Boffins from Graz University of Technology in Austria have devised an automated system for browser profiling using two new side channel attacks that can help expose information about software and hardware to fingerprint browsers and improve the effectiveness of exploits. In a paper, "JavaScript Template Attacks: Automatically …

The US Customs and Border Patrol today said hackers broke into one of its bungling technology subcontractors – and made off with images of people and their vehicle license plates as they passed through America's land border. The CBP issued a statement outlining how it learned on May 31 that the unnamed contractor, against …

Symantec is working to restore its Email Security.cloud service following a major slowdown that has lasted throughout the US morning and into the afternoon. The security software giant said unspecified gremlins knackered its cloud-hosted email filtering service, resulting in email flows slowing to a trickle for customers in …

A Welsh man who hacked British ISP TalkTalk in 2015 and siphoned off subscribers' personal data has been sent down for four years. A judge at the Old Bailey in London sentenced Daniel Kelley, 22, of Heol Dinbych, Llanelli, on Monday. Kelley pleaded guilty to 11 computer crime charges in 2016, and has waited more than two and a …

RoundupIt wasn't just fake CIA agents, database mega-hacks and Bing flings in the security world last week. Here are a few tidbits beyond what you've read in El Reg. Exim bug resurfaces with improbable exploit Are you running the latest version (4.9.2) of Exim on your Linux box? If so, you can go ahead and skip down to the next item …

Who, Me?Ah, the sweet, sweet smell of Monday. What better way to start your week than combining it with the latest confession of wrongdoing from The Register readership in the form of our weekly Who, Me? column. Today's blast from the past comes from a somewhat unrepentant reader we shall refer to as "Charles". Take yourself back to …

Fraudsters are posing as CIA investigators gone rogue in emails to marks, offering to take bribes to drop bogus investigations into the recipients and claims of online pedophilia, according to Kaspersky. The security shop says the scammers are spraying out spam messages in which they pretend to be Uncle Sam's agents conducting …

Today is National Fish and Chip* Day, and tech giant Microsoft has wasted no time wading in with the police to school the UK about phishing scams. In what must be one of the industry's most tenuous links, the City of London Police has urged internet pond life to "mullet over" before falling victim to a phishing email on …

Something for the Weekend, Sir? Access denied. Enter Access Code. That's a good start. Just a few moments ago I was handed a card on which is written, in blue ballpoint, a newly compiled string of alphanumerics that is supposed to identify me as a unique user. Oh well, maybe I fumbled the buttons. Let's try again. Access denied. Enter Access Code. I am …

Blockchain biz Komodo this week said it had used a vulnerability discovered by JavaScript package biz NPM to take control of some older Agama cryptocurrency wallets to prevent hackers from doing the same. The digital currency startup said it had socked away 8 million KMD (Komodo) and 96 BTC (Bitcoin) tokens – worth about …

As healthcare companies come forward to confirm hackers would have been able to access millions of patients' personal information from a compromised American Medical Collections Agency (AMCA) database, US senators are demanding answers. Quest Diagnostics was yesterday on the receiving end of an open letter (PDF) issued by …

Pizza Hut has warned members of its loyalty scheme "Hut Rewards" not to re-use passwords after hackers managed to access some customer accounts. The fast-food chain, which also suffered a breach stateside in 2017, believes that miscreants got hold of details from elsewhere and then used them to access Pizza Hut systems. The …

As ransomware infections continue, conventional wisdom on how to respond to threats is going out the window. The idea of agreeing to an extortionist's demand, and paying a ransom to restore your company's scrambled data, long considered a non-starter, is something businesses should mull over as a viable option, according to …

Google has released its June bundle of security vulnerability patches for Android, with fixes for 22 CVE-listed flaws included. This month's update, including eight critical fixes, includes patches to close up four confirmed remote code execution vulnerabilities. Google says none of the bugs have been targeted in the wild, yet …

ExclusivePhishing kits – used by miscreants to build webpages that steal victims' personal information and money by masquerading as legit websites – harbor vulnerabilities that can be exploited by other miscreants to pilfer freshly stolen data. It's not far off burglars breaking into a mafia den to steal loot swiped just hours earlier …

LogowatchThe strategy boutique opened a pop-up shop on the wild steppe of Kaspersky Lab yesterday as the Russian antivirus developer revealed a daring redesign that involves dropping the word "Lab". Gone too are the beautifully random red triangles, the evocative over-sized "SS", and the multiple fonts – thrown overboard in favour of …

Hackers have raided databases containing millions of medical test lab patients' personal and payment information, making off with at least hundreds of thousands of people's banking details. The ransacked data stores were maintained by American Medical Collection Agency (AMCA) on behalf of blood-testing biz LabCorp and medical- …

A devious and baffling new strain of malware intercepts and tampers with internet traffic on infected Apple Macs to inject Bing results into users' Google search results, we're told. A report out this month by security house AiroAV details how its bods apparently spotted a software nasty that configures compromised macOS …

The Australian National University (ANU) today copped to a fresh breach in which intruders gained access to "significant amounts" of data stretching back 19 years. The top-ranked Oz uni said it noticed about a fortnight ago that hackers had got their claws on staff, visitor and student data, including names, addresses, dates …

Owners of Supra Smart Cloud TVs are in danger of getting some unwanted programming: it's possible for miscreants or malware on your Wi-Fi network to switch whatever you're watching for video of their or its choosing. Bug-hunter Dhiraj Mishra laid claim to CVE-2019-12477, a remote file inclusion zero-day vulnerability that …

Application makers are crying foul after some of their programs distributed via the Windows Store popped open tech-support scam ads on users' desktops. A thread in Microsoft's support forum, active since April 28, details the scandal: programmers who use Redmond's Advertising Software Development Kit (SDK) to display ads in …

The US-based Institute of Electrical and Electronics Engineers (IEEE) has lifted its sanctions on Huawei-linked academic reviewers. In an email sent to members, seen by The Register, IEEE president Jose Moura declared the organisation's recent ban on Huawei-linked people peer-reviewing academic papers is over, pleading for the …

Malware can bypass protections in macOS Mojave, and potentially access user data as well as the webcam and mic – by exploiting a hole in Apple's legacy app support. Digita Security chief research officer Patrick Wardle explained during a presentation at the Objective By the Sea conference in Monte Carlo this week how malicious …

Bio-analytical testing biz Eurofins Scientific today admitted it was the subject of a ransomware attack at the weekend. The Paris Stock Exchange-listed group operates in food, environmental, pharmaceutical and cosmetics product testing. It has 800 labs spread across 47 countries. The company said in a statement that its tech …

RoundupHere's a quick summary of news in the world of information security beyond everything we've already covered. Docker containers banished to the coin mines Last week was not a great week for the Docker security team, first with the revelation of a race condition flaw, then with a warning from Trend Micro of active attacks …

Following disquiet over the IEEE's decision to block Huawei-linked researchers from doing various academic tasks, a Chinese computer research body has reportedly severed ties with the IEEE in retaliation. The China Computer Federation (CCF) declared that it is suspending communications with the US-based Institute of Electrical …

UpdatedLeicester City Football Club has quietly told people who bought stuff from its website that their financial details have been stolen by hackers – and those details include credit card numbers and CVVs. Reg reader Yazza, a Foxes follower, received an email from the British club 'fessing up to the hack attack, which affected its …

Mozilla has published a series of objections to web packaging, a content distribution scheme proposed by engineers at Google that the Firefox maker considers harmful to the web in its current form. At its developer conference earlier this month, Google engineers talked up the tech, which consists of several related projects – …

US government workers may be placing America's national security at risk as there is no official policy banning them from running their smartphones' personal and official internet traffic through untrustworthy foreign-hosted VPN services. A letter [PDF] from Homeland Security's Cybersecurity and Infrastructure Security Agency …

Bruce Schneier, Richard Stallman and a host of western tech companies including Microsoft and WhatsApp are pushing back hard against GCHQ proposals that to add a "ghost user" to encrypted messaging services. The point of that "ghost user", as we reported back in 2018 when this was first floated in its current form, is to apply …

More than 50,000 servers around the world have been infected with malware that installs crypto-coin-mining scripts and advanced rootkits, it is claimed. Known as Nanshou, the software nasty, we're told, infects machines by brute-forcing Microsoft SQL Server account passwords and using known exploits to elevate its privileges. …

GitHub can now automagically offer security patches for projects' third-party dependencies. The Microsoft-owned source-code management site announced on Wednesday the new beta-grade feature: when enabled, developers will receive automatically generated pull requests that, when accepted, will apply security fixes to a project's …

UpdatedProtonMail, a provider of encrypted email, has denied claims that it voluntarily provides real-time surveillance to authorities. Earlier this month, Martin Steiger, a lawyer based in Zurich, Switzerland, attended a presentation in which public prosecutor Stephan Walder, who heads the Cybercrime Competence Center in Zurich, …

Compsci academics are startled by how the US-based IEEE is complying with American sanctions on Huawei. That includes halting peer review by anyone connected to the Chinese company – and banning them from buying IEEE-branded coffee mugs. The New York-headquartered Institute of Electrical and Electronics Engineers, one of the …

News aggregation app Flipboard has publicly confessed that hackers accessed personal data about its members. Although the biz did not say how many customers had been affected, the app has been installed more than half a billion times, according to its Google Play Store listing. The databases that got away, according to a …

An irate infosec researcher has accused Pornhub owners Mindgeek of out-of-scoping what he described as "critical" vulns in a cartoon pornography-themed mobile games site. John Sawyer, a mobile app security specialist, had a poke around some of the APKs (Android application package) listed on Nutaku, a highly NSFW Mindgeek site …