Hackers cook god-mode remote exploits against Edge, VMware in world-first

Power of Community: Hackers have twice completely compromised Microsoft Edge operating on Windows 10 Redstone 1 and for the first time twice broken VMware Workstation without user interaction. The bugs landed via SYSTEM-level remote code execution while the second VMware hacks could also be performed remotely. The four hacks were demonstrated …
Darren Pauli, 10 Nov 2016

How to avoid DDoSing yourself

In the wake of last month's distributed denial of service (DDoS) attack against Dyn, a DNS management service, Google engineers want to remind application developers that self-harm represents a more realistic risk. Just as US citizens have a greater chance of being crushed by falling furniture than of dying at the hands of …
Thomas Claburn, 10 Nov 2016

IoT worm can hack Philips Hue lightbulbs, spread across cities

Researchers have developed a proof-of-concept worm they say can rip through Philips Hue lightbulbs across entire cities – causing the insecure web-connected globes to flick on and off. The software nasty, detailed in a paper titled IoT Goes Nuclear: Creating a ZigBee Chain Reaction [PDF], exploits hardcoded symmetric …
Darren Pauli, 10 Nov 2016

$10m of Bangladeshi SWIFT heist ended up in Filipino Casino

At least some of the US$81 million lifted from Bangladeshi banks in recent hacks on the Society for Worldwide Interbank Telecommunication (SWIFT) inter-bank transfer network has been tracked down to a casino in the Philippines. The February heist relied on malware dropped on a SWIFT terminal used by Bangladesh's central bank. …

Fatigue fears over bug bounty programs

Bug bounty fatigue means that bounty hunters are only picking up the easy-to-find flaws while leaving more difficult-to-tease-out vulnerabilities undiscovered, according to a security testing organization. High-Tech Bridge said its mix of automated scanning and manual inspection is unearthing problems at organizations that …
John Leyden, 9 Nov 2016

Trump's torture support could mean the end of GCHQ-NSA relationship

Comment: If comments made on the campaign trail by Donald Trump were sincere, then today's British government will need to do some serious soul-searching very soon. Trump, who was today announced as the president-elect of the United States of America, has been controversially outspoken while seeking to be nominated as the Republican …

UK's 'FBI' hit by DDoS barrage

The public-facing website for the UK's National Crime Agency has wobbled today under a Distributed Denial of Service Attack. The NCA – dubbed Britain's FBI – told The Register its site was "an attractive target" and that "attacks on it are a fact of life." A spokesperson dismissed the skiddies' tool of choice, and branded …

Losses and sales up, shares down at Sophos

Losses at London Stock Exchange-listed Sophos have gone up despite increasing sales. For the six months up to 30 September, revenues were $256.9m (£207.4m) compared to $234.2m in the same period a year ago. Losses, however, widened from $13.4m to $24.6m on rising R&D costs and more recurring business. Unified Threat …
John Leyden, 9 Nov 2016

What do you give a bear that wants to fork SSL? Whatever it wants!

Into a world already crowded with big name alternatives to OpenSSL, an indy project could look like “yet another SSL implementation,” but Vulture South suspects there are good reasons to take a close look at the just-launched BearSSL. One is that its author, Thomas Pornin, has ignored the kinds of legacy protocols that occupy …

Finns chilling as DDoS knocks out building control system

Residents in two apartment buildings in the Finnish town of Lappeenranta had a chill-out lasting more than a week after a DDoS attack battered unprotected building management systems. The apartments are managed by a company called Valtia. The attack blocked the building management systems' Internet connections, according to …

Computer glitches force US election poll stations to stay open for longer

Polling stations in the swing US state of North Carolina will stay open late after mystery glitches stopped electronic voting systems from working. The board of elections in the political battleground voted within the past hour or so to allow eight precincts in Durham and Columbus counties to stay open past the previously …
Shaun Nichols, 9 Nov 2016

Judge throws out Trump lawyer's demand for poll worker info – because it'll feed Twitter trolls

A judge in Nevada has thrown out a lawsuit from a lawyer representing Donald Trump, arguing that she would not order the release of election poll worker information due to "Twitter trolls." "There will no harassment," argued Brian Hardy, the campaign's lawyer, who wants the details about people present at an early-voting poll …

The big day is here and it's time to decide: Patch Flash, Windows, Office or Android first?

Today is the second Tuesday of the month, and that means a fresh round of security updates from the likes of Microsoft, Adobe and Google. The November edition of Patch Tuesday brings with it fixes for Windows, Flash Player, Internet Explorer, Edge, Office and Android. For Microsoft, the monthly update comprises a total of 14 …
Shaun Nichols, 8 Nov 2016

SpamTorte botnet gets turbo-charged

A revamped version of the Torte botnet malware is turning insecure CMS servers into spam-spewing zombies. SpamTorte 2.0 is a powerful, multi-layered Spambot that is capable of running large-scale spam campaigns while cleverly masking itself to avoid detection, security firm Verint warns. The SpamTorte botnet relies on …
John Leyden, 8 Nov 2016

Definitely not another Stuxnet, researchers claim as they demo industrial control rootkit

Black Hat EU: Security researchers have come up with another way to hack Programmable Logic Controllers (PLCs) at industrial plants. Ali Abbasi, a PhD student at the University of Twente, and Majid Hashemi, a research engineer at Quarkslab, have developed an attack that involves tweaking the PIN configuration of a system chip in order to …
John Leyden, 8 Nov 2016

'Trust it': Results of Signal's first formal crypto analysis are in

Encrypted SMS and voice app Signal has passed a security audit with flying colours. As explained in a paper titled A Formal Security Analysis of the Signal Messaging Protocol [PDF], published by the International Association for Cryptologic Research, Signal has no discernible flaws and offers a well-designed and compromise- …
Darren Pauli, 8 Nov 2016

Google to patch Chrome mobile hole after bank trojan hits 318k users

An Android Chrome bug that's already under attack - with criminals pushing banking trojans to more than 300,000 devices - won't get patched until the next release of the mobile browser. The flaw allows malware writers to quietly download Android app installation (.apk) files to devices without requiring approval. Users need …
Darren Pauli, 8 Nov 2016

Netflix flattens bug that allowed account p0wnage via voicemail

Netflix has reworked its password reset function after an Austrian security researcher demonstrated how an attacker could spoof it to take over a victim's account. Fortunately, the bug wasn't universal: it depended on the customer's mobile carrier being one that hasn't properly protected users' voicemail accounts from …

Turn off remote admin, SOHOpeless D-Link owners

It's 2016, and D-Link still can't get its Home Network Automation Protocol (HNAP) implementation right. In a terse advisory, the Carnegie-Mellon CERT says the HNAP service in D-Link's "DIR" range of routers has a stack-based buffer overflow. “Processing malformed SOAP messages when performing the HNAP Login action causes a …

Ransomware repulsion regimes revealed!

Promo: Ransomware is a type of malware that sees criminals make your critical business data inaccessible by encrypting it and throwing away the decryption key … until you pay them a ransom. Ransomware is pervasive, evolving fast and hard to combat, not least because the criminals who spread it often take your money without decrypting …
Team Register, 8 Nov 2016

Android's Hover feature is a data HOOVER

That took a while: Android's had Hover since Ice Cream, but boffins have taken until now to work out how to attack it. Hover is a set of interface calls that let application designers imitate mouse-over behaviours people know from PCs, and it only needs to be implemented on a phone or tablet to be vulnerable - whether or not a …

China passes new Cybersecurity Law – you have seven months to comply if you wanna do biz in Middle Kingdom

On Monday, the Chinese government officially passed its 2016 Cybersecurity Law. From June 2017, all companies doing business in the Middle Kingdom will have to obey the new rules. The legislation, approved by the National People's Congress, takes away the last vestiges of anonymity for China's 710 million internet users, and …
Iain Thomson, 7 Nov 2016

Chinese chap in the clink for trying to swap US Navy FPGAs with fakes to beat export ban

A Chinese national starts a 15-month stretch behind bars for trying to swap reprogrammable chips destined for the US Navy with fakes, and smuggle the real gear out of the country. Xianfeng Zuo, 38, was sentenced on Friday in Connecticut after he pleaded guilty to conspiracy to traffic in counterfeit goods. Zuo, of Shenzhen, …
Shaun Nichols, 7 Nov 2016

Web security still outstandingly mediocre, experts report

Black Hat EU: Cross-site scripting (XSS) vulnerabilities continue to dominate the list of most common vulnerabilities found in real-world tests. In more than a third (37 per cent) of cases, a website vulnerable to XSS is also vulnerable to a more critical flaw such as SQL injection or improper access control, according to web security …
John Leyden, 7 Nov 2016

Boffins turn phone into tracker by abusing pairing with – that's right – IoT kit

Black Hat EU: Security researchers have worked out how to hack into a smartphone and turn it into a tracking device by abusing its pairing with a Belkin home automation device. Joe Tanen and Scott Tenaglia of Invincea Labs were able to root a WeMo device before injecting code into the WeMo Android app from a compromised WeMo device. The …
John Leyden, 7 Nov 2016

Tesco Bank limits online transactions after fraud hits thousands

Tesco Bank has restricted the operations of current accounts after funds were looted from a reported 20,000 accounts. The UK bank has confirmed a fraudulent attack, which is under investigation. In the meantime it has suspended online transactions from current accounts, including contactless transactions. Customers can still …
John Leyden, 7 Nov 2016

Tech support scammers use denial of service bug to hang victims

Tech support fraudsters have taught an old denial of service bug new tricks to add a convincing layer of authenticity to scams. The HTML5 bug allows sites to chew up a mountain of processor capacity, causing browsers to hang. Scammers deploy the few lines of code needed to trigger the bug, hang browsers and then display a …
Darren Pauli, 7 Nov 2016

Cerber ransomware menace now targeting databases

Criminals behind the massive Cerber ransomware enterprise are now targeting businesses as well as individuals with a module that kills and encrypts databases, warns Intel's former security arm McAfee. Cerber had conducted more than 160 campaigns when examined in July targeting 150,0000 users and raking in a cracking US$195,000 …
Darren Pauli, 7 Nov 2016

School cyber safety spiel shows smut to 'Strayan students

ENTIRELY SFW VID: A school cyber safety spiel delivered by Symantec's Norton brand at Australia's Robina High School has resulted in smut being displayed to the assembled students. The talk was hosted by Symantec security bod Nick Savvides and featured former NFL footballer Jarryd Hayne, who used social media to good effect when making the move …
Team Register, 7 Nov 2016

Password reset warrior arrested for popping 1050 student accounts

An Arizona man has been arrested for hacking 1050 email accounts at two United States universities, plus attempts to do so at some 75 other educational institutions. Jonathan Powell, 29, is alleged to have used password reset features to change logins for some 1050 accounts at the universities before breaching connected social …
Darren Pauli, 7 Nov 2016

Apple, Mozilla kill API to deplete W3C battery-snitching standard

Apple and Mozilla are leading the charge away from a W3C standard, because it's too much of a privacy risk. The Register reported the battery-snitching capability in August 2015. The W3C's idea was that if HTML included properties to look at the state of users' batteries, it could de-cruft the Web pages it served if your …

User danger declines as two thirds of Chromistas now use HTTPS

Two in three web pages served over the world's favourite web browser Chrome are now secured with HTTPS, Google says. The good news applies to Chrome on the desktop and signifies progress in the long-hoped-for decline of insecure cleartext browsing. Chrome security bods Adrienne Porter Felt and Emily Schechter say all …
Darren Pauli, 7 Nov 2016

Cisco's job applications site leaked personal data

Cisco has fixed a vulnerability in its Professional Careers portal that may have exposed truckloads of personal information. The networking giant has sent an email to affected users in which it says a "limited set of job application related information" was leaked from the mobile version of the website, blaming an "incorrect …
Darren Pauli, 6 Nov 2016

El Paso city bungs $3.2m to email crooks pretending to be bosses

After keeping quiet for days, the city of El Paso, Texas, has finally admitted that it has fallen prey to "CEO fraud" emails that saw scammers funnel $3.2m from the authorities using bogus invoices. The city is building a $97m streetcar project in its downtown district, but red flags were raised in October when a key …
Iain Thomson, 4 Nov 2016

Brit cops cuff 14 in £11m money-laundering malware ring sting

The UK’s National Crime Agency has arrested 14 people suspected of using the Dridex and Dyre malware to launder £11m in stolen cash. The 13 men and one woman, some of whom were not British nationals, were aged between 23 and 52. A dozen were arrested in London, and the other two in Daventry and West Bromwich. Cash, mobile …

Computer forensics defuses FBI's Clinton email 'bombshell'

Analysis: Since igniting a political firestorm and triggering major changes in US presidential voting intentions by revealing some emails passing through Hillary Clinton's private email server had been found in an unrelated criminal investigation, the FBI has gone to ground. The US criminal investigation bureau has repeatedly refused to …

Mirai IoT botnet blamed for 'smashing Liberia off the internet'

The West African country of Liberia was allegedly flooded offline this week. Early indications are that miscreants blasted the nation's rudimentary net infrastructure using the same method that rendered hundreds of the world's most popular websites inaccessible at the end of October. Once again the Mirai IoT botnet has been …
John Leyden, 4 Nov 2016

Anti-ultrasound tech aims to foil the dog-whistle marketeers

Black Hat EU: Marketeers are coming up with ways to invade our privacy in the interests of serving us ads in a way that goes far beyond the dire predictions of films such as Minority Report. Security researchers are already thinking about countermeasures. Cross-device tracking (XDT) technologies allow marketeers to track the user's visited …
John Leyden, 4 Nov 2016

World-leading heart hospital 'very, very lucky' to dodge ransomware hit

World-leading Papworth Hospital has escaped a full-on zero-day crypto ransomware attack thanks to the "very, very lucky" timing of its daily backup. It's believed that an on-duty nurse at the heart and lung hospital in Cambridgeshire, UK, unwittingly clicked on something in an infected email, activating the attack at about …
SA Mathieson, 4 Nov 2016

Tokens of terror spark 'major security update' at GitLab

The co-founder of HackerOne, Jobert Abma, has reported a critical GitLab vulnerability that allowed remote code execution on application servers. Abma says the vulnerability allowed anyone who could create projects to pop the servers hosting GitLab if administrators enabled importation of previously-exported GitLab files. …
Team Register, 4 Nov 2016

Microsoft extends support for EMET security tool

Microsoft has extended the support life of its enhanced mitigation toolkit (EMET) affording Windows 8 laggards an extra 18 months of protection. EMET adds extra defences to older versions of Windows, dating all the way back to Vista. Among the improvements it offers are address space layout randomisation and data execution …
Darren Pauli, 4 Nov 2016

Is password security at just $1/month too expensive for most?

With major breaches regularly turning up a prevalence of laughably predictable passwords, you'd think that the likes of password locker LastPass should find it easy to sell its wares for US$1 a month. But even that price looks to be a hard sell: why else would the company have taken features from its Premium product and made …