Trend publishes analysis of yet another Android media handling bug

More details have emerged about yet another Android vulnerability that, like other recent flaws, revolves around how the Google-backed mobile operating system handles media files. The Android Mediaserver vulnerability might be exploited to perform attacks involving arbitrary code execution, security researchers at Trend Micro …
John Leyden, 18 Aug 2015

Who should be responsible for IT security?

Typically, when a cybersecurity problem arises, it’s the IT department that gets it in the neck. Ostensibly, that makes sense. After all, if someone is in your network mining your database for corporate secrets, it’s hardly the office manager or the accounts receivable department’s lookout, right? Perhaps. On the other hand, …
Danny Bradbury, 18 Aug 2015

You CAN'T jail online pirates for 10 years, legal eagles tell UK govt

The UK government plan to jail online copyright pirates for up to 10 years has been attacked by legal boffins in a public consultation that ended yesterday. The British and Irish Law, Education and Technology Association (BILETA), said the idea was “unacceptable, infeasible and unaffordable”. The public consultation invited …
Jennifer Baker, 18 Aug 2015

Row rumbles on over figures in Oracle CSO’s anti-security rant

Security researchers picking through the entrails of a withdrawn blogpost by Oracle CSO Mary Ann Davidson reckon not even her figures add up. Oracle countered that only it had access to the raw figures, so there. Davidson's 3,000+ word diatribe against bug bounties, security researchers or customers hunting vulnerabilities in …
John Leyden, 18 Aug 2015

Parrot drone pwned (and possibly killed) with Wi-Fi log-in

Lack of security in the Wi-Fi link to the Parrot AR drone allows it to be blown out of the sky by telnetting in and killing the process. Ryan Satterfield, who describes himself as an ethical hacker and runs consultancy Planetzuda.com, explains on his YouTube channel that the Parrot drone hack was demonstrated at DEF CON 23. …
Simon Rockman, 18 Aug 2015

Dixons Carphone still has 7.5k Windows XP EPOS systems

Dixons Carphone is still using thousands of EPOS tills running on Windows XP more than a year after Microsoft’s extended support expired, The Register has learned. This is not the Embedded flavour of the OS (though even these would present a heightened risk of attack, say security experts) but 7,000-plus bog standard XP …
Paul Kunert, 18 Aug 2015

Anti-botnet initiatives USELESS in sea of patch-hating pirates

Three Dutch researchers have crunched data gleaned from efforts to battle the Conficker bot and declared anti-botnet initiatives all but useless for clean up efforts. Conficker was born in 2008 spreading aggressively through a since patched remote code execution Microsoft vulnerability (MS08-067) that affected all operating …
Darren Pauli, 18 Aug 2015

Mozilla testing very private browsing mode

The Mozilla Foundation has outlined plans for enhanced private browsing in its Firefox browser. The outfit thinks that “when you open a Private Browsing window in Firefox you’re sending a signal that you want more control over your privacy than current private browsing experiences actually provide.” How much more privacy? …
Simon Sharwood, 18 Aug 2015

Veedub flub hubbub stubs car-jack hack flap

Dutch and British researchers Roel Verdult and Baris Ege, the duo behind the revelation that many VW cars have a security flaw, have now revealed that Ferraris, Maseratis, Pontiacs, and Porsches that use Megamos Crypto transponders can be stolen. The duo demonstrated how the Megamos engine immobiliser, which unlocks when an …
Darren Pauli, 18 Aug 2015

Another root hole in OS X. We know it, you know it, the bad people know it – and no patch exists

If you're using OS X Yosemite, watch out for malware exploiting a new way to take complete control of your Mac. A vulnerability has been found in Apple's operating system that allows ordinary software on the computer to gain all-powerful root privileges, allowing dodgy apps to install new programs, create users, delete users, …
Chris Williams, 18 Aug 2015

Ransomware blueprints published on GitHub in the name of education

Turkish security bod Utku Sen has published what appears to be the first openly available source code for ransomware – free for people to use and spread. The "Hidden Tear" ransomware, available on GitHub, is a functional version of the malware the world has come to hate; it uses AES encryption to lock down files and can …
Darren Pauli, 18 Aug 2015

IRS: Tax-record snaffle scam actually 200% worse than first feared

The US Internal Revenue Service (IRS) admitted Monday that the May scam in which criminals tried to use stolen data on more than 114,000 people to collect tax information was far larger than it originally thought. Uncle Sam's taxman now claims that on top of the 100,000 or so people whose data had been used to collect tax …
Shaun Nichols, 17 Aug 2015

Anti-privacy unkillable super-cookies spreading around the world – study

At least nine telcos around the world are using so-called super-cookies to secretly monitor citizens' online behavior, according to a new study. A super-cookie is a token unique to each subscriber that is injected into every HTTP request made through a telco's cellphone networks. They can't be stripped by the user: every time …
Iain Thomson, 17 Aug 2015

US Air Force: 'Loose tweets destroy fleets'

Pic The US Air Force has warned its personnel to keep quiet about their activities on Twitter – or as they put it: "Loose tweets destroy fleets." The notice reminds everyone that terrorist organizations and sympathizers will exploit any military information posted on social networks and other websites. The warning extends not only …
Shaun Nichols, 17 Aug 2015

Surprise! World stunned to learn that AT&T is in the NSA's pocket

It has long been known that AT&T works with the NSA to monitor the internet traffic and call data in the US and overseas. Now, new files leaked by whistleblower Edward Snowden show the company is by far the agency's biggest spying partner. The document trove, published by ProPublica and The New York Times, doesn't mention AT&T …
Iain Thomson, 17 Aug 2015

Choke on it! Brit police squeeze pirate site advertising money trail

The intercepting of advertisements served on dodgy pirate sites has begun to choke their revenue by 70 per cent, according to the City of London police, vindicating the policy of following the “money trail”, rather than an individual infringer, said the police and trade groups. Tactics include harassing the seedy ad networks …
Andrew Orlowski, 17 Aug 2015

Botched Google Stagefright fix won't be resolved until September

According to security company Rapid7, Google needs to rethink how it patches Android in the wake of initial botched attempts to resolve the Stagefright vulnerability. The criticism comes as Google itself confirmed users of its Nexus devices – who are the first to get security fixes – won't be fully protected until September. …
John Leyden, 17 Aug 2015

So unfair! Teachers know what’s happening on students' fondleslabs

Maybe now you don’t want the kids turning off their iPads in class after all. By using VNC remote access, pupils can now instantly share their work with their teacher and the rest of the pupils. The ability has come through the integration of software from Cambridge company RealVNC, which allows screens to be mapped on to …
Simon Rockman, 17 Aug 2015

Hacking Team mulled stopping Ethiopia sales – because of idiot g-men

Hacking Team failed to take effective action to investigate or stop reported abuses of its technology by the Ethiopian government against dissidents, according to Human Rights Watch. A review of internal company emails leaked as part of a highly-publicised breach against the controversial spyware-for-government firm in July …
John Leyden, 17 Aug 2015

Ten years after the Samy worm its discoverer's voice is lost in the din

It has been 10 years since Sydney security bod Wade Alcorn disclosed how cross-site scripting vulnerabilities could be weaponised, a revelation that would one week later see the proof of concept become the fastest-spreading worm ever. There is no direct link between Alcorn's disclosure and Samy Kamkar's eponymously named worm …
Darren Pauli, 17 Aug 2015

Adobe pays US$1.2M plus settlements to end 2013 breach class action

Adobe has paid an undisclosed amount to settle customer claims and faces US$1.2 million in legal fees after its 2013 data breach which compromised the details of 38 million users. The creative content king was served a November 2013 class action lawsuit filed in California in which it is claimed "shoddy" security practises …
Darren Pauli, 17 Aug 2015

Kaspersky: Freemasons coded fake malware in the Bermuda Triangle

Eugene Kaspersky has taken to his blog to make another stinging rebuttal of a Reuters report that alleged the company that bears his name deliberately sabotaged rival antivirus packages. “The Reuters story is based on information provided by anonymous former KL employees. And the accusations are complete nonsense, pure and …
Simon Sharwood, 17 Aug 2015

Choc Factory patches zero day Google for Work hack hole

Google has patched a vulnerability in the Google Admin application that could allow attackers to steal enterprise accounts. MWR Labs researcher Rob Miller reported the sandbox-hopping hole, rated medium severity, which can be exploited by malware residing on a user's device. The flaw can be used to steal Google for Work …
Darren Pauli, 17 Aug 2015

Boffins nail 2FA with 'ambient sound' login for the lazy

Internet users who think two taps on a smartphone is two taps too much may soon be able to use seamless second factor authentication that verifies a person is in possession of their phone by matching ambient noise sound prints. Researchers Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun of the …
Darren Pauli, 17 Aug 2015

I've seen Kaspersky slap his staff with a walrus penis – and even I doubt the false-positive claims

Comment Eugene Kaspersky is a complex character and capable of many things, but Friday's allegations that he ordered staff to deliberately sabotage rival antivirus packages smells fishy. On the one hand, the problem of AV products flagging up false positives is well known. Signature-file detection of software nasties is dated, and of …
Iain Thomson, 15 Aug 2015

You've been Drudged! Malware-squirting ads appear on websites with 100+ million visitors

Internet lowlives who used Yahoo! ads to infect potentially countless PCs with malware have struck again – using adverts on popular websites to reach millions more people. Security researchers at MalwareBytes this week discovered the crooks running another massive campaign of ads that use the Angler Exploit Kit to infiltrate …
Shaun Nichols, 14 Aug 2015

Kaspersky Lab denies tricking AV rivals into nuking harmless files

Kaspersky Lab deliberately fed bogus malware to its rivals to sabotage their antivirus products, two anonymous former employees allege. Kaspersky says the accusations are false. Reuters reported today that two ex-Kaspersky engineers claim they were tasked with tricking competing antivirus into classifying benign executables …
John Leyden, 14 Aug 2015

Salesforce plugs silly website XSS hole, hopes nobody spotted it

A cross-site scripting (XSS) vulnerability on Salesforce's website might have been abused to pimp phishing attacks or hijack user accounts. Fortunately the bug has been resolved, apparently before it caused any harm. Cloud app and security firm Elastica said the issue affected a Salesforce sub-domain – admin.salesforce.com …
John Leyden, 14 Aug 2015

Use QuickTime … and become part of the collective

Two Borg assimilators have discovered five denial of service vulnerabilities in Apple's QuickTime. The five vulnerabilities (CVE-2015-3788 to 3792) affect the latest version of QuickTime up to the patched 7.7.7 for Windows 7. Ryan Pentney and Richard Johnson of Cisco's Talos security talon reported the memory corruption holes …
Team Register, 14 Aug 2015

China laments 'wild guesses and malicious slurs' on state hacking

Chinese president Xi Jinping visits the USA in September, a visit expected to be afforded all the pomp and ceremony of a top-level bilateral leader's meeting. Other diplomatic protocols are meanwhile being observed, including sniping through the media. In China's case, that means state-owned Xinhua, which quoted Chinese …
Simon Sharwood, 14 Aug 2015

Facebook hands hackers $100k for breaking browsers

Four researchers have scored US$100,000 from Facebook for revealing 11 bugs affecting platforms including the Chrome and Firefox browsers using novel vulnerability discovery methods. The Georgia Institute of Technology team of PhD students Byoungyoung Lee and Chengyu Song, and professors Taesoo Kim and Wenke Lee discovered the …
Darren Pauli, 14 Aug 2015

Have an iPhone? Mac? Just about anything else Apple flogs? Patch now

Apple has issued a huge wad of updates to address dozens of CVE-listed security vulnerabilities in iOS, OS X Yosemite, Safari, and OS X Server. The update includes fixes for security flaws that an attacker could exploit to remotely execute code on one's shiny belongings. For newer iOS devices, Apple is putting out the iOS 8.4 …
Shaun Nichols, 13 Aug 2015

Google flubs patch for Stagefright security bug in 950 million Androids

Google's security update to fix the Stagefright vulnerability in millions of Android smartphones is buggy – and a new patch is needed. The Stagefright flaw is named after a component within the Android operating system that, among other things, processes incoming text messages that contain video clips. By sending a vulnerable …
Iain Thomson, 13 Aug 2015

DNS root zone drama: Follow live the most important dullest ceremony you'll ever see

If you have literally nothing better to do today, we would recommend watching the most important but dullest ceremony you can catch online. The eight-hour event is taking place today in Los Angeles and is being streamed live – just like the Oscars. Although without the music, or famous people, or speeches, or ball gowns. OK, …
Kieren McCarthy, 13 Aug 2015

Misconfigured Big Data apps are leaking data like sieves

More than a petabyte of data lies exposed online because of weak default settings and other configuration problems involving enterprise technologies. Swiss security firm BinaryEdge found that numerous instances of Redis cache and store archives can be accessed without authentication. Data on more than 39,000 MongoDB NoSQL …
John Leyden, 13 Aug 2015

It's not just antivirus downloads that have export control screening

Export control screening for individuals hoping to purchase everyday consumer technologies extends beyond just antivirus software downloads, according to several sources contacted by The Register. Those who share the name of someone on a blacklist have to go through secondary screening (a bureaucratic process generally …
John Leyden, 13 Aug 2015

John McAfee launches cert authority but it's got a POODLE problem

Eccentric infosec man John McAfee is now the proprietor of a Certificate Authority named BlackCert. Fresh from a shootout friendly discussion with police over drug and firearm possession, the one-time anti-virus boss has made what is badged as a disruptive play into SSL. BlackCert will offer unlimited use of SSL certificates …
Darren Pauli, 13 Aug 2015

Dropbox adds USB two factor authentication for paranoid Chrome users

Dropbox has added dongle-driven two factor authentication to its cloud sharing services for more highly risk-averse users in a bid to foil phishing attempts. The USB authentication dongle will replace the need to manually enter a six digit code sent over insecure SMS or generated by authenticator apps. Punters will need a U2F …
Team Register, 13 Aug 2015

Cisco network kit warning: Watch out for malware in the firmware

Cisco has warned users to watch out who's got admin access to kit, because it's seen malicious ROM images in the wild. The problem is that this isn't something the Borg can just issue a patch for. Admins – with appropriate credentials, naturally – need to be able to drop new ROM images on their kit as a matter of course. "The …

Malvertising set to wreak one BEELLION dollars in damage this year

Records have fallen as malvertising clocked its most prolific month in history, making it one of the biggest threats to endpoint security. If the scourge continues, criminals will have inflicted a billion dollars in damages by the end of the year from a paltry US$12,000 investment, according to researchers at security firm …
Darren Pauli, 13 Aug 2015

New Docker crypto locker is a blocker for Docker image mockers

Docker has tackled the problem of secure application container distribution with a new system that supports signing container images using public key cryptography. The new feature, known as Docker Content Trust, is the main attraction of Docker 1.8, the latest version of the tool suite that was announced on Wednesday. "Before …
Neil McAllister, 13 Aug 2015

Is this the most puzzling DEF CON attendee badge yet on record?

DEF CON 23 Attending the DEF CON hacking conference in Las Vegas is always an unusual experience, but among the most celebrated features of the event are its unusual attendee badges. Reg man Iain Thomson attended this year's event – the 23rd – and we at Vulture Annex in San Francisco got a kick out of scratching our heads at the mystery …
Neil McAllister, 12 Aug 2015