browser is the brainchild of former Mozilla (Firefox) CEO and JavaScript inventor Brendan Eich, and version 0.7 is now available to developers on GitHub …
Kieren McCarthy, 20 Jan 2016

It's 2016 and idiots still use '123456' as their password

Put your head in your hands, sysadmins: the usual weak suspects continue to make up the 25 most-used passwords. The ubiquitous "123456" remains the most popular password among web users, followed by "password", in a list of user credentials leaked online last year. "Qwerty" appears in fourth place of the list of …
John Leyden, 20 Jan 2016

Trojan-filled Chrome extensions for Steam boil off gamers' assets

Miscreants are slinging fraudulent Chrome extension trojans at gamers that, if installed, will empty victims’ Steam inventory. Security researcher Bart Blaze warned that supposedly "helpful" Chrome extensions for Counter-Strike: Global Offensive (CS:GO) are actually scamware. “Instead of being able to change your CS:GO Double …
John Leyden, 20 Jan 2016

For pity's sake, enterprises, upgrade your mobile OS - report

Nine out of 10 enterprise mobile devices are using out-of-date operating systems, according to a new study, with upgrade issues increasing users' exposure to breaches, Duo Security warns. The analysis of more than one million iOS and Android mobile devices in use at enterprises revealed that running updates is still hit …
John Leyden, 20 Jan 2016

Hot Potato exploit mashes old vulns into Windows System 'sploit

Shmoocon Foxglove Security bod Stephen Breen has strung together dusty unpatched Windows vulnerabilities to gain local system-level access on Windows versions up to 8.1. The unholy zero-day concoction, reported to Microsoft in September and still unpatched, is a reliable way of p0wning Windows for attackers that have managed to pop …
Darren Pauli, 20 Jan 2016

Inside Intel's CPU-level multi-factor auth (and why we've got deja vu)

Analysis Intel has baked multi-factor authentication defenses into its sixth-generation Core processors. On Tuesday, the California chip giant sprung this news on the world, revealing what it seemed to be saying was a really big secret: all this time, the sixth-gen Core family, launched in September, has had brand-spanking new multi- …
Chris Williams, 20 Jan 2016

Ad-clicking bots predicted to rip US$7.2 billion from Mad Men

Botnets will inflict a massive US$7.2 billion in damages against online advertisers this year according to research by ad security company White Ops. Last year the industry was said to have lost US$5 billion, close to the $6.3 billion White Ops predicted in December 2014, thanks to the scourge of botnets that hugely inflate …
Darren Pauli, 20 Jan 2016

Oracle drops 248 – count 'em – 248 patches, to fix ... something

Oracle has just pushed out its quarterly batch of critical patches, so sysadmins had best get busy. The bug-splat haul covers a record-setting 248 individual fixes, with the full list here. The Oracle E-Business Suite gets the biggest serve, with a whopping 78 bugs patched, 68 of which are remotely exploitable without …

Fears of fiber cable cuts, rogue drones menacing crowds at Super Bowl 50

A security memo from the FBI and Department of Homeland Security has warned of the dangers from a high-tech attack against crowds flocking to Silicon Valley for this year's Super Bowl jamboree. The climactic game will be held in the San Francisco 49ers stadium in Santa Clara on February 7, although there will be a series of …
Iain Thomson, 20 Jan 2016

Cisco patches borked web box proxy hole

Cisco has patched a vulnerability in its Web Security Appliance that allows unauthenticated remote attackers to bypass security controls. The bug (CVE-2016-1296) allows attackers to use proxies when such traffic should be restricted. Affected users of versions 8.5.3-055, 9.1.0-000, and 9.5.0-235 should apply the released fix …
Team Register, 20 Jan 2016

European human rights court rules mass surveillance illegal

The European Court of Human Rights (ECHR) has ruled that mass surveillance is illegal, in a little-noticed case in Hungary. In a judgment last week, the court ruled that the Hungarian government had violated article 8 of the European Convention on Human Rights (the right to privacy) due to its failure to include "sufficiently …
Kieren McCarthy, 20 Jan 2016

Internet of Things 'smart' devices are dumb by design

Princeton boffins have looked at the networking behavior of a bunch of Internet of Things kit and found – stop me if you've heard this one – device makers aren't paying attention. The pair, PhD student Sarthak Grover and Center for Information Technology Policy fellow Roya Ensafi, say the devices they tested obey the rules of …

Afraid of getting your iThing pwned? Get yourself iOS 9.2.1

Apple has posted an update for iOS, including patches for 13 CVE-listed security flaws. The Cupertino giant said that the iOS 9.2.1 update bundles the security fixes with a patch for a bug in the Apple Mobile Device manager that had prevented some iOS devices from installing apps. Note that this update will not fix the weird …
Shaun Nichols, 19 Jan 2016

For fsck's SAKKE: GCHQ-built phone voice encryption has massive backdoor – researcher

The UK government's official voice encryption protocol, around which it is hoping to build an ecosystem of products, has a massive backdoor that would enable the security services to intercept and listen to all past and present calls, a researcher has discovered. Dr Steven Murdoch of University College London has posted an …
Kieren McCarthy, 19 Jan 2016

How to get root on a Linux box, step 1: Make four billion system calls

Oh look, it's another Linux kernel bug that allows a local user to escalate themselves to root. In exploiting CVE-2016-0728, discovered by Perception Point, “patience you must have,” because you have to cycle a 32-bit integer in the kernel around to zero. That means making 4,294,967,296 system calls to exploit the …

Prez Obama sends Iranian defense hacker home in prisoner swap

An Iranian hacker who attempted to steal military secrets from an American company has been sent back to the Islamic republic with a pardon, as part of a prisoner exchange program. Nima Golestaneh, 30, was extradited to the US from Turkey last year after being fingered for a hacking attack against US defense contractor Arrow …
Iain Thomson, 19 Jan 2016

Cisco: Businesses are losing the ground war against hackers

Only half (54 per cent) of businesses are confident in their ability to verify and defend against an attack, according to a study by networking giant Cisco. Cisco's latest Annual Security Report concluded that this lack of confidence is mostly down to hackers becoming more nimble, resilient and persistent while businesses are …
John Leyden, 19 Jan 2016

UK govt: No, really, we're not banning cryptography

IPB The UK government has restated it has no desire to ban strong encryption, nor will it require surreptitious access to communications, in a response to several accusations levelled against it. In a response to a parliament.uk petition with over 10,000 signatures, the Home Office repeated that it "is not seeking to ban or limit …

Boards.ie floored by DDoS assault

Productivity in the Emerald Isle may have peaked on Tuesday with an outage of popular forum boards.ie coming on top of Twitter's TITSUP moment. The popular boards.ie discussion board was out for the second day following an apparent denial of service attack. The DDoS, by parties as yet unknown, was confirmed via the official …
John Leyden, 19 Jan 2016

Microsoft: We’ve taken down the botnets. Europol: Would Sir like a kill switch, too?

Last December, Microsoft intercepted traffic on users’ PCs and helped break up a botnet. And nobody complained. So the company very tentatively asked at a session on ethics and policy in Brussels this week whether it should do more. John Frank, Microsoft's VP of European Government Affairs, explained how Microsoft had helped …
Andrew Orlowski, 19 Jan 2016