There have never been more white-hat researchers hunting for vulnerabilities on internet-facing systems and yet barely any organisations provide a way for them to report the issues they find. In theory, the easiest way is to publish a Vulnerability Disclosure Policy (VDP), yet recent research here and here (PDFs) from bug …

The UK's TV Licensing agency has admitted that 25,000 viewers were induced into sending their bank details over an insecure connection. HTTPS crypto-shame: TV Licensing website pulled offline READ MORE The organisation ran transactional pages for bank debits through an insecure connection before being called out on the …

A computer security breach at Perth Mint first thought to have affected just 13 customers turned out to be more widespread – with more than 3,000 punters now screwed over by hackers. Last week, the Australian Broadcasting Corporation reported barely more than two handfuls of users of the mint's online repository were hit in …

Apple iPhones, iPads, and Mac computers that stray onto websites with malicious CSS code, while using Safari, can crash or fall over – due to a flaw in the web browser. The WebKit rendering engine vulnerability can be triggered by just a few lines of code in a cascading style sheet (CSS). On iOS devices, at least, it all …

Bristol Airport deliberately yanked its flight screens offline for two days over the weekend in response to a cyberattack. Techies took down computer-based flight information systems at the airport in provincial England between Friday morning and the wee hours of Sunday morning. The electronic screens were replaced by …

Who's hacking into university systems? Here's a clue from the UK higher education tech crew at Jisc: the attacks drop dramatically during summer break. A new study from Jisc (formerly the Joint Information Systems Committee) has suggested that rather than state-backed baddies or common criminals looking to siphon off academic …

Comment It has never been easier to conduct a cyber attack. There now exists a range of off-the-shelf tools and services that do all the heavy lifting – you just need to pick an approach and tool you like best. There's ransomware-as-a-service with its "here's one I made earlier" code, search engines that show connected interfaces with …

Equifax was so unsure how much data had been stolen during its 2017 mega-hack that its IT staff spent weeks rerunning the hackers' database queries on a test system to find out. That's just one intriguing info-nugget from the US Government Accountability Office's (GAO) report, Actions Taken by Equifax and Federal Agencies in …

Roundup This was the week of ice cold exploits, re-appearing JavaScript nasties, and of course Patch Tuesday. A few other things happened too… Android gets its monthly patch-up Microsoft and Adobe weren't the only ones to kick out monthly updates recently. Google also issued the September update for Android. This month, fixes …

An infosec bod has documented a remote-code execution flaw in Alpine Linux, a distro that pops up a lot in Docker containers. Max Justicz, researcher and creator of crowd-sourced bug bounty system Bountygraph, said on Thursday that the vulnerability could be exploited by someone with man-in-the-middle (MITM) network access, or …

Motorists tend to believe speed limits are a good idea and that everyone should stick to them. They know that when they break the limit the risk of an accident rises. But they also "know" that it is everyone else breaking the speed limit that pose the real danger. When it comes to cybersecurity insider threats, it appears that …

Veeam has blamed "human error" for the exposure of a marketing database containing millions of names and email addresses. The unencrypted MongoDB resource was left open for anyone to view after a migration between different AWS systems, Peter McKay, co-CEO and president at Veeam, told The Register. The resource – which wasn't …

Details of a locally exploitable but kernel-level flaw in Webroot's SecureAnywhere macOS security software were revealed yesterday, months after the bug was patched. Webroot antivirus goes bananas, starts trashing Windows system files READ MORE The fact that the memory corruption bug (CVE-2018-16962) is locally exploitable …

Video If you can steal someone's laptop, leave it switched on in sleep mode, crack it open, hook up some electronics to alter settings in the BIOS firmware, restart it, and boot into a custom program... you can swipe crypto keys and other secrets from the system. When computers are restarted, the motherboard firmware can wipe the …

A Nigerian scumbag will be spending the next five years in an American clink after pleading guilty to operating an email phishing scam targeting businesses around the world. Onyekachi Emmanuel Opara was given a 60-month sentence and ordered to pay $2.5m in restitution after pleading guilty to charges of wire fraud and …

The former head of IT for the US city of Detroit will spend the next 20 months behind bars for taking bribes while he was in office. Charles Dodd had served as director of the city's Departmental Technology Services (DTS) from 2014 to 2016, during which time he bagged nearly $30,000 in bungs from tech companies. He pleaded …

The US government has provided an online training course on insider threats. To help understand its efforts to stop the spread of leaks, spills, espionage and sabotage, The Reg signed up for a bit of training from the National Insider Threat Task Force (NITTF). Here we learned a lot about, in no particular order: former …

Capital One is facing criticism for using policies on its banking website that prevent the use of password managers. Joseph Carrigan, a Reg reader and senior security engineer at the Johns Hopkins University Information Security Institute in the US, says he was trying to reset the password for his Capital One bank account …

A Javascript library hosted by Feedify and used by e-commerce websites globally has been repeatedly infected this week to potentially siphon off countless victims' bank card details to crooks. The library code is typically embedded into retail webpages by site administrators and developers to add a means for shoppers to leave …

Updated The University of Edinburgh has gone offline from what appears to be a massive distributed denial-of-service attack on the campus network. As a result, the Scottish college's websites and wireless network gateways are down due to a flood of junk traffic during its first week of class. So far no student or faculty data is …

A misconfigured server at data recovery and backup firm Veeam exposed millions of email addresses. Reel talk: You know what's safely offline? Tape. Data protection outfit Veeam inks deal with Quantum READ MORE Security researcher Bob Diachenko discovered the 200GB cache of email addresses, names and (in some cases) IP …

Promo Worried about today’s IT dangers and how they will affect your organisation? Cybersecurity firm Sophos is inviting IT professionals to a free “See the Future” event in London, England, on Tuesday, 9 October. Starting at 8.30am, the day’s schedule will include expert talks and breakout sessions covering the latest trends in …

Video Boffins have sprung the bonnet on the weak crypto used in the keyless entry system in Tesla's Model S car. Researchers from the Computer Security and Industrial Cryptography (COSIC) group – part of the Department of Electrical Engineering at Belgian university KU Leuven – were able to clone a key fob, open the doors, and drive …

Parliament’s influential Public Accounts (PAC) Committee reckons UK Armed Forces need to recruit more digitally able folk to halt a widening skills gap, warning the military does not have a "coherent plan" to do so. With an existing 26 per cent shortfall in the target number of full-time intelligence analysts in the ranks of …

Analysis If Equifax's mother-of-all-security-disasters last year underlined one thing, it was that big companies think they can weather just about anything cybercriminals – and regulators – can throw at them. One unpatched web server, 147 million mostly US customer records swiped, and a political beating that should pulverise a company …

Admins will again be working overtime as Microsoft and Adobe have posted their monthly scheduled security updates for September. This month's Patch Tuesday bundle includes critical fixes for Windows, SQL Server, and Hyper V, as well as Flash and Cold Fusion. Rude guests and ugly images menace Microsoft In total, Microsoft …

A privilege escalation flaw in McAfee's True Key software remains open to exploitation despite multiple attempts to patch it. This according to researchers with security shop Exodus Intel, who claim that CVE-2018-6661 was not fully addressed with either of the two patches McAfee released for it. The flaw is an elevation of …

British Airways faces a £500m lawsuit over its recent mega-breach that exposed payment card details of 380,000 customers. The airliner last week apologised and offered to compensate customers for any direct financial loss for the attack that took place between 21 August and 5 September via its website and app. However, an …

Security experts are debating the cause of the British Airways mega-breach, with external scripts on its payment systems emerging as a prime suspect in the hack. Why infosec folk think it was the payment system Although BA hasn't disclosed the root of the breach, the unusual precision it ascribed to the hack's duration …

In late August, Microsoft announced a free service that arguably reveals more about the future of the email business and its struggles with security than several years' worth of earnest press releases. Called AccountGuard, it's Microsoft's answer to the phenomenon of Russian phishing meddling with the US elections and the …

A security researcher has disclosed a bug that could be abused to spoof website addresses in either Edge or Safari. Rafay Baloch told The Register that while Microsoft has since patched the flaw (CVE-2018-8383) in its browser, Apple has been dragging its feet on a fix for Safari for weeks, and the browser remains vulnerable …

Netgear has irked some security pros by demanding people register accounts before they can use a mobile app to control their Orbi mesh routers. Thus, you'll need a Netgear customer account to manage your network infrastructure, thereby "advertising to hackers everywhere that there’s a nice little honeypot on their servers, …

Bug broker Zerodium has released word of a flaw in the Tor browser that would potentially allow an attack site to bypass security protections and execute malicious code in the supposedly secure internet system. The flaw was disclosed in a Zerodium Tweet Monday morning that provides some detail on the nature of the flaw. …

If you've been looking at SiFive's RISC-V-based chip technology and thinking, y'know what, it's missing an Arm TrustZone-style element to run sensitive code, well, here's some good news. And if you're just into processor design and checking out alternatives to Arm CPU cores, then this may be some interesting news. SiFive …

Updated A bunch of Trend Micro anti-malware tools have vanished from Apple's Mac App Store – after they were spotted harvesting and siphoning off users' browser histories. Dr Cleaner, Dr Antivirus, and App Uninstall – utilities owned by the Japan-headquartered security house and distributed on the Mac App Store – are no longer …

Persistence pays off for crooks when it comes to sextortion-based phishing scams, research into its effectiveness suggests. One variant bombards prospective marks with threats to release non-existent footage of them watching smut unless they give in to demands. Cleverly, these threats are lent an air of authenticity by using …