C'mon, biz: Give white hats a chance to tell you how screwed you are

There have never been more white-hat researchers hunting for vulnerabilities on internet-facing systems and yet barely any organisations provide a way for them to report the issues they find. In theory, the easiest way is to publish a Vulnerability Disclosure Policy (VDP), yet recent research here and here (PDFs) from bug …
John E Dunn, 18 Sep 2018

TV Licensing admits: We directed 25,000 people to send their bank details in the clear

The UK's TV Licensing agency has admitted that 25,000 viewers were induced into sending their bank details over an insecure connection. The organisation ran transactional pages for bank debits through an insecure connection before being called out on the …
John Leyden, 18 Sep 2018

Just 13 – no, er, make that 3,200 punters hit in Oz's Perth Mint hack

A computer security breach at Perth Mint first thought to have affected just 13 customers turned out to be more widespread – with more than 3,000 punters now screwed over by hackers. Last week, the Australian Broadcasting Corporation reported barely more than two handfuls of users of the mint's online repository were hit in …

Check out this link! It's not like it'll crash your iPhone or anything (Hint: Of course it will)

Apple iPhones, iPads, and Mac computers that stray onto websites with malicious CSS code, while using Safari, can crash or fall over – due to a flaw in the web browser. The WebKit rendering engine vulnerability can be triggered by just a few lines of code in a cascading style sheet (CSS). On iOS devices, at least, it all …
John Leyden, 17 Sep 2018

Brit airport pulls flight info system offline after attack by 'online crims'

Bristol Airport deliberately yanked its flight screens offline for two days over the weekend in response to a cyberattack. Techies took down computer-based flight information systems at the airport in provincial England between Friday morning and the wee hours of Sunday morning. The electronic screens were replaced by …
John Leyden, 17 Sep 2018

Who's hacking into UK unis? Spies, research-nickers... or rival gamers living in res hall?

Who's hacking into university systems? Here's a clue from the UK higher education tech crew at Jisc: the attacks drop dramatically during summer break. A new study from Jisc (formerly the Joint Information Systems Committee) has suggested that rather than state-backed baddies or common criminals looking to siphon off academic …
John Leyden, 17 Sep 2018

Tick-tock, tick-tock. Oh, that's just the sound of compromised logins waiting to ruin your day

Comment It has never been easier to conduct a cyber attack. There now exists a range of off-the-shelf tools and services that do all the heavy lifting – you just need to pick an approach and tool you like best. There's ransomware-as-a-service with its "here's one I made earlier" code, search engines that show connected interfaces with …
Dave Cartwright, 17 Sep 2018

Equifax IT staff had to rerun hackers' database queries to work out what was nicked – audit

Equifax was so unsure how much data had been stolen during its 2017 mega-hack that its IT staff spent weeks rerunning the hackers' database queries on a test system to find out. That's just one intriguing info-nugget from the US Government Accountability Office's (GAO) report, Actions Taken by Equifax and Federal Agencies in …
John E Dunn, 17 Sep 2018

Kronos crims go retro, Apple builds cop portal, Swiss cheesed over Russian hack bid, etc

Roundup This was the week of ice cold exploits, re-appearing JavaScript nasties, and of course Patch Tuesday. A few other things happened too… Android gets its monthly patch-up Microsoft and Adobe weren't the only ones to kick out monthly updates recently. Google also issued the September update for Android. This month, fixes …
Shaun Nichols, 15 Sep 2018

Docker fave Alpine Linux suffers bug miscreants can exploit to poison containers

An infosec bod has documented a remote-code execution flaw in Alpine Linux, a distro that pops up a lot in Docker containers. Max Justicz, researcher and creator of crowd-sourced bug bounty system Bountygraph, said on Thursday that the vulnerability could be exploited by someone with man-in-the-middle (MITM) network access, or …
Shaun Nichols, 15 Sep 2018

Security procedures are good – follow them and you get to keep your job

Motorists tend to believe speed limits are a good idea and that everyone should stick to them. They know that when they break the limit the risk of an accident rises. But they also "know" that it is everyone else breaking the speed limit that pose the real danger. When it comes to cybersecurity insider threats, it appears that …
David Gordon, 14 Sep 2018

Veeam holds its hands up, admits database leak was plain 'complacency'

Veeam has blamed "human error" for the exposure of a marketing database containing millions of names and email addresses. The unencrypted MongoDB resource was left open for anyone to view after a migration between different AWS systems, Peter McKay, co-CEO and president at Veeam, told The Register. The resource – which wasn't …
John Leyden, 14 Sep 2018

Kernel sanders: Webroot vuln creates route to root Macs

Details of a locally exploitable but kernel-level flaw in Webroot's SecureAnywhere macOS security software were revealed yesterday, months after the bug was patched. The fact that the memory corruption bug (CVE-2018-16962) is locally exploitable …
John Leyden, 14 Sep 2018

You'll never guess what you can do once you steal a laptop, reflash the BIOS, and reboot it

Video If you can steal someone's laptop, leave it switched on in sleep mode, crack it open, hook up some electronics to alter settings in the BIOS firmware, restart it, and boot into a custom program... you can swipe crypto keys and other secrets from the system. When computers are restarted, the motherboard firmware can wipe the …
John Leyden, 14 Sep 2018

Princely five years in US big house for Nigerian biz email scammer

A Nigerian scumbag will be spending the next five years in an American clink after pleading guilty to operating an email phishing scam targeting businesses around the world. Onyekachi Emmanuel Opara was given a 60-month sentence and ordered to pay $2.5m in restitution after pleading guilty to charges of wire fraud and …
Shaun Nichols, 13 Sep 2018

Former Detroit IT boss sent down 20 months for bathroom bung bonanza

The former head of IT for the US city of Detroit will spend the next 20 months behind bars for taking bribes while he was in office. Charles Dodd had served as director of the city's Departmental Technology Services (DTS) from 2014 to 2016, during which time he bagged nearly $30,000 in bungs from tech companies. He pleaded …
Shaun Nichols, 13 Sep 2018

The Reg takes the US government's insider threat training course

The US government has provided an online training course on insider threats. To help understand its efforts to stop the spread of leaks, spills, espionage and sabotage, The Reg signed up for a bit of training from the National Insider Threat Task Force (NITTF). Here we learned a lot about, in no particular order: former …
David Gordon, 13 Sep 2018

Solid password practice on Capital One's site? Don't bank on it

Capital One is facing criticism for using policies on its banking website that prevent the use of password managers. Joseph Carrigan, a Reg reader and senior security engineer at the Johns Hopkins University Information Security Institute in the US, says he was trying to reset the password for his Capital One bank account …
Shaun Nichols, 13 Sep 2018

Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JS

A JavaScript library hosted by Feedify and used by e-commerce websites globally has been repeatedly infected this week to potentially siphon off countless victims' bank card details to crooks. The library code is typically embedded into retail webpages by site administrators and developers to add a means for shoppers to leave …
Shaun Nichols, 12 Sep 2018

Whisky business: Uni of Edinburgh servers Irn-Scru'd by cyber-attack

Updated The University of Edinburgh has gone offline from what appears to be a massive distributed denial-of-service attack on the campus network. As a result, the Scottish college's websites and wireless network gateways are down due to a flood of junk traffic during its first week of class. So far no student or faculty data is …
Shaun Nichols, 12 Sep 2018

Back up a minute: Veeam database config snafu exposed millions of customer records

A misconfigured server at data recovery and backup firm Veeam exposed millions of email addresses. Security researcher Bob Diachenko discovered the 200GB cache of email addresses, names and (in some cases) IP …
John Leyden, 12 Sep 2018

Explore the threat landscape at Sophos 'See the Future' event

Promo Worried about today’s IT dangers and how they will affect your organisation? Cybersecurity firm Sophos is inviting IT professionals to a free “See the Future” event in London, England, on Tuesday, 9 October. Starting at 8.30am, the day’s schedule will include expert talks and breakout sessions covering the latest trends in …
David Gordon, 12 Sep 2018

2-bit punks' weak 40-bit crypto didn't help Tesla keyless fobs one bit

Video Boffins have sprung the bonnet on the weak crypto used in the keyless entry system in Tesla's Model S car. Researchers from the Computer Security and Industrial Cryptography (COSIC) group – part of the Department of Electrical Engineering at Belgian university KU Leuven – were able to clone a key fob, open the doors, and drive …
John Leyden, 12 Sep 2018

Brit armed forces still don't have enough techies, thunder MPs

Parliament’s influential Public Accounts (PAC) Committee reckons UK Armed Forces need to recruit more digitally able folk to halt a widening skills gap, warning the military does not have a "coherent plan" to do so. With an existing 26 per cent shortfall in the target number of full-time intelligence analysts in the ranks of …
Gareth Corfield, 12 Sep 2018

Generally Disclosing Pretty Rapidly: GDPR strapped a jet engine on hacked British Airways

Analysis If Equifax's mother-of-all-security-disasters last year underlined one thing, it was that big companies think they can weather just about anything cybercriminals – and regulators – can throw at them. One unpatched web server, 147 million mostly US customer records swiped, and a political beating that should pulverise a company …
John E Dunn, 12 Sep 2018

It's September 2018, and Windows VMs can pwn their host servers by launching an evil app

Admins will again be working overtime as Microsoft and Adobe have posted their monthly scheduled security updates for September. This month's Patch Tuesday bundle includes critical fixes for Windows, SQL Server, and Hyper V, as well as Flash and Cold Fusion. Rude guests and ugly images menace Microsoft In total, Microsoft …
Shaun Nichols, 11 Sep 2018

When is a patch not a patch? When it's for this McAfee password bug

A privilege escalation flaw in McAfee's True Key software remains open to exploitation despite multiple attempts to patch it. This according to researchers with security shop Exodus Intel, who claim that CVE-2018-6661 was not fully addressed with either of the two patches McAfee released for it. The flaw is an elevation of …
Shaun Nichols, 11 Sep 2018

Law firm seeking leak victims to launch £500m suit at British Airways

British Airways faces a £500m lawsuit over its recent mega-breach that exposed payment card details of 380,000 customers. The airline last week apologised and offered to compensate customers for any direct financial loss for the attack that took place between 21 August and 5 September via its website and app. However, an …
John Leyden, 11 Sep 2018

British Airways hack: Infosec experts finger third-party scripts on payment pages

Security experts are debating the cause of the British Airways mega-breach, with external scripts on its payment systems emerging as a prime suspect in the hack. Why infosec folk think it was the payment system Although BA hasn't disclosed the root of the breach, the unusual precision it ascribed to the hack's duration …
John Leyden, 11 Sep 2018

Email security crisis... What email security crisis?

In late August, Microsoft announced a free service that arguably reveals more about the future of the email business and its struggles with security than several years' worth of earnest press releases. Called AccountGuard, it's Microsoft's answer to the phenomenon of Russian phishing meddling with the US elections and the …
John E Dunn, 11 Sep 2018

Safari, Edge fans: Is that really the website you think you're visiting? URL spoof bug blabbed

A security researcher has disclosed a bug that could be abused to spoof website addresses in either Edge or Safari. Rafay Baloch told The Register that while Microsoft has since patched the flaw (CVE-2018-8383) in its browser, Apple has been dragging its feet on a fix for Safari for weeks, and the browser remains vulnerable …
Shaun Nichols, 11 Sep 2018

Register-Orbi-damned: Netgear account order irks infosec bods

Netgear has irked some security pros by demanding people register accounts before they can use a mobile app to control their Orbi mesh routers. Thus, you'll need a Netgear customer account to manage your network infrastructure, thereby "advertising to hackers everywhere that there’s a nice little honeypot on their servers, …
John Leyden, 10 Sep 2018

Tor(ched): Zerodium drops exploit for version 7 of anonymous browser

Bug broker Zerodium has released word of a flaw in the Tor browser that would potentially allow an attack site to bypass security protections and execute malicious code in the supposedly secure internet system. The flaw was disclosed in a Zerodium Tweet Monday morning that provides some detail on the nature of the flaw. …
Shaun Nichols, 10 Sep 2018

Arms race: SiFive, Hex Five build code safe houses for RISC-V chips

If you've been looking at SiFive's RISC-V-based chip technology and thinking, y'know what, it's missing an Arm TrustZone-style element to run sensitive code, well, here's some good news. And if you're just into processor design and checking out alternatives to Arm CPU cores, then this may be some interesting news. SiFive …
Thomas Claburn, 10 Sep 2018

Trend Micro tools tossed from Apple's Mac App Store after spewing fans' browser histories

Updated A bunch of Trend Micro anti-malware tools have vanished from Apple's Mac App Store – after they were spotted harvesting and siphoning off users' browser histories. Dr Cleaner, Dr Antivirus, and App Uninstall – utilities owned by the Japan-headquartered security house and distributed on the Mac App Store – are no longer …
Shaun Nichols, 10 Sep 2018

Sextortion scum armed with leaked credentials are persistent pests

Persistence pays off for crooks when it comes to sextortion-based phishing scams, research into its effectiveness suggests. One variant bombards prospective marks with threats to release non-existent footage of them watching smut unless they give in to demands. Cleverly, these threats are lent an air of authenticity by using …
John Leyden, 10 Sep 2018

Biting the hand that feeds IT © 1998–2018