Security > More stories

Retailers shot up by PoS scraping brute force cannon

The US Computer Emergency Response Team has warned of a new point of sale malware that is targeting retailers. The malware is a RAM-scraper of the kind made infamous by the Target breach that saw attackers plant wares on terminals to nab credit cards while they were temporarily unencrypted. This attack uses a new tool delivered …
Darren Pauli, 1 Aug 2014

Plug and PREY: Hackers reprogram USB drives to silently infect PCs

Researchers say they have managed to reprogram the firmware within some flash drives with malicious code – code executed by the gadget's micro-controller to ultimately install malware on a PC or redirect network traffic without a victim knowing. Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, spent months …
Iain Thomson, 31 Jul 2014

Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers

Microsoft has lost the first round in its fight to stop the US authorities from seizing customer data stored inside its overseas data centers. Following a two-hour hearing before the US District Court for the Southern District of New York on Thursday, District Judge Loretta Preska ruled that a US warrant ordering Microsoft to …
Neil McAllister, 31 Jul 2014

Grabby baddie scours Paddy Power's towers: 650k punters leaked and it took 4 years to admit it

Irish bookmakers Paddy Power has admitted miscreants copied from its systems more than 649,000 customer records containing personal information. The snaffled dataset contained names, usernames, addresses, email addresses, phone contact numbers, date of birth, and security question and answer pairs. The leaked data comes from …
John Leyden, 31 Jul 2014

Pentagon hacker McKinnon reinvents himself as SEO guru

Former hacker and US extradition target Gary McKinnon has found a new career as a search engine optimisation expert. McKinnon - who successfully fought a 10-year campaign against extradition to the US over charges he hacked into Pentagon systems - has launched Small SEO, which specialises in making sure small businesses appear …
John Leyden, 31 Jul 2014

Securobods claim Middle East govts' fingerprints all over malware flung at journos

Researchers at Toronto-based Citizen Lab have shot down denials by Syria, Bahrain and the United Arab Emirates regarding attacks against activists, journalists and dissidents, labelling some of the assaults as incompetent. The team gathered tens of thousands of documents and files detailing the malware and social engineering …
Darren Pauli, 31 Jul 2014

AVG stung as search revenue from freebie scanners dries up

Security software firm AVG's net income has fallen from $24.7m in Q2 2013 to $13.7m in Q2 2014, according to financial results out Wednesday. The profits slide is explained by the slip in revenue from $100.4m in Q2 2013 to $88m in the three months running up to 30 June 2014. AVG responded to the results by revising its outlook …
John Leyden, 31 Jul 2014

Fiendishly complex password app extension ships for iOS 8

AgileBits wants more apps to use 1Password's strong passwords, and has released an extension on github to that end. The idea is that app developers can grab the extension, write a few lines of code into their apps, and allow their app users to create strong passwords during registration. Naturally, this would also push users …

Russia to SAP, Apple: Hand over source code to prove you're not spies

Russia has asked SAP and Apple to hand over their products' source code so it can be tested for spyware. The nation's Ministry of Communications and Mass Media announced the request on Wednesday. The shrinkwrapped statement sees Communications minister Nikolai Nikiforov citing the revelations from rogue NSA contractor Edward …
Simon Sharwood, 31 Jul 2014

BitTorrent launches decentralised crypto-fied chat app

BitTorrent has joined the increasingly crowded post-Snowden market for anonymous online chat services with "Bleep", a decentralised voice and text communications platform. The platform uses the BitTorrent network to spread users' voice and text through nodes rather than a centralised server. Project head Farid Fadaie (@ffadaie …
Darren Pauli, 31 Jul 2014

Multipath TCP speeds up the internet so much that security breaks

The burgeoning Multipath TCP (MPTCP) standard promises to speed up the internet but will also break security solutions including intrusion detection and data leak prevention, says security researcher Catherine Pearce. MPTCP technology is an update to the core communications backbone of the internet that will allow the …
Darren Pauli, 31 Jul 2014

Tor attack nodes RIPPED MASKS off users for 6 MONTHS

The Tor Project has warned users about a subtle attack aimed at partially uncloaking their activities on the anonymising network. The attack, which ran from late January until early July, when it was thwarted, bears hallmarks attributed to an attack slated for description in a cancelled Black Hat conference presentation. …
John Leyden, 30 Jul 2014

iWallet: No BONKING PLEASE, we're Apple

Apple's iWallet mobile money app could be the start of a more general trend that sees web giants such as Facebook pushing into the payment industry, according to online payment experts. iWallet would give iPhone-toting consumers the ability to pay for goods with their smartphones. It is predicted to use the firm's Touch ID …
John Leyden, 30 Jul 2014

Firm issues soft denial against Iron Dome hack

An Israeli defence firm linked to Israel's Iron Dome missile defence platform has denied reports it was hacked by Chinese attackers who made off with information on the military technology. Israel Aerospace Industries (IAI) spokeswoman Eliana Fishler said in a statement emailed to outlets including The Register that reports it had …
Darren Pauli, 30 Jul 2014

DDOS takes down Cirrus Communications

Fixed wireless broadband provider Cirrus Communications has experienced a distributed denial of service (DDOS) attack that incapacitated half its network. Cirrus provides wireless networks to business, apartment complexes, residential colleges and military bases. The company says it is a last mile provider and prides itself on “ …
Simon Sharwood, 30 Jul 2014

'Things' on the Internet-of-things have 25 vulnerabilities apiece

Ten of the most popular Internet of Things devices contain an average of 25 security vulnerabilities, many severe, HP researchers have found. HP's investigators found 250 vulnerabilities across the Internet of Things (IoT) devices each of which had some form of cloud and remote mobile application component and nine that …
Darren Pauli, 30 Jul 2014

Keep your iPhone calls private, whispers Signal

The crew at Open Whisper Systems has announced Signal, an app offering encrypted voice calls between iPhones. The open source group has been working on its projects ever since Whisper Systems, co-founded by Moxie Marlinspike, was acquired by Twitter in 2011 – an acquisition that took its Redphone Android project offline, amid …

Thwarted dev sets Instasheep to graze on Facebook accounts

London developer Stevie Graham has built an Instagram stealer dubbed Instasheep that can hijack accounts over public networks. Graham (@stevegraham) published Instasheep - a play on the 2010 Facebook stealer Firesheep - after claiming Facebook refused to pay a bug bounty for his reported flaws affecting the Instagram iOS app. …
Darren Pauli, 30 Jul 2014

Canada's boffins need A WHOLE YEAR to recover from China hack attack

Canada's CIO has pointed the finger at China over a security breach at the nation's National Research Council. Ongoing attempts to breach the research agency's computers led the NRC to hit the “off” switch on Monday of this week, according to Canada's CTV News. Those attacks had continued for a month. CTV notes that the …

Senate introduces USA FREEDOM Act to curb NSA spying excesses

Senator Patrick Leahy (D-VT) has introduced the USA FREEDOM Act to the US Senate and claims that, if passed, the legislation will severely curtail the amount of mass surveillance that can be carried out by the NSA and others – provided you're a citizen of the land of the free. "This is a debate about Americans' fundamental …
Iain Thomson, 29 Jul 2014

Android busted for carrying Fake ID: OS doesn't check who really made that 'Adobe' plugin

Google Android allows malware to masquerade as legit, trusted apps thanks to weaknesses in the way the operating system checks digital certificates of authenticity. The flaw, dubbed Fake ID by its discoverers at Bluebox Security, affects all versions of Android from 2.1 (released in 2010) up to Android 4.4. Although Google …
Iain Thomson, 29 Jul 2014

BlackBerry: We'll buy Angela Merkel's phone security company. HA!

BlackBerry has bought privately held German firm Secusmart as part of its drive to become the handset provider of choice for security-conscious clients such as government agencies and big businesses. Secusmart, which specialises in voice and data encryption, was already a partner of the one-time business phone giant, providing …

Only '3% of web servers in top corps' fully fixed after Heartbleed snafu

A study of the public-facing web servers run by some of the world's largest firms has suggested only three per cent of the machines have been fully protected against the OpenSSL vulnerability known as Heartbleed. The research, carried out by security specialists at Venafi Labs, examined 550,000 servers belonging to 1,639 …
Iain Thomson, 29 Jul 2014

14 antivirus apps found to have security problems

Organisations should get their antivirus products security tested before deployment because the technology across the board dangerously elevates attack surfaces, COSEINC researcher Joxean Koret says. COSEINC is a Singapore security outfit that has run a critical eye across 17 major antivirus engines and products and found …
Darren Pauli, 29 Jul 2014

Malware gets your Android blabbering to HACKERS

Researchers from the Chinese University of Hong Kong have developed bizarre malware that dictates contacts, emails and other sensitive text data in order to steal it. In the novel attack a seemingly innocuous app that required no permissions called a bad guy's phone number and blabbered the stolen data out of the speakers and …
Darren Pauli, 29 Jul 2014

Google Maps community competition falls foul of Indian regulations

Google has found itself in hot water in India, with the country's Central Bureau of Investigation launching a formal investigation into Google Maps for allegedly publishing the location of sensitive military bases. The problem arose because of a community competition held last year - Google's Mapathon 2013 - in which the …

Israel's Iron Dome missile tech stolen by Chinese hackers

A Chinese hacking team previously accused of being behind raids against US defence contractors has been accused of a new data heist: plundering the tech behind Israel's Iron Dome missile defence system. Beijing's infamous Comment Crew hacking group is thought to have executed the intrusions into the corporate networks of top …
Darren Pauli, 29 Jul 2014

Secure microkernel that uses maths to be 'bug free' goes open source

A nippy microkernel mathematically proven to be bug free*, and used to protect drones from hacking, will be released as open source tomorrow. The formal-methods-based secure embedded L4 (seL4) microkernel was developed by boffins backed by National ICT Australia (NICTA). In 2012, the software was enlisted to help stop hackers …
Darren Pauli, 28 Jul 2014

AusCERT chief Ingram steps down

Graham Ingram, the head of Australia's first Computer Emergency Response Team (AusCERT), has stepped down after 12 years in the role. Ingram joined the University of Queensland's AusCERT in 1993 and was on Friday replaced by the university's current incident response chief Thomas King. The incoming director said he wanted to …
Darren Pauli, 28 Jul 2014

DAYS from end of life as we know it: Boffins tell of solar storm near-miss

Two years ago this week the Sun let off one of its periodic solar flares, and a new analysis of its force shows that human civilization had a very near miss indeed. "If it had hit, we would still be picking up the pieces," said Daniel Baker of the University of Colorado this week. On 23 July 2012, two coronal mass ejections ( …
Iain Thomson, 26 Jul 2014

How long is too long to wait for a security fix?

Sysadmin blog: Synology quietly released version 4.2-3250 of its DiskStation Manager (DSM) operating system this month. This squashes critical security bugs in version 4.2 of DSM – bugs that were fixed in version 5.0 in June, so consider this a back port. Version 4.2 is old but still in use in various models, such as the DS109. The update got …
Trevor Pott, 25 Jul 2014

Roll out the welcome mat to hackers and crackers

A clear and easy to read policy is key to developing a good internal bug bounty program, according to BugCrowd which has published guidelines to help businesses encourage the security community to report vulnerabilities. Bug bounties are an increasingly popular means to provide a legally safe avenue for security researchers to …
Darren Pauli, 25 Jul 2014

Four fake Google haxbots hit YOUR WEBSITE every day

One in every 24 Googlebots is an imitation spam-flinging denial of service villain that masquerades as Mountain View to sneak past web perimeter defences, according to security chaps at Incapsula. Villains spawn the "evil twins" to hack and crack legitimate websites and form what amounted to the third most-popular type of DDoS …
Darren Pauli, 25 Jul 2014

Boffins build FREE SUPERCOMPUTER from free cloud server trials

Researchers Rob Ragan and Oscar Salazar have built a free LiteCoin-mining botnet that generates $US1750 a week using free cloud signup promotions. The pair will outline the exploit at Black Hat next month, but have blabbed to Wired about how they used automatic tools and processes to spread a currency-mining botnet across some …
Darren Pauli, 25 Jul 2014

Putin: Crack Tor for me and I'll make you a MILLIONAIRE

Russia's Interior Ministry has posted a tender seeking parties willing to "study the possibility of obtaining technical information about users (user equipment) TOR anonymous network". The tender appears to be open only to organisations rated to do secret work for the Russian government, but concluding that means the project has …
Simon Sharwood, 25 Jul 2014

Google devs: Tearing Chrome away from OpenSSL not that easy

Google is trying to migrate its Chrome browser away from the buggy OpenSSL cryptography library toward BoringSSL, its homegrown fork, but swapping out the crypto code is proving more difficult than it sounds. Google engineer David Benjamin posted a revision to the Chromium source code version control system this week with a …
Neil McAllister, 25 Jul 2014

Sony tries to make PlayStation Network hack row go away with $15m in cash and games

Sony has offered a $15m settlement to gamers after its PlayStation Network (PSN) was comprehensively pwned, but it refuses to admit that it was at fault. In April 2011 the Japanese giant was forced to shut down PSN after hackers got into its system and pillaged user accounts for information. While credit card information was …
Iain Thomson, 24 Jul 2014

Who has your credit card data? 1 million HOLIDAY-MAKERS' RECORDS exposed

A UK-based online travel firm has been fined £150,000 over a breach of the Data Protection Act after their "insecure" coding reportedly exposed more than a million customer records to cybercrooks. Think W3 Limited was hacked in December 2012 in an attack that relied on what the ICO described as "insecure" coding on the …
John Leyden, 24 Jul 2014

Six charged over StubHub e-ticket heist for Elton John gigs

Six suspected cybercriminals have been indicted over their alleged involvement in a hack attack on eBay-owned ticketing website StubHub. Thieves got into more than 1,600 of StubHub customers' accounts and used their credit card details to fraudulently buy tickets for events through the online ticket reseller. The scam - reckoned …
John Leyden, 24 Jul 2014

BMW's ConnectedDrive falls over, bosses blame upgrade snafu

BMW's ConnectedDrive car-to-mobe interface has suffered a UK-wide outage that may also affect customers in mainland Europe. A Register reader tipped us off about the problem after he found himself unable to register for ConnectedDrive since around 19 July, getting confronted by an error message instead. In response to his …
John Leyden, 24 Jul 2014

'Unsolicited texts' outrage: Man fined £4k for DPA breach

The owner of a marketing company which allegedly sent "millions of unsolicited text messages" was prosecuted for "failing to notify the ICO of changes to his notification" at Willesden Magistrates Court last week. Jayesh Shah, of Pune, India, was fined £4,000 for a breach of the Data Protection Act, and ordered to pay costs of £ …
John Leyden, 24 Jul 2014

Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade

Mozilla has released a bug-and-security update for Firefox, with 11 security fixes, three of them critical. Chief among the security patches is a use-after-free bug the organisation says was discovered by one James Kitchener. From the advisory: “Mozilla community member James Kitchener reported a crash in DirectWrite when …