ALL comp-sci courses will have compulsory infosec lessons – UK.gov

Cyber-security will appear on the UK curriculum from next year in a bid to get more kids into the industry, the government has announced. The topic will be a key part of UK computing and digital further education qualifications from September 2016, Cabinet Office minister Francis Maude said today. Its inclusion is part of a …
Kat Hall, 10 Mar 2015
Bulk comms spying is not mission creep, insists UK foreign sec

The minister responsible for the oversight of GCHQ has today defended the interception of bulk communications data, saying it does not amount to mission creep by Blighty's intelligence agencies. Speaking at the Royal United Services Institute, Foreign Secretary Philip Hammond said it was necessary to address public concerns …
Kat Hall, 10 Mar 2015
UK Gov SciTech advice bureau suggests keeping Tor alive to reduce street crime

The UK Parliamentary Office of Science and Technology (POST) has issued a POSTnote titled “The darknet and online anonymity” in which it assesses the threats posed by anonymity technologies like Tor and concludes there's not much governments or law enforcement agencies can do about them. The bulk of the four-page document …
Simon Sharwood, 10 Mar 2015
Attackers targeting Elasticsearch remote code execution hole

Attackers are targeting a patched remote code execution vulnerability in Elasticsearch that grants unauthenticated bad guys access through a buggy API. The flaw (CVE-2015-1427) within the world's number two enterprise search engine was patched last month. It relates, so the folks at Mitre say, to the Groovy scripting engine in …
Darren Pauli, 10 Mar 2015

Yes our NAS boxen have a 0day, says Seagate: we'll fix it in May

Owners of some Seagate NAS boxen will be exposed to a remote execution zero-day flaw until a patch drops in May, unless they kill some external services. The company learned of a flaw in its Business Storage 2-bay NAS products on 18 October 2014. Australian Beyond Binary hacker OJ Reeves alleged the company failed to fix the flaw …
Darren Pauli, 10 Mar 2015

OpenSSL audit kicks off for post-Heartbleed strengthening program

A major audit of the ubiquitous OpenSSL web security protocol is set to commence under a US$1.2 million industry commitment to harden open source technologies. OpenSSL is first off the rank under the Linux Foundation’s Core Infrastructure Initiative given its popularity and lack of in-depth security review. "OpenSSL has been …
Darren Pauli, 10 Mar 2015
Ouch! Google crocks capacitors and deviates DRAM to root Linux

Last summer Google gathered a bunch of leet security researchers as its Project Zero team and instructed them to find unusual zero-day flaws. They've had plenty of success on the software front – but on Monday announced a hardware hack that's a real doozy. The technique, dubbed "rowhammer", rapidly writes and rewrites memory to …
Iain Thomson, 10 Mar 2015

White-listed phish slip through Google Apps

Security probers Patrik Fehrenbach and Behrouz Sadeghipour have found a (since-patched) flaw in Google Apps that allowed criminals to register corporate domains and send white-listed phishing emails from admin addresses. The Choc Factory patched the flaw and handed the duo US$500 by way of thanks. The flaw meant attackers could …
Darren Pauli, 10 Mar 2015

Apple slips out security patches while world goes gaga over watches

While everyone was losing their mind over expensive watches, Apple sneaked out security fixes for iOS phones and tablets, and OS X computers. Both the OS X Security Update 2015-002 and iOS 8.2 address critical flaws. Leading the charge is a patch to squish the FREAK bug in the two operating systems' SSL/TLS code. Disclosed last …
Shaun Nichols, 10 Mar 2015

We have no self-control: America's most powerful men explain why they're scared of email

Two of the most powerful men in the United States have revealed they don't use email - because they're scared of what they might say. "I don't email. You can have every email I've ever sent. I've never sent one," Senator Lindsey Graham told NBC's Meet the Press yesterday. Graham's statement follows a similar admission by Senator …
US air traffic control 'vulnerable to hackers' says watchdog

US air traffic control systems are potentially vulnerable to hackers, according to an audit by the American government. A report [46 pages, PDF] by the Government Accounting Office (GAO) faults the Federal Aviation Administration (FAA) for failing to meet compliance with the relevant government standards, specifically the …
John Leyden, 9 Mar 2015
Whoops! AVG data centre KO'd by 'unplanned' outage

Security biz AVG has been hit by an outage at its US data centre, possibly affecting its customers' email security services across all regions. The US data centre hosting the AVG Business CloudCare Email Security Service was the subject of an unplanned maintenance outage this morning, the company confirmed in a statement. "[The …
Kat Hall, 9 Mar 2015
Web protection: A flu mask for the internet

The internet is no longer optional for organisations. It is where business lives. Unfortunately, it is also probably the worst neighbourhood on the planet, filled with cybercriminals, hacktivists, and corporate and state spies. And the internet is both the largest and the smallest neighbourhood. All of these people live just …
CIA re-orgs to build cyber-snooping into all investigations

The United States Central Intelligence Agency (CIA) has decided to re-invent itself for the digital age, promising to “place our activities and operations in the digital domain at the very center of all our mission endeavours.” The re-org was announced last Friday by CIA director John Brennan, who has made an unclassified …
Darren Pauli, 9 Mar 2015

Litecoin-mining code found in BitTorrent app, freeloaders hit the roof

μTorrent users are furious after discovering their favorite file-sharing app is quietly bundled with a Litecoin mining program. The alt-coin miner is developed by distributed computing biz Epic Scale, and is bundled in some installations of μTorrent, which is a Windows BitTorrent client. Some peeps are really annoyed that Epic' …
Shaun Nichols, 7 Mar 2015
BILLION email address spam scam: Feds collar two blokes, hunt another

The US Department of Justice (DoJ) has shed light on what it's calling the largest computer security breach in American history – after three men were charged with hacking email hosting firms, stealing email addresses, and then using the businesses' data centers to run a spam operation. "These men — operating from Vietnam, the …
Iain Thomson, 6 Mar 2015
Mind-reading DNS security analysis offers early warning for APT attacks

The application of predictive algorithms to DNS data may be able to spot malware sites before they serve up nasties. Security firm OpenDNS is applying ideas from natural language processing to automatically identify malicious domains using a prototype tool called NLPRank, as a blog post by the firm explains. Utilising natural …
John Leyden, 6 Mar 2015

Pentagon 'network intruder', dozens more cuffed in British cops' cyber 'strike week'

A "strike week" against suspected hackers by the UK's National Crime Agency has resulted in 57 arrests. Those arrested are suspected of being involved in a wide variety of cybercrimes such as fraud and virus writing. The suspects – arrested in 25 operations across the UK – face charges including network intrusion and data theft …
John Leyden, 6 Mar 2015
Fareit trojan pwns punters with devious DNS devilry

DNS tricks used by the Fareit trojan mean users are tricked into downloading malware, seemingly from Google or Facebook. The latest variants of Fareit are infecting systems via malicious DNS servers, Finnish security firm F-Secure warns. These servers push bogus Flash updates that actually come packed with malicious code, as a …
John Leyden, 6 Mar 2015
Mandarin Oriental coughs to credit card breach

Upmarket hotel chain Mandarin Oriental has admitted to a credit card breach. Investigative journalist Brian Krebs uncovered evidence of a breach before extracting an admission of the problem from the hotel group. The root cause of the security spill – as well as the number of credit cards exposed – remains unclear, pending the …
John Leyden, 6 Mar 2015

France fingered as source of Syria-spying Babar malware

France's spy agency has been fingered as the likely author of complex reconnaissance malware, researchers say. The Casper malware is one of a handful with links to the Babar spy program which leaked NSA documents revealed last month to be the handiwork of France's Direction Générale de la Sécurité Extérieure (General Directorate …
Darren Pauli, 6 Mar 2015
GoPro cameras' WiFi security is GoAmateur

Net nuisances can harvest the cleartext SSIDs and passwords of wireless networks accessed by sports selfie box GoPro. The GoPro app collects and siphons wireless credentials so it can be used to log on to and manage cameras. Security researcher Ilya Chernyakov says the credentials which give access to the cameras could be mass …
Darren Pauli, 6 Mar 2015
Adobe launches cashless bug bounty

Adobe has launched a bug bounty program that hands out high-fives, not cash. The web application vulnerability disclosure program announced today and launched last month operates through HackerOne used by the likes of Twitter, Yahoo!, and CloudFlare, some of which provide cash or other rewards to those who disclose security …
Darren Pauli, 6 Mar 2015

US Senators hope to crack down on the trade of private information

Four US senators are introducing legislation aimed at turning the screws on businesses that gather up and sell citizens' personal information. Senators Edward Markey (D-MA), Richard Blumenthal (D-CT), Sheldon Whitehouse (D-RI) and Al Franken (D-MN) have teamed up to introduce the Data-broker Accountability and Transparency Act ( …
Shaun Nichols, 6 Mar 2015

FREAKing hell: ALL Windows versions vulnerable to SSL snoop

Microsoft has confirmed that its implementation of SSL/TLS in all versions of Windows is vulnerable to the FREAK encryption-downgrade attack. This means if you're using the company's Windows operating system, an attacker on your network can potentially force Internet Explorer and other software using the Windows Secure Channel …
Darren Pauli, 6 Mar 2015
Telstra to let customers access their own metadata for AU$25

Australia's dominant carrier, Telstra, will give its customers the chance to access their metadata, for a fee. The new policy, explained in a post from chief risk officer Kate Hughes, is based on the principle that “offering the same access to a customer’s own metadata as we are required to offer to law enforcement agencies.” “ …
US watchdog: Anthem snubbed our security audits before and after enormous hack attack

A year or so before American health insurer Anthem admitted it had been ruthlessly ransacked by hackers, a US federal watchdog had offered to audit the giant's computer security – but was rebuffed. And, after miscreants looted Anthem's servers and accessed up to 88.8 million private records, the watchdog again offered to audit …
Shaun Nichols, 5 Mar 2015

Canadian bloke refuses to hand over phone password, gets cuffed

A 38-year-old Canadian citizen has been arrested for refusing to hand over his smartphone's password to border agents. Alain Philippon, of Sainte-Anne-des-Plaines in Quebec, arrived at Halifax international airport in Canada from the Dominican Republic on Wednesday – and was selected by the Canada Border Services Agency for …

Sales up at NSA SIM hack scandal biz Gemalto

Sales at the world's biggest SIM card maker, Gemalto, which was last month revealed to have been hacked by the NSA and GCHQ, rose by five per cent to €2.5bn (£1.8bn) in 2014. Following the hack, the company's share price fell by $470m last month. However, the latest results do not appear to have appeased investors, with shares …
Kat Hall, 5 Mar 2015

PATCH FREAK NOW: Cloud providers faulted for slow response

Hundreds of cloud providers are still vulnerable to the serious FREAK cryptographic vulnerability. Skyhigh Networks found that 766 cloud services are still at risk 24 hours after FREAK was made public, based on an analysis of more than 10,000 different services. The average company is using 122 potentially vulnerable services. …
John Leyden, 5 Mar 2015

Obama criticises China's mandatory backdoor tech import rules

US prez Barack Obama has criticised China's new tech rules, urging the country to reverse the policy if it wants a business-as-usual situation with the US to continue. As previously reported, proposed new regulations from the Chinese government would require technology firms to create backdoors and provide source code to the …
John Leyden, 5 Mar 2015

Symantec: Corporate divorce starts on April Fool's Day

Symantec is to operate as two separate storage and security organisations from April Fool’s Day, as the deadly serious game of long-term survival begins in earnest. “We have begun to realign the sales and marketing organisations to support both businesses, starting with two new global sales leaders: Adrian Jones for Symantec and …
Paul Kunert, 5 Mar 2015

Broadband routers: SOHOpeless and vendors don't care

Feature "It is far more common to find routers with critical flaws than without." – Craig Young. "It's sad that end-user education about strong passwords, password safes, and phishing can be undone by something as innocuous as the blinking box in the corner of your room." – Peter Adkins. Introduction: Home and small business router …
Darren Pauli, 5 Mar 2015
Choc Factory splatters 51 bugs, Mozilla bumps cert checker

Google and Firefox have upgraded their flagship browsers, crushing bugs and cracking down on bad certificates along the way. The Choc Factory's Chrome 41 swats 51 bugs of which at least 13 are classified as high severity and six considered medium risks. Google engineer Penny MacNeil thanked security researchers for the effort …
Darren Pauli, 5 Mar 2015

'Domain shadowing' hijacks registrar accounts to spawn attack sites

Fiends behind the world's most infamous exploit kit, Angler, are stealing login credentials to create tens of thousands of pop-up domains used in hit-and-run-style attacks. The new attacks are dubbed 'Domain Shadowing' and represent the latest evolution of online crime in which scores of web sites are set up to compromise victims …
Darren Pauli, 5 Mar 2015

Snowden, NSA spying, hard drive malware ... what we need is a UN privacy watchdog!

The Electronic Frontier Foundation thinks the United Nations needs to get its arse in gear and safeguard people's privacy from government snoops. The activist group (EFF) said an independent expert should be appointed by the UN's Human Rights Council (HRC) to tackle blanket surveillance and the gathering of people's private and …
Shaun Nichols, 4 Mar 2015
Complicit Kiwis sniffed Pacific comms says Snowden

New Zealand snooped on friendly Pacific island nations' communications to hand the haul to the NSA, according to the latest nugget to pop out of Edward Snowden's PR machine. Snowden newsletter The Intercept has shared its latest drop with the New Zealand Herald, saying in 2009 the country's Government Communications Security …

'Security, privacy' main barrier to 'government cloud' rollout in EU

Security and privacy issues are holding back "the cloudification of governmental services" in the EU, according to a new report. The European Union Agency for Network and Information Security (ENISA) said concerns about how sensitive data is protected in a cloud computing environment have not been resolved. It said data security …
OUT-LAW.COM, 4 Mar 2015

D-Link removes fingers from ears, preps mass router patch

Domestic router Daddy D-Link is patching dangerous remote access flaws in several models of its networking gear. The patches follow a round of zero-day disclosures by Canadian researcher Peter Adkins early this week, after D-Link allegedly cut communication while he quietly disclosed the flaws. The most severe flaw allowed …
Darren Pauli, 4 Mar 2015
Bigfoot now visible in commercial satellite images

Last March the USA noticed a market disparity: French companies could sell higher-resolution satellite images than American companies. By June of the same year bans on US companies selling sharper space snaps were lifted. And last week the US company agitating for that change, DigitalGlobe, started to sell 30cm-resolution snaps …
Sysadmins: Step away from the Big Mac. No more Heartbleed-style 2am patch dashes

Patching is a necessary evil for network administrators. Unfortunately, an awful lot of them have been burning not only the midnight oil, but also the weekend oil to keep up with patches such as – but not limited to – Heartbleed and Shellshock. The bad news is that this is only the start. As software vendors move towards a more …
Stuart Burns, 4 Mar 2015
Outbreak! Fake Amazon voucher offer seeds mobile malware attack

Spoofed Amazon vouchers are being used to spearhead a campaign to contaminate Android mobiles with malware, messaging security firm AdaptiveMobile warns. The attack, dubbed "Gazon", sends messages to victims’ mobile phone contacts linking to supposed offers for (non-existent) Amazon vouchers fictitiously promising a gift of $200 …
John Leyden, 4 Mar 2015