Size matters, says Microsoft, as it flops out fat cloud VMs

Microsoft has introduced a new virtual machine type to Azure: the G-series instances run on Xeon E5 v3 CPUs and Redmond reckons they “provide the most memory, the highest processing power and the largest amount of local SSD of any Virtual Machine size currently available in the public cloud.” Here's Microsoft's list of the new …
Simon Sharwood, 12 Jan 2015

SURPRISE: Norks' Linux distro has security vulns

Well, that didn't take long: mere days after North Korea's Red Star OS leaked to the west in the form of an ISO, security researchers have started exposing its vulnerabilities. According to this post at Seclists, the udev rules in version 3.0 of the OS and the rc.sysinit script in version 2.0 are both world-writable. Both of …

Paris terror attacks: ISPs face pressure to share MORE data with governments

Government ministers from European states, who met in Paris today in the wake of the atrocious attacks that stunned the French capital's population last week, have called on internet firms to do a better job of cooperating with spooks and police to help them fight terrorism. In a joint statement (PDF) from a number of Europe's …
Kelly Fiveash, 11 Jan 2015

Mr Cameron goes to Washington for PESKY HACKERS chinwag with Pres Obama

U.S. President Barack Obama will end his week of lobbying for more powers to fight hackers online by hosting Britain's Prime Minister David Cameron on Thursday and Friday, when the two leaders will discuss internet security. Thwarting malefactors who attack companies' computer systems, such as the recent, devastating assault on …
Kelly Fiveash, 11 Jan 2015

Sony post-mortem: Obama lobbies for new legal powers to thwart hackers

In the aftermath of the massive hack attack on Sony Pictures – which the US government continues to insist was carried out by North Korea – President Barack Obama is expected to lobby hard for legislative overhauls to battle online threats. He will reveal those proposals early next week, an unnamed White House spokesperson told …
Kelly Fiveash, 10 Jan 2015

It's LUNACY, you SWINE! Er, what, security? Moonpig DOT GONE

Quotw This was the week when London-based tacky, personalised card biz Moonpig exposed three million customers' personal records and partial credit card details for almost 18 months, after the security flaw in its system had been reported. The mega cockup was first spotted by developer Paul Price, who quietly flagged up the glitch to …
Kelly Fiveash, 10 Jan 2015

OS X search tool Spotlight runs roughshod over Mail privacy settings

Spotlight, the desktop search engine for OS X computers, will ignore privacy settings in Apple's Mail client when showing messages in its search results. The programming booboo means pictures and possibly other files linked to in HTML emails will automatically show up even if you've told Apple's supplied client to not load …
Shaun Nichols, 10 Jan 2015

FBI fingering Norks for Sony hack: The TRUTH – by the NSA's spyboss

The head of the NSA has confirmed his agency gave the FBI top-secret intelligence that led the Feds to blame North Korea for the Sony Pictures mega-hack. The bureau has been strangely silent on how it came to finger the Nork government for the comprehensive ransacking of the Hollywood movie studio. So silent, in fact, seasoned …
Iain Thomson, 9 Jan 2015

Anonymous vows to avenge Charlie Hebdo massacre by blitzing jihadist sites

Some members of Anonymous have vowed to avenge the Charlie Hebdo killings in Paris by taking down jihadist websites. A video uploaded to the web by the group's Belgian wing also promises to scrub social networks of accounts promoting violent jihad. A statement announcing Op Charlie Hebdo, addressed to “enemies of freedom of …
John Leyden, 9 Jan 2015

No, the Linux leap second bug WON'T crash the web

There’s a reason space missions don’t launch on the day a leap second is added to international clocks. Scientists don’t want to run the risk that the computer systems running things might hiccup on the new time and then malfunction, sending their multi-million dollar lifetime’s investment into a fatal nose dive. The rest of us …
Gavin Clarke, 9 Jan 2015

Microsoft patch batch pre-alerts now for paying customers ONLY

Microsoft is facing fierce criticism over its decision to make pre-notification of upcoming patches available only to paid subscribers. The Advance Notification Service (ANS) formerly made information on upcoming software patches available to the public but from now on the information will be restricted to “premier” customers …
John Leyden, 9 Jan 2015

MI5 boss: We NEED to break securo-tech, get 'assistance' from data-slurp firms

MI5's recently appointed boss has placed the ability to intercept communications at the centre of the security agency's counter-terrorism efforts. Andrew Parker's most detailed justification of the controversial surveillance programmes by GCHQ and the NSA came in a pre-planned speech (transcript here) to the Royal United …
John Leyden, 9 Jan 2015

Will hottest CES gadgets be HOT TARGETS for hackers?

This year, more than any other, personal technology dominated the conversation at consumer electronics shindig CES. Wearable and mobile technology was showcased at the expo, and many vendors touted the width and breadth of data collected and managed by these devices. What, then, is going to keep hackers from lifting all that …
Shaun Nichols, 9 Jan 2015

ASUS router-popping exploit on the loose

ASUS routers contain a vulnerability that turns users into admins, researcher Joshua Drake says. The boxes could be exploited by malicious local users, but not those on the wider internet, re-routing all users on the network to malicious sites, among other attacks. Drake wrote in an advisory that several popular models were …
Darren Pauli, 9 Jan 2015

Post-POODLE, OpenSSL shakes off some fleas

OpenSSL has squashed eight low-severity bugs that could result in denial of service or the removal of forward secrecy. The holes, two graded "moderate", were addressed in OpenSSL updates 1.0.0p, 0.9.8zd, and 1.0.1k. Maintainers wrote in an advisory that Cisco warned last October that a crafted Datagram Transport …
Darren Pauli, 9 Jan 2015

Ukraine PM: Hacktivists? C'mon! Russian spies attacked Gov.DE

A pro-Russian group has claimed responsibility for attacks that floored German government websites on Wednesday, although Ukraine's PM is pointing the finger at Russia itself. Hacktivists from CyberBerkut blockaded the websites of the Bundestag and Chancellor Merkel's office, demanding Berlin end support for the Ukrainian …
John Leyden, 8 Jan 2015

Euro Parliament: Time to rethink DRIP, other snoop laws

Blanket data retention is illegal - or that's the unvarnished view of the legal department of the European Parliament at least. Last year, the European Court of Justice (ECJ) ruled that the EU’s own Data Retention Directive, a law that required telco service providers to store information about their customers’ activity, …

Sony boss: Nork megahack won't hurt our bottom line

Sony’s chief exec Kazuo Hirai has predicted no major financial impact on the entertainment conglomerate after the recent cyber-attack on its Sony Pictures movie studio division. "We are still reviewing the effects of the cyber attack," Hirai told reporters at the Consumer Electronics Show in Las Vegas, Reuters reports. "However …
John Leyden, 8 Jan 2015

Police radios will be KILLED soon – yet no one dares say 'Huawei'

In less than 18 months' time the police radio network will be switched off. There is no obvious replacement and the looming omnishambles is turning into a bonanza for Arqiva, the only company brave enough to offer a solution. Peter Neyroud CBE, former head of the National Policing Improvement Agency and now at the University of …

Pastebin: The remote backdoor server for the cheap and lazy

Malware writers are using the Pastebin web clipboard to host backdoor code, researcher Denis Sinegubko suggests. The code-sharing site was used to store code that was later tapped in attacks against websites running a vulnerable instance of the popular RevSlider plugin. Sinegubko, a Sucuri staffer known for his whitehat malware …
Darren Pauli, 8 Jan 2015

Cryptowall's ransomware's tough layers peeled

Cryptowall's 2.0 incarnation is hidden in a tough shell crafted by developers paranoid about the security research community, technical analysis reveals. The ransomware has matured much since it emerged last year, encrypting victims' files and demanding money for the supply of a decryption key. Its superior design led to …
Darren Pauli, 8 Jan 2015

Thunderstrike shocks OS X with firmware bootkit

Reverse engineer Trammell Hudson has created an attack dubbed Thunderstrike which can quietly, persistently and virally compromise Apple Macs from boot. The Thunderstrike attack uses 35-year-old legacy option ROMs to replace the RSA keys in a Mac's extensible firmware interface (EFI) to allow malicious firmware to be installed …
Darren Pauli, 8 Jan 2015

Top senator blasts US Homeland Security for leaving cyber-drawbridge down

A member of the US Senate's Homeland Security Committee has slammed the Department of Homeland Security over America's cyber-defenses: Tom Coburn (R-OK) said the agency is failing to protect the nation's IT infrastructure despite at least $700m in funding. "The nature of cybersecurity threats – and the ability of adversaries to …
Iain Thomson, 8 Jan 2015

Australia ignores data retention in summer slack-off

The Australian federal government's strategy of conducting inquiries on a short time-scale approaching holidays is paying off in spades when it comes to data retention. The Register has already noted the government's rushed Christmas-eve questionnaire to the telecommunications industry about the costs of data retention. There's …

FBI boss: Sony hack was DEFINITELY North Korea, haters gonna hate

The director of the FBI has defended his bureau's claim that the hacking attack against Sony Pictures was the work of the North Korean government – saying skeptics "don't have the facts that I have." Speaking at a cybersecurity conference at Fordham University in New York City on Wednesday, FBI boss James Comey said he has "very …

Aw, don't be iDict! Apple kills brute force iCloud cracker

Apple has applied a security update that breaks a recently distributed iCloud hacking tool that took advantage of the flaw that led to the mass hack of nudie pics belonging to celebs including Jennifer Lawrence and Kate Upton. iDict was purportedly created to force Cupertino into belatedly fixing a wide open security flaw most …
John Leyden, 7 Jan 2015

Cyber crims put feet up for Chrimbo: 2014's seasonal retail breaches fell

Shoppers flocked online for retail bargains during Black Friday and Cyber Monday 2014, but cyber criminals seemingly decided not to join the scrum. Despite a record-breaking surge in online shopping during late November’s online discount binge, cyber breaches actually fell, according to IBM. That’s the good news. The bad? …
Gavin Clarke, 7 Jan 2015

Burglars' delight no more: Immobilise UK secures property list

Security flaws that left millions of records on the Immobilise UK National Property Register website wide open to snooping have been identified and removed. Security consultant Paul Moore uncovered flaws that meant it was possible to access other members' records. The Immobilise site allows consumers to add details of valuables …
John Leyden, 7 Jan 2015

It's 2015 and ATMs don't know when a daughterboard is breaking them

Carders have jackpotted an ATM by inserting a circuit board into the machine's USB ports, tricking it into spitting out cash. The technique was thought to have emulated the cash dispenser of the ATM so the brains of the machine thought everything was normal, buying additional time for the brazen crooks to make off with the cash …
Darren Pauli, 7 Jan 2015

Hackers pilfer $5 MEELLION in BTC from Bitstamp

Criminals have made off with a whopping US$5 million after raiding bitcoin exchange Bitstamp. The attack, in the early hours of Monday, pilfered the site's online operation wallets used for rapid currency exchange. Administrators called police and moved to assure customers their bitcoins would be refunded provided they did not …
Darren Pauli, 7 Jan 2015

Buffer overflow reported in UEFI EDK1

A pair of security researchers have found a buffer overflow vulnerability within the implementation of the unified extensible firmware interface (UEFI) within the EDK1 project used in firmware development. Bromium researcher Rafal Wojtczuk and MITRE Corp's Corey Kallenberg said the bug in the FSVariable.c source file was linked …
Darren Pauli, 7 Jan 2015

FTC chair worries about IoT privacy in CES speech

CES 2015 US Federal Trade Commission chair Edith Ramirez has used CES 2015 to explore the downside of the Internet of Things (IoT). “The IoT could improve global health, modernize city infrastructures, and spur global economic growth,” Ramirez said in a speech (PDF) at the gadget-fest, before adding “Connected devices that provide …

Brandis and PwC silent on Xmas Eve metadata quiz

Neither the Attorney-General’s department nor PricewaterhouseCoopers (PwC) will comment on why a questionnaire sent to carriers and internet service providers on Christmas Eve asked about the cost of storing metadata for either 12 or 36 months, rather than the 24 months suggested in draft legislation. As Vulture South reported …

Morgan Stanley fires rookie for stealing thousands of fat cats' financial files

Morgan Stanley has confirmed it sacked one of its financial advisers after he allegedly stole confidential data on up to 350,000 clients – information which then appeared online. According to the New York Times, in mid-December Morgan Stanley found on Pastebin sensitive information regarding 1,200 accounts belonging to 900 …
Iain Thomson, 6 Jan 2015

Ex-Microsoft Bug Bounty dev forced to decrypt laptop for Paris airport official

Paris airport security went one step further than simply asking a security expert to power up her laptop - they requested she type in her password to decrypt her hard drive and log into the machine. Katie Moussouris, chief policy officer at HackerOne, and best known as the woman behind Microsoft's Bug Bounty Program, was en …
John Leyden, 6 Jan 2015

Dev put AWS keys on Github. Then BAD THINGS happened

Bots are crawling all over GitHub seeking secret keys, a developer served with a $2,375 Bitcoin mining bill found. DevFactor founder Andrew Hoffman said he used Figaro to secure Rails apps which published his Amazon S3 keys to his GitHub account. He noticed the blunder and pulled the keys within five minutes, but that was …
Darren Pauli, 6 Jan 2015

Snowden leaks lack context says security studies professor

With the wash-up from December's Snowden leaks still sloshing around the 'net, The Register decided to discuss how to interpret the leaked documents with Thomas Rid of King's College London. In November, Rid (Professor of Security Studies) and colleague Robert Lee (currently undertaking his PhD at King's) published a piece …

GoGo in-flight WiFi creates man-in-the-middle diddle

In-flight wifi service GoGo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services. Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL …
Darren Pauli, 6 Jan 2015

HTTPS bent into the next super-cookies by researcher

A UK consultant has demonstrated how a feature of the secure Web protocol HTTPS can be turned into a tracking feature that is, in the case of some browsers, ineradicable. HTTP Strict Transport Security (HSTS), described in RFC 6797 (here), is a mechanism that helps sites redirect users from the insecure HTTP version to the …

THREE MILLION Moonpig accounts exposed by flaw

Custom mugs and tat outfit Moonpig has a significant flaw that exposes personal records and partial credit card details for some three million customers, almost 18 months after it was reported. The failure, discovered and privately reported by developer Paul Price, meant every account and the names, birth dates, and email and …
Darren Pauli, 6 Jan 2015

Finnish bank takes cricket bat to wave after wave of DDoS varmints

Finnish bank OP is continuing to fight off a cascading series of distributed denial of service (DDoS) attacks that began on New Year's Eve. OP was forced to restrict access to its services from outside the Nordic country as a result of the attack. The motive for the attack, much less the perpetrators' identity, remains unclear. …
John Leyden, 5 Jan 2015

Snooker WPA secrets with this Wi-Fi tool

Crypto geek George Chatzisofroniou has published a WiFi social engineering tool used to steal credentials and credit cards from users of secure wireless networks. The administrator at the University of Greece developed the WiFiPhisher tool which sought out and then replicated WPA-protected networks, sans password. The tool, …
Darren Pauli, 5 Jan 2015