The Register Columnists

Thomas Claburn

Contact Mail Follow RSS feed

New click-to-hack tool: One script to exploit them all and in the darkness TCP bind them

Python code has emerged that automatically searches for vulnerable devices online using Shodan.io – and then uses Metasploit's database of exploits to potentially hijack the computers and gadgets. You set this script running, it crawls the internet looking for machines that are possibly vulnerable to attack – typically due to …
Thomas Claburn, 31 Jan 2018
Red Hard Hat photo via Shutterstock

Red Hat tries CoreOS on for size – and buys

Enterprise Linux biz Red Hat on Tuesday said it has reached an agreement to acquire CoreOS, a maker of open source container software, for $250 million. CoreOS, a 130-person San Francisco company founded in 2013 by CEO Alex Polvi and CTO Brandon Philips, makes Tectonic (an enterprise-oriented Kubernetes platform), Quay (an …
Thomas Claburn, 31 Jan 2018
A piggy bank in a pile of pound coins

Watchdog: Uh, sit down, AriseBank. This crypto-coin looks more like a $600m crypto-con

Updated America's financial watchdog today suspended an initial coin offering (ICO) from AriseBank, claiming it's a scam. The US Securities and Exchange Commission obtained a court order to halt the investment scheme based on a complaint filed under seal last week. According to the regulator, AriseBank – based in Dallas, Texas – and …
Thomas Claburn, 30 Jan 2018
Alexa photo via Shutterstock

When you play this song backwards, you can hear Satan. Play it forwards, and it hijacks Siri, Alexa

Computer science boffins affiliated with IBM and universities in China and the United States have devised a way to issue covert commands to voice-based AI software – like Apple Siri, Amazon Alexa, Google Assistant and Microsoft Cortana – by encoding them in popular songs. They refer to these tweaked tunes, which issue mostly …
Thomas Claburn, 30 Jan 2018

Fella faked Cisco, Microsoft gear death – then sold replacement kit for millions, say Feds

A US bloke allegedly defrauded Cisco and Microsoft by faking problems with computing and networking gear he didn't own to trick the tech giants into sending him replacements. The suspected crook then sold the gear online and through New Jersey-based resellers for millions of dollars, prosecutors claim. Justin David May, 28, …
Thomas Claburn, 29 Jan 2018
Coal miners

Crypto-jackers slip Coinhive mining code into YouTube site ads

The hijacking of CPU cycles through crypto-mining JavaScript code has surged over the past few days, according to security biz Trend Micro. The reason appears to be a distribution campaign that piggybacks on Google's DoubleClick ads that appear on YouTube among other sites. "We detected an almost 285 per cent increase in the …
Thomas Claburn, 27 Jan 2018
Audi TT

Newsflash: Car cyber-security still sucks

In 2015, infosec gurus Charlie Miller and Chris Valasek demonstrated that they could take over and turn off a jeep from afar as it was being driven, a feat that magnified interest in car hacking. Their wireless attack was conducted on an active vehicle. But it turns out the engine doesn't have to be running. This is separate …
Thomas Claburn, 26 Jan 2018

FYI: Processor bugs are everywhere – just ask Intel and AMD

In 2015, Microsoft senior engineer Dan Luu forecast a bountiful harvest of chip bugs in the years ahead. "We’ve seen at least two serious bugs in Intel CPUs in the last quarter, and it’s almost certain there are more bugs lurking," he wrote. "There was a time when a CPU family might only have one bug per year, with serious …
Thomas Claburn, 26 Jan 2018

Matryoshki of news: Tech giants flash code to Russia, Dutch hack Kremlin spies, and more

Roundup Technology companies can't decide whether to take Russian money or run from it – not that they've ever been much good at turning down cash. McAfee, SAP, and Symantec, which make software used by the US government, allowed Russian authorities to scan their source code for backdoors and other flaws, according to Reuters on …
Thomas Claburn, 26 Jan 2018
Raining money

Trebles all round! Intel celebrates record sales of insecure processors

Still dealing with the consequences of security research that demands changes in its processors, Intel on Thursday reported better-than-expected earnings in 2017's final quarter. Chipzilla shrugged off the recently disclosed Meltdown and Spectre design flaws to report record fourth-quarter revenue of $17.1bn, up four per cent …
Thomas Claburn, 25 Jan 2018

Perv raided college girls' online accounts for nude snaps – by cracking their security questions

Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday. Arrested in November, 2016, Powell, a resident of Phoenix, Arizona, pleaded guilty last August in a …
Thomas Claburn, 25 Jan 2018
Android Nougat

Google can't innovate anymore, exiting programmer laments

Seven years ago, Google software engineer Steve Yegge, having failed to understand the risk that a private social media rant might become public, lambasted Google for its failure to understand software platforms, with Google+ serving as his whipping boy. Despite calling out Google's leaders by name and highlighting the …
Thomas Claburn, 25 Jan 2018
Spectre graphic

SHL just got real-mode: US lawmakers demand answers on Meltdown, Spectre handling from Intel, Microsoft and pals

Four Republican members of the US House of Representatives sent letters on Wednesday to the leaders of Amazon, AMD, Apple, ARM, Google, Intel and Microsoft seeking answers about how the embargo on the Meltdown and Spectre bugs was handled. The secrecy agreement, put in place by these same companies, demanded silence from June …
Thomas Claburn, 25 Jan 2018
Confiant image of JavaScript fingerprinting code

Maverick internet cop Chrome 64 breaks rules to thwart malvert scum

The largest malvertising campaign in 2017 involved 28 fake ad agencies, which were used to generate about one billion ad views across 62 per cent of ad-supported websites, according to publishing security biz Confiant. By malvertising, we mean ads that try to trick people into installing fake Adobe Flash updates, bogus …
Thomas Claburn, 24 Jan 2018

Stripe in Bitcoin hype flight while fans blindly gobble up crypto-cash

Roundup Payment biz Stripe on Tuesday said it plans to phase out support for Bitcoin payments – citing declining interest among merchants and rising transactions times and fees. "[W]e've seen the desire from our customers to accept Bitcoin decrease," said Stripe product manager Tom Karlo. "And of the businesses that are accepting …
Thomas Claburn, 23 Jan 2018
Twilight Zone, 'Time Enough At Last'

Facebook invents new unit of time to measure modern attention spans: 1/705,600,000 of a sec

Video effects designers who work with C++ code have a new unit of time to work with called a "flick." Short for "frame-tick" if you're willing to overlook the absence of the letter "l" from either word, a flick lasts 1/705,600,000 of a second. It's a bit longer than a nanosecond, which clocks in at one billionth (1/1,000,000, …
Thomas Claburn, 23 Jan 2018

'WHAT THE F*CK IS GOING ON?' Linus Torvalds explodes at Intel spinning Spectre fix as a security feature

Intel's fix for Spectre variant 2 – the branch target injection design flaw affecting most of its processor chips – is not to fix it. Rather than preventing abuse of processor branch prediction by disabling the capability and incurring a performance hit, Chipzilla's future chips – at least for a few years until …
Soaring costs in San Fran. from www.shutterstock.com

In Soviet California, pedestrian hits you! Bloke throws himself in front of self-driving car

While commuter buses ferrying Apple and Google employees have been rerouted to avoid being shot at – reportedly with a pellet gun – GM Cruise has had less success keeping one of its self-driving cars out of harm's way. Earlier this week, the autonomous vehicle subsidiary of automaker General Motors (GM) said that one of its …
Thomas Claburn, 19 Jan 2018

Linux's Grsecurity dev team takes blog 'libel' fight to higher court

Open Source Security, Inc., the maker of the Grsecurity Linux kernel patches, suffered a setback last month when San Francisco magistrate judge Laurel Beeler granted a motion by defendant Bruce Perens to dismiss the company's defamation claim, with the proviso that the tossed legal challenge could be amended. The code biz and …
Thomas Claburn, 19 Jan 2018

Sad-sack Anon calling himself 'Mr Cunnilingus' online is busted for DDoSing ex-bosses

An electronics technician pleaded guilty on Wednesday to orchestrating distributed denial of service (DDoS) attacks on a former employer and other organizations – and to unlawfully possessing a firearm as a former felon. From July 2015 through around March 2017, according to a plea agreement, John Kelsey Gammell, of New Mexico …
Thomas Claburn, 18 Jan 2018

Crypto-cash exchange BitConnect pulls plug amid Bitcoin bloodbath

Amid a cryptocurrency price correction that has seen the price of Bitcoin drop by half from its mid-December peak, UK-based cyber-cash lending and exchange biz BitConnect said it is shutting down. The firm, dogged by accusations that it is a Ponzi scheme, cited bad press, regulatory orders, and cyber attacks for its market …
Thomas Claburn, 18 Jan 2018

Hehe, still writing code for a living? It's 2018. You could be earning x3 as a bug bounty hunter

Ethical hacking to find security flaws appears to pay better, albeit less regularly, than general software engineering. And while payment remains one of the top rationales for breaking code, hackers have begun citing more civic-minded reasons for their activities. A survey of 1,700 bug bounty hunters from more than 195 …
Thomas Claburn, 17 Jan 2018

What do Cali, New York, Hawaii, Maine and 18 other US states have in common? Fighting the FCC on net neutrality

Twenty-two US State Attorneys General filed a lawsuit on Tuesday to undo the Federal Communications Commission's rejection of net neutrality in America. The FCC – the nation's broadband watchdog – late last year approved rules titled Restoring Internet Freedom that free ISPs to discriminate against data as they see fit. The …
Thomas Claburn, 17 Jan 2018

Upset Equation Editor was killed off? Now you can tell Microsoft to go forth and multiply: App back from the dead

Microsoft Equation Editor was sentenced to death on January 9, 2018 at the age of 17, when a software update from Redmond removed five files necessary for the application to function. Only a few months ago, the Windows giant thought its Equation Editor could be saved: its software engineers, lacking access to the ancient app's …
Thomas Claburn, 16 Jan 2018

Let's Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers' domains

Let's Encrypt – a SSL/TLS certificate authority run by the non-profit Internet Security Research Group (ISRG) to programmatically provide websites with free certs for their HTTPS websites – on Thursday said it is discontinuing TLS-SNI validation because it's insecure in the context of many shared hosting providers. TLS-SNI is …
Thomas Claburn, 13 Jan 2018

Biting the hand that feeds IT © 1998–2018