IRONY ALERT: Former MI6 chief warns of 'mass snooping' - by PAEDOS

The former head of MI6 has warned parents that paedophile predators are capable of using location-based services to find and abuse their kids. In a warning that might sound a bit rich coming from a former chief spook, Sir John Scarlett said he was worried about how easily a youngster's movements could be traced. Young girls are …
Jasper Hamill, 2 Oct 2014

Etsy security rule #1: Don't be a jerk to devs

Businesses should deploy bug bounty programs, phish their staff and launch intelligent attacks against their networks, Zane Lackey says. The now chief security officer of SignalSciences ran through the experience of building and adapting Etsy's security team. Lackey (@zanelackey) and his colleagues, who left the hipster bazaar …
Darren Pauli, 2 Oct 2014

VMWare virtually in control of Shellshock

VMware is plugging away at Shellshock holes in 37 virtual appliance products, but has so far shipped clean code for just a handful of appliances. The company released a fix for cloud analytics kit vCenter Log Insight and offered updates on four others. The advisory said a variety of VMware appliances shipped with Shellshock- …
Darren Pauli, 2 Oct 2014

Researchers bypass Redmond's EMET, again

Researchers have again disarmed Microsoft's lauded Enhanced Mitigation Experience Toolkit (EMET) defence tool, and criticised Redmond for not improving its security controls by much. Offensive Security researchers, the brains behind the Kali Linux security platform and the gents that popped Version 4, examined the advanced …
Darren Pauli, 2 Oct 2014

Bash bug flung against NAS boxes

Hackers are attempting to exploit the BASH remote code injection vulnerability against Network Attached Storage (NAS) systems. Miscreants are actively exploiting the time-to-patch window in targeting embedded devices, security firm FireEye warns. We have evidence that attackers are actively exploiting the time-to-patch window …
John Leyden, 1 Oct 2014

Xen sticks pin in bug behind Rackspace GLOBAL CLOUD REBOOT

Details of the mysterious Xen vulnerability, which prompted the Amazon AWS/Rackspace cloud reboots late last week, have been revealed, with patches already available. The CVE-2014-7188 vulnerability creates a way to trick the hypervisor into reading unallocated memory. "A buggy or malicious HVM [hardware virtual machine] guest …
John Leyden, 1 Oct 2014

Wide Open Data: NYC taxi dump catches strip club Johns

Open Data zealots rarely give an individual’s privacy a thought – it’s just another obstacle to be driven over in their desire to provoke a data-powered revolution. But a gigantic dump of journeys made by licensed New York City taxis gives a vivid reminder of the dangers of careless data drops. Earlier this year a Freedom of …

Biz coughs up even less for security, despite mega breach losses

Information security budgets are falling despite a continuing rise in the number of attacks, according to a new report by management consultants PwC. Detected security incidents have increased 66 per cent year-over-year since 2009, reaching the equivalent of 117,339 attacks per day, according to PwC's "The Global State of …
John Leyden, 1 Oct 2014

You dirty RAT! Hong Kong protesters infected by iOS, Android spyware

Hong Kong activists who have taken to the streets to demand electoral freedom are being targeted by mobile spyware – an Android and iOS remote-access Trojan to be precise. Israeli security firm Lacoon Mobile Security spotted the Xsser mRAT spyware being distributed under the guise of an app to help coordinate the Occupy Central …
Darren Pauli, 1 Oct 2014

Researcher details nasty XSS flaw in popular web editor

A tool that's popular with Microsoft's in-house developers, the RadEditor HTML editor, contains a dangerous cross-site scripting (XSS) vulnerability, researcher GS McNamara says. The editor was developed by Telerik and used in trusted in-house code in many big enterprises and across Redmond products including MSDN, CodePlex, …
Darren Pauli, 1 Oct 2014

Xbox hackers snared US ARMY APACHE GUNSHIP ware - Feds

Hackers from the US, Canada and Australia have been arrested over a sting that took in the US Army, gaming companies and Microsoft. The Department of Justice accuses the alleged perps of copying software worth more than US$100m. The thieves pinched data and source code relating to then unreleased titles Call of Duty Modern …
Darren Pauli, 1 Oct 2014

Google promises MORE CHOCOLATE to squish Chrome bugs

Google has announced an uptick to what it'll pay for Chrome bugs, under its bug bounty program. The Chocolate Factory's bumping up the top published payment under the bounty to US$15,000 (while noting that for particularly spectacular bugs it's been known to pay out as much as US$30,000 under the old rules). The starting price …

OpenVPN open to pre-auth Bash Shellshock bug – researcher

The Shellshock Bash bug, the gift that just keeps on taking, could also sting OpenVPN users, according to researcher Fredrick Stromberg. Pre-authentication vectors affect communication through the popular and formerly secure VPN platform, he says. Shellshock affected the crucial and ubiquitous *nix component Bash up to and …
Darren Pauli, 30 Sep 2014

PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai

Broadband and IPv6 are hot – and distributed denial-of-service attacks and IPv4 are not. Well, that's according to Akamai. The cache-and-carry-on biz said in its latest State of the Internet report that, for the first time ever, the average connection speed for netizens is more than 4Mbps, meaning your average punter has a " …
Shaun Nichols, 30 Sep 2014

George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests

George Clooney and his new wife – a human rights lawyer who has represented six-fingered embassy dweller Julian Assange™ – went to extreme lengths to safeguard the privacy of their wedding, even issuing guests with "burner phones" under their control. Guests at last weekend's nuptials between George Clooney and top lawyer Amal …
John Leyden, 30 Sep 2014

Bloke accused of making phone spyware StealthGenie is cuffed by feds

Allegedly building and selling spyware has landed a Pakistani man in trouble with the Feds: the g-men collared 31-year-old Hammad Akbar, of Lahore, on Monday for flogging StealthGenie, it's claimed. The US Department of Justice says Akbar was indicted in the Eastern District of Virginia for operating a company called InvoCode, …

FBI opens Malware Investigator portal to industry

The Federal Bureau of Investigation has released a formerly in-house malware-analysing portal to help speed up incident responses and help industry and law enforcement with investigations. The G-men hope the Malware Investigator portal can let businesses build responses to new malware without such heavy reverse-engineering …
Darren Pauli, 30 Sep 2014

Third patch brings more admin Shellshock for the battered and Bashed

A third patch, from Red Hat engineer Florian Weimer, has been released for the vulnerable Bash Unix command-line interpreter, closing off flaws found in two previous fixes. Weimer's unofficial fix was adopted upstream by Bash project maintainer Chet Ramey and released as Bash-4.3 Official Patch 27 (bash43-027) which addressed a …
Darren Pauli, 30 Sep 2014

Apple finally patches Bash Shellshock vuln that WAS NOT A WORRY, OK?

Apple and F5 are the latest big-name vendors to post responses to the “Shellshock” vulnerability in Bash. Just days after saying “the vast majority of OS X users are not at risk”, Cupertino has posted Bash fixes for OS X Lion, Mountain Lion, and Mavericks. The fix is now available in OS X users' Software Update. It would, …

CloudFlare: You get SSL, and you get SSL, EVERYBODY GETS SSL!

CloudFlare announced today it will extend SSL support to customers who use its free cloud-based web hosting service. The firm said its Universal SSL program will allow said customers to encrypt and secure web traffic between visitors and websites cached by CloudFlare. CloudFlare will provide SSL certificates that are valid for …
Shaun Nichols, 29 Sep 2014

Shellshock: 'Larger scale attack' on its way, warn securo-bods

The Shellshock vulnerability has already become the focus for malicious scanning and at least one botnet but crooks are still testing the waters with the vulnerability and much worse could follow, security watchers warn. Net security firm FireEye said it has seen all manner of overtly malicious traffic leveraging the Bash bug, …
John Leyden, 29 Sep 2014

Spammer uses innocent hacked blogs to punt NAKED PICS of JLaw, McKayla Maroney

A long established smut spammer is using hacked websites to sell stolen photographs of naked celebrities including Jennifer Lawrence, Kate Upton and McKayla Maroney. The miscreant (who uses compromised web servers to host his landing pages) has altered his pitch to include copies of the recently released stolen photographs of …
John Leyden, 29 Sep 2014

SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches

The majority of Fortune 1000 and Global 2000 companies have already deployed, or are now deploying, Shellshock patches to fend off code attacks, according to cloud security firm CloudPassage. The Shellshock vulnerability allows remote attackers to execute arbitrary code on servers using a variety of techniques, with the CVE-2014 …
John Leyden, 29 Sep 2014

SIEMs like a good idea: How to manage security in real time

Register now for this webcast that explains how security information and event management (SIEM) can work, what it does, and how to fit it into your existing security environment. Watch this live event today at 13:00 BST (8:00 EST) - if you can't make it, just sign up and we will email you when the recording is available. …
David Gordon, 29 Sep 2014

Fraud shop OVERSTOCKED with stolen credit cards

Infamous carding store Rescator.cc is so chock-full of stolen credit cards from recent high-profile breaches that it's gutting its prices due to overstocking. The fire sale makes a mockery of the security in place at some of the world's biggest retailers, many of which have in recent months been invaded by hackers who have made …
Darren Pauli, 29 Sep 2014

Ruskies use commercial crimeware to mask 'patriotic' Ukraine hacks

Political hack-attacks are being made to look like bread-and-butter financial fleecing scams, according to researcher F-Secure, after watching Russian hacker collective Quedagh's use of the popular BlackEnergy exploit kit. The group customised the off-the-shelf malware to attack Ukrainian agencies located in Dnipropetrovsk, in …
Darren Pauli, 29 Sep 2014

Pizza stores popped, sandwich stores sacked in PoS plunder

Some 324 restaurants across the United States, including 216 Jimmy John's outlets, have had payment terminals compromised by malware after a breach at vendor Signature Systems. The massive breach occurred when an intruder stole remote log-in credentials for Signature's point of sale (PoS) kit, according to cyber-crime reporter …
Darren Pauli, 29 Sep 2014

Cisco splats Bash bug in busy swatting season

Cisco has begun its response to the Bash “Shell Shocked” vulnerability, the 20-year-old bug that's sent the *nix world into a frenzy. It's going to be a long slog for the Borg, but in its advisory, Cisco has so far identified 31 individual products vulnerable to Shell Shocked, compared to seven confirmed not vulnerable. Another …

Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT

Ello, the social network site intended to serve as something of an antidote to ad-stuffed Facebook, was hit by a suspected Distributed-Denial-of-Service attack today. The outfit, which has gained plenty of press coverage in the past week after employing the classic invite-only marketing trick to lure in more users, said on its …
Kelly Fiveash, 28 Sep 2014

SMASH the Bash bug! Apple and Red Hat scramble for patch batches

A fresh dump of Shellshock patches was released on Friday night in the latest move to stamp out the Bash shell security vuln that has the potential to blight millions of Linux, Unix and Mac OS X machines. Red Hat said in a blog post that the threat from Shellshock was receding now that patches had been issued for most operating …
Team Register, 28 Sep 2014

Regina Eggbert gives her signature rundown of the week's tech news

Vid Tune in for a brief rundown of the week's eggiest tech tales from The Reg's avatar news anchor Regina Eggbert. Then find out more about this week's stories, including shell-shocked Bash, PC abandonment issues and bent mobes – here, here and here. ®

Rackspace to hit GLOBAL CLOUD REBOOT button to flush out Xen security nasty

Rackspace has warned its customers that it plans to reboot all of its servers across the globe to nix a security bug that was first spotted in the Xen virtualisation platform earlier this week. The managed cloud outfit told its customers about the "maintenance work" in an email, seen by The Register, that was sent out early on …
Kelly Fiveash, 27 Sep 2014

Oracle SHELLSHOCKER - data titan lists unpatchables

Oracle has confirmed that at least 32 of its products are affected by the vulnerability recently discovered in the Bash command-line interpreter – aka the "Shellshock" bug – including some of the company's pricey integrated hardware systems. The database giant issued a security alert regarding the issue on Friday, warning that …
Neil McAllister, 27 Sep 2014

Stunned by Shellshock Bash bug? Patch all you can – or be punished

Updated The UK's privacy watchdog is urging organisations to protect their systems against the infamous Shellshock vulnerability in Bash – even though the full scope of the security bug remains unclear. The Shellshock flaw affects Bash up to and including version 4.3. It's a vital component of many Linux and Unix systems, as well as …
John Leyden, 26 Sep 2014

Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'

Security geeks have worked out a formula for determining which of a series of formerly blacklisted domains would be reused in malware attacks. The method combines the domain name with the generic Top Level Domain, IP address alterations and the cost of a domain transfer. Under the right conditions, the researchers say, the …
Darren Pauli, 26 Sep 2014

Bad boy builds beastly Bash bug botnet, boxen battered

Mere hours after its discovery, the Shell Shock Bash vulnerability was exploited by an attacker to build a botnet. The bot was discovered by a researcher known as Yinette, who reported it on her Github account and said it appeared to be remotely controlled by miscreants. Rapid 7 researcher Jen Ellis noted in a blog the discovery …
Darren Pauli, 26 Sep 2014

FBI boss: Apple's iPhone, iPad encryption puts people 'ABOVE THE LAW'

FBI Director James Comey has complained that Apple and Google's use of stronger encryption in smartphones and tablets makes it impossible for cops and g-men to collar criminals. "There will come a day – well it comes every day in this business – when it will matter a great, great deal to the lives of people of all kinds that we …
Iain Thomson, 25 Sep 2014

Hackers thrash Bash Shellshock bug: World races to cover hole

Sysadmins and users have been urged to patch the severe Shellshock vulnerability in Bash on Linux and Unix systems – as hackers ruthlessly exploit the flaw to compromise or crash computers. But as "millions" of servers, PCs and devices lay vulnerable or are being updated, it's emerged the fix is incomplete. The flaw affects the …
John Leyden, 25 Sep 2014

FBI: Your real SECURITY TERROR? An ANGRY INSIDE MAN

Disgruntled workers are causing more problems for their employers, the FBI warns. Employees, ex-workers or contractors with a grudge against their former paymasters are abusing cloud storage sites or remote access to enterprise networks to steal trade secrets, customer lists or other sensitive information. Insider threats have …
John Leyden, 25 Sep 2014

Latest Firefox and Thunderbird updates plug CRITICAL SSL vuln

Mozilla Firefox needs patching urgently following the discovery that the open source browser is vulnerable to SSL man-in-the-middle attacks. The critical bug arises because the Network Security Services (NSS) libraries parser built into the browser is capable of being tricked into accepting forged RSA certificate signatures. …
John Leyden, 25 Sep 2014

Bash bug: Shellshocked yet? You will be ... when this goes WORM

Much of the impact of the Shellshock vulnerability is unknown and will surface in the coming months as researchers, admins and attackers (natch) find new avenues of exploitation. The vulnerability, called Shellshock by researcher Robert Graham, existed in the Bash command interpreter up to version 4.3 and affected scores of …
Darren Pauli, 25 Sep 2014

Desperate VXers enslave FREEZERS in DDoS bot

Bad guys are launching denial of service attacks from Windows and Linux boxes and in a sign of desperation even fridges, freezers and Raspberry Pis. The attacks spotted by security company Akamai are based on an updated version of the Chinese language Spike malware that now targets insecure Internet-of-Things things. Akamai's …
Darren Pauli, 25 Sep 2014