Shaun Nichols


Did you hear? There's a critical security hole that lets web pages hijack computers. Of course it's Adobe Flash's fault

Adobe has emitted software updates to address a critical vulnerability in Flash Player for Windows, Mac, and Linux. PC owners and admins will want to upgrade their copies of Flash to version or later in order to get the patch – or just dump the damn thing altogether. The November 20 security update addresses a …
Shaun Nichols, 20 Nov 2018

Microsoft confirms: We fixed Azure by turning it off and on again. PS: Office 362 is still borked

Microsoft is recovering somewhat from a bad case of the Mondays that left some of its subscribers unable to use multi-factor authentication to log into their cloud services. The Redmond giant said that around 2130 UTC today it had managed to get its Azure Cloud back up and running as per normal. Meanwhile, Office 364 is still …
Shaun Nichols, 19 Nov 2018

Symantec execs cooked the books to protect their fat bonuses, investor lawsuit alleges

A Symantec shareholder is suing the infosec biz, alleging its top brass fraudulently massaged the company's financial figures. The complaint [PDF], filed last week in a US district court, names Symantec Corporation along with CEO Greg Clark, CFO Nick Noviello, and former accounting head Mark Garfield as defendants. The lawsuit …
Shaun Nichols, 19 Nov 2018

Scumbags cram Make-A-Wish website with coin-mining malware

One or more completely feckless scumbags have loaded the Make-A-Wish foundation's international website with crypto-mining malware scripts. Researchers with Trustwave say the (now clean) site was compromised via a Drupal exploit and seeded with malicious JavaScript that enlisted the CPU cycles of visitor's …
Shaun Nichols, 19 Nov 2018

SMS 2FA database leak drama, MageCart mishaps, Black Friday badware, and more

Roundup: What a week it has been: we had the creation of a new government agency, a meltdown flashback, and of course, Patch Tuesday. Here's what else went down. Text message systems exposed online: A text-message gateway biz called Voxox reportedly left vital systems open on the internet, allowing any miscreant to inspect it in real …
Shaun Nichols, 17 Nov 2018

Amazon tries to ruin infosec world's fastest-growing cottage industry (finding data-spaffing S3 storage buckets)

Amazon Web Services is taking steps to halt the epidemic of data leaks caused by the S3 cloud buckets it hosts from being accidentally left wide open to the internet by customers. Thus, if you are among the growing bunch of infosec researchers on the hunt for misconfigured public-facing S3 silos packed with slurpable private …
Shaun Nichols, 16 Nov 2018

CISA's Palace: Congress backs new cybersecurity nerve-center for cyber-America's cyber-future

The US House of Representatives has unanimously passed a bipartisan bill that would create a new agency to lead the federal government's cybersecurity efforts. The Cybersecurity and Infrastructure Security Agency (CISA) Act, passed earlier this year by the Senate, would overhaul the Department of Homeland Security (DHS)'s …
Shaun Nichols, 15 Nov 2018

Oracle's JEDI mind-meld doesn't work on Uncle Sam's auditors: These are not the govt droids you are looking for

Oracle's bid to halt the Pentagon's JEDI $10bn winner-takes-all cloud IT contract has been turned down. Uncle Sam's Government Accountability Office (GAO) issued a statement on Wednesday explaining that it would not be taking up Oracle's appeal of the US Department of Defense's stipulation that the entire JEDI technology …
Shaun Nichols, 14 Nov 2018

Did you by chance hack OPM back in 2015? Good news, your password probably still works!

More than three years after suffering one of the largest cyber-attacks in US government history, the Office of Personnel Management has yet to adopt dozens of the security measures investigators ordered – including basic stuff like changing passwords. A report issued this week by Government Accountability Office (GAO) …
Shaun Nichols, 14 Nov 2018

Want to hack a hole-in-the-wall cash machine for free dosh? It's as easy as Windows XP

ATM machines are vulnerable to an array of basic attack techniques that would allow hackers to lift thousands in cash. This according to researchers at Positive Technologies, who studied more than two dozen different models of ATMs and found (PDF) nearly all would be vulnerable to network or local access attacks that would …
Shaun Nichols, 14 Nov 2018

OK Google, what is African ISP Main One, and how did it manage to route your traffic into China through Russia?

Updated: Monday's prolonged Google cloud and websites outage was triggered by a botched network update by a West Africa telco, it is claimed. Main One, a biz ISP based in Lagos, Nigeria, that operates a submarine cable between Portugal and South Africa, said a misconfiguration at its end caused Google-bound traffic to be redirected to …
Shaun Nichols, 14 Nov 2018

It's November 2018, and Microsoft's super-secure Edge browser can be pwned eight different ways by a web page

Microsoft and Adobe have delivered the November edition of Patch Tuesday with another sizable bundle of security fixes to install as soon as you're able to. The trick is to test and deploy the fixes before exploits are developed to leverage the vulnerabilities. BitLocker bugs and TFTP troubles for Redmond: This month, …
Shaun Nichols, 14 Nov 2018

OK Google, why was your web traffic hijacked and routed through China, Russia today?

Updated: People's connections in the US to Google – including its cloud, YouTube, and other websites – were suddenly rerouted through Russia and into China in a textbook Border Gateway Protocol (BGP) hijack. That means folks in Texas, California, Ohio, and so on, firing up their browsers and software to connect to Google and its …
Shaun Nichols, 13 Nov 2018

What's big, blue, and short on Intel? The supercomputer world's podium: USA tops Top500 with IBM Power9

IBM can now officially boast it has built the world's two most powerful publicly known supercomputers. The Big Blue-powered 144 PFLOPS Summit and 95 PFLOPS Sierra systems took the top two spots, first and second respectively, in the biannual Top500 supercomputing list, beating out the massive Chinese 93 PFLOPS Sunway …
Shaun Nichols, 13 Nov 2018

Scare Force: Pakistan military hit by Operation Shaheen malware

The Pakistan Air Force is the apparent target of a complex new state-sponsored attack campaign. Security house Cylance said this week a state-sponsored group – dubbed the White Company by researchers – has been looking to get into the networks of the Pakistani military in a long-term targeted attack campaign known as Operation …
Shaun Nichols, 12 Nov 2018

Irony meters explode as WordPress GDPR tool hacked, cell network hack shenanigans, crypto-backdoors, etc...

Roundup: This week we had broken promises in China, broken keys in Steam, and broken ..err, everything in Apache Struts. Here's some other stuff kicking off in infosec beside everything else we've reported since this time last Saturday. FaceTime looks ugly after bug reports: A Google researcher punched a trio of holes in Apple's …
Shaun Nichols, 10 Nov 2018

I found a security hole in Steam that gave me every game's license keys and all I got was this... oh nice: $20,000

A bloke has told how he discovered a bug in Valve's Steam marketplace that could have been exploited by thieves to steal game license keys and play pirated titles. Researcher Artem Moskowsky told The Register earlier this week that he stumbled across the vulnerability – which earned him a $20,000 bug bounty for reporting it – …
Shaun Nichols, 9 Nov 2018

Two fool for school: Headmaster, vice principal busted for mining crypto-coins in dorms, classrooms

A headmaster in China is in hot water after being caught using his school to house a crypto-mining operation. Chinese news site HK01 (via CCN this week) reports that principal Lei Hua was fired after authorities found he and vice principal Wang Zhipeng were running a collection of rack-mounted cryptocoin mining …
Shaun Nichols, 9 Nov 2018

Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses

Any sort of lasting security standard in IoT devices may only happen if governments start doling out stiff penalties. So said author and computer security guru Bruce Schneier, who argued during a panel discussion at the Aspen Cyber Summit this week that without regulation, there is little hope the companies hooking their …
Shaun Nichols, 9 Nov 2018

Guess who's back, back again? China's back, hacking your friends: Beijing targets American biz amid tech tariff tiff

Three years after the governments of America and China agreed not to hack corporations in each other's countries, experts say Beijing is now back to its old ways. And if that's the case, we can well imagine Uncle Sam having a pop back. Speaking at the Aspen Cyber Summit in San Francisco on Thursday, a panel including top NSA …
Shaun Nichols, 9 Nov 2018

GDPR USA? 'A year ago, hell no ... More people are open to it now' – House Rep says EU-like law may be mulled

The rash of high-profile IT security breaches, data thefts, and other hacks that have erupted over the last year or so may push US legislators to consider laws similar to Europe's privacy-protecting GDPR. This is according to Representative Will Hurd (R-TX), who told attendees at the Aspen Cyber Summit in San Francisco today …
Shaun Nichols, 8 Nov 2018

StatCounter fingers cache-poisoning caper for Bitcoin-slurping JavaScript hijack

This week's hijacking of StatCounter's JavaScript to swipe Bitcoins from a crypto-coin exchange was the result of a web cache poisoning attack, apparently. The cyber-heist, in which a malicious snippet of JavaScript code was inserted into StatCounter's tracking script, which websites embed in their pages to monitor visitor …
Shaun Nichols, 8 Nov 2018

Premiere Pro bug ate my videos! Bloke sues Adobe after greedy 'clean cache' wipes files

Adobe is being sued after Premiere Pro unexpectedly deleted a snapper's valuable media files. David Keith Cooper on Wednesday sued Adobe in San Jose, USA, on behalf of himself and anyone who purchased Premiere Pro 11.1.0, and, as a result, had their personal media files nuked by the video-editing suite. The sueball claims a …
Shaun Nichols, 8 Nov 2018

Vulns in online shopping toolkit WooCommerce can blast a hole in your WordPress security

Updated: A vulnerability in the WooCommerce online store platform, used by over four million vendors, can be exploited to hijack WordPress installations hosting the software. Researchers at RIPSTech discovered and reported the flaw directly to WooCommerce's developers, who cleaned up the bug in version 3.4.6 – so make sure you're …
Shaun Nichols, 7 Nov 2018

Stop us if you've heard this one: Remote code hijacking flaw in Apache Struts, patch ASAP

The Apache Foundation is urging developers to update their Struts 2 installations and projects using the code – after a critical security flaw was found in a key component of the framework. A warning this week from Apache reveals that devs should make sure their websites and other applications are running Struts versions 2.5. …
Shaun Nichols, 7 Nov 2018

Biting the hand that feeds IT © 1998–2018