Flying United Airlines? If you could just scan your passport with your phone, that'd be great

United Airlines is testing a passport-scanning feature in its phone app that could speed up the check-in process for international flights. The biz's iOS and Android software will allow passengers to upload an image of their passports within 24 hours of their departure and access their boarding pass. United said the system is …
Shaun Nichols, 7 Aug 2014

Americans to be guinea pigs in vast chip-and-PIN security experiment

Black Hat 2014: Next year US banks will begin a wide-scale rollout of chip-and-PIN bank cards, just 11 years after the UK made it mandatory. In doing so, Americans will take part in a vast experiment to test chip-and-PIN against chip-and-sign when it comes to stamping out money thieves. Not every US bank is keen on the PIN system, so some …
Iain Thomson, 7 Aug 2014

Hey guys. We've got 1.2 BILLION stolen accounts here. Send us your passwords, 'cos safety

The backlash is growing against the infosec firm that claimed it had uncovered a Russia-based gang's stash of 1.2 billion nicked website passwords. Hold Security claimed the gang was hoarding over one billion unique stolen usernames and passwords, siphoned off from insecure websites vulnerable to SQL injection and other common …
John Leyden, 7 Aug 2014

Snowden is FREE to ESCAPE FROM RUSSIA, say officials

Russia has given fugitive NSA whistleblower Edward Snowden a three year residency permit after his previous visa expired at the end of July. Snowden's lawyer, Anatoly Kucherena, told journalists that Snowden's request for a residence permit had been granted. “He will be able to travel freely within the country and go abroad,” …

Russia, China could ban western tech if they want to live in the PAST

Russia and China have both, of late, threatened western IT companies with difficult trading conditions or banishment if they can't prove their products are secure. The reason for their ire is, of course, Edward Snowden's many revelations about US intelligence activities. The response to his leaks has been widespread and fierce …

Researcher snaps a Zeus hacker's photo through his webcam

Security researcher Raashid Bhatt has detailed how to bust the security protections of the Zeus banking trojan allowing him to take a webcam photo of the scammer. Bhatt (@raashidbhatt) wrote in a technical blog how he reverse-engineered the malware after a scammer attempted to foist the malware on him through a phishing scam …
Darren Pauli, 7 Aug 2014

Zero-day hits Symantec endpoint products

Get patching, sysadmins, there's a zero-day in Symantec Endpoint Protection (SEP). This US-CERT advisory is alerting anyone who ignored Symantec's note about the issue. CVE-2014-3434 is a local access vulnerability with a public exploit. A client buffer overflow can cause a blue-screen-of-death on the client, which could also …

Cracker takes control of 200 rooms in Chinese hotel

Black Hat 2014: A security consultant staying in the St Regis hotel in the Chinese city of Shenzhen got bored one night and successfully commandeered the controls of 200 rooms thanks to an insecure automation protocol. Jesus Molina, a former chair of the Trusted Computing Group and independent security consultant, was staying in the hotel and …
Iain Thomson, 7 Aug 2014

Car hackers build kit to protect you and your motor from fiery death

Black Hat 2014: At last year’s Black Hat USA, Charlie Miller, security engineer at Twitter and Apple-cracker extraordinaire, and Chris Valasek, director of security intelligence at IOActive, showed delegates how to hack a car. This year they demoed a system that can stop any such hacks dead. Over the past 12 months, the duo have been going …
Iain Thomson, 7 Aug 2014

Now even Internet Explorer will throw lousy old Java into the abyss

Internet Explorer will soon join its rival browsers by automatically blocking old, insecure add-ons – and it's got its eye set squarely on Java. Microsoft said on Wednesday that starting on August 12, Internet Explorer will begin alerting users when web pages try to launch ActiveX controls that are considered out-of-date and …

CIA infosec guru: US govt must buy all zero-days and set them free

Black Hat 2014: Computer security luminary Dan Geer has proposed a radical shakeup of the software industry in hope of avoiding total disaster online. Geer played a crucial role in the development of the X Window System and the Kerberos authentication protocol, and is now the chief security officer of the CIA’s VC fund In-Q-Tel. And during the …
Iain Thomson, 7 Aug 2014

Android banking apps vulnerable to cash theft by CAS hole hackers

Hackers can swipe login credentials and other sensitive data from one in 10 Android banking apps, and about six per cent of all Android apps, IBM researchers warn. Users should avoid using the vulnerable apps, which were built using Apache Cordova up to version 3.5.0, until they have been updated to squash the bug. Big Blue's …
John Leyden, 6 Aug 2014

CryptoLocker victims offered free key to unlock ransomed files

Security researchers have released a tool that allows victims of the infamous CryptoLocker ransomware to unlock their computers at no charge. DecryptoLocker from net security firm FireEye and threat intelligence company FoxIT offers a cure for the estimated 500,000 victims of CryptoLocker. Victims need to upload a CryptoLocker- …
John Leyden, 6 Aug 2014

Edward Snowden's not a one-off: US.gov hunts new secret doc leaker

It appears former NSA contractor Edward Snowden is not the only leaker of secret US documents around, as the US government searches for another whistleblower in the aftermath of another leak of classified information. CNN reports that leaked documents related to a terrorist watch list and published by The Intercept (a site …
John Leyden, 6 Aug 2014

Watch this Aussie infosec bod open car doors from afar

Silvio Cesare has probably spent enough on home alarm systems at hardware stores to buy a small pacific island. The Canberra hacker has over the last three years embarrassed manufacturers by buying remote alarms, baby monitors and locks from eBay and hardware stores and later developing replay attacks that allow …
Darren Pauli, 6 Aug 2014

Target tosses US$148m onto data breach barbecue

Target's infamous 2013 data breach, which resulted in the company being relieved of 40 million credit card numbers, has cost the company another US$148m according to its latest quarterly finance report. The retailer dedicates a whole section of its quarterly statement to the breach, and says that “In second quarter 2014, the …

One in 2900 phone calls is an IDENTITY THIEF

One in every 2900 phone calls to contact centres was made by fraudsters attempting to gain customer account details to steal funds or buy merchandise, according to Pindrop Security's Vijay Balasubramaniyan. Researchers canvassed 105 million phone calls and studied the way fraudsters pulled off identity theft by conning phone …
Darren Pauli, 6 Aug 2014

Hacker crew nicks '1.2 billion passwords' – but WHERE did they all come from?

Updated: Russian hackers have amassed the largest ever cache of stolen website passwords – 1.2 billion, it's claimed – by swiping, one way or another, sensitive data from poorly secured databases. A network of computers quietly hijacked by malware, and controlled from afar by the gang, identified more than 420,000 websites vulnerable to …
Darren Pauli, 5 Aug 2014

US cyber-army's cyber-warriors 'cyber-humiliated by cyber-civvies in cyber-games'

The US military held a series of online war games to pit reservist hackers against its active-duty cyber-warriors – and the results weren't pretty for the latter, we're told. "The active-duty team didn’t even know how they’d been attacked. They were …
Iain Thomson, 5 Aug 2014

White Hats splat Black Hat chats: Talks on home alarm flaws and Russian spy tools axed

Two further talks have been pulled from this year's Black Hat USA program. A presentation on weaknesses in home security alarms systems, and another about Russian espionage software, have been yanked from the annual hacking conference, which opens today in Las Vegas, Nevada. The move follows the cancellation of a presentation …
John Leyden, 5 Aug 2014

Israel snooped on John Kerry's phone calls during Middle East peace talks

Israeli spies are alleged to have snooped on John Kerry’s phone calls during recent Middle East peace talks. The IDF tapped the US Secretary of State's unencrypted calls while trying to broker a ceasefire between Israel and the Palestinian Authority, Der Spiegel reports sources as saying. Kerry used both encrypted and open …
John Leyden, 5 Aug 2014

Synology and the NAS-ty malware-flingers: What can be learned

Sysadmin blog: The recent Synology Synolocker issue should serve as a splash of cold water to any vendors in the tech industry that design and sell systems that are largely unattended or unmanaged. As described in The Reg yesterday, Synology NAS boxes are being hit by a Cryptolocker-like piece of malware dubbed Synolocker. Like Cryptolocker, …
Trevor Pott, 5 Aug 2014

Why no one smells a RAT: Trojan uses YAHOO WEBMAIL to pick up instructions

Cybercrooks commonly run botnet command-and-control networks using servers or (less frequently) a peer-to-peer network, but one gang of scammers has broken the mould by managing a Trojan using Yahoo webmail. The recently discovered IcoScript Trojan is a classic remote administration tool (RAT), but what makes it highly unusual …
John Leyden, 5 Aug 2014

Multifunction printer p0wnage just getting worse, researcher finds

It is now easier than ever to hack corporate networks through multifunction printers, which can even offer up access to Active Directory accounts according to security consultant Deral Heiland. The moustachioed Rapid 7 tech veteran said his team now gains access to corporate active directory credentials through credentials …
Darren Pauli, 5 Aug 2014

Leaked docs reveal power of malware-for-government product 'FinFisher'

A string of documents detailing the operations and effectiveness of the FinFisher suite of surveillance platforms appears to have been leaked. The documents, some dated 4 April this year, detail the anti-virus detection rates of the FinFisher spyware which German based Gamma Group sold to governments and law enforcement agencies …
Darren Pauli, 5 Aug 2014

Ransomware attack hits Synology's NAS boxen

Synology Diskstations and Rackstations are being hit by malware dubbed Synolocker. The malware is similar to the infamous Cryptolocker ransomware in that it encrypts all your files and then demands a ransom to unlock them. The vulnerabilities that enable the malware appear to rely on hard-coded passwords to recommended …
Trevor Pott, 5 Aug 2014

NSA leaker Thomas Drake says Oz security reforms are 'scary'

National Security Agency whistleblower Thomas Drake says Australia's looming national security reforms make him 'shudder', labelling them ambiguous and a plot to stamp out legitimate public-interest whistleblowing. Drake, who Edward Snowden said was his …
Darren Pauli, 4 Aug 2014

If you ate at one of these PF Chang's restaurants, your bank card is at risk

US eatery chain P.F. Chang's has named 33 of its restaurants that were compromised by bank card fraudsters this year. The company said payment systems at its Chinese bistros in states from California to Florida were infiltrated, allowing crooks to siphon off victims' credit and debit card details. According to the restaurant …
Shaun Nichols, 4 Aug 2014

Crumbs! Holiday phish based on genuine hotel booking surfaces

Scammers have launched a devious phishing campaign aimed at tricking customers of targeted hotels into transferring funds to a drop account. Securobods suggested cybercrooks either hacked into a Spanish hotel's system or persuaded someone to hand over customer records on a false pretext before using the purloined details to …
John Leyden, 4 Aug 2014

EE rolls out London bus pay-by-bonk app – only fandoids need apply

Riding a London bus is about as pleasurable as trying to saddle a twitchy rhino that has decided to charge at the slightest perceived threat. But the business of bus-based travelling through an ancient city designed with horse and cart in mind might be set to get a teeny bit easier - at least for EE customers with NFC-enabled …
Jasper Hamill, 4 Aug 2014

China: Our approved vendor list – Kaspersky, Symantec AREN'T on it

Updated: Security firms Kaspersky Labs and Symantec appear to have both been booted off China’s list of approved vendors for government agencies. This development comes as the country continues to tighten up against foreign tech firms in the wake of the NSA surveillance revelations. The People’s Daily reported first in a tweet that the …

Snowden latest: NSA targets Gaza, pumps intelligence to Israel

According to the latest drop of leaks from NSA whistleblower Edward Snowden, the US spy agency provides financial assistance, weapons and signals intelligence to Israel. The Intercept reports that Canadian, British and Jordanian signals intelligence is also shared with Israel. This intelligence relates to Palestinian targets, …
John Leyden, 4 Aug 2014

Windows Registry-infecting malware has no files, survives reboots

Researchers have detailed a rare form of Windows malware that maintains infection on machines and steals data without installing files. The malware resides in the computer registry only and is therefore not easy to detect. Its code reaches machines through a malicious Microsoft Word document before creating a hidden encoded …
Darren Pauli, 4 Aug 2014

GCHQ names the Hogwarts for Hackers

The UK's Government Communications Headquarters (GCHQ) has certified six Masters of Cyber Security degrees. The certifications were issued under the UK's Cyber Security Strategy that, among other things, calls for the nation to “Strengthen postgraduate education to expand the pool of experts with in-depth knowledge of cyber.” …

Microsoft hacks out new EMET, spits out Adobe Flash

Microsoft has emitted a new version of EMET – its Enhanced Mitigation Experience Toolkit. Redmond often recommends deployment of EMET as a frontline defence against attacks, so the release of a new version is noteworthy. The big two enhancements that Microsoft is talking up the loudest are an improved Attack Surface Reduction ( …

Your fitness tracker is a SNITCH says Symantec

If you're the kind of person whose gadgets auto-tweet your exercise, sex or sleep habits – all vanguard applications of the odiously-named “quantified self” movement – you can be tracked, identified and hacked, according to Symantec. In this post, the security outfit explains that the age-old desire for gadget convenience has, …

Mozilla gaffe exposed 76,000 email addresses, 4000 passwords

Mozilla has 'fessed up to accidentally exposing the email addresses for 76,000 members of its Developer Network, along with 4000 encrypted passwords. The breach was caused by a bad script that on July 23 was found to have inadvertently published the records online over the previous month. The offending data sanitisation process …
Darren Pauli, 3 Aug 2014

Hey, big spender. Are you as secure as a whitebox vendor?

Sysadmin blog: Security flaws are a great source of inter-company marketing FUD, but it is how a company responds to them that determines how trustworthy they are. Can you bet your business – or your personal data – on a company that simply brushes flaws under a rug? Where does the vendor's responsibility end and that of the customer begin? As …
Trevor Pott, 1 Aug 2014

Pentagon hacker McKinnon can't visit sick dad for fear of extradition

Pentagon hacker Gary McKinnon is afraid to visit his sick father in Glasgow after advice from his lawyers about the possibility of extradition. McKinnon's father, Charlie, is in hospital after suffering a stroke. But lawyers for the London-based hacker have advised him against visiting his dad in hospital in Scotland because …
John Leyden, 1 Aug 2014

IBM snaps up identity access gatekeeper tech

IBM has snapped up privately held security software firm CrossIdeas. Financial terms of the deal, announced Thursday, were undisclosed. Rome, Italy based CrossIdeas has been developing identity access technology since 2011. Its technology allows CISOs and security teams in big companies to automatically detect conflicts in …
John Leyden, 1 Aug 2014

Security chap writes recipe for Raspberry Pi honeypot network

Honeypots are the perfect bait for corporate IT shops to detect hackers targeting and already within their networks and now one security bod has devised a means to build a battalion of the devices from Raspberry Pis. University of Arizona student Nathan Yee (@nathanmyee) has published instructions for building cheap hardware …
Darren Pauli, 1 Aug 2014

Retailers shot up by PoS scraping brute force cannon

The US Computer Emergency Response Team has warned of a new point of sale malware that is targeting retailers. The malware is a RAM-scraper of the kind made infamous by the Target breach that saw attackers plant wares on terminals to nab credit cards while they were temporarily unencrypted. This attack uses a new tool delivered …
Darren Pauli, 1 Aug 2014