Dropbox launches 'limitless' bug bounty

Dropbox has launched a no-limit bug bounty program, back-paying US$14,875 so far for previously and newly-reported vulnerabilities. The HackerOne bounty, which supplements the company's external penetration testing efforts, is unusual in offering back payment for critical vulnerabilities that white hat hackers had already …
Darren Pauli, 16 Apr 2015

'Arkansas cops tried to hack me with malware-ridden hard drive'

A lawyer representing three police whistleblowers has claimed a hard drive sent to him with evidence for his case was deliberately infected with password-stealing malware. Matthew Campbell, a lawyer with the Pinnacle Law Firm in North Little Rock, Arkansas, is working on behalf of three past and present officers of the Fort …
Iain Thomson, 15 Apr 2015

Oracle grunts, grimaces, pushes out 98-flaw security patch batch

Oracle has patched nearly 100 security flaws in Java, Fusion Middleware, Database, MySQL and other products. For Java SE, the update fixes 14 CVE-listed bugs. All of the flaws are remotely exploitable without authentication to compromise a victim's computer, and three were given risk assessment scores of 10 out of 10. (Psst ... …
Shaun Nichols, 15 Apr 2015

There's TOO MANY data-leaking healthcare firms, growls Symantec

Security software company Symantec is being drenched in calls from breached health organisations that have lost devices or suffered an information security snafu. Some 80 per cent of the calls its incident response team has received since December are from healthcare firms, topping the charts for the number of breach incidents …
Darren Pauli, 15 Apr 2015

Troubleshooting feature on Cisco routers is open to data-slurp abuse

Infiltrate A default feature of Cisco routers can readily be abused to collect data, security researchers warn. Embedded Packet Capture (EPC) was designed by Cisco as a troubleshooting and tracing tool. The feature allows network administrators to capture data packets flowing through a Cisco router. Brazilian security researchers Joaquim …
John Leyden, 15 Apr 2015

Don't collect bugs, invest in fly-spray says bug bounty operator

Kate Moussouris says security defenders should spend cash to acquire and build the tools of the bug hunting trade rather than dole out cash for warm bodies or endless zero day. The chief policy officer for bug bounty outfit HackerOne and former Microsoft security boffin says in new research that defenders need to catch up to …
Darren Pauli, 15 Apr 2015

Verizon, NetFlix, KFC ad-men pay traffic cons $500k a month

Gergő Varga reckons Verizon, Fedex, and Smirnoff are being robbed of half a million dollars a month by advertising scammers. The risk boffin and founder of advertising security outfit Enbrite.ly says the telco, transport and tipple trio, along with Netflix and KFC, are paying for fraudulent ad clicks. "A relatively …
Darren Pauli, 15 Apr 2015

Apple splats Safari flaw affecting a BEELLION iThings

Jouko Pynnönen, a security chap with Finnish firm Klikki Oy, has found a since-patched bug he says could affect a billion Apple iDevices. Pynnönen says the cross-domain vulnerability in Safari's file transfer URL schemes allows attackers to modify website HTTP cookies and have documents loaded from malicious sites. "An attacker …
Darren Pauli, 15 Apr 2015

It's 2015 and a RICH TEXT FILE or a HTTP request can own your Windows machine

Microsoft has delivered its latest monthly batch of security updates to address flaws in Windows, Office and Internet Explorer. Redmond's latest Patch Tuesday payload includes 11 bulletins, four of which are rated critical as they allow attackers to execute malicious code on victims' computers from across the internet. The full …
Shaun Nichols, 15 Apr 2015

Chrome version 42 will pour your Java coffee down the drain: Plugin blocked by default

The latest release of the Chrome web browser, version 42, will block Oracle's Java plugin by default as well as other extensions that use the deprecated NPAPI. The Chrome 42 – available now – brings about the end of official support for NPAPI, a move that will render various plugins incompatible with the browser. Among those …
Shaun Nichols, 14 Apr 2015

This open-source personal crypto-key vault wants two things: To make the web safer ... and your donations

An open-source hardware project aimed at making the internet "a little bit safer" needs an influx of cash to continue its work. The Cryptech effort was created following revelations from NSA whistleblower Edward Snowden that the US government and its pals are exploiting standards and weak crypto algorithms to gain access to …
Kieren McCarthy, 14 Apr 2015

Dev gives HBO free math tips to nail Game of Thrones pirate leakers

Developer Bruno Cauet has offered HBO a series of mathematical equations that could have tracked the Game of Thrones season five leaker, or even killed the leak completely. The massively popular series thought to be HBO's most profitable production was rocked over the weekend when a leaker, thought to be a translator with an …
Darren Pauli, 14 Apr 2015

Verizon to world: STOP opening dodgy phishing emails, FOOLS

Phishing and web app security problems remain the most common way for hackers to gain access to sensitive information, according to US telco giant Verizon. Two out of three breaches were the result of weak or swiped passwords, making a case for strong two-factor authentication, the latest edition of Verizon’s annual Data Breach …
John Leyden, 14 Apr 2015

Russia pulls alleged 'Svpeng' kingpin

Russia's Ministry of the Interior has gone public about the March 24 arrest of a 25-year-old it believes was the leader of a gang of cyber-scum behind the “Svpeng” money-draining malware, along with four others. The Android malware is believed to have netted a near million-dollar haul within Russia alone (50 million rubles), hitting 350 …

Unpatched 18-year-old Windows man-in-the-middle diddle revived

Security boffin Brian Wallace has revived an 18-year-old Windows bug affecting at least 31 top vendors, which could allow an attacker to steal usernames and passwords from millions of Microsoft boxes. The respun vulnerability, dubbed Redirect to SMB, requires victims to visit or be pushed to a malicious server which could steal …
Darren Pauli, 14 Apr 2015

Welcome to the FUTURE: Maine cops pay Bitcoin ransom to end office hostage drama

Blundering cops in Maine, US, have enriched malware masterminds by paying up to decrypt files held hostage by ransomware. Four city police departments and a sheriff's office in Lincoln County share a common computer network run by Burgess Computer, which hosts the plods' administrative files. Then one day the entire system was …
Iain Thomson, 13 Apr 2015

Backdoor bot brains snatched after cops, white hats raid servers

Microsoft and Interpol have teamed up to derail a malware infection that compromised more than 770,000 Windows PCs worldwide. Simda is a “pay-per-install” software nasty: fraudsters pay miscreants some sum of money for every 1,000 or so machines they compromise. The hackers effectively earn cash by selling access to the infected …
John Leyden, 13 Apr 2015

Self preservation is AWS security's biggest worry, says gros fromage

State-sponsored cyber armies, lone-wolf attackers, denial-of-service attacks ... which keep Amazon’s Web Services security boffins awake at night? None of the above. It’s customers – those who don’t protect themselves adequately against hackers and malware. That’s according to AWS head of global security programs Bill Murray, who …
Gavin Clarke, 13 Apr 2015

Fancy six months of security nirvana for free? Read on...

Promo If you’re one of the 33 per cent of folks who don’t use antivirus protection, we’ve got an offer for you. In fact, even if you’re one of the other two thirds, you’re still going to want to sit up and pay attention. What are we talking about? The chance to ring-up a free subscription to Bitdefender’s Internet Security 2015, which …
Team Register, 13 Apr 2015

'Chinese hackers' were sniffing SE Asian drawers for YEARS

Security researchers have exposed a decade-long cyber-spying campaign that targeted south-east Asia and India since 2004. The so-called APT 30 hackers are likely to be agents of the Chinese government, according to network security company FireEye. APT 30's primary goal appears to be the theft of sensitive information for …
John Leyden, 13 Apr 2015

How big a problem is Cloud security?

To help readers help each other, we have put together a short, sharp temperature check survey on the topic of cloud security. We're asking a bit about you and your organisation for context and then 5 simple questions that we think nail the key issues and possible solutions. We finish off by getting you to tell us the scariest or …
Dale Vile, 13 Apr 2015

Spanish election site in security cert warning screwup snafu

Updated Website crypto problems on the Spanish online voting registration website are causing it to generate all manner of security warnings. Attempts to visit the sede.ine.gob.es site – run by Spain's National Statistics Institute and introduced this year for municipal/regional elections – typically lead to users being confronted with …
John Leyden, 13 Apr 2015

USA is home to largest number of data perves, study finds

The US is home to the largest number of data perverts, according to research. The research Where's Your Data (pdf) reveals more American Tor dark net lurkers had viewed supposedly 1568 legitimate personal details, and credit card and social security numbers in a spreadsheet than any of the other 22 countries where snoops' …
Darren Pauli, 13 Apr 2015

Credit card factories given new secure manufacturing rules

The world's payment card producers have released the latest guidelines to help interested businesses to protect payment data. Version 1.1 of the PCI Card Production Security Requirements (pdf) modifies and introduces features for physical and logical security advising on everything from printing PINs to guarding vaults. The …
Darren Pauli, 13 Apr 2015

NSA: 'Back doors are a bad idea, give us a FRONT door key'

“Give me your tired, your poor, your huddled masses yearning for an iPhone, and we'll give you an encryption master key” seems to be the dream of the National Security Agency (NSA). The NSA's latest thought bubble, floated in front of noted cryptography journal The Washington Post, is that a “master key” for all products running …

Bulgarian Bill Gates blagger busted, banged up, again: report

A Bulgarian carder has been arrested withdrawing money from stolen cards four years after he was accused of plundering the bank account of Microsoft mogul Bill Gates. Bulgarian national Konstantin Simeonov Kavrakov, 31, was arrested last Thursday in the Philippines pulling cash from ATMs, local media report. Kavrakov was jailed …
Darren Pauli, 13 Apr 2015

ɘƨɿɘvɘЯ algo attack cracks Belkin router WPS PINs: researcher

A researcher who last year turned up weak WPS PIN protection in D-Link broadband modems has found the same problem exists on Belkin devices. The writer at embedded systems hacker hangout /dev/ttyS0, who goes by the name of Craig, says the upshot of his latest work is the same as previously: it demonstrates that like D-Link, …

China weaponizes its Great Firewall into the GREAT FIRE CANNON, menaces entire globe

China has upgraded the website-blocking systems on its borders, dubbed The Great Firewall, so it can blast foreign businesses and orgs off the internet. Researchers from the University of Toronto, the International Computer Science Institute, the University of California Berkeley and Princeton University, have confirmed what we' …
Shaun Nichols, 10 Apr 2015

Sprint fined $16m for sticking it to The Man: Telco 'overcharged' Feds for phone wiretaps

Sprint has agreed to pay a $15.5m fine after it was accused of overcharging the Feds when carrying out court-ordered wiretaps. The US Department of Justice (DoJ) claimed the American telco had gouged cops and g-men between 2007 and 2010: Sprint allegedly over-billed them by at least $21m for setting up wiretaps to record phone …
Shaun Nichols, 10 Apr 2015

Cisco and Level 3 team up to squash brute force server hijackers

Cisco and service provider Level 3 have teamed up to take down netblocks linked to brute-force hack kingpins SSHPsychos, severely degrading (but not destroying) the group's potential to hack servers in the process. Hacker collective SSHPsychos (AKA Group 93) has been running SSH brute force attacks on an industrial scale since June …
John Leyden, 10 Apr 2015

Cybercrime taskforce collects huge botnet scalp on first go

A sophisticated botnet has been neutered by a consortium starring the Dutch National High Tech Crime Unit and the Joint Cybercrime Action Taskforce. The botnet, known by a number of names, including AAEH and Beebone, was a "polymorphic downloader bot" which installed various forms of malware on victims’ computers. Like an …

Cyber-crypto-criminal-cock-up. Little money and (probably) embarrassed

A newly released crypto-ransomware strain has been broken, thus allowing victims — in over two out of three cases — to get back their data without paying. The Scraper ransomware has a flaw, meaning that in about 70 per cent of cases files can be decrypted, according to Kaspersky Labs, with the Russian security firm publishing a …
John Leyden, 10 Apr 2015

Wi-Fi hotspots can put iPhones into ETERNAL super slow-mo

A vulnerability fixed in this week's Apple patch run can easily brick iPhones, researchers say. The flaw (CVE-2015-1118) dubbed "Phantom" allows attackers who can trick users into changing their iDevice proxy settings to tap into multiple use-after-free vulnerabilities. Doing so causes constant ubiquitous app crashing including …
Darren Pauli, 10 Apr 2015

+5 ROOTKIT OF VENGEANCE defeats forces of gaming good

Security boffins Joel St. John and Nicolas Guigo have developed a rootkit-like gaming cheat system they say bests anti-cheating mechanisms. The iSec Partners hackers say the anti-cheating platforms in use by the world's most popular games cannot stop cheating and actually increase the attack surface open to hackers. In a …
Darren Pauli, 10 Apr 2015

All Mac owners should migrate to OS X Yosemite 10.10.3 ASAP

Swedish hacker Emil Kvarnhammar has reported a since-fixed four-year-old local root 'backdoor' in OS X that allows remote attackers to increase the damage of their hacks. Kvarnhammar says the unpublished API, which he dubs a backdoor, grants root access to local users on unpatched boxes. The flaw (CVE-2015-1130) is fixed in Apple's …
Darren Pauli, 10 Apr 2015

Google sticks anti-SQL injection vaccine into MySQL MariaDB fork

Google is dropping encryption into MariaDB, the fork of Oracle’s MySQL, to help shut out SQL injection attacks. Mountain View is credited with developing and testing tablespace encryption in MariaDB Server 10.1 - the community edition of MariaDB. The development has been branded a "major enhancement" for MariaDB security by …
Gavin Clarke, 9 Apr 2015

ISIS: You bomb us, we’ll interrupt your TV transmissions

TV5Monde was prevented from broadcasting last night, and claims to still be working on a return to its regular programming schedule, after "hackers" interrupted its transmissions for a couple of hours. The signal jammers claimed affiliation with ISIS and took to the French broadcaster's social media accounts to spam the world …

Bad news everyone: Cybercrime is getting even easier

The volume of malware threats is actually on the decline despite the increase in breaches, according to a study from Websense Security Labs. Websense Security Labs logged 3.96 billion security threats in 2014, which was 5.1 per cent less than 2013. Despite this, the number of high-profile breaches increased. Hackers have …
John Leyden, 9 Apr 2015

iOS, OS X apps sent into infinite dizzy DoS by this one weird kernel bug

Kenton Varda has found a 'weird' kernel bug used in Apple gear that could result in trivial denial of service by remote attackers. The hacker and LAN gamer bod says the Darwin kernel vulnerability (CVE-2015-1105) now patched by Cupertino for iOS and OS X is "no Shellshock" but could cause apps like Google Chrome to crash and …
Darren Pauli, 9 Apr 2015

Oh no, Moto! Cable modem has hardcoded 'technician' backdoor

Researchers at Rapid7 have turned up a set of typically dumb vulnerabilities in Motorola's DOCSIS/EuroDOCSIS 3.0-capable SURFboard SBG 6580 cable broadband modem. The device, which also ships under the Arris brand, has vulnerabilities including hardcoded login credentials that will allow an outside attacker to take control of the …

Ex-cop: Holborn fireball comms outage cover for £200m bling heist gang

Last Wednesday's blaze in Holborn, which knocked out power and internet access across London, could have been sparked by thieves pulling a daring heist to pocket £200m in precious stones and metals. "I think that probably was deliberate," John O’Connor, former head of Scotland Yard's Flying Squad told capital radio station LBC …
Iain Thomson, 9 Apr 2015

Denial of service attacks pour through rift in Network Time Protocol

Red Hat security chap Miroslav Lichvar has revealed two vulnerabilities in the widely used and open-source Network Time Protocol daemon (NTPd) that allow attackers to mess up people's clocks. Lichvar reported the two since-patched holes in which packets without proper message authentication codes are accepted regardless (CVE- …
Darren Pauli, 9 Apr 2015