
Want to get around app whitelists by pretending to be Microsoft? Of course you can...

DerbyCon A sprinkle of code and an understanding of the Windows digital certificate process is all that's needed for a miscreant to sneak malware past Microsoft's application whitelist within a corporate environment. In a keynote address at the DerbyCon hacking conference in Kentucky, USA, on Friday, Matt Graeber, a security researcher …
Iain Thomson, 22 Sep 2017

Aw, not you too, Verizon: US telco joins list of leaky AWS S3 buckets

Yet another major company has burned itself by failing to properly secure its cloud storage instances. Yes, it's Verizon. Researchers with Kromtech Security say they were able to access an AWS S3 storage bucket that contained data used by the US telco giant's billing system and the Distributed Vision Service (DVS) software …
Shaun Nichols, 22 Sep 2017

NBD: Adobe just dumped its private PGP key on the internet

Updated An absent-minded security staffer just accidentally leaked Adobe's private PGP key onto the internet. The disclosure was spotted by security researcher Juho Nurminen – who found the key on the Photoshop giant's Product Security Incident Response Team blog, ironically. That contact page should have only included the public PGP …
Shaun Nichols, 22 Sep 2017

IoT botnet Linux.ProxyM turns its grubby claws to spam rather than DDoS

An IoT botnet is making a nuisance of itself online after becoming a conduit for spam distribution. Linux.ProxyM has the capability to engage in email spam campaigns with marked difference to other IoT botnets, such as Mirai, that infamously offered a potent platform for running distributed-denial-of-service attacks (DDoSing …
John Leyden, 22 Sep 2017

Finance sector is littered with vulns, and guess what – most can be resolved by patching

Security vulnerabilities across the finance sector have increased more than fivefold (418 per cent) in the last four years, according to a study by NCC Group. The most common high and medium-risk vulnerabilities were found in customer-facing web apps. NCC categorised vulnerabilities found in 168 financial services …
John Leyden, 22 Sep 2017

Ethereum-backed hackathon excavates more security holes

An Ethereum-backed contest has revealed a few new tricks for disguising malware as the harmless code the network uses to transfer and manipulate funds: digital smart contracts. Since Ethereum was introduced in 2015, its security risks have been no secret in the blockchain community. After a $50m hack in 2016, the community …
Andrew Silver, 22 Sep 2017

Mini-Heartbleed info leak bug strikes Apache, airborne malware, NSA algo U-turn, and more

Roundup As ever, it's been a doozy of a week for cybersecurity, or lack thereof. The Equifax saga just keeps giving, the SEC admitted it was thoroughly pwned, and Slack doesn't bother to sign its Linux versions. We do spoil you so, Reg readers. And that was only yesterday. Here's the rest of the week's shenanigans we didn't get round to …
John Leyden, 22 Sep 2017

IT plonker stuffed 'destructive' logic bomb into US Army servers in contract revenge attack

An IT contractor is facing a possible decade behind bars in America for planting a ticking "destructive" time bomb in US military systems. After a three-day trial this week, Mittesh Das, 48, of Atlanta, Georgia, was found guilty by a jury in North Carolina of knowingly transmitting malicious code with the intent of causing …
Iain Thomson, 22 Sep 2017

Slain: Unions' US OPM mega-hack lawsuit against Uncle Sam

A lawsuit brought against the hacker-ransacked Office of Personnel Management on behalf of US federal employees has been killed. On Wednesday, Judge Amy Berman Jackson ruled in a District of Columbia court that the case, brought by the American Federation of Government Employees and the National Treasury Employees Union, could …
Iain Thomson, 21 Sep 2017

SEC 'fesses to security breach, says swiped info likely used for dodgy stock-market trading

The US Securities and Exchange Commission (SEC) has admitted that hackers broke into its corporate filing system last year. As-yet unidentified miscreants may have profited from financial tip-offs and other data obtained after hacking into its online EDGAR filing system, the US government's financial trading watchdog admitted …
John Leyden, 21 Sep 2017

Researchers claim ISPs are 'complicit' in latest FinSpy snooping rounds

A surveillance campaign utilising a new variant of FinFisher, the infamous spyware also known as FinSpy, has been tracked by security researchers. Seven countries have been affected, and in two of them, major internet providers have most likely been involved in infecting surveillance targets, according to security researchers …
John Leyden, 21 Sep 2017

Equifax fooled again! Blundering credit biz directs hack attack victims to parody site

You'd have thought that Equifax staff would be on their toes ever since the megahack that exposed the private data of over 143 million Americans, but the corporation's social media team certainly hasn't got the message. When news of the hack was published on September 7, over a month after its scale had been discovered, Equifax set …
Iain Thomson, 21 Sep 2017

You lost your ballpoint pen, Slack? Why's your Linux version unsigned?

Slack is distributing versions of its chatroom app for Linux machines that are not digitally signed, contrary to industry best practice. The absence of a digital signature creates a means for miscreants to sling around doctored versions of the software that users wouldn't easily be able to distinguish from the real thing. El …
John Leyden, 21 Sep 2017

CCleaner targeted top tech companies in attempt to lift IP

Cisco's security limb Talos has probed the malware-laden CCleaner utility that Avast so kindly gave to the world and has concluded its purpose was to create secondary attacks that attempted to penetrate top technology companies. Talos also thinks the malware may have succeeded in delivering a payload to some of those firms …
Simon Sharwood, 21 Sep 2017

Orland-whoa! Chap cops to masterminding $100m Microsoft piracy racket

A Chinese national has admitted he coordinated a massive piracy ring that shifted more than $100m in bootleg Microsoft gear. Orland Liu, 37, was said to be part of an international operation that included himself and at least seven other counterfeiters and resellers in the US who knowingly shifted knock-off copies of software …
Shaun Nichols, 20 Sep 2017

FedEx: TNT NotPetya infection blew a $300m hole in our numbers

FedEx has estimated this year's NotPetya ransomware outbreak cost it $300m in lost business and cleanup costs. Most of the victims of June’s NotPetya epidemic were based in Ukraine, but several global corporations were also infected by the software nasty – including shipping giant Maersk, ad behemoth WPP, pharmaceutical beast …
John Leyden, 20 Sep 2017

IT fraudster facing four years' bird time for $10k blackmail

An IT contractor who sabotaged a client's website and demanded $10,000 to restore it was this week convicted of wire fraud and sentenced to four years behind bars. Tavis Tso, 40, from Arizona, was also ordered by US District Judge David Campbell to pay $9,145 in restitution to the unnamed victim of his crime. Tso had …
Kat Hall, 20 Sep 2017

Manchester plod still running 1,500 Windows XP machines

Cops in Manchester, England, have 1,518 PCs running on Microsoft's dusty operating system Windows XP, according to a Freedom of Information response. This equates to 20.3 per cent of the total PC fleet that GMP has in use, despite Microsoft ending support for the much-loved operating system back in April 2014. A spokesman for …
Kat Hall, 20 Sep 2017

Lloyds Bank payments glitch frustrates merchants

Lloyds Bank has admitted that unspecified technical problems affected the operation of its Cardnet payment system on Tuesday. The UK bank denied suggestions that it had suffered a cyber attack. The Register learnt of a potential issue after a reader got in touch to say that many chip-and-PIN terminals were not working for …
John Leyden, 20 Sep 2017

More data lost or stolen in first half of 2017 than the whole of last year

More data records were leaked or stolen by miscreants during the first half of 2017 (1.9 billion) than all of 2016 (1.37 billion). Digital security company Gemalto's Breach Level Index (PDF), published Wednesday, found that an average of 10.4 million records are exposed or swiped every day. During the first half of 2017 there …
John Leyden, 20 Sep 2017

Equifax's disastrous Struts patching blunder: THOUSANDS of other orgs did it too

Thousands of companies may be susceptible to the same type of hack that recently struck Equifax. The Equifax breach was the result of a vulnerable Apache Struts component. Software automation vendor Sonatype warns that 3,054 organisations downloaded the same Struts2 component exploited in the Equifax hack in the last 12 months …
John Leyden, 20 Sep 2017

Inept bloke who tried to sell military sat secrets to Russia gets 5 years

A contractor who tried to sell trade secrets on military communication satellites to the Russians has been sent down for five years. Incredibly, it could have been longer after prosecutors alleged that he was also planning to kill his wife. On Monday, California District Judge George Wu threw Gregory Allen Justice, 50, behind …
Iain Thomson, 19 Sep 2017

Viacom exposes crown jewels to world+dog in AWS S3 bucket blunder

Updated Media monster Viacom has been caught with its security trousers down. Researchers found a wide-open, public-facing misconfigured AWS S3 bucket containing pretty much everything a hacker would need to take down the company's IT systems. The data store, found by Chris Vickery, director of Cyber Risk Research at security shop …
Iain Thomson, 19 Sep 2017

What's that, Equifax? Most people expect to be notified of a breach within hours?

Equifax hasn't found time for a houseclean and is making claims of authority and competence about security breaches that, following its own recent high-profile breach, come off as pretty cringeworthy. An autumn 2016 whitepaper from Equifax – still available at the time of publication – attempts to position the credit …
John Leyden, 19 Sep 2017

European Commission proposes more powers for EU's infosec agency

The European Commission has proposed an expansion in the role of ENISA, the EU's cybersecurity agency. During his State of the Union speech on Wednesday, Jean-Claude Juncker outlined plans to widen ENISA's remit through a Cybersecurity Act. Under a revised mandate, ENISA would be tasked with introducing an EU-wide …
John Leyden, 19 Sep 2017

Pirate Bay digs itself a new hole: Mining alt-coin in slurper browsers

Bittorrent search engine and mortal enemy of intellectual property lawyers, The Pirate Bay, has upset the one group of people that actually likes it: its users. Over the weekend, visitors to the infamous file-sharing watering hole were surprised to find their browsers working overtime, with their computers' CPU usage rocketing …
Kieren McCarthy, 19 Sep 2017

Sexploitation gang thrown in clink for 171 years after 'hunting' kids online and luring them in front of webcams

Four men have joined their two accomplices behind bars for tricking young girls into performing sex acts online so they could film them. The six were charged in Michigan, USA, with 28 counts [PDF] of producing and viewing child abuse images, engaging in a child exploitation enterprise, conspiracy to access with intent to view …
Iain Thomson, 19 Sep 2017

Someone checked and, yup, you can still hijack Gmail, Bitcoin wallets etc via dirty SS7 tricks

Once again, it's been demonstrated that vulnerabilities in cellphone networks can be exploited to intercept one-time two-factor authentication tokens sent in text messages. Specifically, the security shortcomings lie in the Signaling System 7 (SS7) protocol, which is used by networks worldwide to talk to each other to route …
John Leyden, 18 Sep 2017

DRM now a formal Web recommendation after protest vote fails

Anti-piracy and anti-copying protections are now formally part of the World Wide Web after an effort to vote down content controls at the WWW's standards body failed. The World Wide Web Consortium (W3C) has been embroiled in controversy for five years over the introduction of the Encrypted Media Extensions (EME) specification …
Kieren McCarthy, 18 Sep 2017

Downloaded CCleaner lately? Oo, awks... it was stuffed with malware

Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users. Cisco Talos discovered that servers distributing the program were leveraged to deliver malware to unsuspecting victims. "For a period of time …
John Leyden, 18 Sep 2017

TfL hackathon showed data can keep transport running and people safe

Sponsored If software is eating the world, then hackathons are its fast-food restaurants. Groups of developers come together for short periods to try to solve pressing problems. This happens in sectors from healthcare to retail, and now it's happening in transportation too. London, the UK's capital, is a city groaning under its own …
Danny Bradbury, 18 Sep 2017

Equifax's IT leaders 'retire' as company says it knew about the bug that brought it down

Equifax's chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software. The retirements and more details about the company's mega-breach are revealed in a new entry to …
Simon Sharwood, 17 Sep 2017

Equifax UK admits: 400,000 Brits caught up in mega-breach

Equifax UK has surfaced to say that British systems were not affected by a recently disclosed megahack; however, 400,000 UK people were affected due to a "process failure." The credit reference agency says that UK-dedicated systems were not affected by the security breach at its US parent firm that exposed the personal …
John Leyden, 15 Sep 2017

Equifax mega-breach: Security bod flags header config conflict

Further evidence has emerged regarding the insecurity of Equifax’s web setup, as independent security researcher Scott Helme reports having uncovered all manner of problems with Equifax’s security header configuration. The finding from Helme comes as a date was confirmed for the Equifax CEO to appear before Congress earlier …
John Leyden, 15 Sep 2017

NCC hires three Bank of England cyber experts to beef up assurance business

Three of the Bank of England’s cyber specialists have joined NCC Group to lead a newly established threat assurance unit at the UK-based security consultancy firm. In their new roles within NCC’s new Centre for Evolved Next-generation Threat Assurance (CENTA), Phillip Larbey, Anthony Long and Fiona Paterson will be advising …
John Leyden, 15 Sep 2017

Chrome to label FTP sites insecure

Google's Chrome browser will soon label file transfer protocol (FTP) services insecure. Google employee and Chrome security team member Mike West yesterday announced the plan on the Chromium.org security-dev mailing list. “As part of our ongoing effort to accurately communicate the transport security status of a given page, …
Simon Sharwood, 15 Sep 2017

Biting the hand that feeds IT © 1998–2017