Crypto boffins have found a way to exploit side-channel information to downgrade most of the current TLS implementations, thanks to ongoing support for outmoded RSA key exchanges. In a paper published on Friday, "The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations," co-authors Eyal Ronen, Robert …

Did your work printer produce a strange call to action this week, urging you to follow a tasteless twerp on YouTube, and then offer you a "bro fist" made up of punctuation marks? Hopefully not because if it did someone in your IT department has really screwed up and failed to patch a two-year-old security hole. But thousands …

Kaspersky Lab won't be getting its day in court after all, as the Washington DC Court of Appeals rejected its case against Uncle Sam. On Friday, the appeals court panel upheld an earlier district court ruling that Kaspersky could not bring a lawsuit against the US government in hopes of overturning the 2017 order that blocked …

Administrators overseeing lab environments would be well advised to double-check their network setups following the disclosure of serious flaws in a line of oscilloscopes. On Friday, SEC Consult said it had uncovered a set of high-impact vulnerabilities in electronic testing equipment made by Siglent Technologies. In …

Toff tat bazaar Sotheby's Home website has become the latest casualty of Magecart after a breach saw card-skimming code deployed by infosec rotters. The auction house said it "became aware" of the intrusion on 10 October when an "unknown third party" accessed and "inserted malicious code". This "depending on the security …

Boffins from Michigan State University in the US and National Chiao Tung University in Taiwan have found that the Wi-Fi calling services offered by AT&T, T-Mobile US, and Verizon suffer from four security flaws that can be exploited to attack mobile phone users, leaking private information, harassing them, or interfering with …

US hotel chain Marriott has admitted that a breach of its Starwood subsidiary's guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever. "On September 8, 2018, Marriott received an alert from an internal security …

A bored trainee secretary at a GP practice has been fined for snooping on the health records of colleagues, friends and strangers. Hannah Pepper has to pay £1,028.75 after she was found to have illegally accessed 231 patient files while working at the Fakenham Medical Practice in Norfolk, an eastern county in the UK (for US …

On CallWelcome once more to On Call, our weekly column where Reg readers share their tales of tech support problems solved. This week, meet "Arron", who told us about a user who got in touch to complain about a broken laptop, requesting a replacement. "I love it when they're vague and immediately go for the new-shiny-shiny approach …

Earlier this year, Akamai warned that vulnerabilities in Universal Plug'N'Play (UPnP) had been exploited by scumbags to hijack 65,000 home routers. In follow-up research released this week, it revealed little has changed. Having revisited its April probing, the web cache biz has come to the conclusion that the security …

AnalysisBritain's surveillance nerve-center GCHQ is trying a different tack in its effort to introduce backdoors into encrypted apps: reasonableness. In an essay by the technical director of the spy agency's National Cyber Security Centre, Ian Levy, and technical director for cryptanalysis at GCHQ, Crispin Robinson, the authors go out …

IBM is advising folks this week to check if they should update their Db2 database installations following the discovery of a potentially serious security vulnerability. Big Blue says that the flaw, designated CVE-2018-1897, is an elevation-of-privilege flaw that, if exploited, would allow a logged-in attacker to execute code …

Miscreants gained access to US healthcare billing vendor AccuDoc Solutions' database for about a week in September, exposing the data of at least 2.65 million people. North Carolina-based Atrium Health, a customer of AccuDoc Solutions, this week said it had been affected by the breach. The firm operates 44 hospitals across …

On the same day that certain types of British state-backed hacking now need a judge-issued warrant to carry out, GCHQ has lifted the veil and given the infosec world a glimpse inside its vuln-hoarding policies. The spying agency's internal Equities Process is the way by which it decides whether or not to tell tech vendors that …

The American Civil Liberties Union (ACLU) has filed a motion to find out what went on in a court case in which the US Department of Justice allegedly tried to make Facebook give it unencrypted access to Messenger calls. Facebook Messenger backdoor demand, bail in Bitcoin, and lots more READ MORE Claims about the secret …

Symantec says the biz that accused it of conspiring with others to avoid independent security audits is "less than honest" and driven by a "thirst for profits." "This is, at bottom, a case where one company’s thirst for profits has led it to brush aside the needs of its customers for more accurate testing of their computer …

Headphone maker Sennheiser is facing the music after being caught compromising the security of its customers. The vendor's Headsetup and Headsetup Pro applications install both a root certificate and its secret private key on Windows and Mac computers, which can be used, for instance, by scumbags to intercept and decrypt users …

Dell is resetting all customer passwords on its website after a hacker or hackers unknown infiltrated its internal network. Big Mike's server and PC biz says that the move is a precautionary measure after someone broke in and tried to get into a database containing customer names, email addresses, and hashed passwords, in what …

US prosecutors have this week charged two people believed to be behind the notorious SamSam ransomware outbreak. The Department of Justice claims Iranian nationals Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri masterminded the infection of more than 200 networks, including a handful of city governments and hospitals …

UK authorities should not be granted access to data held by American companies because British laws don't meet human rights obligations, nine nonprofits have said. In a letter to the US Department of Justice, organisations including Human Rights Watch and the Electronic Frontier Foundation set out their concerns about the UK's …

Microsoft issued a whole bunch of updates last night, including one to deal with an alarming bug in Windows Server 2016. Tucked innocuously among a swathe of fixes ranging from dealing with Russian time zone changes to fixing wobbly Hyper-V servers is the text: "Addresses an issue in File Explorer that sometimes deletes the …

A group of university researchers from around the globe have teamed up to develop what they say is a powerful new tool to root out security flaws. Known as AFLSmart, this fuzzing software is built on the powerful American Fuzzy Lop toolkit. We're told AFLSmart is pretty good at testing applications for common security flaws, …

A collection of cybersecurity companies, Google, and the Feds are sharing details on how they uncovered and dismantled a massive ad-fraud operation known as "3ve" (pronounced "Eve".) Google says that at its peak, the 3ve scam employed as many as 1.7 million hijacked devices to generate fake clicks on adverts, and made its …

ObitBaroness Trumpington, a wartime Bletchley Park transcriber who was part of the push to posthumously pardon Alan Turing, has died aged 96. As the daughter of a society family that had almost been ruined in the Wall Street Crash of 1929, Jean Campbell-Harris left school aged 15 "having never sat an exam but fluent in French, …

UpdatedThe UK’s data watchdog has slapped a £385,000 penalty on app-not-driving-service baddie Uber for security weak spots that attackers exploited to expose the details of millions of customers. Two fiends accessed the data after snatching login credentials for Uber's AWS S3 data stores from the firm's GitHub code repo. The hack, …

An NCC Group graduate trainee who emailed 300 coworkers to ask for help with what she deemed to be "unusual" behaviour from her Kali Linux VM; contacted the firm’s incident response team to complain about a faulty laptop; and said the machine had been "deliberately sabotaged", has had her victimisation claim thrown out by an …

Mark Dreyfus, the Labor opposition's shadow Attorney General, has offered a compromise on Australia's controversial encryption backdooring bill that could see it passed, but with its operation restricted to counter-terrorism agencies. The request for urgency, Dreyfus said, was driven by the government's “short term” concerns …

A widely used Node.js code library listed in NPM's warehouse of repositories was altered to include crypto-coin-stealing malware. The lib in question, event-stream, is downloaded roughly two million times a week by application programmers. This vandalism is a stark reminder of the dangers of relying on deep and complex webs of …

A Glaswegian business has been fined £160,000 for making 1.6 million nuisance calls to people on the UK's opt-out database – five years after it received a £90,000 fine which was also for dodgy dialling. "Bespoke" bedroom, kitchen and bathroom biz DM Design Bedrooms made this round of unsolicited calls between April and …

PromoDefending organisations against security attacks is an ongoing challenge, with new threats constantly emerging to test the beleaguered security professional. Heighten the skills and knowledge you need to square up to the cybercriminals at SANS London 2019 from 11-16 February. The week-long event provides the well-known SANS …

German chat platform Knuddels.de ("Cuddles") has been fined €20,000 for storing user passwords in plain text (no hash at all? Come on, people, it's 2018). The data of Knuddels users was copied and published by malefactors in July. In September, someone emailed the company warning them that user data had been published at …

The "Zip Slip" vulnerability that first emerged in June has claimed another victim – the Apache Hadoop YARN NodeManager daemon. Loose .zips sink chips: How poisoned archives can hack your computer READ MORE Apache's Akira Ajisaka disclosed the bug here. Zip Slip affects all Apache Hadoop versions except 3.1.1, 3.0.3, 2.8.5 …

After faking one's own death to defraud a life insurance company, it's best to avoid being photographed alive and well, particularly when border agents may be reviewing those photos. That's a lesson learned too late by Igor Vorotinov, age 54, who was just arrested in the Republic of Moldova and extradited to the US State of …

Germany has patched a key "e-government" service against possible impersonation attacks, and both private and public sector developers have been told to check their logs for evidence of exploits. In July, SEC Consult warned the country's federal computer emergency team at CERT-Bund that software supporting the government's nPA …

Diligent hackers have decided routers and cameras aren't enough, and have reportedly crafted Mirai variants targeting Linux servers. That unwelcome news came from Netscout, whose Matthew Bing wrote: "This is the first time we've seen non-IoT Mirai in the wild." Bing's post explained that the botmasters are trying to use a …

Boffins from the Netherlands and France claim that the word choices and sentence construction in President Donald Trump's tweets can be used more often than not for lie detection. In a paper distributed through ArXiv earlier this month, researchers Sophie van der Zee, Ronald Poppe, Alice Havrileck, and Aurelien Baillon – from …