Articles about Security

South Korea targeted by cyberspies (again). Kim, got something to say?

The South Korean public sector is once again in the firing line of a sophisticated – and likely government-backed – cyberattack. The campaign was active between November 2016 and January 2017 and relied on exploiting vulnerabilities in a Korean language word processing program and a spoofed document from the Korean Ministry of …
John Leyden, 24 Feb 2017

Cloudbleed: Big web brands leaked crypto keys, personal secrets thanks to Cloudflare bug

Big-name websites leaked people's private session keys and personal information into strangers' browsers, due to a Cloudflare bug uncovered by Google security researchers. Cloudflare helps companies spread their websites and online services across the internet. Due to a programming blunder, for several months Cloudflare's …
Iain Thomson, 24 Feb 2017

US 'security' biz trio Sentinel Labs, Vir2us, SpyChatter accused of lying about certification

Three US companies have settled with the FTC after they were accused of lying about the security safeguards on their customer information. Sentinel Labs, SpyChatter, and Vir2us have all agreed to adhere to the US trade regulator's settlement terms after they were formally charged with falsely claiming certification with the …
Shaun Nichols, 23 Feb 2017

'First ever' SHA-1 hash collision calculated. All it took were five clever brains... and 6,610 years of processor time

Google researchers and academics have today demonstrated it is possible – albeit with a lot of computing power – to produce two different documents that have the same SHA-1 hash signature. This is bad news because SHA-1 is used across the internet, from Git repositories to file deduplication systems to HTTPS certificates used …

Become a blockchain-secured space farmer with your hard drive

Startup Storj (pronounced storage oddly enough) has an open source, distributed cloud object storage platform using blockchain technology and end-to-end cryptography across a peer-to-peer network to secure files. The network consists of the internet and a shared community of “farmers”, users who rent out their spare desktop …
Chris Mellor, 23 Feb 2017

Microsoft catches up to Valentine's Day Flash flaw massacre

Microsoft's popped out a Security Update for Adobe Flash. Adobe did likewise last week, celebrating hackers' love for Flash by releasing it on Valentine's Day. That dump addressed no fewer than 13 CVEs that allowed code execution due to: Type confusion vulnerability Integer overflow vulnerability Use-after-free …
Simon Sharwood, 23 Feb 2017

Boffins exfiltrate data by blinking hard drives' LEDs

That roll of tape you use to cover the Webcam? Better use some of it on your hard-drive LED, because it can be a data exfiltration vector. Exfiltration experts from Ben-Gurion University of the Negev's Cyber Security Research Center have added to previous techniques like fan modulation, GSM transmissions, or listening to the …

Linux kernel gets patch for 11-year-old local-root-hole security bug

Eleven years ago or thereabouts, the Linux kernel got support for the Datagram Congestion Control Protocol – and also got a privilege escalation bug that has just been fixed. Like basically every root hole, this flaw can be potentially exploited by software on a vulnerable device, or logged-in users, to gain root-level access …

Firefox certificate cache leaks user information

Firefox's intermediate certificate cache can be tricked into leaking to a deliberately mis-configured server, creating yet-another chance to fingerprint users (including those who think they're protected by Private Browsing). The data leak identified by security researcher Alexander Klink could also let a malicious attacker …

US judge halts mass fingerprint harvesting by cops to unlock iPhones

Analysis An Illinois judge has rejected a warrant sought by the US government to force everyone in a given location to apply his or her fingerprints to any Apple electronic device investigators happen to find there, a ruling contrary to a similar warrant request granted last year by a judge in California. Under current law, the …
Thomas Claburn, 23 Feb 2017

Blundering Boeing bod blabbed spreadsheet of 36,000 coworkers' personal details in email

Global aerospace firm Boeing earlier this month sent a notification to Washington State Attorney General Bob Ferguson, as required by law, about a company employee who mistakenly emailed a spreadsheet full of employee personal data to his spouse in November, 2016. The spreadsheet, sent to provide the employee's spouse with a …
Thomas Claburn, 22 Feb 2017

Privacy concerns over gaps in eBay crypto

eBay uses HTTPS on its most critical pages, such as those where payment or address information is entered, but a lack of encryption on several sensitive pages still poses a concern for the privacy conscious. Many pages on the site, which require user input or contain their personal info, are not HTTPS encrypted, according to …
John Leyden, 22 Feb 2017

Infosec firm NCC Group launches review over crap financials

Cybersecurity firm NCC Group has launched a strategic review after issuing a profit warning. The company announced on Tuesday that the performance of its assurance division will be significantly lower than anticipated. This will hit its overall financial results for the full year ending 31 May, 2017. NCC now expects that the …
John Leyden, 22 Feb 2017

London Internet Exchange members vote no to constitution tweak

Members of LINX, the London Internet Exchange – the UK's largest net peering point – have rejected proposals that would reshape the company’s constitution and could block members from being consulted about government tapping instructions. The vote, on Tuesday, followed a Reg report revealing that members had been given less …
Duncan Campbell, 22 Feb 2017

Clone it? Sure. Beat it? Maybe. Why not build your own AWS?

You can't move without IT companies telling you about the "amazing" new technologies and features they've just launched, how you can't live without them, and what a shock it is that you've managed all these years before they were developed. And of course the bigger the company, the more new stuff they tend to pump out and the …
Dave Cartwright, 22 Feb 2017

Netflix treats security ills with Stethoscope: Open-source self-probing tool

Netflix has released the source code of a web application called Stethoscope for evaluating the security of mobile and desktop computing devices. The software, covered by the Apache 2.0 license, is intended for employees of organizations that use a device management service. Netflix hopes that employees using the toolkit will …
Thomas Claburn, 22 Feb 2017

How's your online bank security looking? The Dutch studied theirs and... yeah, not great

The Dutch banking industry is doing a terrible job of online security, according to the company that runs the country's .nl internet domains. In a new report published Tuesday, the internet registry SIDN was surprised to find that just six per cent of banks using .nl internet addresses have the security protocol DNSSEC in …
Kieren McCarthy, 22 Feb 2017

Cisco edits DNA for even softer switches

Hard on the heels of a second-quarter result in which software subscriptions provided one of the few bright spots, Cisco's revealed a slew of new software-based systems. Today's announcements are for a bunch of software-based routing and security offerings at the branch, colocation, and cloud level. Network Function …

Google devs try to create new global namespace

Wouldn't it be nice if there was a universal and consistent way to give names to files stored on the Internet, so they were easy to find? A universal resource locator, if you like? The problem is that URLs have been clunkified, so Upspin, an experimental project from some Google engineers, offers an easier model: identifying …

OpenStack Ocata announced – then briefly withheld

The OpenStack Foundation has announced Ocata, its fifteenth edition. And then tried to un-announce it again. The minor mess came about after the Foundation sent an email to reveal the update, complete with a download link to the new release. About 30 minutes later came an email apologising “for the inconvenience” because “In …
Simon Sharwood, 22 Feb 2017

Talos opens box, three Aerospike vulns fly out

Aerospike NoSQL server DBAs, make sure you've rolled out version 3.11.1.1, because the vulnerabilities it fixes have been made public. Cisco Talos made the three-vuln disclosure after the fix landed, including one denial-of-service and two code execution bugs – all easy to trigger by sending crafted packets. In the DoS bug, …

US Homeland Security is so secure even its own staff can't log in

US Department of Homeland Security staff returning to work on Tuesday after the Presidents' Day holiday have apparently had a tough time getting computer systems to function. DHS staff say they weren't able to log into computer systems at their offices in Washington DC, when clocking on this morning. Staff in at least four …
Iain Thomson, 21 Feb 2017

Big Blue's big blunder: IBM accidentally hands over root access to its data science servers

IBM left private keys to the Docker host environment in its Data Science Experience service inside freely available containers. This potentially granted the cloud service's users root access to the underlying container-hosting machines – and potentially to other machines in Big Blue's Spark computing cluster. Effectively, Big …
Thomas Claburn, 21 Feb 2017

'Hey, Homeland Security. Don't you dare demand Twitter, Facebook passwords at the border'

Over 50 human rights and civil liberties groups, nearly 100 law professors and security experts, and lawmakers have launched a campaign against digital searches at the US border. An open letter condemns recent comments by Homeland Security secretary John Kelly in which he proposed requiring selected non-citizens entering the …
Kieren McCarthy, 21 Feb 2017

Meet the chap open-sourcing US govt code – Paul, an ex-Microsoft anti-piracy engineer

Interview In the months ahead, Idaho National Laboratory aims to open-source software for analyzing the quality of cow manure. "It runs a whole bunch of scenarios and numbers and determines what is the most profitable use of the manure that comes out of cows," explained Paul Berg, senior research and development software licensing …
Thomas Claburn, 21 Feb 2017

Hacking group RTM able to divert bulk financial transfers with malware

Cybercrime group RTM is deploying complex malware based in the Delphi programming language to target Remote Banking Systems (RBS), a type of business software used to make bulk financial transfers. The problem was severe enough to warrant an advisory from FinCERT, a Russian CERT responsible for fighting cybercrime targeting …
John Leyden, 21 Feb 2017

Kubernetes and Prometheus flesh out CLL deep dive lineup

We’ve added the final session to our workshop lineup for Continuous Lifecycle London, giving you six options for diving deep into the technologies and tools driving cutting edge software development and deployment. Weaveworks’ Luke Marsden will not just show you how to get up and running with Kubernetes, but how to use …
Team Register, 21 Feb 2017

TeamSpy hackers get the crew back together after four-year hiatus

Updated Cybercrooks have once again begun slinging malware that subverts elements of the legitimate TeamViewer remote control app to snoop on victims. The tactic was previously seen in 2013. Attacks typically begin with booby-trapped emails harbouring malicious attachments that pose as eFax messages. If installed, the malicious code …
John Leyden, 21 Feb 2017

You're doing Hadoop and Spark wrong and they will probably fail

Your attempt at putting Hadoop or Spark to work probably won't work, and you'll be partly to blame for thinking they are magic. That's the gist of a talk delivered by Gartner research director Nick Heudecker at the firm's Sydney Data & Analytics Summit 2017. Heudecker opened with the grim prediction that 70 per cent of Hadoop …
Simon Sharwood, 21 Feb 2017

Australia commences critical infrastructure protection consultation

Last month, Australia's federal government established a Critical Infrastructure Centre. Now it's decided to ask what the centre should protect. Attorney-General George Brandis has announced a month-long consultation into the security of the country's critical infrastructure. The statement says the consultation includes …

Java and Python have unpatched firewall-crossing FTP SNAFU

Stop us if you've heard this one: Java and Python have a bug you can exploit to cross firewalls. Since neither are yet patched, it might be a good day to nag your developers for a bit. The Java vulnerability means protocol injection through its FTP implementation can fool a firewall into allowing TCP connections from the …

Is your child a hacker? Liverpudlian parents get warning signs checklist

Hot on the heels of Liverpool being awarded the European Capital of Culture for 2008 comes a charity programme, run by YouthFed, titled Hackers to Heroes. The programme, which encourages youngsters to develop useful computer skills, is also informing parents of the signs they may encounter if their children are on the path to …

Beeps, roots and leaves: Car-controlling Android apps create theft risk

Insecure car-controlling Android apps create a heightened car theft risk, security researchers at Kaspersky Lab warn. Boffins at the security software maker made the warning after putting Android apps from seven (unnamed) car makers through their paces, uncovering a raft of basic security flaws in the process. During recent …
John Leyden, 20 Feb 2017

Connected car in the second-hand lot? Don't buy it if you're not hack-savvy

Cars are smart enough to remember an owner, but not smart enough to forget one – and that's a problem if a smart car is sold second-hand. The problem is as simple as you could imagine: people shovelling apps and user services into cars forget that the vehicle nearly always outlives its first owner. The global head of IBM's X- …

Probe President Trump and his crappy Samsung Twitter-o-phone, demand angry congressfolk

Fifteen members of US Congress have asked the House Oversight Committee to investigate whether President Trump is putting national security at risk by using an insecure phone and holding sensitive meetings in public. In a letter to the committee, the congressfolk say [PDF] they were inspired by reports that the Commander in …
Iain Thomson, 17 Feb 2017

Huge if true: iPhone 8 will feature 3D selfies, rodent defibrillator

With the exciting news that Apple is going to hold a conference in June where it will announce new products – only the 15th time it has done so since 2003 – we felt it was time to write down some wild speculation because, like lemmings, you will click on it and we make money when you do. Of course the big news is that June …
Kieren McCarthy, 17 Feb 2017

Smash up your kid's Bluetooth-connected Cayla 'surveillance' doll, Germany urges parents

Germany's Federal Network Agency, or Bundesnetzagentur, has banned Genesis Toys' Cayla doll as an illegal surveillance device. "Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people's privacy," said agency president Jochen …
Thomas Claburn, 17 Feb 2017

US account holders more likely to switch banks following fraud

Account holders in the US are more likely to switch banks in the aftermath of fraud, according to a new study. Researchers at Carnegie Mellon University found that people who had their information compromised were more likely to terminate their relationship with the bank within six months of a fraudulent event, even if they …
John Leyden, 17 Feb 2017

Round-filed 'paperless' projects: Barriers remain to Blighty's Digital NHS

It was hard to hear UK health secretary Jeremy Hunt’s recent backtracking over his plans for a paperless NHS by 2018, without wondering to what extent digital health documents have contributed to global forest depletion over the last decades. To some extent all tech programmes in the NHS are still overshadowed by the …
Kat Hall, 17 Feb 2017

UK Snoopers' Charter gagging order drafted for London Internet Exchange directors

Exclusive London Internet Exchange (LINX) – Europe's major internet traffic hub – faces a growing backlash over changes to its rules that would gag its directors applying secret government orders to monitor networks, under Britain's Investigatory Powers Act. LINX members – hundreds of internet companies – have been given less than two …
Duncan Campbell, 17 Feb 2017

Microsoft makes cheeky bid for MongoDB devs on Azure security grounds

Microsoft is attempting to capitalise on a recent spate of ransom attacks on unsecured MongoDB instances by encouraging developers to switch to working with its own Azure-based DocumentDB system. The free version of MongoDB ships with the default TCP port 27017, and with so many administrators failing to run port to change it …

Mystery deepens over Android spyware targeting Israeli soldiers

Hackers are continuing to target Israeli Defence Force (IDF) personnel with Android spyware but doubts have emerged that Hamas is behind the cyber-spying operation. ViperRAT has been specifically designed to exfiltrate information of high value from compromised devices. "Many of these samples are still active and are …
John Leyden, 17 Feb 2017

US visitors must hand over Twitter, Facebook handles by law – newbie Rep starts ball rolling

A newbie congressman has floated his first ever US law bill – one that demands visitors to America hand over URLs to their social network accounts. House Rep Jim Banks (R-IN) says his proposed rules – dubbed the Visa Investigation and Social Media Act (VISA) of 2017 – require visa applicants to provide their social media …
Shaun Nichols, 17 Feb 2017

Don’t panic over cyber-terrorism: Daesh-bags still at script kiddie level

RSA USA There’s no need to panic about the threat of a major online terrorist attack, since ISIS and their allies are all talk and no trousers. That's according to the former head of the US National Counterterrorism Center. Matt Olsen, who has also served as the NSA’s top lawyer, told the RSA security conference today that the levels …
Iain Thomson, 16 Feb 2017

Corpse of US anti-spying law unearthed, reanimated, pushed blinking into the sunlight

US Congressional lawmakers on Wednesday reintroduced legislation to establish rules limiting how American government agencies can obtain a person's whereabouts. The Geolocation Privacy and Surveillance Act (GPS Act), sponsored by Sen. Ron Wyden (D-Ore.), Rep. Jason Chaffetz (R-Utah), and Rep. John Conyers, Jr. (D-Mich), was …
Thomas Claburn, 16 Feb 2017

THE SCHMIDT HITS THE BAN: Keep your gloves off AI, military top brass

RSA USA Alphabet exec chairman Eric Schmidt is worried that the future of the internet is going to be under threat once the world’s militaries get good at artificial intelligence. Speaking at the RSA security conference in San Francisco, Google's ultimate supremo said he is worried the internet will be balkanized if countries lock …
Iain Thomson, 16 Feb 2017

Analyse this: IBM moves Watson machine learning to mainframes

IBM is adding the machine learning technology from Watson to its z/OS mainframe for smarter, faster analytics of transaction data. Big Data analytics is typically applied to unstructured data in the Hadoop world. By contrast, older data warehousing and business intelligence (DW/BI) products are applied to structured data in …
Chris Mellor, 16 Feb 2017

Nul points for Ukraine's Eurovision ticket site fail

Eurovision fans purchasing tickets to the event in Ukraine this year were left frustrated due to a number of technical and payment issues with the website last night. One reader got in touch to report that the Ukrainian ticketing site concert.ua had experienced a "spectacular failure in payment process, security and ticket …
Kat Hall, 16 Feb 2017

Haven't deleted your Yahoo account yet? Reminder: Hackers forged login cookies

Yahoo! is reminding folks that hackers broke into its systems, and learned how to forge its website's session cookies. That allowed the miscreants to log into user accounts without ever typing a password. In warnings emailed out this week, the troubled web biz said accounts were infiltrated in 2015 and 2016 using forged …
John Leyden, 16 Feb 2017

Sigfox leads with its chin on security for internet-connected things

Comment French Internet of Things bods Sigfox have published a “Universal Declaration of IoT Rights”, which, as well as being a bit awful, sheds light on a wider boredom with proper security. Hopefully published tongue-in-cheek, the declaration was written by Sigfox’s “vice president imagineering” (not a typo), opening: “We have a …
Gareth Corfield, 16 Feb 2017