Third patch brings more admin Shellshock for the battered and Bashed

A third patch, from Red Hat engineer Florian Weimer, has been released for the vulnerable Bash Unix command-line interpreter, closing off flaws found in two previous fixes. Weimer's unofficial fix was adopted upstream by Bash project maintainer Chet Ramey and released as Bash-4.3 Official Patch 27 (bash43-027) which addressed a …
Darren Pauli, 30 Sep 2014

Apple finally patches Bash Shellshock vuln that WAS NOT A WORRY, OK?

Apple and F5 are the latest big-name vendors to post responses to the “Shellshock” vulnerability in Bash. Just days after saying “the vast majority of OS X users are not at risk”, Cupertino has posted Bash fixes for OS X Lion, Mountain Lion, and Mavericks. The fix is now available in OS X users' Software Update. It would, …

CloudFlare: You get SSL, and you get SSL, EVERYBODY GETS SSL!

CloudFlare announced today it will extend SSL support to customers who use its free cloud-based web hosting service. The firm said its Universal SSL program will allow said customers to encrypt and secure web traffic between visitors and websites cached by CloudFlare. CloudFlare will provide SSL certificates that are valid for …
Shaun Nichols, 29 Sep 2014

Shellshock: 'Larger scale attack' on its way, warn securo-bods

The Shellshock vulnerability has already become the focus for malicious scanning and at least one botnet but crooks are still testing the waters with the vulnerability and much worse could follow, security watchers warn. Net security firm FireEye said it has seen all manner of overtly malicious traffic leveraging the Bash bug, …
John Leyden, 29 Sep 2014

Spammer uses innocent hacked blogs to punt NAKED PICS of JLaw, McKayla Maroney

A long established smut spammer is using hacked websites to sell stolen photographs of naked celebrities including Jennifer Lawrence, Kate Upton and McKayla Maroney. The miscreant (who uses compromised web servers to host his landing pages) has altered his pitch to include copies of the recently released stolen photographs of …
John Leyden, 29 Sep 2014

SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches

The majority of Fortune 1000 and Global 2000 companies have already deployed, or are now deploying, Shellshock patches to fend off code attacks, according to cloud security firm CloudPassage. The Shellshock vulnerability allows remote attackers to execute arbitrary code on servers using a variety of techniques, with the CVE-2014 …
John Leyden, 29 Sep 2014

SIEMs like a good idea: How to manage security in real time

Register now for this webcast that explains how security information and event management (SIEM) can work, what it does, and how to fit it into your existing security environment. Watch this live event today at 13:00 BST (8:00 EST) - if you can't make it, just sign up and we will email you when the recording is available. …
David Gordon, 29 Sep 2014

Fraud shop OVERSTOCKED with stolen credit cards

Infamous carding store Rescator.cc is so chock-full of stolen credit cards from recent high-profile breaches that it's gutting its prices due to overstocking. The fire sale makes a mockery of the security in place at some of the world's biggest retailers, many of which have in recent months been invaded by hackers who have made …
Darren Pauli, 29 Sep 2014

Ruskies use commercial crimeware to mask 'patriotic' Ukraine hacks

Political hack-attacks are being made to look like bread-and-butter financial fleecing scams, according to researcher F-Secure, after watching Russian hacker collective Quedagh's use of the popular BlackEnergy exploit kit. The group customised the off-the-shelf malware to attack Ukrainian agencies located in Dnipropetrovsk, in …
Darren Pauli, 29 Sep 2014

Pizza stores popped, sandwich stores sacked in PoS plunder

Some 324 restaurants across the United States, including 216 Jimmy John's outlets, have had payment terminals compromised by malware after a breach at vendor Signature Systems. The massive breach occurred when an intruder stole remote log-in credentials for Signature's point of sale (PoS) kit, according to cyber-crime reporter …
Darren Pauli, 29 Sep 2014

Cisco splats Bash bug in busy swatting season

Cisco has begun its response to the Bash “Shell Shocked” vulnerability, the 20-year-old bug that's sent the *nix world into a frenzy. It's going to be a long slog for the Borg, but in its advisory, Cisco has so far identified 31 individual products vulnerable to Shell Shocked, compared to seven confirmed not vulnerable. Another …

Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT

Ello, the social network site intended to serve as something of an antidote to ad-stuffed Facebook, was hit by a suspected Distributed-Denial-of-Service attack today. The outfit, which has gained plenty of press coverage in the past week after employing the classic invite-only marketing trick to lure in more users, said on its …
Kelly Fiveash, 28 Sep 2014

SMASH the Bash bug! Apple and Red Hat scramble for patch batches

A fresh dump of Shellshock patches was released on Friday night in the latest move to stamp out the Bash shell security vuln that has the potential to blight millions of Linux, Unix and Mac OS X machines. Red Hat said in a blog post that the threat from Shellshock was receding now that patches had been issued for most operating …
Team Register, 28 Sep 2014

Regina Eggbert gives her signature rundown of the week's tech news

Vid Tune in for a brief rundown of the week's eggiest tech tales from The Reg's avatar news anchor Regina Eggbert. Then find out more about this week's stories, including shell-shocked Bash, PC abandonment issues and bent mobes – here, here and here.

Rackspace to hit GLOBAL CLOUD REBOOT button to flush out Xen security nasty

Rackspace has warned its customers that it plans to reboot all of its servers across the globe to nix a security bug that was first spotted in the Xen virtualisation platform earlier this week. The managed cloud outfit told its customers about the "maintenance work" in an email, seen by The Register, that was sent out early on …
Kelly Fiveash, 27 Sep 2014

Oracle SHELLSHOCKER - data titan lists unpatchables

Oracle has confirmed that at least 32 of its products are affected by the vulnerability recently discovered in the Bash command-line interpreter – aka the "Shellshock" bug – including some of the company's pricey integrated hardware systems. The database giant issued a security alert regarding the issue on Friday, warning that …
Neil McAllister, 27 Sep 2014

Stunned by Shellshock Bash bug? Patch all you can – or be punished

Updated The UK's privacy watchdog is urging organisations to protect their systems against the infamous Shellshock vulnerability in Bash – even though the full scope of the security bug remains unclear. The Shellshock flaw affects Bash up to and including version 4.3. It's a vital component of many Linux and Unix systems, as well as …
John Leyden, 26 Sep 2014

Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'

Security geeks have worked out a formula for determining which of a series of formerly blacklisted domains would be reused in malware attacks. The method combines the domain name with the generic Top Level Domain, IP address alterations and the cost of a domain transfer. Under the right conditions, the researchers say, the …
Darren Pauli, 26 Sep 2014

Bad boy builds beastly Bash bug botnet, boxen battered

Mere hours after its discovery, the Shell Shock Bash vulnerability was exploited by an attacker to build a botnet. The bot was discovered by a researcher known as Yinette, who reported it on her Github account and said it appeared to be remotely controlled by miscreants. Rapid 7 researcher Jen Ellis noted in a blog the discovery …
Darren Pauli, 26 Sep 2014

FBI boss: Apple's iPhone, iPad encryption puts people 'ABOVE THE LAW'

FBI Director James Comey has complained that Apple and Google's use of stronger encryption in smartphones and tablets makes it impossible for cops and g-men to collar criminals. "There will come a day – well it comes every day in this business – when it will matter a great, great deal to the lives of people of all kinds that we …
Iain Thomson, 25 Sep 2014

Hackers thrash Bash Shellshock bug: World races to cover hole

Sysadmins and users have been urged to patch the severe Shellshock vulnerability in Bash on Linux and Unix systems – as hackers ruthlessly exploit the flaw to compromise or crash computers. But as "millions" of servers, PCs and devices lay vulnerable or are being updated, it's emerged the fix is incomplete. The flaw affects the …
John Leyden, 25 Sep 2014

FBI: Your real SECURITY TERROR? An ANGRY INSIDE MAN

Disgruntled workers are causing more problems for their employers, the FBI warns. Employees, ex-workers or contractors with a grudge against their former paymasters are abusing cloud storage sites or remote access to enterprise networks to steal trade secrets, customer lists or other sensitive information. Insider threats have …
John Leyden, 25 Sep 2014

Latest Firefox and Thunderbird updates plug CRITICAL SSL vuln

Mozilla Firefox needs patching urgently following the discovery that the open source browser is vulnerable to SSL man-in-the-middle attacks. The critical bug arises because the Network Security Services (NSS) libraries parser built into the browser is capable of being tricked into accepting forged RSA certificate signatures. …
John Leyden, 25 Sep 2014

Bash bug: Shellshocked yet? You will be ... when this goes WORM

Much of the impact of the Shellshock vulnerability is unknown and will surface in the coming months as researchers, admins and attackers (natch) find new avenues of exploitation. The vulnerability, called Shellshock by researcher Robert Graham, existed in the Bash command interpreter up to version 4.3 and affected scores of …
Darren Pauli, 25 Sep 2014

Desperate VXers enslave FREEZERS in DDoS bot

Bad guys are launching denial of service attacks from Windows and Linux boxes and in a sign of desperation even fridges, freezers and Raspberry Pis. The attacks spotted by security company Akamai are based on an updated version of the Chinese language Spike malware that now targets insecure Internet-of-Things things. Akamai's …
Darren Pauli, 25 Sep 2014

Feds: Cheeky scammers are impersonating us in criminal capers

The FBI-backed Internet Crime Complaint Center (IC3) has issued an advisory warning that email scammers are impersonating it to extort money from gullible punters. The cyber-cop squad said several victims had been in contact after they received emails spoofed to look as though they are coming from IC3 itself. The emails state …
Iain Thomson, 25 Sep 2014

Patch Bash NOW: 'Shellshock' bug blasts OS X, Linux systems wide open

Updated A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems – and, thanks to their ubiquity, the internet at large. It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers. The vulnerability is present in …
John Leyden, 24 Sep 2014

Apple is too shallow, must go deeper to beat TouchID fingerprint hack, say securo-bods

News that Apple’s iPhone 6 can be spoofed with the same fake fingerprints that tricked its earlier version, the iPhone 5S, has sparked off a lively debate among security researchers. Lookout researcher Marc Rogers demonstrated that the TouchID fingerprint sensor of the latest iPhones could be made to work with a cloned …
John Leyden, 24 Sep 2014

Heatmiser digital thermostat users: For pity's sake, DON'T SWITCH ON the WI-FI

Digital thermostats from Heatmiser are wide open to takeover thanks to default login credentials and myriad other security flaws. The UK-based manufacturer has promised to develop a fix. Pending the arrival of a patch, users are advised to disable the device's Wi-Fi capability. The security flaws were discovered by Andrew …
John Leyden, 24 Sep 2014

Bracelet could protect user herds from lurking PREDATORS

Researchers have developed a fashionable bracelet that could continuously authenticate users preventing snoops from accessing unattended machines. It goes beyond existing continuous authentication mechanisms, the designers say, because it requires users to be active on their machines and not just nearby. The Zero-Effort …
Darren Pauli, 24 Sep 2014

Kali turns Nexus fondleslabs into hacking weapons

Every hacker's favourite operating system, Kali Linux, has been brought to Google Nexus in a move that brings portable popping to a new level. Nexus users running the NetHunter penetration testing platform can now launch their attacks including Teensy keyboard and BadUSB man-in-the-middle (MITM) networking attacks via USB human …
Darren Pauli, 24 Sep 2014

Microsoft sets up bug bounties for online services

Having tasted the fruit of the crowd's tree of knowledge, Microsoft has decided it likes it, and is expanding its bug bounty program to cover a broad range of online services. In this post at Technet, Redmond lists a bunch of domains that are eligible for the expanded bug bounty, including online Outlook, Office365, Sharepoint, …

jQuery site popped to serve malware slop

The jQuery site served credential-stealing malware to scores of users who visited the website on September 18, researcher James Pleger says. The super-popular JavaScript library was used by 30 percent of websites including 70 percent of the 10,000 most popular sites which may have been compromised by the RIG exploit kit. jQuery …
Darren Pauli, 24 Sep 2014

Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack

Apple’s shiny new iPhone 6 can be spoofed with the same fake fingerprints that tricked its older sibling, the iPhone 5S. That's according to mobile security firm Lookout, which said it discovered that it is possible to create a fake fingerprint that's capable of fooling the TouchID fingerprint sensor of the latest iPhones (6 and …
John Leyden, 23 Sep 2014

UK banks hook themselves up to real-time cop data feed

UK banks will receive real-time warnings about threats to their customers' accounts as well as the overall integrity of their banking systems from a new financial crime alert system. Financial Crime Alerts Service (FCAS), which is being rolled out by banking industry association BBA, is designed to allow financial crime …
John Leyden, 23 Sep 2014

Tripadvisor site coughs to card data breach for a potential 800k users

TripAdvisor has suffered a data breach at its Viator tour-booking and review website. An estimated 1.4 million Viator customers are potentially affected by the compromise, which the firm admits may have exposed payment card data. The compromise also potentially aired the email address, password and Viator "nickname" associated …
John Leyden, 23 Sep 2014

BLAM, BLAM, BLAM... nooooo! Hacker crew Lizard Squad spits DDoS venom on Call of Duty

Hackers from the group Lizard Squad have reneged on their promise to quit earlier this month, apparently launching distributed denial-of-service (DDoS) attacks on major gaming industry websites. After an attack on the Playstation Network in August, Lizard Squad has added two uber-popular shoot-'em-up games from Activision …
John Leyden, 23 Sep 2014

Apple slaps a passcode lock on iOS 8 devices, but cops can still inhale your iCloud

Improved security features in iOS 8 prevent Apple from unlocking phones – even when requested to by law enforcement. But search warrant-holding cops can still get almost everything through iCloud backups, according to ElcomSoft. The consumer device manufacturer's attempts at upgrading iOS encryption to "defeat lawful search …
John Leyden, 23 Sep 2014

80 PER CENT of app devs SUCK at securing your data, study finds

Developers are experts in spinning wonderfully-shiny, horribly-insecure apps, according to research from Aspect Security. Social media meeting buttons and go-live dates rate far higher with app developers than the need to ensure the security of private data. Worse, devs couldn't secure apps if they wanted to, according to the …
Darren Pauli, 23 Sep 2014

Game pirates 'donate' compute power to Bitcoin miners

Hundreds of video game pirates have generously, if inadvertently, donated their compute resources to virus writers by downloading Bitcoin miner-infected torrent listings. Dozens of game torrent files identified by Microsoft threat researchers as malicious have been downloaded thousands of times and were continuing to be seeded ( …
Darren Pauli, 23 Sep 2014

Dyslexic, dyspraxic? No probs, says GCHQ

The British Government Communications Headquarters (GCHQ) says it employs 120 dyslexic and dyspraxic staff for code breaking and counter-espionage. Chairman of the dyslexic and dyspraxic committee, known just as Matt, said the neuro-diverse staff had "spiky skills" where they may excel in analytical areas at expense of others …
Darren Pauli, 23 Sep 2014

Mushy spam law's IDEAL for toothless watchdog: Spamhaus slams CAN-SPAM

Antispam organisation Spamhaus has reacted phlegmatically to a recent survey that one in 10 of the world’s largest online retailers are still violating the CAN-SPAM Act, a full 10 years after the US anti-spam legislation went into effect. Richard Cox, CIO of The Spamhaus Project, suggested the Online Trust Alliance (OTA)'s …
John Leyden, 22 Sep 2014