Richard Chirgwin


Open AWS S3 bucket leaked hotel booking service data

Another day, another unsecured AWS storage bucket leaking corporate data, this time from hotel booking service Groupize. The find was made by Kromtech Security Center researchers and is detailed at MacKeeper. The find has sparked a spat between Kromtech and Groupize, with the latter denying that anything sensitive had leaked …

Phisherfolk dangle bait at dot-fish domain

Netcraft 'net watchers have cast a fly over the lake of generic TLDs, and turned up the first .fish domain dedicated to – wait for it – phishing. The net-trawling service has previously landed sites on both the .fish and .fishing gTLDs, but parser.fish has earned the distinction of being the first baited with in-plaice …

Groundhog Day! ACCC again calls for truth in broadband advertising

The Australian Competition and Consumer Commission (ACCC) has fired off its latest salvo in its decades-long argument with the telco industry about internet speed claims in Australia, telling them to advertise typical speeds rather than theoretical maxima. Ever since people complained the 56 Kbps modems of the 1990s didn't …

Mirai copycats fired the IoT-cannon at game hosts, researchers find

The Mirai botnet that took down large chunks of the Internet in 2016 was notable for hosing targets like Krebs on Security and domain host Dyn, but research presented at a security conference last week suggests a bunch of high-profile game networks were also targeted. Although Mirai's best-known targets were taken out by the …

Foxit PDF Reader is well and truly foxed up, but vendor won't patch

The Zero Day Initiative (ZDI) has gone public with a Foxit PDF Reader vulnerability without a fix, because the vendor resisted patching. The ZDI made the decision last week that the two vulns, CVE-2017-10951 and CVE-2017-10952, warranted release so at least some of Foxit's 400 million users could protect themselves. In both …

Qualcomm slurps Uni of Amsterdam AI spinoff Scyfer

Two years after setting up an artificial intelligence research laboratory with the University of Amsterdam, Qualcomm Technology has acquired one of its spinoffs, an outfit called "Scyfer". The acqui-hire brings the university's Dr Max Welling into the Qualcomm fold. Dr Welling is a research chair in Machine Learning at the …

GitHub's CEO resigns. Again. Without scandal, after fixing messes

Chris Wanstrath plans to end his second stint as GitHub CEO by leading the search for his replacement. Wanstrath confirmed a story which first landed via Forbes in a brief statement sent to media over the weekend: “As GitHub approaches 700 employees, with more than $200M in ARR, accelerating growth, and more than 20 million …

Bitcoin-accepting sites leave cookie trail that crumbles anonymity

Bitcoin transactions might be anonymous, but on the Internet, its users aren't – and according to research out of Princeton University, linking the two together is trivial on the modern, much-tracked Internet. In fact, linking a user's cookies to their Bitcoin transactions is so straightforward, it's almost surprising it took …

Cisco security sales disappoint, DRAM drought dents results

For a couple of years now, Cisco has said its future lies in selling more software, but it's not quite working out as planned. In its fourth quarter 2017 (and full-year) results announced today, nobody was particularly surprised that hardware operations shrank (routing and switching both down by nine per cent to US$1.9 billion …

Rowhammer RAM attack adapted to hit flash storage

It's Rowhammer, Jim, but not as we know it: IBM boffins have taken the DRAM-bit-flipping-as-attack-vector trick found by Google and applied it to MLC NAND Flash. Google's Project Zero found Rowhammer in 2015, when they demonstrated that careful RAM bit-flipping in page table entries could let an attacker pwn Linux systems. …

Following flat financials, Telstra pins hopes on NBN renegotiation

Expect more layoffs at Telstra, happening faster: in response to the changes wrought by the National Broadband Network on its business, Australia's colossal carrier has decided to bring forward its cost-cutting programs by a year. The announcement, that Telstra's previously-announced productivity target of AU$1 billion would …

Xen fixes guest privilege escape and plenty more

Xen admins, get busy: the open source hypervisor has issued fixes for bugs that range from data corruption and leakage up to privilege escalation. Let's start with CVE-2017-12137, which could let a paravirtualized (PV) guest escalate to host privilege. It's down to a mistake in memory allocation when a PV guest is launched. …

Batteries that don't burn at the drop of a Galaxy Note 7? We're listening

Sydney University boffins reckon they've got a handle on how to stop batteries catching fire: quit using lithium ions. Apart from being the cheapest current technology with enough energy density to power your flaming hot Galaxy Note 7, fidget spinner, or laptop, Li-ion batteries' other notable characteristic is volatility. …

Love cloudy HPC? Microsoft does, slurps Cycle Computing

Cycle Computing, a twelve-year-old company which has carved out a niche spinning up big-iron-like CPU collections on public clouds, has been acquired for an undisclosed sum by Microsoft. The company first came to our attention in 2011, showing off software that let it spin up 10,000 cores on Amazon's EC2 service, claiming a …

Russian malware scum post new rent-an-exploit

WebEx on Firefox is among the targets of a new exploit kit that's started circulating on Russian nastyware exchanges. The Disdain-based exploit kit is described here by security services outfit IntSights, which says the exploit kit is offered by someone using the handle "Cehceny". David Montenegro (@CryptoInsane) says Disdain …

Intel CEO Krzanich quits Trump's Manufacturing Council over response to Charlottesville rallies

Three big-name CEOs have put some space between themselves and the US President: today they resigned from the American Manufacturing Council, President Donald Trump's panel of advisors formed to create more manufacturing jobs in the United States by bringing together titans of industry to share their experience. On Monday …

Photon scattering puts a shine on CERN ATLAS boffins' day

Large Hadron Collider boffins in charge of the ATLAS experiment reckon they've seen photons interacting at the quantum level for the first time. This isn't something that happens at everyday energies: if, for example, you shine two beams through each other in a dark room, you'll see two spots on the wall. However, direct …

Australian Bureau of Statistics flip-flops over marriage equality survey

The Australian Bureau of Statistics is being set up for another hot privacy debate. The Bureau (ABS) has been engaged to run Australia's national postal plebiscite on whether or not to adopt same-sex marriage. The job fell into the ABS' lap because the plebiscite has been styled as a "survey", a data-seeking instrument the …

Australia's metadata retention scheme costs telcos $500k per cuffing

The Australian Government's telecommunications data retention scheme is racking up the bills for carriers, but government funding has fallen short of the industry's costs. That's one of the conclusions of the first [PDF] telecommunications interception report since the scheme began, tabled in Federal Parliament yesterday. …

Old Firefox add-ons get 'dead man walking' call

The end of legacy Firefox plugins is drawing closer, with Mozilla's Jorge Villalobos saying they'll be disabled in an upcoming nightly build of the browser's 57th edition. While he didn't specify just how soon the dread date will arrive, Villalobos writes: “There should be no expectation of legacy add-on support on this or …

Sneaky devs could abuse shared libraries to slurp smartphone data

Oxford researchers reckon they've spotted the next emerging trend in Android advertising (and possibly malware): using common libraries to “collude” between apps with different privilege levels. Libraries are a common enough vector for attackers to target, but the trio of boffins (Vincent Taylor, Alastair Beresford and Ivan …

Ancient IETF 'teapot' gag preserved for posterity as a standard

The august and serious folk at the IETF have always had a soft spot for their April Fool's jokes, and so do others – so much that a proposal to deprecate a joke has met with successful resistance. From what feels like the Internet Dark Ages of the 1990s, was the Hyper Text Coffee Pot Control Protocol, a joking anticipation of …

Leaky PostgreSQL passwords plugged

PostgreSQL has released three security patches for versions 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22. In CVE-2017-7547, a remote attacker can retrieve others' passwords because of a user mapping bug. The authorisation oopsie derives from the database's handling of pg_user_mappings, allowing an authenticated remote attacker …

Top repo managers clone, then close, a nasty SSH vector

Users of the world's most popular software version control systems can be attacked when cloning a repository over SSH. When first announced by Recurity Labs' Joern Schneeweisz, the vulnerability was attributed to Git, Mercurial and Subversion; and over the weekend, Hank Leininger of Korelogic told the OSS-Sec list the issue …

Wait. What? The IBM cloud's APIs use insecure TLS1 crypto?

An email has gone out from IBM about its Bluemix cloud: after next Tuesday, the SoftLayer APIs will no longer accept connections encrypted with the ancient TLS 1.0. It's not quite a surprise that the 1990s-era protocol was still accepted: a great many services are still midway through their deprecation plans. To give just one …

Biting the hand that feeds IT © 1998–2017