On the same day that certain types of British state-backed hacking now need a judge-issued warrant to carry out, GCHQ has lifted the veil and given the infosec world a glimpse inside its vuln-hoarding policies. The spying agency's internal Equities Process is the way by which it decides whether or not to tell tech vendors that …

The American Civil Liberties Union (ACLU) has filed a motion to find out what went on in a court case in which the US Department of Justice allegedly tried to make Facebook give it unencrypted access to Messenger calls. Facebook Messenger backdoor demand, bail in Bitcoin, and lots more READ MORE Claims about the secret …

Symantec says the biz that accused it of conspiring with others to avoid independent security audits is "less than honest" and driven by a "thirst for profits." "This is, at bottom, a case where one company’s thirst for profits has led it to brush aside the needs of its customers for more accurate testing of their computer …

Headphone maker Sennheiser is facing the music after being caught compromising the security of its customers. The vendor's Headsetup and Headsetup Pro applications install both a root certificate and its secret private key on Windows and Mac computers, which can be used, for instance, by scumbags to intercept and decrypt users …

Dell is resetting all customer passwords on its website after a hacker or hackers unknown infiltrated its internal network. Big Mike's server and PC biz says that the move is a precautionary measure after someone broke in and tried to get into a database containing customer names, email addresses, and hashed passwords, in what …

US prosecutors have this week charged two people believed to be behind the notorious SamSam ransomware outbreak. The Department of Justice claims Iranian nationals Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri masterminded the infection of more than 200 networks, including a handful of city governments and hospitals …

UK authorities should not be granted access to data held by American companies because British laws don't meet human rights obligations, nine nonprofits have said. In a letter to the US Department of Justice, organisations including Human Rights Watch and the Electronic Frontier Foundation set out their concerns about the UK's …

Microsoft issued a whole bunch of updates last night, including one to deal with an alarming bug in Windows Server 2016. Tucked innocuously among a swathe of fixes ranging from dealing with Russian time zone changes to fixing wobbly Hyper-V servers is the text: "Addresses an issue in File Explorer that sometimes deletes the …

A group of university researchers from around the globe have teamed up to develop what they say is a powerful new tool to root out security flaws. Known as AFLSmart, this fuzzing software is built on the powerful American Fuzzy Lop toolkit. We're told AFLSmart is pretty good at testing applications for common security flaws, …

A collection of cybersecurity companies, Google, and the Feds are sharing details on how they uncovered and dismantled a massive ad-fraud operation known as "3ve" (pronounced "Eve".) Google says that at its peak, the 3ve scam employed as many as 1.7 million hijacked devices to generate fake clicks on adverts, and made its …

ObitBaroness Trumpington, a wartime Bletchley Park transcriber who was part of the push to posthumously pardon Alan Turing, has died aged 96. As the daughter of a society family that had almost been ruined in the Wall Street Crash of 1929, Jean Campbell-Harris left school aged 15 "having never sat an exam but fluent in French, …

UpdatedThe UK’s data watchdog has slapped a £385,000 penalty on app-not-driving-service baddie Uber for security weak spots that attackers exploited to expose the details of millions of customers. Two fiends accessed the data after snatching login credentials for Uber's AWS S3 data stores from the firm's GitHub code repo. The hack, …

An NCC Group graduate trainee who emailed 300 coworkers to ask for help with what she deemed to be "unusual" behaviour from her Kali Linux VM; contacted the firm’s incident response team to complain about a faulty laptop; and said the machine had been "deliberately sabotaged", has had her victimisation claim thrown out by an …

Mark Dreyfus, the Labor opposition's shadow Attorney General, has offered a compromise on Australia's controversial encryption backdooring bill that could see it passed, but with its operation restricted to counter-terrorism agencies. The request for urgency, Dreyfus said, was driven by the government's “short term” concerns …

A widely used Node.js code library listed in NPM's warehouse of repositories was altered to include crypto-coin-stealing malware. The lib in question, event-stream, is downloaded roughly two million times a week by application programmers. This vandalism is a stark reminder of the dangers of relying on deep and complex webs of …

A Glaswegian business has been fined £160,000 for making 1.6 million nuisance calls to people on the UK's opt-out database – five years after it received a £90,000 fine which was also for dodgy dialling. "Bespoke" bedroom, kitchen and bathroom biz DM Design Bedrooms made this round of unsolicited calls between April and …

PromoDefending organisations against security attacks is an ongoing challenge, with new threats constantly emerging to test the beleaguered security professional. Heighten the skills and knowledge you need to square up to the cybercriminals at SANS London 2019 from 11-16 February. The week-long event provides the well-known SANS …

German chat platform Knuddels.de ("Cuddles") has been fined €20,000 for storing user passwords in plain text (no hash at all? Come on, people, it's 2018). The data of Knuddels users was copied and published by malefactors in July. In September, someone emailed the company warning them that user data had been published at …

The "Zip Slip" vulnerability that first emerged in June has claimed another victim – the Apache Hadoop YARN NodeManager daemon. Loose .zips sink chips: How poisoned archives can hack your computer READ MORE Apache's Akira Ajisaka disclosed the bug here. Zip Slip affects all Apache Hadoop versions except 3.1.1, 3.0.3, 2.8.5 …

After faking one's own death to defraud a life insurance company, it's best to avoid being photographed alive and well, particularly when border agents may be reviewing those photos. That's a lesson learned too late by Igor Vorotinov, age 54, who was just arrested in the Republic of Moldova and extradited to the US State of …

Germany has patched a key "e-government" service against possible impersonation attacks, and both private and public sector developers have been told to check their logs for evidence of exploits. In July, SEC Consult warned the country's federal computer emergency team at CERT-Bund that software supporting the government's nPA …

Diligent hackers have decided routers and cameras aren't enough, and have reportedly crafted Mirai variants targeting Linux servers. That unwelcome news came from Netscout, whose Matthew Bing wrote: "This is the first time we've seen non-IoT Mirai in the wild." Bing's post explained that the botmasters are trying to use a …

Boffins from the Netherlands and France claim that the word choices and sentence construction in President Donald Trump's tweets can be used more often than not for lie detection. In a paper distributed through ArXiv earlier this month, researchers Sophie van der Zee, Ronald Poppe, Alice Havrileck, and Aurelien Baillon – from …

Researchers in the Netherlands have confirmed that error-correcting code (ECC) protections can be thwarted to perform Rowhammer memory manipulation attacks. The Vrije Universiteit Amsterdam crew of Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, and Herbert Bos today said they have developed a viable method to precisely …

UpdatedAmazon has suffered a data snafu just days before Black Friday – and the company was tight-lipped about whether it had notified the British data protection authorities. Multiple Register readers forwarded us emails sent from Amazon's UK tentacle informing them that the online sales site had "inadvertently disclosed [their] …

Russian state-backed hacking crew Fancy Bear (aka APT28) is distributing malware-riddled files with a suggested link to the recent Lion Air crash in order to dupe government workers into downloading software nasties – and has developed a new remote-access trojan called Cannon, according to Palo Alto Networks. Researchers from …

Stop us if you've heard this one, but Microsoft has pulled a couple of buggy patches in Office. It also left a crash-worthy Outlook security fix in place. The two non-security patches were part of this month's Patch Tuesday, both for Office 2010. The patches in question were supposed to support Japan's upcoming epochal …

Oh the irony. A channel account rep trying to drum up business for security awareness training scored an own goal this week when he pressed the send to all option on an email to prospective clients. The rep, Charlie Hollinrake, works for KnowBe4, which describes itself as the "world's most popular integrated Security Awareness …

Special reportComputer science boffins have demonstrated a side-channel attack technique that bypasses recently-introduced privacy defenses, and makes even the Tor browser subject to tracking. The result: it is possible for malicious JavaScript in one web browser tab to spy on other open tabs, and work out which websites you're visiting. …

Get patching: data protection offerings in the Dell EMC Avamar range have four exploitable security bugs – one enabling remote code execution – and VMware's inherited the vulnerabilities, with fixes now available. The first two bugs were described in this post on the Full Disclosure mailing list on Tuesday. There's one remote …

RoundupAs America prepares for Thursday's Thanksgiving rituals of turkey, football, and awkward conversations with extended family, three organisations are going to have admins working overtime to clean up security messes. White House staffer Ivanka Trump joins tech icons Tesla and Tumblr in reporting embarrassing security-related- …

Australia's home affairs minister Peter Dutton wants the parliamentary inquiry into his proposed crypto-busting law to wind up its work, and send the draft rules back to legislators to approve, stat. This is the law that will let Aussie cops and intelligence agents pressure communication service providers into coughing up …

It's every sysadmin's worst nightmare: discovering that someone has planted a device in your network, among all your servers, and you have no idea where it came from nor what it does. What do you do? Well, one IT manager at a college in Austria decided the best bet was to get on Reddit and see what the tech hive mind could …

LastPass's cloud service suffered a five-hour outage today that left some people unable to use the password manager to log into their internet accounts. Its makers said offline mode wasn't affected – and that only its cloud-based password storage fell offline – although some Twitter folks disagreed. One claimed to be unable to …

Adobe has emitted software updates to address a critical vulnerability in Flash Player for Windows, Mac, and Linux. PC owners and admins will want to upgrade their copies of Flash to version 31.0.0.153 or later in order to get the patch – or just dump the damn thing all together. The November 20 security update addresses a …

Last week, in a attempt to address broadband router security, the German government published its suggestions for minimum standards – and came under immediate criticism that its proposals didn't go far enough. Germany's federal office for Information Security, the BSI, made its recommendations in this document (PDF), saying it …