UpdatedA vulnerability in Broadcom's cable modem firmware has left as many as 200 million home broadband gateways in Europe, and potentially more worldwide, at risk of remote hijackings. Four Danish researchers have demonstrated how a miscreant could exploit the hole, CVE-2019-19494, the wild: essentially, a victim is tricked into …

A Londoner who hacked the National Lottery using Sentry MBA and made off with just £5 will spend up to nine months in prison for his crimes. Anwar Batson, 29, of Lancaster Road in London's Notting Hill, was part of a group of miscreants who hacked into the National Lottery website in 2016. Batson, Crown prosecutor Suki Dhadda …

Cisco has released a fresh batch of security updates for its networking and comms gear lines. The high-priority patch this month is the fix for CVE-2019-16009, a cross-site request forgery, in the web UI of Cisco IOS and Cisco IOS XE that can be exploited to steal credentials from users via malicious links. "A successful …

UpdatedOn Wednesday, more than 50 advocacy groups accused Google of exploiting poor people by failing to police misbehaving Android apps on cheap phones. The advocacy groups, including the American Civil Liberties Union, Amnesty International, the Electronic Frontier Foundation, and Privacy International, to name a few, published an …

ExclusiveA database containing the personal details of 56.25m US residents – from names and home addresses to phone numbers and ages – has been found on the public internet, served from a computer with a Chinese IP address, bizarrely enough. The information silo appears to have been obtained somehow from Florida-based CheckPeople.com, …

Dixons Retail is facing a £500,000 penalty from the Information Commissioner’s Office (ICO) after a hacker installed malware that infected thousands of point of sale tills and scooped up 5.6 million payment card details. A probe by the UK’s data watchdog said the computer system managing the till was compromised, impacting 5, …

SHA-1 stands for Secure Hash Algorithm but version 1, developed in 1995, isn't secure at all. It has been vulnerable in theory since 2004 though it took until 2017 for researchers at CWI Amsterdam and Google to demonstrate a practical if somewhat costly collision attack. Last year, crypto-boffins Gaëtan Leurent, from Inria in …

Malware hunters are sounding the alarm over a new, more effective version of the North Korean "Apple Jeus" macOS software nasty. The team at Kaspersky Lab's Global Research and Analysis Team has dissected what they say is a 'sequel' to the 2018 outbreak that targeted users on cryptocurrency sites for account theft. Believed …

TikTok, a mobile video app popular with teens, was vulnerable to SMS spoofing attacks that could have led to the extraction of private information, according to infosec researchers. The app is used mainly by the youth of today to share and save short videos of themselves and friends, often set to a popular music track, with an …

ColumnSitting quietly in the upper corner of my browser's address bar, a counter rises as Disconnect thwarts requests to track me. Visiting well-behaved sites (such as El Reg), those numbers tick up more slowly. On others - I won't name and shame, except to note that they're a bit tired - the counter ticks up and over the two digits …

More than a week after its website and online services were taken offline by malware, foreign currency super-exchange Travelex continues to battle through what has become an increasingly damaging outage that may have unpatched VPN servers at its heart. London's Metropolitan Police confirmed to El Reg on Tuesday its officers …

CommentThe FBI has asked Apple to unlock two iPhones belonging to a murderer, potentially reviving a tense battle over encryption and the rights of law enforcement to digital devices. Mohammed Saeed Alshamrani, of the Saudi Royal Air Force, shot and killed three people and injured eight others at a US naval base in Pensacola, Florida …

Hackers are taking advantage of unpatched enterprise VPN setups ‒ specifically, a long-known bug in Pulse Secure's code ‒ to spread ransomware and other nasties. British infosec specialist Kevin Beaumont says a severe hole in Pulse Secure's Zero Trust Remote Access VPN software is being used by miscreants as the entry point …

Patting itself on its back for motivating software makers to fix 97.7 per cent of the vulnerabilities it identifies within its 90-day disclosure deadline, Google's bug-hunting unit Project Zero has decided to ease up on those racing to patch their flawed products. This month, Project Zero revised its Disclosure Policy so that …

Symantec’s parent Broadcom has offloaded its Cyber Security Services (CSS) operation to Accenture for an undisclosed sum. The unit flogs and provides global threat monitoring and analysis - among other things - via six security operation centres based in the US, UK, India, Australia, Singapore and Japan. The services, which …

German cycle-maker Canyon Bicycles GmbH has confirmed it was the victim of a security break-in over the holiday period that has all the hallmarks of a ransomware attack with parts of the infrastructure padlocked by the perpetrators. The digital burglars gained access to IT systems “shortly before the turn of the year”, the …

ExclusiveAn SQL injection vulnerability in the Government of Gibraltar's website paved the way for any old Joe to rewrite official web versions of the British Overseas Territory's laws. Security researcher Ax Sharma spotted the vuln while poring over the Gibraltar government's visa rules, which he accessed from the Gibraltar Borders …

At least three malicious apps with device-hijacking exploits have made it onto the Google Play Store in recent weeks. This is according to eggheads at Trend Micro, who found that the since-removed applications were all abusing a use-after-free() flaw in the operating system to elevate their privileges, and pull down and run …

With tensions soaring between America and Iran following the drone strike that killed top Persian general Qassem Soleimani, experts are weighing in on what the US could face should the Mid-East nation fully mobilize its cyber resources. The threat of an online attack from the wannabe-nuclear state was significant enough that …

GCHQ and its cyber-defence offshoot NCSC have both denied that they are investigating a cyber-attack on the London Stock Exchange, contrary to reports. The Wall Street Journal, normally a reliable source for news with a financial flavour, reported that British signals intelligence agency Government Communications Headquarters …

RoundupWelcome to the New Year: here are some security headlines that may have slipped past you during the gorging season. Tesla Wi-Fi taken for a ride by hackers The team at Tencent Keen Security Lab has done it again: hacking Tesla's Model S, in which the security shop's parent company has a significant stake. This time the Tesla …

A now-former senior IT exec has admitted conning his employer out of $6m – by setting up a fake tech services biz that billed his bosses for bogus services. US prosecutors announced on Friday that Hicham Kabbaj, 48, of Floral Park, Long Island, New York, pleaded guilty to one count of wire fraud. He faces up to 20 years in the …

Cisco is kicking off 2020 with the release of a crop of patches for its Data Center Network Manager. The updates address a total of 12 CVE-listed patches and range in severity from moderate to critical, though should all be patched regardless of rating. Nearly all were found within the REST and SOAP APIs. The immediate …

UpdatedIt appears the UK banking system is playing a fiscal game of Top Trumps as both Yorkshire and Clydesdale Bank followed yesterday's example set by Lloyds by not processing payments into customer accounts. Problems followed a similar pattern as customers checked their accounts this morning to find expected payments not turning …

Xiaomi has blamed some post-Christmas cache digestion problems after finding itself plonked on the naughty step by Google – which blocked the Chinese tech conglomerate's devices from its Nest Hub and Assistant last night. This follows a shocking glitch where one Xiaomi Mijia security camera owner was able to peer into the …

Foreign currency mega-exchange Travelex said on Thursday it was forced offline by a "software virus" infection, bring down a number of currency-exchange websites with it. In a statement shared on Thursday, the UK-headquartered biz said the digital nasty, first spotted on New Year's Eve, caused it to unplug its UK site and …

Corellium and Apple are once again trading allegations in a legal brouhaha over the former's virtual-iPhones-as-a-service operation. Over the Christmas break, the Cupertino phone flinger filed an amended complaint [PDF] against Corellium in the US state of Florida regarding the virtualized Arm-based instances Corellium offers …

A small Alaskan airline has suffered a curiously specific "cyber attack" that mostly affected its De Havilland Dash 8 airliners. RavnAir Group declared on 21 December that it had "experienced a malicious cyber attack on our company's IT network" the day before, causing it to cancel all of its flights operated with Dash 8s on …

TikTok is one of the fastest growing social apps, with more than 1.5 billion downloads. However, its Chinese origins have caused controversy in the US, leading some lawmakers to declare it a threat to national security. And now the US Army has banned soldiers from downloading the app on government-issued phones. Speaking to …

On CallFriday is upon us, and with it another On Call story from those poor souls who have to answer the phone when everything goes wrong. Not all heroes wear capes and, as we'll see, remember to ward their Linux servers from an enthusiastic boss. "Hans" is the contributor of today's tale, and his story takes place some 15 years ago …

A 22-year-old Londoner has been given 300 hours of community service and a State-enforced bedtime after trying to blackmail Apple with hundreds of millions of previously compromised login credentials. Kerem Albayrak, 22, demanded Apple give him $75,000 in crypto-currency or a thousand $100 iTunes gift cards. If the maker of …

SponsoredData and code are the lifeblood of digital organisations, and increasingly these are shared with others in order to achieve specific business goals. As such, data and code must be protected no matter where the workloads run, be they in on-premises data centers, remote cloud servers, or edge-of-the-network. Take medical images …

A critical vulnerability found in Citrix Application Delivery Controller and Citrix Gateway (formerly known as Netscaler ADC and Netscaler Gateway) means businesses with apps published using these technologies may be exposing their internal network to unauthorised access. Citrix (NetScaler) ADC is a load balancer and …

A popular UAE messaging app has been reportedly used by the country's government to spy on its population. This app, called ToTok, passed all the usual Google Play and Apple App Store checks. Huawei even promoted it via social media. On its Huawei Mobile Services MENA Facebook page, which has over 1.8 million likes, the …

A pharmacy that left around half a million documents, including customers' personal information and medical data, in unlocked storage at the back of its premises, has been fined £275,000 - a financial penalty the ICO has issued under the General Data Protection Regulation. UK data watchdog, the Information Commissioner’s …

RoundupHere's a catch-up of security news beyond everything else we've covered. Nearly 300 million Facebook profiles scraped, dumped online Once again a huge number of Facebook users have had their details lifted from their profiles, a fact that came to light when security researchers were scanning for open databases online. …