Wait, did Oracle tip off world to Google's creepy always-on location tracking in Android?

Analysis Having evidently forgotten about that Street View Wi-Fi-harvesting debacle, Google has admitted constantly collecting the whereabouts of Android devices regardless of whether or not they have location tracking enabled. Between 2007 and 2010, during the debut of its Street View service, Google gathered all the Wi-Fi network …
Thomas Claburn, 22 Nov 2017

Uber: Hackers stole 57m passengers, drivers' info. We also bribed the thieves $100k to STFU

Uber's CEO Dara Khosrowshahi today revealed hackers broke into the ride-hailing app's databases and stole personal information on 57 million passengers and drivers – information including names, email addresses, and phone numbers. And the cyber-thieves made off with 600,000 US driver records that included their license numbers …

National Cyber Security Centre boss: For the love of $DEITY, use 2FA on your emails, peeps

The chief exec of the National Cyber Security Centre – a branch of the UK's spy nerve-centre GCHQ – has called on everyone to enable two-factor authentication for their emails. This follows revelations that almost the entire population's details are available for sale on the dark web. Speaking at the Parliament and Internet …
Kat Hall, 21 Nov 2017

Patch on way 'this week' for HP printer vulns

Updated Sysadmins have been advised to watch for a coming HP printer firmware update that will plug a remote code execution vulnerability (among others) in its MFP-586 and the M553 printers. News of the threat emerged from a Foxglove Security deep-dive into printer security that saw the researchers warn HP of problems in August. The …

Microsoft's memory randomization security defense is a little busted in Windows 8, 10

A Carnegie-Mellon CERT researcher has discovered that Microsoft broke some use-cases for its Address Space Layout Randomisation (ASLR) mechanism, designed to severely hamper hackers' attempts to exploit security bugs. The programming blunder is simple: as of Windows 8, a flaw in Microsoft's system-wide mandatory ASLR …

Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets

Intel today admitted its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) are vulnerable to multiple worrying security flaws, based on the findings of external security experts. The firmware-level bugs allow logged-in administrators, and malicious or hijacked high-privilege processes, …
Thomas Claburn, 20 Nov 2017

Cops jam a warrant into Apple to make it cough up Texas mass killer's iPhone, iCloud files

Texas Rangers have obtained a search warrant for the contents of a blood-splattered iPhone SE belonging to gunman Devin Kelley who killed 26 people in a murder-suicide at a church. Over the weekend, the US state's cops served the Cupertino phone-flinger a warrant demanding photos, messages and other potential evidence on …
Shaun Nichols, 20 Nov 2017

It was El Reg wot won it: Bing banishes bogus Brit bank banner ad

Microsoft has axed a Bing search result advert that masqueraded as a legit online banking website – but was in fact a sophisticated phishing operation. Searching for "TSB" – as in the UK's TSB Bank – on the Great Britain edition of Bing would bring up, right at the top of the page, a search ad for a phishing website described …
Shaun Nichols, 20 Nov 2017

Germany slaps ban on kids' smartwatches for being 'secret spyware'

The German telecoms regulator has banned the sale of children's smartwatches that allow users to secretly listen in on nearby conversations. The move is the latest in a string of actions taken by the Federal Network Agency, or Bundesnetzagentur, against devices that allow people to snoop on each other. The agency said the …
Rebecca Hill, 20 Nov 2017

Container ship loading plans are 'easily hackable'

Security researchers have warned that it might be possible to destabilise a container ship by manipulating the vessel stowage plan or "Bay Plan". The issue stems from the absence of security in BAPLIE EDIFACT, a messaging system used to create ship loading and container stowage plans – for example which locations are occupied …
John Leyden, 20 Nov 2017

It's 2017, and command injection is still the top threat to web apps

The Open Web Application Security Project will on Monday, US time, reveal its annual analysis of web application risks, but The Register has sniffed out the final draft of the report and can report that it has found familiar attacks top its charts, but exotic exploits are on the rise. A late pre-release version of the Project' …

DNS resolver 9.9.9.9 will check requests against IBM threat database

The Global Cyber Alliance has given the world a new free Domain Name Service resolver, and advanced it as offering unusually strong security and privacy features. The Quad9 DNS service, at 9.9.9.9, not only turns URIs into IP addresses, but also checks them against IBM X-Force's threat intelligence database. Those checks …

F5 DROWNing, not waving, in crypto fail

If you're an F5 BIG-IP sysadmin, get patching: there's a bug in the company's RSA implementation that can give an attacker access to encrypted messages. As the CVE assignment stated: “a virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) …

User experience test tools: A privacy accident waiting to happen

Researchers working on browser fingerprinting found themselves distracted by a much more serious privacy breach: analytical scripts siphoning off masses of user interactions. Steven Englehardt (a PhD student at Princeton), Arvind Narayanan (a Princeton assistant professor) and Gunes Acar (postdoctoral researcher at Princeton …

Some 'security people are f*cking morons' says Linus Torvalds

Linux overlord Linus Torvalds has offered some very choice words about different approaches to security, during a discussion about whitelisting features proposed for version 4.15 of the Linux kernel. Torvalds' ire was directed at open software aficionado and member of Google's Pixel security team Kees Cook, who he has previously …
Simon Sharwood, 20 Nov 2017

Massive US military social media spying archive left wide open in AWS S3 buckets

Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing "dozens of terabytes" of social media posts and similar pages – all scraped from around the world by the US military to identify and profile persons of interest. The archives were found by UpGuard's veteran security-breach …
Iain Thomson, 17 Nov 2017

Shamed TLS/SSL cert authority StartCom to shut up shop

Controversial certificate authority StartCom is going out of business. StartCom board chairman Xiaosheng Tan told The Register the business will close its doors on January 1, 2018, at which point new certificates will no longer be issued. CRL and OCSP service will continue for two years from then, when StartCom's three key …
Andrew Silver, 17 Nov 2017

For goodness sake, stop the plod using facial recog, London mayor told

London's Metropolitan Police force's use of "intrusive" technologies "without proper regulation" could put a fundamental principle of policing at risk, the London mayor has been told. In a letter (PDF) to Sadiq Khan, the Greater London Assembly – the group elected to hold the mayor to account – expressed "significant concerns …
Rebecca Hill, 17 Nov 2017

Lloyds' Avios Reward credit cardholders report fraudulent activity

Thousands of Lloyds Avios Rewards American Express credit card customers have been targeted by fraudsters, the bank has admitted. Reports first emerged on air miles site Head for Points, where readers asked if the credit card had suffered a major data breach. One said: "About a week ago my wife's Lloyds Avios Amex card was …
Kat Hall, 17 Nov 2017

Fake news ‘as a service’ booming among cybercrooks

Criminals are exploiting “fake news” for commercial gain, according to new research. Fake news is widely assumed to be political or ideological propaganda published to sway public opinion, but new research conducted by threat intel firm Digital Shadows and released on Thursday suggested fake news generation services are now …
John Leyden, 17 Nov 2017

Kaspersky: Clumsy NSA leak snoop's PC was packed with malware

Kaspersky Lab, the US government's least favorite computer security outfit, has published its full technical report into claims Russian intelligence used its antivirus tools to steal NSA secrets. Last month, anonymous sources alleged that in 2015, an NSA engineer took home a big bunch of the agency's cyber-weapons to work on …
Iain Thomson, 16 Nov 2017

Parity: The bug that put $169m of Ethereum on ice? Yeah, it was on the todo list for months

Alt-coin wallet software maker Parity has published a postmortem of the bug that put millions of dollars of people's Ethereum on ice – and has admitted it knew about the flaw for months. It just hadn't got round to fixing it. Last week, netizens using Parity's multi-signature wallets – which each require more than one person …
Iain Thomson, 16 Nov 2017

Oracle scrambles to sew up horrid security holes in PeopleSoft's Tuxedo

Oracle has published an out-of-band software update to address a handful of security flaws in parts of the PeopleSoft HR software. The House of Larry said this week the five CVE-listed vulnerabilities all sit within the Jolt component of Tuxedo, an application server used by PeopleSoft to handle non-Java applications. "Since …
Shaun Nichols, 16 Nov 2017

Drone maker DJI left its private SSL, firmware keys open to world+dog on GitHub FOR YEARS

Chinese drone maker DJI left the private key for its dot-com's HTTPS certificate exposed on GitHub for up to four years, according to a researcher who gave up with the biz's bug bounty process. DJI also exposed customers' personal information – from flight logs to copies of government ID cards – to the internet from …
Gareth Corfield, 16 Nov 2017

Pawnbroker pwnd: Cash Converters says hacker slurped customer data

Pawnbroking and secondhand goods outlet Cash Converters has suffered a data breach. Customers were notified of the leak on Thursday by email, samples of which have been posted on social media. Cash Converters said it had discovered that a third party gained unauthorised access to customer data within the company's UK webshop …
John Leyden, 16 Nov 2017

New, revamped Terdot Trojan: It's so 2017, it even fake-posts to Twitter

Terdot, a banking Trojan that has been around since mid-2016, has been re-engineered with updated information and credential thievery as well as social media account monitoring functionality. Built on the Zeus framework, whose code was leaked in 2011, Terdot adds a number of novel techniques to the market, such as leveraging …
John Leyden, 16 Nov 2017

DJI bug bounty NDA is 'not signable', say irate infosec researchers

Chinese drone maker DJI faces questions from infosec researchers about its bug bounty programme. Sources have told The Register that a non-disclosure agreement (NDA) they were invited to sign would result in the company "owning their actions". DJI's scheme to pay those that highlight security weaknesses, announced months ago …
Gareth Corfield, 16 Nov 2017

Does UK high street banks' crappy crypto actually matter?

The Register's recent story about the failure of most UK high street banks to follow web security best practices has provoked a lively debate among security experts. Tests of six banks revealed sketchy support for HTTP Strict Transport Security (HSTS), a cryptographic technology introduced in October 2012 and designed to …
John Leyden, 16 Nov 2017

Q: Why are you running in the office? A: This is my password for El Reg

A trio of Indian boffins have studied the use of smartphone accelerometers as biometric sensors and concluded they could be a handy way to identify users. Unlike the collaboration between American and Hong Kong researchers who want “who are you?” for ad-tracking, the National Institute of Technology, Karnataka boffins' …

The four problems with the US government's latest rulebook on security bug disclosures

Analysis The United States government has published its new policy for publicly disclosing vulnerabilities and security holes. The new rulebook [PDF] – and the decision to make it public – comes following a tumultuous 12 months in which Uncle Sam's chief spy agency, the NSA, was devastated to discover part of its secret cache of …
Kieren McCarthy, 15 Nov 2017

Crouching cyber Hidden Cobra: US warns Nork hackers are at it again with new software nasty

The FBI and US Homeland Security have issued an alert about a new strain of malware infecting American corporate systems and stealing sensitive data. The remote access trojan (RAT), dubbed Fallchill, is the work of a North Korean hacking group called Hidden Cobra, which some at US-CERT believe was responsible for the WannaCry …
Iain Thomson, 15 Nov 2017

US govt's 'foreign' spy program that can snoop on Americans at home. Sure, let's reauth that...

Analysis The reauthorization of a controversial US government spying program has made further progress with the Senate's intelligence committee putting forward its recommendations to the whole Senate. This follows a similar move by its counterpart in the House of Representatives last week. The report [PDF] from the Senate committee …
Kieren McCarthy, 15 Nov 2017

Confusion reigns over crypto vuln in Spanish electronic ID smartcards

The impact of a recently discovered cryptographic vulnerability involving smartcards is causing issues in Spain similar to those previously experienced in Estonia. RSA keys produced by smartcards, security tokens, laptops and other devices using cryptography chips made by Infineon Technologies are weak and crackable – and …
John Leyden, 15 Nov 2017

Amazon, Google inject Bluetooth vuln vaccines into Echo, Home AI pals

Updated Amazon and Google have automatically patched people's Echo and Home AI assistant devices, respectively, to defend against recently discovered Bluetooth-related security vulnerabilities. BlueBorne – described in the video below – is the collective name for eight exploitable flaws found in Bluetooth stacks used by major hardware …
John Leyden, 15 Nov 2017

Coming live to a warzone near you: Army Truck Driver for Xbox!

As recently retired senior officers told UK Parliament that the armed forces are at risk of "institutional failure", the Ministry of Defence told the world's press that soldiers are playing with Xbox controllers. General Sir Richard Barrons, Admiral Sir George Zambellas and Air Marshal Sir Barry North all gave evidence to the …
Gareth Corfield, 15 Nov 2017

Uncle Sam to strap body sensors to hackers in nuke lab security study

Exclusive The US Department of Defense is funding research into how hackers hack, with an interesting twist. It wants to wire them up with body monitoring equipment to measure how they react while hunting down and exploiting security flaws. The study is running this month and next at what's described as a high-security nuclear science …
Iain Thomson, 15 Nov 2017

Biting the hand that feeds IT © 1998–2017