Don’t want to incriminate yourself? Tough luck, you terrorist The Government Reviewer of Terrorism Laws has declared that safeguards protecting Britons from police workers demanding passwords for their devices must be watered down.… Advertise on IT Security News. Read…
Tag: The Register – Security
Ooh, watch out Google. You’ve got competition. Verizon has a new ‘privacy-focused’ search engine
Yep, the Verizon that sold subscribers’ location data Verizon has slung out a new, privacy-focused search engine in an effort to win over customers who prefer not to have their browsing habits tracked by ad-slingers and the like.… Advertise…
Still losing sleep over that awful Citrix bug? This scanner is here to help… you realize you’ve already been pwned
Handy FireEye tool roots out indicators of compromise Citrix and FireEye have released a new security tool to help admins find out if their servers have been hacked via the high-profile CVE-2019-19781 flaw that was disclosed in December but only…
Who honestly has a crown prince in their threat model? UN report officially fingers Saudi royal as Bezos hacker
Rapporteurs call for investigation, technical security report leaks The Crown Prince of Saudi Arabia, Mohammad Bin Salman, has been officially fingered as the man responsible for hacking Amazon CEO Jeff Bezos’ phone, causing a massive stir in diplomatic circles.… …
Safari’s Intelligent Tracking Protection is misspelled, says Google: It should be Dumb Browser Stalking Enabler
Chocolate Factory boffins doubt Apple can fix it, either Google security researchers have published details about the flaws they identified last year in Intelligent Tracking Protection (ITP), a privacy scheme developed by Apple’s WebKit team for the company’s Safari browser.……
Safari’s ‘Intelligent Tracking Protection’ is misspelled, says Google: It should be ‘dumb browser stalking enabler’
Chocolate Factory boffins doubt Apple can fix it, either Google security researchers have published details about the flaws they identified last year in Intelligent Tracking Protection (ITP), a privacy scheme developed by Apple’s WebKit team for the company’s Safari browser.……
WindiLeaks: Microsoft exposes 250 million customer support records dating back to 2005 (Not on purpose though)
Quickly shuttered partially redacted exposed DB, which included ‘internal notes marked as confidential’ Five identical Elasticsearch databases containing 250 million records of Microsoft customer support incidents were exposed on the internet for all to see for at least two days…
Academics call for UK’s Computer Misuse Act 1990 to be reformed
Report suggests public interest defences for infosec professionals, academics and journalists Britain’s main anti-hacker law, the Computer Misuse Act 1990, is “confused”, “outdated” and “ambiguous”, according to a group of pro-reform academics.… Advertise on IT Security News. Read the…
WindiLeaks: Microsoft exposes 250 million customer support records dating back to 2005. (Not on purpose though)
Quickly shuttered partially redacted exposed DB, which included ‘internal notes marked as confidential’ Five identical Elasticsearch databases containing 250 million records of Microsoft customer support incidents were exposed on the internet for all to see for at least two days…
Capita Education Services accidentally spaffs email addresses in Helpdesk snafu
Emailing stuff is hard, m’kay? Capita Education Services had a bit of an oopsie yesterday as a new helpdesk system spurted potentially thousands of email addresses at unsuspecting users.… Advertise on IT Security News. Read the complete article: Capita…
Crown Prince of Saudi Arabia accused of hacking Jeff Bezos’ phone with malware-laden WhatsApp message
Source of Amazon boss’s steamy pics might not be what was first thought Candid pictures used to threaten Amazon boss Jeff Bezos were exposed not by his current parmour’s brother, as some have suggested, but through a sophisticated hacking operation…
No backdoors needed: Apple ditched plans to fully encrypt iCloud backups after heavy pressure from FBI – claim
Convenient timing for this story to emerge Apple ditched plans to fully encrypt its iCloud backups two years ago after being pressured by the FBI, it is claimed.… Advertise on IT Security News. Read the complete article: No backdoors…
WTF, EFS? Experts warn Windows encryption could spawn nasty new ransomware
Redmond’s own security tools could be abused to create hard-to-scrub infections The encryption technology Microsoft uses to protect its own file system could also be turned into a weapon for ransomware attackers.… Advertise on IT Security News. Read the…
Leave your admin interface’s TLS cert and private key in your router firmware in 2020? Just Netgear things
Finding sparks debate over bug disclosure – and how to secure a local gateway’s web control panel Netgear left in its router firmware key ingredients needed to intercept and tamper with secure connections to its equipment’s web-based admin interfaces.… …
Leaving your admin interface’s TLS cert and private key in your router firmware in 2020? Just Netgear things
Finding sparks debate over bug disclosure – and how do you secure a local gateway’s web control panel Netgear left in its router firmware key ingredients needed to intercept and tamper with secure connections to its equipment’s web-based admin interfaces.……
As miscreants prey on thousands of vulnerable boxes, Citrix finally emits patches to fill in hijacking holes in Gateway and ADC
SD-WAN WANOP will have to wait a few days, though Citrix has rushed out official fixes for the well-publicised vuln in some of its server products after miscreants were seen deploying their own custom patches that left a backdoor open…
Citrix emits patches to stop RCE-holes fiddling with Gateway and ADC
SD-WAN WANOP will have to wait a few days, though Citrix has rushed out official fixes for the well-publicised vuln in some of its server products after miscreants were seen deploying their own custom patches that left a backdoor open…
Ubisoft sues handful of gamers for DDoSing Rainbow Six: Siege
Two Germans, a Nigerian, and a Dutchman walk into a bar. What happens next? A lawsuit, of course Game developer Ubisoft has lodged a claim against the owners of a website that allegedly sells DDoS attacks against the servers of…
LastPass stores passwords so securely, not even its users can access them
Login management service sulks in days-long TITSUP* for some Password manager LastPass appears to have had a big night out on Friday, to the point where the service needed a lenghty lie down over the weekend. In fact, for some…
Hospital hacker spared prison after plod find almost 9,000 cardiac images at his home
NHS working with cops and ICO to determine if patients must be told A Stoke-on-Trent hospital administrator has avoided prison after hacking his NHS trust and helping himself to almost 9,000 heart scan images.… Advertise on IT Security News.…
To catch a thief, go to Google with a geofence warrant – and it will give you all the details
Investigators ask Chocolate Factory to help them connect the geographic dots At 1030 on April 27, 2019, four unidentified individuals attempted to rob a Brinks armored truck parked outside of Michaels, an art supply and home decor store at the…
It’s Friday, the weekend has landed… and Microsoft warns of an Internet Explorer zero day exploited in the wild
Plus, WeLeakInfo? Not anymore! Roundup Welcome to another Reg roundup of security news.… Advertise on IT Security News. Read the complete article: It’s Friday, the weekend has landed… and Microsoft warns of an Internet Explorer zero day exploited in…
‘Friendly’ hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind
Congratulations, you’ve won a secret backdoor Hackers exploiting the high-profile Citrix CVE-2019-19781 flaw to compromise VPN gateways are now patching the servers to keep others out.… Advertise on IT Security News. Read the complete article: ‘Friendly’ hackers are seemingly…
‘Nice guy’ hackers are seemingly fixing the Citrix server hole, but leaving a nasty present behind
Leave the backdoor. Take the exploit. Hackers exploiting the high-profile Citrix CVE-2019-19781 flaw are now patching the servers to keep others out.… Advertise on IT Security News. Read the complete article: ‘Nice guy’ hackers are seemingly fixing the Citrix…
Stolen creds site WeLeakInfo busted by multinational cop op for data reselling
One Irishman and one Dutchman both nicked Two men have been arrested after Britain’s National Crime Agency and its international pals claimed the takedown of breached credentials-reselling website WeLeakInfo.… Advertise on IT Security News. Read the complete article: Stolen…
Unlocking news: We decrypt those cryptic headlines about Scottish cops bypassing smartphone encryption
New perspective on FBI, Interpol demands for backdoors Vid Police Scotland to roll out encryption bypass technology, as one publication reported this week, causing some Register readers to silently mouth: what the hell?… Advertise on IT Security News. Read…
Bad news: Windows security cert SNAFU exploits are all over the web now. Also bad: Citrix gateway hole mitigations don’t work for older kit
Good news: There is none. Well, apart from you can at least fully patch the Microsoft blunder Vid Easy-to-use exploits have emerged online for two high-profile security vulnerabilities, namely the Windows certificate spoofing bug and the Citrix VPN gateway hole.…
Spanking the pirates of corporate security? Try a Plimsoll
Execs don’t care to keep things shipshape if they don’t see a return…. so let’s MAKE them Column On New Year’s Eve 2019, the good ship Travelex struck the iceberg of ransomware. That’s not a good metaphor, to be honest:…
Attention security startup founders: Give your fledgling Brit biz a boost with Tech Nation’s free Cyber 2.0 school
Sign up now: The UK government’s scheme to help new companies grow and scale is back Promo If you need to get your new IT security company noticed, the Tech Nation Cyber programme is back, opening its doors for another…
Top Euro court tells cops, spies that yelling ‘national security’ isn’t enough to force ISPs to hand over massive piles of people’s private data
Decision is preliminary and unenforced, though a good start Analysis In a massive win for privacy rights, a preliminary ruling from the European Court of Justice (ECJ) has made clear that national security concerns do not override citizens’ data privacy.…
What do Brit biz consultants and X-rated cam stars have in common? Wide open… AWS S3 buckets on public internet
Exposed: Intimate… personal details belonging to thousands of folks A pair of misconfigured cloud-hosted file silos have left thousands of peoples’ sensitive info sitting on the open internet.… Advertise on IT Security News. Read the complete article: What do…
Yo, sysadmins! Thought Patch Tuesday was big? Oracle says ‘hold my Java’ with huge 334 security flaw fix bundle
House of Larry delivers massive update for 93 products Oracle has released a sweeping set of security patches across the breadth of its software line.… Advertise on IT Security News. Read the complete article: Yo, sysadmins! Thought Patch Tuesday…
Today’s webcast: Hackers don’t care if you’re big or small. Tune in to find out how to protect your mid-sized biz
EDR is an SMB’s best friend, says F-Secure Webcast We don’t want to spook anyone, but… cyber-criminals have been busy.… Advertise on IT Security News. Read the complete article: Today’s webcast: Hackers don’t care if you’re big or small.…
Updated your WordPress plugins lately? Here are 320,000 auth-bypassing reasons why you should
Another day, another critical set of flaws A pair of widely used WordPress plugins need to be patched on more than 320,000 websites to close down vulnerabilities that can be exploited to gain admin control of the web publishing software.……
Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows cert-spoofing bugs, RDP flaws…
Grab your Microsoft, Adobe, SAP, Intel, and VMware fixes now Patch Tuesday In the first Patch Tuesday of the year, Microsoft finds itself joined by Adobe, Intel, VMware, and SAP in dropping scheduled security updates.… Advertise on IT Security…
Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows code-signing bugs, RDP flaws…
Grab your Microsoft, Adobe, SAP, Intel, and VMware fixes now Patch Tuesday In the first Patch Tuesday of the year, Microsoft finds itself joined by Adobe, Intel, VMware, and SAP in dropping scheduled security updates.… Advertise on IT Security…
Apple calls BS on FBI, AG: We’re totally not dragging our feet in murder probe iPhone decryption. PS: No backdoors
This isn’t the way to make the Cook(ie) crumble Analysis Apple has responded to a demand from the United States’ Attorney General William Barr that it grant the FBI access to two iPhones used in a recent shooting by carefully…
Apple calls BS on FBI, AG: We’re totally not dragging our feet in murder probe iPhone decryption (PS: No backdoors)
This isn’t the way to make the Cook(ie) crumble Analysis Apple has responded to a demand from the United States’ Attorney General William Barr that it grant the FBI access to two iPhones used in a recent shooting by carefully…
Apple calls BS on FBI, AG Barr after iGiant accused of dragging its heels in murder probe iPhone decryption
That’s not the way to try and make the Cook(ie) crumble Analysis Apple has responded to a demand from the United States’ Attorney General William Barr that it grant the FBI access to two iPhones used in a recent shooting…
US hands UK ‘dossier’ on Huawei: Really! Still using their kit? That’s just… one… step… beyond
American security officials fly to London to ‘brief’ Boris It would be “nothing short of madness” to use Huawei gear in Britain’s 5G mobile networks, an American national security adviser has reportedly told UK Prime Minister Boris Johnson.… Advertise…
Relying on AT&T, Verizon and T-Mob US to protect you from SIM swapping? You better get used to disappointment
Study shows top telcos are naff at fending off cellphone number hijackings Four Princeton University eggheads have published a report showing that the five major US mobile carriers implement weak authentication techniques, leaving customers vulnerable to SIM-swapping attacks that transfer…
Someone needs to go back to school: Texas district fleeced for $2.3m after staff fall for devious phishing email
FBI probes massive fraud A miscreant managed to swipe $2.3m from a Texas school district after staff inadvertently wired large sums of public money to the crook’s bank account.… Advertise on IT Security News. Read the complete article: Someone…
Privacy activists beg Google to ban un-removable bloatware from Android
Open letter to Chocolate Factory’s Sundar Pichai penned by 50 campaign groups For much of Android’s existence, Google has adopted a relatively hands-off approach that lets manufacturers ship units with pre-installed bloatware which, in many cases, cannot be easily removed.…
Whirlybird-driving infosec boss fined after ranty Blackpool Airport air traffic control antics
His helicopter costs £550/hour to fly, don’t you know The managing director of a Manchester-based infosec firm has been fined for flying his helicopter into an air traffic control zone without permission, having first launched a rant at air traffic…
Whirlybird-driving infosec boss fined after ranty Blackpool Airport antics
His helicopter costs £550/hour to fly, don’t you know The managing director of a Manchester-based infosec firm has been fined for flying his helicopter into an air traffic control zone without permission, having first launched a rant at air traffic…
UK data watchdog kicks £280m British Airways and Marriott GDPR fines into legal long grass
Info Commish has £2m annual legal budget to face off with multinationals The UK Information Commissioner’s Office has kicked £280m in data breach fines against British Airways and US hotel chain Marriott into the long grass.… Advertise on IT…
If you haven’t shored up that Citrix hole, you were probably hacked over the weekend: Exploit code now available
Plus: TikTok clocked, Honey in a sticky situation, Arm’s PAN mechanisms sidestepped Roundup Welcome to another Register security roundup. Here are a few stories that caught our eye.… Advertise on IT Security News. Read the complete article: If you…
Hundreds of millions of Broadcom-based cable modems at risk of remote hijacking, eggheads fear
It’s got a name and logo so it’s serious, you guys A vulnerability in Broadcom’s cable modem firmware has left as many as 200 million home broadband gateways in Europe, and potentially more worldwide, at risk of remote hijackings.… …
National Lottery Sentry MBA hacker given nine months in jail after swiping just £5
‘You targeted a large charitable organisation’ thundered judge A Londoner who hacked the National Lottery using Sentry MBA and made off with just £5 will spend up to nine months in prison for his crimes.… Advertise on IT Security…
National Lottery Sentry MBA hacker gets 9 months in jail after swiping just £5
‘You targeted a large charitable organisation’ thundered judge A Londoner who hacked the National Lottery using Sentry MBA and made off with just £5 will spend up to nine months in prison for his crimes.… Advertise on IT Security…
Ding-dong: Cisco delivers your Patch Tuesday warm-up with WebEx, IOS fixes for a few irritating security holes
The main event is next week Cisco has released a fresh batch of security updates for its networking and comms gear lines.… Advertise on IT Security News. Read the complete article: Ding-dong: Cisco delivers your Patch Tuesday warm-up with…
Google scolded for depriving the poor of privacy after Chinese malware bundled on phones for hard-up Americans
To make matters worse, uninstalling it could cause even more pain On Wednesday, more than 50 advocacy groups accused Google of exploiting poor people by failing to police misbehaving Android apps on cheap phones.… Advertise on IT Security News.…
Google scolded for depriving the poor of privacy, accused of preloading malware on phones for hard-up Americans
To make matters worse, uninstalling it could cause even more pain On Wednesday, more than 50 advocacy groups accused Google of exploiting poor people by failing to police misbehaving Android apps on cheap phones.… Advertise on IT Security News.…
Why is a 22GB database containing 56 million US folks’ personal details sitting on the open internet using a Chinese IP address? Seriously, why?
If CheckPeople could take a look at this, that would be great Exclusive A database containing the personal details of 56.25m US residents – from names and home addresses to phone numbers and ages – has been found on the…
Dixons fined £500,000 by ICO for crap security that exposed 5.6 million customers’ payment cards
Malware loaded onto more than 5k cash tills but pre-GDPR screw-up means retailer dodged bigger financial bullet Dixons Retail is facing a £500,000 penalty from the Information Commissioner’s Office (ICO) after a hacker installed malware that infected thousands of point…
Hash snag: Security shamans shame SHA-1 standard, confirm crucial collisions citing circa $45k chip cost
Unsafe hashing algorithm really is unsafe SHA-1 stands for Secure Hash Algorithm but version 1, developed in 1995, isn’t secure at all. It has been vulnerable in theory since 2004 though it took until 2017 for researchers at CWI Amsterdam…
In a desperate bid to stay relevant in 2020’s geopolitical upheaval, N. Korea upgrades its Apple Jeus macOS malware
Nork cash grab nasty gets stealthier Malware hunters are sounding the alarm over a new, more effective version of the North Korean “Apple Jeus” macOS software nasty.… Advertise on IT Security News. Read the complete article: In a desperate…
TikTok on the clock, and the hacking won’t stop: SMS spoofing vuln let baddies twiddle teens’ social media videos
Uploads, deletions, private-to-public switcharoos, all bad stuff TikTok, a mobile video app popular with teens, was vulnerable to SMS spoofing attacks that could have led to the extraction of private information, according to infosec researchers.… Advertise on IT Security…
What if everyone just said ‘Nah’ to tracking?
Privacy is nearly dead, but we’re not even close to getting over it Column Sitting quietly in the upper corner of my browser’s address bar, a counter rises as Disconnect thwarts requests to track me. Visiting well-behaved sites (such as…
The Six Million Dollar Scam: London cops probe Travelex cyber-ransacking amid reports of £m ransomware demand, wide-open VPN server holes
We can rebuild him, we have the backups… er, right? More than a week after its website and online services were taken offline by malware, foreign currency super-exchange Travelex continues to battle through what has become an increasingly damaging outage…
If at first you don’t succeed, pry, pry again: Feds once again demand Apple unlock encrypted iPhones in yet another terrorism case
FBI, open up! Comment The FBI has asked Apple to unlock two iPhones belonging to a murderer, potentially reviving a tense battle over encryption and the rights of law enforcement to digital devices.… Advertise on IT Security News. Read…
That Pulse Secure VPN you’re using to protect your data? Better get it patched – or it’s going to be ransomware time
Plug this security bypass… if you can even find the boxes running it Hackers are taking advantage of unpatched enterprise VPN setups ‒ specifically, a long-known bug in Pulse Secure’s code ‒ to spread ransomware and other nasties.… Advertise…
Yeah, says Google Project Zero, when you think about it, going public with exploit deets immediately after a patch is emitted isn’t such a great idea
The Chocolate Factory’s bug hunters revise 90-day disclosure rules Patting itself on its back for motivating software makers to fix 97.7 per cent of the vulnerabilities it identifies within its 90-day disclosure deadline, Google’s bug-hunting unit Project Zero has decided…
Accenture pays for CSS injection from Symantec parent Broadcom: Yep, it bought its cybersecurity arm
Price tag undisclosed but we’re guessing it won’t have made seller rich Symantec’s parent Broadcom has offloaded its Cyber Security Services (CSS) operation to Accenture for an undisclosed sum.… Advertise on IT Security News. Read the complete article: Accenture…
Wheelie bad end to 2019 for Canyon Bicycles as hackers puncture IT systems
CEO confirms servers, software locked by perps German cycle-maker Canyon Bicycles GmbG has confirmed it was the victim of a security break-in over the holiday period that has all the hallmarks of a ransomware attack with parts of the infrastructure…
I’m the queen of Gibraltar and will never get a traffic ticket… just two of the things anyone could have written into country’s laws thanks to unsanitised SQL input vuln
Run sqlmap, edit online statutes, gain immunity for life? Exclusive A SQL injection vulnerability on the Government of Gibraltar’s website paved the way for any old Joe to rewrite official web versions of the British Overseas Territory’s laws.… Advertise…
Here we go again: Software nasties slip into Google Play, exploit make-me-root Android flaw for maximum pwnage
Apps spotted abusing use-after-free() bug seven months before patch At least three malicious apps with device-hijacking exploits have made it onto the Google Play Store in recent weeks.… Advertise on IT Security News. Read the complete article: Here we…
Cyber-warnings, cyber-speculation over cyber-Iran’s cyber-retaliation cyber-plans post-Soleimani assassination
Experts reckon regional infrastructure is in the cross-hairs With tensions soaring between America and Iran following the drone strike that killed top Persian general Qassem Soleimani, experts are weighing in on what the US could face should the Mid-East nation…
GCHQ: A cyber-what-now? Rumours of our probe into London Stock Exchange ‘cyberattack’ have been greatly exaggerated
Despite ‘people familiar with matter’ claiming otherwise to US news GCHQ and its cyber-defence offshoot NCSC have both denied that they are investigating a cyber-attack on the London Stock Exchange, contrary to reports.… Advertise on IT Security News. Read…
Tune in this month: What every small-to-medium biz can do to fend off cyber-crooks
Watch online and find out how to strengthen your arsenal of security measures with F-Secure Webcast Miscreants are constantly on the lookout for new ways to get at your data, becoming more dangerous all the time as a result.… …
Rowhammer rides again as FPGA attack, RSA again reportedly up for sale, anti-theft kit to nuke laptops, etc
Including: Tesla and a town hit hard by spear-phish bridge scammers Roundup Welcome to the New Year: here are some security headlines that may have slipped past you during the gorging season.… Advertise on IT Security News. Read the…
IT exec sets up fake biz, uses it to bill his bosses $6m for phantom gear, gets caught by Microsoft Word metadata
And now he faces up to 20 years in the slammer A now-former senior IT exec has admitted conning his employer out of $6m – by setting up a fake tech services biz that billed his bosses for bogus services.……
New year, new critical Cisco patches to install – this time for a dirty dozen of bugs that can be exploited to sidestep auth, inject commands, etc
Data Center Network Manager bugapalooza with three must-fix flaws Cisco is kicking off 2020 with the release of a crop of patches for its Data Center Network Manager.… Advertise on IT Security News. Read the complete article: New year,…
Brit banking sector hasn’t gone a single day of 2020 without something breaking
Yorkshire and Clydesdale latest to join ongoing game of TITSUP*manship It appears the UK banking system is playing a fiscal game of Top Trumps as both Yorkshire and Clydesdale Bank followed yesterday’s example set by Lloyds by not processing payments…
Don’t Xiaomi pics of other people’s places! Chinese kitmaker fingers dodgy Boxing Day cache update after Google banishes it from Home
Redditor finds security camera capturing stills from strangers’ cribs Google has plonked Xiaomi on the naughty step, blocking the Chinese tech conglomerate’s devices from its Nest Hub and Assistant, it has confirmed.… Advertise on IT Security News. Read the…
This page is currency unavailable… Travelex scrubs UK homepage, kills services, knackers other sites amid ‘software virus’ infection
Systems still toast since NYE compromise, manual processing only Foreign currency mega-exchange Travelex said on Thursday it was forced offline by a “software virus” infection, bring down a number of currency-exchange websites with it.… Advertise on IT Security News.…
And we now go live to Apple v Corellium, where the iTitan is still lobbing copyright fireballs at the virtual iPhone upstart
Cupertino says its software is being ripped off, virty cloud biz says jailbreaks are under attack Corellium and Apple are once again trading allegations in a legal brouhaha over the former’s virtual-iPhones-as-a-service operation.… Advertise on IT Security News. Read…
Oddly specific ‘cyber attack’ hits Alaskan airline RavnAir and one plane type
Dash 8? More like dash for the maintenance hangar A small Alaskan airline has suffered a curiously specific “cyber attack” that mostly affected its De Havilland Dash 8 airliners.… Advertise on IT Security News. Read the complete article: Oddly…
TikTok boom: US Army bans squaddies from using trendy app on govt-issued phones
Guess they’ll have to attract new recruits on the ‘Gram TikTok is one of the fastest growing social apps, with more than 1.5 billion downloads. However, its Chinese origins have caused controversy in the US, leading some lawmakers to declare…