Summary

Total Articles Found: 274

Top Articles:

  • Zoom's end-to-end encryption isn't actually end-to-end at all. Good thing the PM isn't using it for Cabinet calls. Oh, for f...
  • If you own one of these 45 Netgear devices, replace it: Kit maker won't patch vulnerable gear despite live proof-of-concept code
  • You may be distracted by the pandemic but FYI: US Senate panel OK's backdoors-by-the-backdoor EARN IT Act
  • Alleged Vault 7 leaker trial finale: Want to know the CIA's password for its top-secret hacking tools? 123ABCdef
  • Laptops given to British schools came preloaded with remote-access worm
  • That's it. It's over. It's really over. From today, Adobe Flash Player no longer works. We're free. We can just leave
  • 2001: Linux is cancer, says Microsoft. 2019: Hey friends, ah, can we join the official linux-distros mailing list, plz?
  • Three middle-aged Dutch hackers slipped into Donald Trump's Twitter account days before 2016 US election
  • Let's Encrypt? Let's revoke 3 million HTTPS certificates on Wednesday, more like: Check code loop blunder strikes
  • WTF is Boeing on? Not just customer databases lying around on the web. 787 jetliner code, too, security bugs and all

Police allege 'evil twin' of in-flight Wi-Fi used to steal passenger's credentials

Published: 2024-07-01 05:45:09

Popularity: 30

Author: Simon Sharwood

LLM Says: "Flying hack!"

Fasten your seat belts, secure your tray table, and try not to give away your passwords

Australia's Federal Police (AFP) has charged a man with running a fake Wi-Fi network on at least one commercial flight and using it to harvest flier credentials for email and social media services.…

Traeger security bugs bad news for grillers with neighborly beef

Published: 2024-07-03 16:24:09

Popularity: 64

Author: Connor Jones

LLM Says: "Burned neighbors"

Never risk it when it comes to brisket – make sure those updates are applied

Keen meatheads better hope they haven't angered any cybersecurity folk before allowing their Traeger grills to update because a new high-severity vulnerability could be used for all kinds of high jinks.…

TeamViewer says Russia broke into its corp IT network

Published: 2024-06-28 19:00:44

Popularity: 81

Author: Chris Williams

LLM Says: "Russian hackers caught"

Same APT29 crew that hit Microsoft and SolarWinds. How close were we to a mega backdoor situation?

Updated: TeamViewer says it was Russian intelligence that broke into its systems this week.…

'Almost every Apple device' vulnerable to CocoaPods supply chain attack

Published: 2024-07-02 07:32:06

Popularity: 31

Author: Brandon Vigliarolo

LLM Says: "Vulnerable iOS"

Dependency manager used in millions of apps leaves a bitter taste

CocoaPods, an open-source dependency manager used in over three million applications coded in Swift and Objective-C, left thousands of packages exposed and ready for takeover for nearly a decade – thereby creating opportunities for supply chain attacks on iOS and macOS apps, according to security researchers.…

EU attempt to sneak through new encryption-eroding law slammed by Signal, politicians

Published: 2024-06-18 22:22:06

Popularity: 12

Author: Thomas Claburn

LLM Says: "Signal fail 🚫🔒"

If you call 'client-side scanning' something like 'upload moderation,' it still undermines privacy, security

On Thursday, the EU Council is scheduled to vote on a legislative proposal that would attempt to protect children online by disallowing confidential communication.…

Suspected bosses of $430M dark-web Empire Market charged in US

Published: 2024-06-17 20:13:02

Popularity: 9

Author: Jessica Lyons

LLM Says: "Dark web bust"

Dopenugget and Zero Angel may face life behind bars if convicted

The two alleged administrators of Empire Market, a dark-web bazaar that peddled drugs, malware, digital fraud, and other illegal stuff, have been detained on charges related to owning and operating the illicit souk.…

Arm security defense shattered by speculative execution 95% of the time

Published: 2024-06-18 01:11:09

Popularity: 18

Author: Thomas Claburn

LLM Says: "Speculative fail"

'TikTag' security folks find anti-exploit mechanism rather fragile

In 2018, chip designer Arm introduced a hardware security feature called Memory Tagging Extensions (MTE) as a defense against memory safety bugs. But it may not be as effective as first hoped.…

Stanford Internet Observatory wilts under legal pressure during election year

Published: 2024-06-14 21:38:05

Popularity: 32

Author: Thomas Claburn

LLM Says: "Censored"

Because who needs disinformation research at times like these

The Stanford Internet Observatory (SIO), which for the past five years has been studying and reporting on social media disinformation, is being reimagined with new management and fewer staff following the recent departure of research director Renee DiResta.…

Hudson Rock yanks report fingering Snowflake employee creds snafu for mega-leak

Published: 2024-06-04 02:25:07

Popularity: 9

Author: Jessica Lyons

LLM Says: "Snowflaking fail"

Cloud storage giant lawyers up against infosec house

Analysis: Hudson Rock, citing legal pressure from Snowflake, has removed its online report that claimed miscreants broke into the cloud storage and analytics giant's underlying systems and stole data from potentially hundreds of customers including Ticketmaster and Santander Bank.…

Spam blocklist SORBS closed by its owner, Proofpoint

Published: 2024-06-07 06:27:13

Popularity: 42

Author: Simon Sharwood

LLM Says: "Blocked and deleted"

Spammers will probably bid to buy it, so community is trying to find a better home for decades-old service

Exclusive: The Spam and Open Relay Blocking System (SORBS) – a longstanding source of info on known sources of spam widely used to create blocklists – has been shuttered by its owner, cyber security software vendor Proofpoint.…

Japanese government rejects Yahoo! infosec improvement plan

Published: 2024-04-17 05:44:08

Popularity: 12

Author: Simon Sharwood

Just doesn't believe it will sort out the mess that saw data leak from LINE messaging app

Japan's government has considered the proposed security improvements developed by Yahoo!, found them wanting, and ordered the onetime web giant to take new measures.…

NVD slowdown leaves thousands of vulnerabilities without analysis data

Published: 2024-03-22 13:45:07

Popularity: 17

Author: Steven J. Vaughan-Nichols

Security world reacts as NIST does a lot less of oft criticized, 'almost always thankless' work

Opinion: The United States National Institute of Standards and Technology (NIST) has almost completely stopped adding analysis to Common Vulnerabilities and Exposures (CVEs) listed in the National Vulnerability Database. That means big headaches for anyone using CVEs to maintain their security.…

Exposed: Chinese smartphone farms that run thousands of barebones mobes to do crime

Published: 2024-03-21 06:32:13

Popularity: 16

Author: Laura Dobberstein

Operators pack twenty phones into a chassis – then rack 'em and stack 'em ready to do evil

Chinese upstarts are selling smartphone motherboards – and kit to run and manage them at scale – to operators of outfits that use them to commit various scams and crimes, according to an undercover investigation by state television broadcaster China Central Television (CCTV) revealed late last week.…

Forget TikTok – Chinese spies want to steal IP by backdooring digital locks

Published: 2024-03-14 23:35:06

Popularity: 30

Author: Jessica Lyons

Uncle Sam can use this snooping tool, too, but that's beside the point

Updated: There's another Chinese-manufactured product – joining the likes of TikTok, cars and semiconductors – that poses a national security risk to Americans: Electronic locks, such as those used in safes.…

Font security 'still a Helvetica of a problem' says Australian graphics outfit Canva

Published: 2024-03-08 03:57:10

Popularity: 21

Author: Laura Dobberstein

Who knew that unzipping a font archive could unleash a malicious file

Online graphic design platform Canva went looking for security problems in fonts, and found three – in "strange places."…

Microsoft confirms Russian spies stole source code, accessed internal systems

Published: 2024-03-08 16:56:46

Popularity: 115

Author: Jessica Lyons

Still 'no evidence' of any compromised customer-facing systems, we're told

Microsoft has now confirmed that the Russian cyberspies who broke into its executives' email accounts stole source code and gained access to internal systems. The Redmond giant also characterized the intrusion as "ongoing."…

Judge orders NSO to cough up Pegasus super-spyware source code

Published: 2024-03-01 21:34:29

Popularity: 31

Author: Thomas Claburn

/* Hope no one ever reads these functions lmao */

NSO Group, the Israel-based maker of super-charged snoopware Pegasus, has been ordered by a federal judge in California to share the source code for "all relevant spyware" with Meta's WhatsApp.…

European Court of Human Rights declares backdoored encryption is illegal

Published: 2024-02-15 07:26:08

Popularity: 49

Author: Thomas Claburn

Surprising third-act twist as Russian case means more freedom for all

The European Court of Human Rights (ECHR) has ruled that laws requiring crippled encryption and extensive data retention violate the European Convention on Human Rights – a decision that may derail European data surveillance legislation known as Chat Control.…

Ivanti discloses fifth vulnerability, doesn't credit researchers who found it

Published: 2024-02-09 21:30:14

Popularity: 27

Author: Connor Jones

Software company's claim of there being no active exploits also being questioned

In disclosing yet another vulnerability in its Connect Secure, Policy Secure, and ZTA gateways, Ivanti has confused the third-party researchers who discovered it.…

Raspberry Pi Pico cracks BitLocker in under a minute

Published: 2024-02-07 15:30:09

Popularity: 145

Author: Richard Speed

Windows encryption feature defeated by $10 and a YouTube tutorial

We're very familiar with the many projects in which Raspberry Pi hardware is used, from giving old computers a new lease of life through to running the animated displays so beloved by retailers. But cracking BitLocker? We doubt the company will be bragging too much about that particular application.…

Wikileaks source and former CIA worker Joshua Schulte sentenced to 40 years jail

Published: 2024-02-02 03:58:11

Popularity: 11

Author: Laura Dobberstein

'Vault 7' leak detailed cyber-ops including forged digital certs

Joshua Schulte, a former CIA employee and software engineer accused of sharing material with WikiLeaks, was sentenced to 40 years in prison by the US Southern District of New York on Thursday.…

Critical vulnerability in Mastodon is pounced upon by fast-acting admins

Published: 2024-02-02 18:32:09

Popularity: 16

Author: Connor Jones

Danger of remote account takeovers leaves lead devs scared of releasing many details

Mastodon has called admins to action following the disclosure of a critical vulnerability affecting the decentralized social network favored by erstwhile Twitter lovers.…

SolarWinds slams SEC lawsuit against it as 'unprecedented' victim blaming

Published: 2024-01-29 20:52:28

Popularity: 11

Author: Jessica Lyons Hardcastle

18,000 customers, including the Pentagon and Microsoft, may have other thoughts

SolarWinds – whose network monitoring software was backdoored by Russian spies so that the biz's customers could be spied upon – has accused America's financial watchdog of seeking to "revictimise the victim" after the agency sued it over the 2020 attack.…

Jenkins jitters as 45,000 servers still vulnerable to RCE attacks after patch released

Published: 2024-01-30 17:45:15

Popularity: 9

Author: Connor Jones

Multiple publicly available exploits have since been published for the critical flaw

The number of public-facing installs of Jenkins servers vulnerable to a recently disclosed critical vulnerability is in the tens of thousands.…

SSH shaken, not stirred by Terrapin vulnerability

Published: 2023-12-20 08:34:11

Popularity: 12

Author: Connor Jones

No need to panic, but grab those updates or mitigations anyway just to be safe

A vulnerability in the SSH protocol can be exploited by a well-placed adversary to weaken the security of people's connections, if conditions are right.…

Mozilla decides Trusted Types is a worthy security feature

Published: 2023-12-21 11:03:11

Popularity: 11

Author: Thomas Claburn

DOM-XSS attacks have become scarce on Google websites since TT debuted

Mozilla last week revised its position on a web security technology called Trusted Types, which it has decided to implement in its Firefox browser.…

Four in five Apache Struts 2 downloads are for versions featuring critical flaw

Published: 2023-12-21 14:13:13

Popularity: 16

Author: Connor Jones

Seriously, people - please check the stuff you fetch more carefully

Security vendor Sonatype believes developers are failing to address the critical remote code execution (RCE) vulnerability in the Apache Struts 2 framework, based on recent downloads of the code.…

Lapsus$ teen sentenced to indefinite detention in hospital for Nvidia, GTA cyberattacks

Published: 2023-12-21 22:15:10

Popularity: 23

Author: Jessica Lyons Hardcastle

Arion Kurtaj will remain hospitalized until a mental health tribunal says he can leave

Two British teens who were members of the Lapsus$ gang have been sentenced for their roles in a cyber-crime spree that included compromising Uber, Nvidia, and fintech firm Revolut, and also blackmailing Grand Theft Auto maker Rockstar Games.…

CEO arranged his own cybersecurity, with predictable results

Published: 2023-12-29 08:01:05

Popularity: 15

Author: Simon Sharwood

Cleaning up after hackers is easy compared to surviving the politics of consultancy

On Call: It’s the last Friday of 2023, but because the need for tech support never goes away neither does On Call, The Register’s Friday column in which readers share their tales of being asked to fix the unfeasible, in circumstances that are often indefensible.…

BreachForums boss busted for bond blunders – including using a VPN

Published: 2024-01-05 14:35:12

Popularity: 10

Author: Connor Jones

Fitzpatrick faces potentially decades in prison later this month, so may as well get some foreign Netflix in beforehand

The cybercriminal behind BreachForums was this week arrested for violating the terms of his pretrial release and will now be held in custody until his sentencing hearing.…

Bug hunters on your marks: TETRA radio encryption algorithms to enter public domain

Published: 2023-11-14 08:00:09

Popularity: 18

Author: Jessica Lyons Hardcastle

Emergency comms standard had five nasty flaws but will be opened to academic research

A set of encryption algorithms used to secure emergency radio communications will enter the public domain after an about-face by the European Telecommunications Standards Institute (ETSI).…

Ex-GCHQ software dev jailed for stabbing NSA staffer

Published: 2023-11-03 19:02:51

Popularity: 18

Author: Connor Jones

Terrorist ideology suspected to be motivation

A former software developer for Britain's cyberspy agency is facing years in the slammer after being sentenced for stabbing a National Security Agency (NSA) official multiple times.…

Stop what you’re doing and patch this critical Confluence flaw, warns Atlassian

Published: 2023-10-31 05:05:59

Popularity: 11

Author: Simon Sharwood

Risk of ‘significant data loss’ for on-prem customers

Atlassian has told customers they “must take immediate action” to address a newly discovered flaw in its Confluence collaboration tool.…

Ace holed: Hardware store empire felled by cyberattack

Published: 2023-10-31 17:33:06

Popularity: 197

Author: Richard Speed

US outfit scrambles to repair operations, restore processing of online orders

Ace Hardware appears to have been the latest organization to succumb to a cyberattack, judging by its website and a message from CEO John Venhuizen.…

DoJ: Ex-soldier tried to pass secrets to China after seeking a 'subreddit about spy stuff'

Published: 2023-10-09 15:15:15

Popularity: 19

Author: Jude Karabus

FBI agent claims sergeant with top clearance offered access to DoD tech systems

A former US Army Sergeant with Top Secret US military clearance created a Word document entitled "Important Information to Share with Chinese Government," according to an FBI agent's sworn declaration.…

Fresh curl tomorrow will patch 'worst' security flaw in ages

Published: 2023-10-10 14:30:08

Popularity: 25

Author: Richard Speed

It’s bad, folks. Pair of CVEs incoming on October 11

Updated: Start your patch engines – a new version of curl is due tomorrow that addresses a pair of flaws, one of which lead developer Daniel Stenberg describes as "probably the worst curl security flaw in a long time."…

Squid games: 35 security holes still unpatched in proxy after 2 years, now public

Published: 2023-10-13 00:21:34

Popularity: 37

Author: Jessica Lyons Hardcastle

We'd like to say don't panic … but maybe?

35 vulnerabilities in the Squid caching proxy remain unfixed more than two years after being found and disclosed to the open source project's maintainers, according to the person who reported them.…

Ex-Navy IT manager gets 5 years in slammer for 2018 database heist

Published: 2023-10-19 14:01:08

Popularity: 14

Author: Connor Jones

Seafaring cybercrim's wife faces similar sentence next month

A former IT manager for the US Navy is facing a five-and-a-half year prison sentence for selling thousands of people's personal records on the dark web.…

1Password confirms attacker tried to pull list of admin users after Okta intrusion

Published: 2023-10-24 15:15:23

Popularity: 27

Author: Connor Jones

Says logins are safe, as high-profile customers complain they knew about the breach before Okta

1Password is confirming it was attacked by cyber criminals after Okta was breached for the second time in as many years, but says customers' login details are safe.…

Equifax scores £11.1M slap on wrist over 2017 mega breach

Published: 2023-10-13 12:46:38

Popularity: 28

Author: Connor Jones

Not quite a pound for every one of the 13.8 million affected UK citizens, and it could have been more

The UK's Financial Conduct Authority (FCA) has fined Equifax a smidge over £11 million ($13.6 million) for severe failings that put millions of consumers at risk of financial crime.…

Microsoft Bing Chat pushes malware via bad ads

Published: 2023-09-29 20:54:11

Popularity: 21

Author: Thomas Claburn

From AI to just plain aaaiiiee!

Microsoft introduced its Bing Chat AI search assistant in February and a month later began serving ads alongside it to help cover costs.…

Signal adopts new alphabet jumble to protect chats from quantum computers

Published: 2023-09-20 20:28:11

Popularity: 16

Author: Thomas Claburn

X3DH readied for retirement as PQXDH is rolled out

Signal has adopted a new key agreement protocol in an effort to keep encrypted Signal chat messages protected from any future quantum computers.…

Ex-Ubiquiti dev jailed for 6 years after stealing internal corp data, extorting bosses

Published: 2023-05-12 20:28:05

Popularity: 16

Author: Jessica Lyons Hardcastle

Momentary lapse in VPN led to stretch in the cooler, $1.6m bill

Nickolas Sharp has been sentenced to six years in prison and ordered to pay almost $1.6 million to his now-former employer Ubiquiti – after stealing gigabytes of corporate data from the biz and then trying to extort almost $2 million from his bosses while posing as an anonymous hacker.…

Google settles location tracking lawsuit for only $39.9M

Published: 2023-05-22 14:45:07

Popularity: 36

Author: Brandon Vigliarolo

Also, more OEM Android malware, Google's bug reports (mostly) ditch CVEs, and this week's critical vulns

In brief: Google has settled another location tracking lawsuit, yet again being fined a relative pittance.…

Amazon Ring, Alexa accused of every nightmare IoT security fail you can imagine

Published: 2023-06-01 06:33:10

Popularity: 280

Author: Simon Sharwood

Staff able to watch customers in the bathroom? Tick! Obviously shabby infosec? Tick! Training AI as an excuse for data retention? Tick!

America's Federal Trade Commission has made Amazon a case study for every cautionary tale about how sloppily designed internet-of-things devices and associated services represent a risk to privacy – and made the cost of those actions, as alleged, a mere $30.8 million.…

That 3CX supply chain attack keeps getting worse: Other vendors hit

Published: 2023-04-24 03:27:05

Popularity: 23

Author: Brandon Vigliarolo

Also, Finland sentences CEO of breach company to prison (kind of), and this week's laundry list of critical vulns

In Brief: We thought it was probably the case when the news came out, but now it's been confirmed: The X_Trader supply chain attack behind the 3CX compromise last month wasn't confined to the telco developer.…

Warning on SolarWinds-like supply-chain attacks: 'They're just getting bigger'

Published: 2023-03-03 11:33:13

Popularity: 38

Author: Jessica Lyons Hardcastle

Industry hasn't 'improved much at all' Mandiant's Eric Scales tells us

SCSW: Back in 2020, Eric Scales led the incident response team investigating a state-backed software supply-chain attack that compromised application build servers and led to infections at government agencies and tech giants including Microsoft and Intel.…

Google: You get crypto, you get crypto, almost everyone gets email crypto!

Published: 2023-03-01 01:38:14

Popularity: 6

Author: Jessica Lyons Hardcastle

Personal Gmail users still out of luck

Google continued its client-side encryption rollout, the feature generally available to some Gmail and Calendar users who can now send and receive encrypted messages and meeting invites.…

Feeling VEXed by software supply chain security? You’re not alone

Published: 2023-02-28 01:01:13

Popularity: 12

Author: Jessica Lyons Hardcastle

Chainguard CEO explains how to secure code given crims know to poison it at the source

SCSW: The vast majority of off-the-shelf software is composed of imported components, whether that's open source libraries or proprietary code. And that spells a security danger: if someone can subvert one of those components, they can infiltrate every installation of applications using those dependencies.…

Chromebook SH1MMER exploit promises admin jailbreak

Published: 2023-01-30 22:45:14

Popularity: 29

Author: Thomas Claburn

Schools' laptops are out if this one gets around, tho beware bricking

Users of enterprise-managed Chromebooks now, for better or worse, have a way to break the shackles of administrative control through an exploit called SH1MMER.…

School laptop auction devolves into extortion allegation

Published: 2023-02-06 07:32:11

Popularity: 29

Author: Brandon Vigliarolo

Also: Atlassian says Jira has a 9.4 severity bug and the TSA issues milquetoast no-fly list security advisory

When a Texas school district sold some old laptops at auction last year, it probably didn't expect to end up in a public legal fight with a local computer repair shop – but a debate over what to do with district data found on the liquidated machines has led to precisely that.…

Codebreakers decipher Mary, Queen of Scots' secret letters 436 years after her execution

Published: 2023-02-09 08:30:05

Popularity: 41

Author: Jessica Lyons Hardcastle

Digital sleuths chop through crypto challenge in 'surreal' search

A team of codebreakers discovered – and then cracked – more than 50 secret letters written by Mary Stuart, Queen of Scots while she was imprisoned in England by her cousin, Queen Elizabeth I.…

Intel patches up SGX best it can after another load of security holes found

Published: 2023-02-15 20:40:11

Popularity: 17

Author: Dan Robinson

Plus bugs squashed in Server Platform Services and more

Intel's Software Guard Extensions (SGX) are under the spotlight again after the chipmaker disclosed several newly discovered vulnerabilities affecting the tech, and recommended users update their firmware.…

Stolen info on 400m+ Twitter accounts seemingly up for sale

Published: 2022-12-27 20:01:53

Popularity: 66

Author: Iain Thomson

Plus: Cracked Piers Morgan spews offensive tweets, not the usual kind

Updated: A miscreant this Christmas weekend said they are willing to sell public and private info on more than 400 million Twitter accounts.…

'Fully undetectable' Windows backdoor gets detected

Published: 2022-10-18 20:14:08

Popularity: 28

Author: Thomas Claburn

SafeBreach supposedly spots somewhat stealthy subversive software

SafeBreach Labs says it has detected a novel fully undetectable (FUD) PowerShell backdoor, which calls into question the accuracy of threat naming.…

Dropbox admits 130 of its private GitHub repos were copied after phishing attack

Published: 2022-11-01 23:52:06

Popularity: 207

Author: Simon Sharwood

Personal info and data safe, stolen code not critical, apparently

Dropbox has said it was successfully phished, resulting in someone copying 130 of its private GitHub code repositories and swiping some of its secret API credentials.…

Former Apple worker pleads guilty to $17m mail and wire fraud charges

Published: 2022-11-02 13:00:51

Popularity: 7

Author: Paul Kunert

Nefarious schemes included harvesting motherboard components and selling them back to Apple

A one-time Apple employee working as a buyer within the iGiant's supply chain department has pleaded guilty to mail and wire fraud charges spanning multiple years, ultimately costing the company $17 million.…

DoJ ‘very disappointed’ with probation sentence for Capital One hacker Paige Thompson

Published: 2022-10-05 05:31:06

Popularity: 18

Author: Simon Sharwood

‘This is not what justice looks like’ says official on sanction for leak of 100 million records

Convicted wire fraud perpetrator Paige Thompson (aka "erratic") has been sentenced to time served and five years of probation with location and computer monitoring, prompting U.S. Attorney Nick Brown to label the sanctions unsatisfactory.…

WordPress-powered sites backdoored after FishPig suffers supply chain attack

Published: 2022-09-15 02:12:07

Popularity: 28

Author: Brandon Vigliarolo

And two other security snafus in this web publishing world

It's only been a week or so, and obviously there are at least three critical holes in WordPress plugins and tools that are being exploited in the wild right now to compromise loads of websites.…

Uber reels from 'security incident' in which cloud systems seemingly hijacked

Published: 2022-09-16 03:13:43

Popularity: 165

Author: Simon Sharwood

AWS and G Suite admin accounts likely popped, HackerOne bug bounty page hit, and more

Updated: Uber is tonight reeling from what looks like a substantial cybersecurity breach.…

School chat app Seesaw abused to send 'inappropriate image' to parents, teachers

Published: 2022-09-16 21:45:39

Popularity: 31

Author: Jessica Lyons Hardcastle

This is why we don't reuse passwords, kids

Parents and teachers received a link to an "inappropriate image" this week via Seesaw after miscreants hijacked accounts in a credential stuffing attack against the popular school messaging app.…

Malwarebytes blocks Google, YouTube as malware

Published: 2022-09-21 15:56:01

Popularity: 96

Author: Jessica Lyons Hardcastle

Sounds like fair comment

Updated: Google and its YouTube domains are being flagged as malicious by Malwarebytes as of Wednesday morning, blocking users from accessing a whole range of websites.…

GPT-3 'prompt injection' attack causes bad bot manners

Published: 2022-09-19 13:37:53

Popularity: 13

Author: Brandon Vigliarolo

Also, EA goes kernel-deep to stop cheaters, PuTTY gets hijacked by North Korea, and more.

In Brief: OpenAI's popular natural language model GPT-3 has a problem: It can be tricked into behaving badly by doing little more than telling it to ignore its previous orders.…

Shape-shifting cryptominer savages Linux endpoints and IoT

Published: 2022-09-10 11:00:07

Popularity: 38

Author: Brandon Vigliarolo

Also, Authorities seize WT1SHOP selling 5.8m sets of PII, The North Face users face tough security hike

In brief: AT&T cybersecurity researchers have discovered a sneaky piece of malware targeting Linux endpoints and IoT devices in the hopes of gaining persistent access and turning victims into crypto-mining drones.…

PyPI warns of first-ever phishing campaign against its users

Published: 2022-08-26 19:21:03

Popularity: 21

Author: Thomas Claburn

On the bright side, top devs are getting hardware security keys

The Python Package Index, better known among developers as PyPI, has issued a warning about a phishing attack targeting developers who use the service.…

Critical hole in Atlassian Bitbucket allows any miscreant to hijack servers

Published: 2022-08-29 18:08:14

Popularity: 13

Author: Jessica Lyons Hardcastle

Grab and deploy this backend update if you offer even repo read access

A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories.…

Post-quantum crypto cracked in an hour with one core of an ancient Xeon

Published: 2022-08-03 06:59:06

Popularity: 207

Author: Laura Dobberstein

NIST's nifty new algorithm looks like it's in trouble

One of the four encryption algorithms America's National Institute of Standards and Technology (NIST) considered as likely to resist decryption by quantum computers has had holes kicked in it by researchers using a single core of a regular Intel Xeon CPU, released in 2013.…

Charter told to pay $7.3b in damages after cable installer murders grandmother

Published: 2022-07-27 00:54:07

Popularity: 284

Author: Chris Williams

Broadband giant says it will appeal jury verdict in negligence case

Charter Communications must pay out $7 billion in damages after one of its Spectrum cable technicians robbed and killed an elderly woman, a jury decided Tuesday.…

Apple network traffic takes mysterious detour through Russia

Published: 2022-07-27 18:56:38

Popularity: 186

Author: Thomas Claburn

Land of Putin capable of attacking routes in cyberspace as well as real world

Apple's internet traffic took an unwelcome detour through Russian networking equipment for about twelve hours between July 26 and July 27.…

Atlassian reveals critical flaws in almost everything it makes and touches

Published: 2022-07-21 01:54:25

Popularity: 89

Author: Simon Sharwood

Fixes issued, warns it 'has not exhaustively enumerated all potential consequences'

Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security.…

Thousands of websites run buggy WordPress plugin that allows complete takeover

Published: 2022-07-15 19:15:10

Popularity: 81

Author: Jessica Lyons Hardcastle

All versions are susceptible, there's no patch, so now's a good time to remove this add-on Miscreants have reportedly scanned almost 1.6 million websites in attempts to exploit an arbitrary file upload vulnerability in a previously disclosed buggy WordPress plugin.…

Amazon gave Ring video to cops without consent or warrant 11 times so far in 2022

Published: 2022-07-14 13:45:12

Popularity: 23

Author: Laura Dobberstein

Got no time for that red tape in an emergency, says exec Updated  Amazon's home security wing Ring turned over footage to US law enforcement without permission from the devices' owners and seemingly without a warrant 11 times so far in 2022.…

SCOTUS judges 'doxxed' after overturning Roe v Wade

Published: 2022-07-13 18:28:12

Popularity: 51

Author: Jessica Lyons Hardcastle

Physical and IP addresses as well as credit card info revealed in privacy breach The US Supreme Court justices who overturned Roe v. Wade last month may have been doxxed – had their personal information including physical and IP addresses, and credit card info revealed – according to threat intel firm Cybersixgill.…

Marriott Hotels admits to third data breach in 4 years

Published: 2022-07-06 14:00:13

Popularity: 55

Author: Brandon Vigliarolo

Digital thieves made off with 20GB of internal documents and customer data Updated  Crooks have reportedly made off with 20GB of data from Marriott Hotels, which apparently included credit card info and internal company documents. …

Actual quantum computers don't exist yet. The cryptography to defeat them may already be here

Published: 2022-07-05 22:36:33

Popularity: 29

Author: Thomas Claburn

NIST pushes ahead with CRYSTALS-KYBER, CRYSTALS-Dilithium, FALCON, SPHINCS+ algorithms The US National Institute of Standards and Technology (NIST) has recommended four cryptographic algorithms for standardization to ensure data can be protected as quantum computers become more capable of decryption.…

Near-undetectable malware linked to Russia's Cozy Bear

Published: 2022-07-06 05:27:10

Popularity: 78

Author: Simon Sharwood

The fun folk who attacked Solar Winds using a poisoned CV and tools from the murky world of commercial hackware Palo Alto Networks' Unit 42 threat intelligence team has claimed that a piece of malware that 56 antivirus products were unable to detect is evidence that state-backed attackers have found new ways to go about the evil business.…

Israel plans ‘Cyber-Dome’ to defeat digital attacks from Iran and others

Published: 2022-06-30 02:15:11

Popularity: 19

Author: Simon Sharwood

Already has 'Iron Dome' – does it need another hero? The new head of Israel's National Cyber Directorate (INCD) has announced the nation intends to build a "Cyber-Dome" – a national defense system to fend off digital attacks.…

Tencent admits to poisoned QR code attack on QQ chat platform

Published: 2022-06-28 04:31:13

Popularity: 12

Author: Simon Sharwood

Could it be Beijing was right about games being bad for China? Chinese web giant Tencent has admitted to a significant account hijack attack on its QQ.com messaging and social media platform.…

OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw

Published: 2022-06-27 23:30:34

Popularity: 30

Author: Thomas Claburn

Though severity up for debate, and limited chips affected, broken tests hold back previous patch from distribution Updated  The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).…

Mega's unbreakable encryption proves to be anything but

Published: 2022-06-22 20:58:14

Popularity: 26

Author: Thomas Claburn

Boffins devise five attacks to expose private files Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its "privacy by design" and user-controlled encryption keys to claim that data stored on Mega's servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.…

RSAC branded a 'super spreader event' as attendees share COVID-19 test results

Published: 2022-06-16 21:56:13

Popularity: 143

Author: Jessica Lyons Hardcastle

That, and Black Hat, are about to reveal risk assessment skills of our cyber-risk experts RSA Conference  Quick show of hands: who came home from this year's RSA Conference without COVID-19?…

GitHub saved plaintext passwords of npm users in log files, post mortem reveals

Published: 2022-05-27 12:15:14

Popularity: 80

Author: Richard Speed

Unrelated to the OAuth token attack, but still troubling as org reveals details of around 100,000 users were grabbed by the baddies GitHub has revealed it stored a "number of plaintext user credentials for the npm registry" in internal logs following the integration of the JavaScript package registry into GitHub's logging systems.…

Apple M1 chip contains hardware vulnerability that bypasses memory defense

Published: 2022-06-10 11:00:08

Popularity: 60

Author: Thomas Claburn

MIT CSAIL boffins devise PACMAN attack to let existing exploits avoid pointer authentication Apple's M1 chip has been found to contain a hardware vulnerability that can be abused to disable one of its defense mechanisms against memory corruption exploits, giving such attacks a greater chance of success.…

If you've got Intel inside, you probably need to get these security patches inside, too

Published: 2022-05-12 21:06:29

Popularity: 21

Author: Jessica Lyons Hardcastle

So. Many. BIOS. Bugs Intel has disclosed high-severity bugs in its firmware that's used in datacenter servers, workstations, mobile devices, storage products, and other gear. These flaws can be exploited to escalate privileges, leak information, or stop things from working.…

Researchers find 134 flaws in the way Word, PDFs, handle scripts

Published: 2022-05-13 07:54:07

Popularity: 22

Author: Simon Sharwood

‘Cooperative mutation’ spots problems that checking code alone will miss Black Hat Asia  Security researchers have devised a tool that detects flaws in the way apps like Microsoft Word and Adobe Acrobat process JavaScript, and it's proven so effective they've found 134 bugs – 59 of them considered worthy of a fix by vendors, 33 assigned a CVE number, and 17 producing bug bounty payments totaling $22,000.…

Communication around Heroku security incident dubbed 'train wreck'

Published: 2022-05-04 15:30:42

Popularity: 13

Author: Lindsay Clark

Users claim lack of transparency following compromise of Github tokens Efforts by Salesforce-owned cloud platform Heroku to manage a recent security incident are turning into a bit of a disaster, according to some users.…

F5, Cisco admins: Stop what you're doing and check if you need to install these patches

Published: 2022-05-06 02:06:39

Popularity: 26

Author: Jeff Burt

BIG-IP iControl authentication bypass, NFV VM escape, and more Updated  F5 Networks and Cisco this week issued warnings about serious, and in some cases critical, security vulnerabilities in their products.…

Okta acknowledges 'mistake' in handling of Lapsus$ attack

Published: 2022-03-28 04:14:07

Popularity: 30

Author: Simon Sharwood

Changes story again to say customers weren't in danger, admits it waited for incident report instead of asking tough questions Identity-management-as-a-service outfit Okta has acknowledged that it made an important mistake in its handling of the attack on a supplier by extortion gang Lapsus$.…

Hackers remotely start, unlock Honda Civics with $300 tech

Published: 2022-03-25 15:00:05

Popularity: 168

Author: Brandon Vigliarolo

Any models made between 2016 and 2020 can have key fob codes sniffed and re-transmitted If you're driving a Honda Civic manufactured between 2016 and 2020, this newly reported key fob hijack should start your worry engine.…

Millions of APC Smart-UPS devices vulnerable to TLStorm

Published: 2022-03-09 12:29:32

Popularity: 177

Author: Laura Dobberstein

Critical vulns spotted in popular Schneider kit If you're managing a smart model from ubiquitous uninterrupted power supply (UPS) device brand APC, you need to apply updates now – a set of three critical vulnerabilities are making Smart-UPS devices a possible entry point for network infiltration.…

Another data-leaking Spectre bug found, smashes Intel, Arm defenses

Published: 2022-03-15 09:22:14

Popularity: 21

Author: Thomas Claburn

Your processor design fell off the vulnerability tree and hit every branch on the way down Analysis  Intel this month published an advisory to address a novel Spectre v2 vulnerability in its processors that can be exploited by malware to steal data from memory that should otherwise be off limits.…

OpenSSL patches crash-me bug triggered by rogue certs

Published: 2022-03-15 20:40:18

Popularity: 18

Author: Brandon Vigliarolo

Bad data can throw vulnerable apps and services for an infinite loop A bug in OpenSSL certificate parsing leaves systems open to denial-of-service attacks from anyone wielding an explicit curve. …

The Windows malware on Ukraine CERT's radar

Published: 2022-03-16 03:28:10

Popularity: 17

Author: Jeff Burt

Government agencies impersonated, fake antivirus, another wiper, backdoors As Ukraine fights for survival against invading Russian forces, here's a taste of some of the malware the nation's Computer Emergency Response Team (CERT) is battling.…

Adobe warns of second critical security hole in Adobe Commerce, Magento

Published: 2022-02-18 19:20:08

Popularity: 15

Author: Gareth Corfield

As sanctioned Russian infosec firm says it has working exploit code Adobe has put out a warning about another critical security bug affecting its Magento/Adobe Commerce product – and IT pros need to install a second patch after an initial update earlier this week failed to fully plug the first one.…

Linux Snap package tool fixes make-me-root bugs

Published: 2022-02-19 00:15:57

Popularity: 15

Author: Gareth Corfield

Or you could think of them as a superuser password reset function The snap-confine tool in the Linux world's Snap software packaging system can be potentially exploited by ordinary users to gain root powers, says Qualys.…

Worried about occasional npm malware scares? It's more common than you may think

Published: 2022-02-03 01:05:07

Popularity: 31

Author: Thomas Claburn

WhiteSource says it spotted 1,300 malicious JavaScript packages in 2021 alone Malware gets spotted in GitHub's npm registry every few months, elevating concerns about the software supply chain until attention gets diverted and worries recede until the next fire drill.…

Remote code execution vulnerability in Samba due to macOS interop module

Published: 2022-02-02 17:57:05

Popularity: 17

Author: Liam Proven

Patch now An exploit in Samba 4 allowed remote code as root due to a bug in its support for Mac clients. It's fixed in 4.13.17, 4.14.12 and 4.15.5, and in case you can't update, there are patches.…

Infosec chap: I found a way to hijack your web accounts, turn on your webcam from Safari – and Apple gave me $100k

Published: 2022-01-26 08:32:13

Popularity: 30

Author: Gareth Corfield

Now you see a harmless PNG. Now it's a malicious payload. Look into my eyes A security bod scored a $100,500 bug bounty from Apple after discovering a vulnerability in Safari on macOS that could have been exploited by a malicious website to potentially access victims' logged-in online accounts – and even their webcams.…

When the world ends, all that will be left are cockroaches and new Rowhammer attacks: RAM defenses broken again

Published: 2021-11-15 21:46:49

Popularity: 19

Author: Thomas Claburn

Blacksmith is latest hammer horror Boffins at ETH Zurich, Vrije Universiteit Amsterdam, and Qualcomm Technologies have found that varying the order, regularity, and intensity of rowhammer attacks on memory chips can defeat defenses, thereby compromising security on any device with DRAM.…

Shrootless: Microsoft found a way to evade Apple's SIP macOS filesystem protection

Published: 2021-10-29 18:01:30

Popularity: 12

Author: Gareth Corfield

LLM Says: "Sneaky microsoft"

Flaw could have let miscreants slide rootkits onto your iDesktop A vulnerability in MacOS that could let a malicious person install rootkits on Apple Macs has been patched, following its discovery and disclosure by Microsoft.…

Microsoft Exchange Autodiscover protocol found leaking hundreds of thousands of credentials

Published: 2021-09-22 13:00:04

Popularity: 40

Author: Thomas Claburn

Email clients fail over to unexpected domains if they can't find the right resources A flaw in Microsoft's Autodiscover protocol, used to configure Exchange clients like Outlook, can cause user credentials to leak to miscreants in certain circumstances.…

Researchers finger new APT group, FamousSparrow, for hotel attacks

Published: 2021-09-23 10:00:35

Popularity: 11

Author: Gareth Halfacree

Espionage motive mooted in attacks which hit industry, government too Researchers at security specialist ESET claim to have found a shiny new advanced persistent threat (APT) group dubbed FamousSparrow - after discovering its custom backdoor, SparrowDoor, on hotels and government systems around the world.…

Microsoft warns: Active Directory FoggyWeb malware being actively used by Nobelium gang

Published: 2021-09-28 10:44:22

Popularity: 579

Author: Gareth Halfacree

Chief security adviser Roger Halbheer says best protection is to 'get off AD FS' Microsoft has warned of a new tool designed to exfiltrate credentials and introduce a backdoor into Active Directory servers that is under active use by the Nobelium threat actor group.…

WTF? Microsoft makes fixing deadly OMIGOD flaws on Azure your job

Published: 2021-09-17 04:58:10

Popularity: 53

Author: Simon Sharwood

Clouds usually fix this sort of thing before bugs go public. This time it's best to assume you need to do this yourself Microsoft Azure users running Linux VMs in the IT giant's Azure cloud need to take action to protect themselves against the four "OMIGOD" bugs in the Open Management Infrastructure (OMI) framework, because Microsoft hasn't raced to do it for them.…

Yes, of course there's now malware for Windows Subsystem for Linux

Published: 2021-09-17 22:06:04

Popularity: 116

Author: Thomas Claburn

Once dismissed proof-of-concept attack on Microsoft OS through WSL detected in the wild Updated  Linux binaries have been found trying to take over Windows systems in what appears to be the first publicly identified malware to utilize Microsoft's Windows Subsystem for Linux (WSL) to install unwelcome payloads.…

Researchers find high-severity command injection vuln in Fortinet's web app firewall

Published: 2021-08-18 16:38:08

Popularity: 12

Author: Gareth Corfield

Mitigation: Don't let randomers from the internet log in to your firewall Updated  A command injection vulnerability exists in Fortinet's management interface for its FortiWeb web app firewall, according to infosec firm Rapid7.…

Google: Linux kernel and its toolchains are underinvested by at least 100 engineers

Published: 2021-08-04 12:29:09

Popularity: 12

Author: Tim Anderson

Security not good enough, claims Chocolate Factory engineer Google's open security team has claimed the Linux kernel code is not good enough, with nearly 100 new fixes every week, and that at least 100 more engineers are needed to work on it.…

Got a cheap Cisco router in your home office? If it's one of these, there's an exposed RCE hole you need to plug

Published: 2021-08-05 13:28:04

Popularity: 21

Author: Gareth Corfield

Patches issued for two CVE-rated vulns Cisco has published patches for critical vulns affecting the web management interface for some of its Small Business Dual WAN Gigabit routers – including a 9.8-rated nasty.…

You'll want to shut down the Windows Print Spooler service (yes, again): Another privilege escalation bug found

Published: 2021-07-16 17:28:10

Popularity: 80

Author: Richard Speed

PrintNightmare? More like Groundhog Day for admins Microsoft has shared guidance revealing yet another vulnerability connected to its Windows Print Spooler service, saying it is "developing a security update."…

Kaseya restores SaaS, then 'performance issues' force a do-over

Published: 2021-07-13 05:57:10

Popularity: 15

Author: Simon Sharwood

What’s another 20 minutes of sudden unplanned downtime between friends? Kaseya has fully restored its SaaS product, then quickly inflicted a little more unplanned downtime on users.…

8-month suspended sentence for script kiddie who DDoS'd Labour candidate in runup to 2019 UK general election

Published: 2021-06-30 14:02:03

Popularity: 6

Author: Gareth Corfield

Now banned from using Tor or VPNs – and 'vanity' handles on social media A British script kiddie who DDoS'd a Labour Party parliamentary candidate's website in the runup to the last general election has been banned from using the Tor browser.…

You can hijack Google Cloud VMs using DHCP floods, says this guy, once the stars are aligned and...

Published: 2021-06-30 00:02:21

Popularity: 14

Author: Thomas Claburn

An Ocean's 11 of exploitation involving guessable random numbers and hostname shenanigans Google Compute Engine virtual machines can be hijacked and made to hand over root shell access via a cunning DHCP attack, according to security researcher Imre Rad.…

Report picks holes in the Linux kernel release signing process

Published: 2021-06-24 16:28:05

Popularity: 14

Author: Gareth Halfacree

Security procedures need documenting, improving, and mandating - though they're better than they used to be A report looking into the security of the Linux kernel's release signing process has highlighted a range of areas for improvement, from failing to mandate the use of hardware security keys for authentication to use of static keys for SSH access.…

Dell SupportAssist contained RCE flaw allowing miscreants to remotely reflash your BIOS with code of their creation

Published: 2021-06-25 17:45:10

Popularity: 73

Author: Gareth Corfield

And it affects 129 models of PC and laptop... or about 30 million computers A chain of four vulnerabilities in Dell's SupportAssist remote firmware update utility could let malicious people run arbitrary code in no fewer than 129 different PC and laptop models – while impersonating Dell to remotely upload a tampered BIOS.…

Ex-NSA leaker Reality Winner released from prison early for 'exemplary' behavior

Published: 2021-06-14 20:36:21

Popularity: 31

Author: Katyanna Quach

Will be transferred to a halfway house, attorney continues to fight for presidential pardon Reality Winner, the former NSA intelligence contractor who leaked evidence of Russian interference in a US Presidential election to the press, has been released from prison.…

DoS vulns in 3 open-source MQTT message brokers could leave users literally locked out of their homes or offices

Published: 2021-06-08 13:05:11

Popularity: 149

Author: Gareth Halfacree

If your IoT kit employs RabbitMQ, EMQ X or VerneMQ, it's time to get patching Synopsys Cybersecurity Research Centre (CyRC) has warned of easily triggered denial-of-service (DoS) vulnerabilities in three popular open-source Internet of Things message brokers: RabbitMQ, EMQ X, and VerneMQ.…

We'd love to report on the outcome of the CREST exam cheatsheet probe, but UK infosec body won't publish it

Published: 2021-05-17 10:47:12

Popularity: 21

Author: Gareth Corfield

Why? It might reveal whistleblowers' names... British infosec accreditation body CREST has declared that it will not be publishing its full report into last year's exam-cheating scandal after all, triggering anger from the cybersecurity community.…

Uptime funk: Microsoft has lifted availability of Azure Key Vault to 99.99%

Published: 2021-05-19 10:01:11

Popularity: 25

Author: Richard Speed

But beware the SLA: Just how much would an outage actually cost you? Microsoft has added another 9 to its availability guarantee for Azure Key Vault, taking the service to 99.99 per cent availability.…

Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu

Published: 2021-05-24 17:15:05

Popularity: 40

Author: Gareth Corfield

Cockup has since been patched in latest release Mozilla Thunderbird spent the last couple of months saving some users’ OpenPGP keys in plain text – but that’s now been patched, the author of both the bug and the patch fixing it has told The Register.…

Hard cheese: Stilton snap shared via EncroChat leads to drug dealer's downfall

Published: 2021-05-25 06:30:07

Popularity: 37

Author: Thomas Claburn

Brit thrown in the clink for 13 years after 'palm-print' lifted from internet photo A drug dealer's ham-handed OPSEC allowed British police to identify him from a picture of him holding a block of cheese, which led to his arrest, guilty plea, and a sentence of 13 years and six months in prison.…

Digital Ocean springs a leak: Miscreant exploits hole to peep on unlucky customers' billing details for two weeks

Published: 2021-04-29 05:05:07

Popularity: 72

Author: Chris Williams

First that IPO and now this Digital Ocean on Wednesday said someone was able to snoop on some of its cloud subscribers' billing information via a now-patched vulnerability.…

Nurserycam horror show: 'Secure' daycare video monitoring product beamed DVR admin creds to all users

Published: 2021-02-18 12:01:09

Popularity: 103

Author: Gareth Corfield

Company has a habit of reacting badly to vuln disclosures Updated  A parental webcam targeted at nursery schools was so poorly designed that anyone who downloaded its mobile app gained access to admin credentials, bypassing intended authentication, according to security pros – with one dad saying its creators brushed off his complaints about insecurities six years ago.…

LastPass to limit fans of free password manager to one device type only – computer or mobile – from next month

Published: 2021-02-16 23:27:45

Popularity: 159

Author: Kieren McCarthy

Cough up if you want to use it with your laptop and phone Password manager LastPass has changed its terms and conditions to limit the free version of its code to work on a single device type only per user, seemingly in an effort to force free folks into paying for its service.…

Supermicro spy chips, the sequel: It really, really happened, and with bad BIOS and more, insists Bloomberg

Published: 2021-02-12 23:28:36

Popularity: 823

Author: Thomas Claburn

Server maker says latest article is 'a mishmash of disparate allegations' Following up on a disputed 2018 claim in its BusinessWeek publication that tiny spy chips were found on Supermicro server motherboards in 2015, Bloomberg on Friday doubled down by asserting that Supermicro's products were targeted by Chinese operatives for over a decade, that US intelligence officials have been aware of this, and that authorities kept this information quiet while crafting defenses in order to study the attack.…

Chrome zero-day bug that is actively being abused by bad folks affects Edge, Vivaldi, and other Chromium-tinged browsers

Published: 2021-02-05 15:07:04

Popularity: 107

Author: Gareth Corfield

Install your updates pronto If you use Google Chrome or a Chromium-based browser such as Microsoft Edge, update it immediately and/or check it for updates over the coming days: there is a zero-day bug being "actively exploited" in the older version of Chrome that will also affect other vendors' browsers.…

More patches for SolarWinds Orion after researchers find flaw allowing low-priv users to execute code, among others

Published: 2021-02-03 21:25:30

Popularity: 42

Author: Gareth Corfield

Probably not used by last year's US government-busting attackers, though As if that supply chain attack wasn't bad enough, SolarWinds has had to patch its Orion software again after eagle-eyed researchers discovered fresh vulnerabilities – including one that can be exploited to achieve remote code execution.…

Google QUIC-ly left privacy behind in its quest for a speedier internet, boffins find

Published: 2021-01-30 00:10:32

Popularity: 60

Author: Thomas Claburn

Promising protocol much easier to fingerprint than HTTPS Google's QUIC (Quick UDP Internet Connections) protocol, announced in 2013 as a way to make the web faster, waited seven years before being implemented in the ad giant's Chrome browser. But it still arrived before privacy could get there.…

Microsoft Edge goes homomorphic: Nobody will see your credentials... but you'll need to sign in to use it

Published: 2021-01-22 15:07:12

Popularity: 89

Author: Richard Speed

Has your password been pwned? MS browser will tell you Microsoft has detailed how the Password Monitor feature in Edge works after it pushed version 88 of the browser into the Stable channel.…

ADT techie admits he peeked into women's home security cams thousands of times to watch them undress, have sex

Published: 2021-01-23 08:36:04

Popularity: 276

Author: Iain Thomson

Plus: SonicWall hacked, Qualcomm security wobble, warrantless cellphone monitoring by US snoops revealed In brief  One-time ADT security engineer Telesforo Aviles, 35, pleaded guilty to computer fraud in the US after spying on women through their home surveillance cameras.…

Laptops given to British schools came preloaded with remote-access worm

Published: 2021-01-21 17:32:08

Popularity: 1762

Author: Gareth Corfield

Department for Education says: 'We believe this is not widespread' Updated  A shipment of laptops supplied to British schools by the Department for Education to help kids learn under lockdown came preloaded with malware, The Register can reveal.…

Dnsmasq, used in only a million or more internet-facing devices globally, patches not-so-secret seven spoofing, hijacking flaws

Published: 2021-01-20 01:49:43

Popularity: 90

Author: Thomas Claburn

Get your updates when you can for gear from scores of manufacturers Seven vulnerabilities have been found in a popular DNS caching proxy and DHCP server known as dnsmasq, raising the possibility of widespread online attacks on networking devices.…

Julian Assange will NOT be extradited to the US over WikiLeaks hacking and spy charges, rules British judge

Published: 2021-01-04 12:43:13

Popularity: 152

Author: Gareth Corfield

But it's not over yet: Next step is Uncle Sam's appeal to London's High Court Accused hacker and WikiLeaks founder Julian Assange should not be extradited to the US to stand trial, Westminster Magistrates' Court has ruled.…

Hallowed Bugtraq infosec list killed then resurrected over the weekend: We heard your feedback, says Accenture

Published: 2021-01-18 07:05:11

Popularity: 85

Author: Iain Thomson

Plus: Watch out for NTFS-corrupting folder, Mimecast hack, and more In brief  Last week ended with news that the venerable infosec mailing list Bugtraq was being shut down at the end of the month.…

That's it. It's over. It's really over. From today, Adobe Flash Player no longer works. We're free. We can just leave

Published: 2021-01-12 01:41:14

Popularity: 1726

Author: Simon Sharwood

Post-Flashpocalypse, we stumble outside, hoping no one ever creates software as insecure as that ever again Adobe has finally and formally killed Flash.…

Court orders encrypted email biz Tutanota to build a backdoor in user's mailbox, founder says 'this is absurd'

Published: 2020-12-08 21:07:13

Popularity: 167

Author: Gareth Corfield

Plus: Yet another UK.gov bod demands end-to-end encryption is broken Tutanota has been served with a court order to backdoor its encrypted email service – a situation founder Matthias Pfau described to The Register as "absurd."…

We're not saying this is how SolarWinds was backdoored, but its FTP password 'leaked on GitHub in plaintext'

Published: 2020-12-16 00:00:12

Popularity: 918

Author: Thomas Claburn

'solarwinds123' won't inspire confidence, if true Updated  SolarWinds, the maker of the Orion network management software that was subverted to distribute backdoored updates that led to the compromise of multiple US government bodies, was apparently told last year that credentials for its software update server had been exposed in a public GitHub repo.…

Oblivious DoH, OPAQUE passwords, Encrypted Client Hello: Cloudflare's protocol proposals to protect privacy

Published: 2020-12-08 18:45:07

Popularity: 42

Author: Tim Anderson

'Adopting these may have legal and policy implications' Web infrastructure company Cloudflare is pushing for the adoption of new internet protocols it says will enable a "privacy-respecting internet."…

Zoom strong-armed by US watchdog to beef up security after boasting of end-to-end encryption that didn't exist

Published: 2020-11-09 21:03:32

Popularity: 256

Author: Kieren McCarthy

Vid-chat giant promises never again to make 'misrepresentations about its privacy and security practices' Zoom has been forced to agree to a range of security improvements in a settlement with America's consumer watchdog, the Federal Trade Commission, as a result of earlier wrongly claiming it offered true 256-bit end-to-end encryption.…

And you thought Fuzzilli was a pasta... Google offers up $50k in cloud credits to fuzz the hell out of JavaScript engines

Published: 2020-10-02 22:50:38

Popularity: 58

Author: Shaun Nichols

And don't forget the paperwork after, says Chocolate Factory Google is offering bug hunters thousands of dollars worth of compute time on its cloud to hammer away at JavaScript engines and uncover new security flaws in the software.…

IT guy whose job was to stop ex-staff running amok on the network is jailed for running amok on the network

Published: 2020-09-25 23:22:42

Popularity: 97

Author: Shaun Nichols

After he was demoted and fired, idiot logged into office PC from home and wiped storage systems An IT guy, who was tasked with locking out ex-employees from the company network, has been jailed after he logged in after being fired and wiped an office's computer storage drives.…

Error-bnb: Techies scramble to fix Airbnb website bug that let strangers read each others' account messages

Published: 2020-09-26 00:06:57

Popularity: 104

Author: Shaun Nichols

LLM Says: "oops, private"

One thing to let people rent your home, quite another to let them access your private comms Airbnb says it has fixed a baffling bug in its website that briefly caused some of its users to be shown messages belonging to others when viewing their account inboxes.…

Amazon staffers took bribes, manipulated marketplace, leaked data including search algorithms – DoJ claims

Published: 2020-09-21 02:13:11

Popularity: 425

Author: Simon Sharwood

Banned merchants restored, rivals’ stores binned, cash sent around town in an Uber, it is alleged US prosecutors claim six people bribed corrupt Amazon insiders to rig the web giant's Marketplace in their favor and leak terabytes of data including some search algorithms.…

Good: US boasts it collared two in Chinese hacking bust. Bad: They aren't the actual hackers, rest are safe in China

Published: 2020-09-16 19:41:19

Popularity: 60

Author: Shaun Nichols

Ugly: And it's all about video game robberies at this stage Two people have been arrested in Malaysia as part of America's crackdown on the Chinese government's hackers.…

Woman dies after hospital is unable to treat her during crippling ransomware infection, cops launch probe

Published: 2020-09-18 05:55:07

Popularity: 347

Author: Shaun Nichols

Extortionware is bad but it never killed anyo... never mind A woman in Germany died after a ransomware infection prevented her hospital from giving her emergency treatment.…

Sigh. Another day, another reason for WordPress users to get patching: Hackers abuse bug in popular plugin

Published: 2020-09-03 23:20:48

Popularity: 61

Author: Thomas Claburn

Sites with WP File Manager should update ASAP – exploits in the wild A critical vulnerability in a popular WordPress plugin called WP File Manager was spotted on Tuesday and was quickly patched by the plugin's developers.…

Court hearing on election security is zoombombed on 9/11 anniversary with porn, swastikas, pics of WTC attacks

Published: 2020-09-14 21:03:05

Popularity: 126

Author: Kieren McCarthy

Atlanta to upgrade software license with more protection, clerk tells us A court hearing on election security in America failed in its own security efforts – when it was zoombombed with porn, swastikas and images of the World Trade Center attacks.…

Dunkin' Donuts drops some dough to glaze over lawsuit accusing it of covering up customer account hacks

Published: 2020-09-15 21:33:24

Popularity: 81

Author: Shaun Nichols

No way to sugarcoat this: New York AG eclairs the 2015 data theft matter settled Dunkin' Donuts today settled a lawsuit in which it was accused of hushing up the fact hackers siphoned its customers' personal information from its systems in 2015.…

Worried about bootkits, rootkits, UEFI nasties? Have you tried turning on Secure Boot, asks the No Sh*! Agency

Published: 2020-09-16 00:40:36

Popularity: 116

Author: Shaun Nichols

And have you tried simply asking hackers to not hack? The NSA has published online a guide for IT admins to keep systems free of bootkits and rootkits.…

Three middle-aged Dutch hackers slipped into Donald Trump's Twitter account days before 2016 US election

Published: 2020-09-11 09:07:10

Popularity: 1175

Author: Gareth Corfield

The Orange One was using a password breached four years previously Three “grumpy old hackers” in the Netherlands managed to access Donald Trump’s Twitter account in 2016 by extracting his password from the 2012 LinkedIn hack.…

Burn baby burn, plastic inferno! Infosec researchers turn 3D printers into self-immolating suicide machines

Published: 2020-07-31 10:15:09

Popularity: 323

Author: Gareth Corfield

Inflammatory findings from deadly serious investigation Some 3D printers can be flashed with firmware updates downloaded directly from the internet – and an infosec research firm says it has discovered a way to spoof those updates and potentially make the printer catch fire.…

Capital One fined $80m for shoddy public cloud security. Yeah, same bank in that 106m customer-record hack

Published: 2020-08-07 01:22:24

Popularity: 72

Author: Katyanna Quach

All that money must be wired to the US Treasury immediately Capital One must pay a trivial $80m fine for its shoddy public cloud security – yes, the US banking giant that was hacked last year by a miscreant who stole personal information on 106 million credit-card applicants in America and Canada.…

'We stopped ransomware' boasts Blackbaud CEO. And by 'stopped' he means 'got insurance to pay off crooks'

Published: 2020-08-03 14:02:22

Popularity: 64

Author: Gareth Corfield

CRM biz doesn't 'anticipate any kind of material financial impact' but can't say same for those whose data was nicked "We discovered and stopped a sophisticated attempted ransomware attack," Blackbaud CEO Michael Gianoni has told financial analysts – failing to mention the company simply paid off criminal extortionists to end the attack.…

If you own one of these 45 Netgear devices, replace it: Kit maker won't patch vulnerable gear despite live proof-of-concept code

Published: 2020-07-30 11:28:36

Popularity: 2895

Author: Gareth Corfield

That's one way of speeding up the tech refresh cycle Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code.…

Twitter says spear-phishing attack hooked its staff and led to celebrity account hijack

Published: 2020-07-31 05:27:08

Popularity: 73

Author: Simon Sharwood

Attack came in waves that probed for staff with access to the creds crims craved Twitter has offered further explanation of the celebrity account hijack hack that saw 130 users’ timelines polluted with a Bitcoin scam.…

We're suing Google for harvesting our personal info even though we opted out of Chrome sync – netizens

Published: 2020-07-28 19:40:18

Popularity: 114

Author: Thomas Claburn

Browser quitters say they'll return if web goliath lives up to privacy promises A handful of Chrome users have sued Google, accusing the browser maker of collecting personal information despite their decision not to sync data stored in Chrome with a Google Account.…

Better get Grandpa off Windows 7 because zero-day bug in Zoom allows remote code execution on vintage OS

Published: 2020-07-13 11:50:07

Popularity: 84

Author: Iain Thomson

Plus: Kazakh man charged with corporate mega-hack, and more In brief  With world+dog on Zoom these days, news of a zero-day attack against the videoconferencing app would cause a stir, but relax – it's only if you're on Windows 7 or older.…

Guilty: Russian miscreant who hacked LinkedIn, Dropbox, Formspring, stole 200-million-plus account records

Published: 2020-07-14 01:07:45

Popularity: 77

Author: Kieren McCarthy

Yevgeniy Nikulin faces up to 10 years in a US cooler The Russian hacker accused of raiding LinkedIn, Dropbox and Formspring, and obtaining data on 213 million user accounts, has been found guilty.…

Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle

Published: 2020-07-10 00:29:01

Popularity: 557

Author: Shaun Nichols

You've got less than 42 hours to regenerate your certs Digicert says, come Saturday, July 11, it will revoke tens of thousands of encryption certificates issued by intermediaries that were not properly audited.…

You may be distracted by the pandemic but FYI: US Senate panel OK's backdoors-by-the-backdoor EARN IT Act

Published: 2020-07-06 20:42:17

Popularity: 2454

Author: Kieren McCarthy

Proposed Section 230 shake-up passes committee stage with amendments An amended version of America's controversial proposed EARN IT Act has been unanimously approved by the Senate Judiciary Committee – a key step in its journey to becoming law. This follows a series of changes and compromises that appear to address critics’ greatest concerns while introducing fresh problems.…

Talk about the fox guarding the hen house. Comcast to handle DNS-over-HTTPS for Firefox-using subscribers

Published: 2020-06-26 01:07:13

Popularity: 171

Author: Shaun Nichols

Last November: These ISPs know too much! June: God bless the ISPs Comcast has agreed to be the first home broadband internet provider to handle secure DNS-over-HTTPS queries for Firefox browser users in the US, Mozilla has announced.…

Boffins find that over nine out of ten 'ethical' hackers are being a bit naughty when it comes to cloud services

Published: 2020-06-17 06:57:04

Popularity: 94

Author: Thomas Claburn

Then again, cloud providers aren't exactly playing the smart game either Infosec pros and hackers regularly abuse cloud service providers to conduct reconnaissance and attacks, despite efforts by cloud providers to limit such activity.…

Another month, another way to smash Intel's SGX security. Let's take a closer look at these latest holes...

Published: 2020-06-10 23:04:30

Popularity: 61

Author: Thomas Claburn

Plus: 10nm five-core 3GHz Lakefield system-on-chips announced Analysis  Intel's Software Guard Extensions, known as SGX among friends, consist of a set of instructions for running a secure enclave inside an encrypted memory partition using certain Intel microprocessors.…

Update Firefox: Mozilla just patched three hijack-me holes and a bunch of other flaws

Published: 2020-06-04 02:28:12

Popularity: 112

Author: Shaun Nichols

Plus: Zoom fixes code-execution security bugs Mozilla has emitted security updates for Firefox to address eight CVE-listed security flaws, five of them considered to be high-risk vulnerabilities.…

Zoom continues its catch-up security sprint with new training, bug bounty tweaks and promise of crypto playbook

Published: 2020-05-21 06:02:09

Popularity: 200

Author: Simon Sharwood

Sigh. How many users did it have before it started this stuff? Zoom has outlined more about its efforts to improve its security.…

DNS this week stands for Drowning Needed Services: Design flaw in name server system can be exploited to flood machines offline

Published: 2020-05-21 10:52:04

Popularity: 78

Author: Shaun Nichols

Microsoft, BIND, Google, Cloudflare, Amazon, others fix up software or offer workarounds A new vulnerability has been found in the design of the world's domain-name system that potentially can be exploited to flood websites off the internet.…

Zoom continues its catch-up security sprint with new training, bug bounty tweaks and promise of crypto playbook

Published: 2020-05-21 06:02:09

Popularity: 99

Author: Simon Sharwood

Sigh. How many users did it have before it started this stuff? Zoom has outlined more about its efforts to improve its security.…

To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

Published: 2020-05-21 20:51:10

Popularity: 155

Author: Thomas Claburn

Welp, at least that's better than industry averages, says code-hosting biz Code hosting biz GitLab recently concluded a security exercise to test the susceptibility of its all-remote workforce to phishing – and a fifth of the participants submitted their credentials to the fake login page.…

'iOS security is f**ked' says exploit broker Zerodium: Prices crash for taking a bite out of Apple's core tech

Published: 2020-05-14 10:31:11

Popularity: 706

Author: Thomas Claburn

LLM Says: "Apple hacked"

Million-dollar payouts zero out as hackers follow the money en masse Five years ago, Zerodium offered a $1m reward for a browser-based, untethered jailbreak in iOS 9. On Wednesday, the software exploit broker said it won't pay anything for some iOS bugs due to an oversupply.…

Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases

Published: 2020-05-12 17:32:52

Popularity: 149

Author: Tim Anderson

Take care what data you enter into apps, it may be stored insecurely Security researchers at Comparitech have reported that an estimated 24,000 Android apps are leaking user data because of misconfigured Firebase databases.…

IBM == Insecure Business Machines: No-auth remote root exec exploit in Data Risk Manager drops after Big Blue snubs bug report

Published: 2020-04-21 19:04:48

Popularity: 152

Author: Thomas Claburn

IT giant admits it made 'a process error, improper response' to flaw finder IBM has acknowledged that it mishandled a bug report that identified four vulnerabilities in its enterprise security software, and plans to issue an advisory.…

Attack of the clones: If you were relying on older Xilinx FPGAs to keep your product's hardware code encrypted and secret, here's some bad news

Published: 2020-04-22 11:25:09

Popularity: 70

Author: Shaun Nichols

Decrypted configuration bitstream can be siphoned from chips via side-channel flaw A newly disclosed vulnerability in older Xilinx FPGAs can be exploited to simplify the process of extracting and decrypting the encrypted bitstreams used to configure the chips.…

GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps

Published: 2020-04-23 10:06:12

Popularity: 110

Author: Shaun Nichols

Static analyzer proves its worth with discovery of null-pointer error A static analysis feature set to appear in GCC 10, which will catch common programming errors that can lead to security vulnerabilities, has scored an early win – it snared an exploitable flaw in OpenSSL.…

NSO Group: Facebook tried to license our spyware to snoop on its own addicts – the same spyware it's suing us over

Published: 2020-04-03 21:37:31

Popularity: 197

Author: Shaun Nichols

Antisocial network sought surveillance tech to boost its creepy Onavo Protect app, it is claimed NSO Group – sued by Facebook for developing Pegasus spyware that targeted WhatsApp users – this week claimed Facebook tried to license the very same surveillance software to snoop on its own social-media addicts.…

Zoom's end-to-end encryption isn't actually end-to-end at all. Good thing the PM isn't using it for Cabinet calls. Oh, for f...

Published: 2020-04-01 05:11:05

Popularity: 4537

Author: Kieren McCarthy

Super-crypto actually normal TLS, lawsuit launched over Facebook API usage, privacy policy rewritten UK Prime Minister Boris Johnson sparked security concerns on Tuesday when he shared a screenshot of “the first ever digital Cabinet” on his Twitter feed. It revealed the country’s most senior officials and ministers were using bog-standard Zoom to discuss critical issues facing Blighty.…

Fancy that: Hacking airliner systems doesn't make them magically fall out of the sky

Published: 2020-03-04 11:30:10

Popularity: 131

Author: Gareth Corfield

Study finds most A320 pilots shrug, ignore dodgy systems and land safely Airline pilots faced with hacked or spoofed safety systems tend to ignore them – but could cost their airlines big sums of money, an infosec study has found.…

It has been 15 years, and we're still reporting homograph attacks – web domains that stealthily use non-Latin characters to appear legit

Published: 2020-03-04 14:00:14

Popularity: 136

Author: Shaun Nichols

More than a dozen dodgy websites spotted masquerading as the real deal, HTTPS certs and all What's old is new again as infosec bods are sounding the alarm over a fresh wave of homoglyph characters being used to lure victims to malicious fake websites.…

Download this update from mybrowser.microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. Oops

Published: 2020-03-04 19:04:06

Popularity: 243

Author: Shaun Nichols

Lax DNS leaves door wide open for miscreants to impersonate Windows giant on its own websites If you saw a link to mybrowser.microsoft.com, would you have trusted it? Downloaded and installed an Edge update from it? How about identityhelp.microsoft.com to change your password?…

Alleged Vault 7 leaker trial finale: Want to know the CIA's password for its top-secret hacking tools? 123ABCdef

Published: 2020-03-05 00:47:25

Popularity: 1920

Author: Kieren McCarthy

Tales of terrible security, poor compartmentalization, and more, emerge from the Schulte hearings Analysis  The fate of the man accused of leaking top-secret CIA hacking tools – software that gave the American spy agency access to targets' phones and computers across the world – is now in the hands of a jury. And, friend, do they have their work cut out for them.…

Let's Encrypt? Let's revoke 3 million HTTPS certificates on Wednesday, more like: Check code loop blunder strikes

Published: 2020-03-03 19:44:53

Popularity: 1160

Author: Thomas Claburn

Tons of TLS certs need to be tossed immediately after Go snafu On Wednesday, March 4, Let's Encrypt – the free, automated digital certificate authority – will briefly become Let's Revoke, to undo the issuance of more than three million flawed HTTPS certs.…

Departing MI5 chief: Break chat app crypto for us, kthxbai

Published: 2020-02-26 17:17:13

Popularity: 62

Author: Gareth Corfield

Sir Andrew Parker also claims UK spies are not doing bulk surveillance British spies are once again stipulating that tech companies break their encryption so life is made easier for state-sponsored eavesdroppers.…

After blowing $100m to snoop on Americans' phone call logs for four years, what did the NSA get? Just one lead

Published: 2020-02-26 22:29:11

Popularity: 319

Author: Kieren McCarthy

Section 215 more useless than we suspected yet they still want to keep it The controversial surveillance program that gave the NSA access to the phone call records of millions of Americans has cost US taxpayers $100m – and resulted in just one useful lead over four years.…

Mind the gap: Google patches holes in Chrome – exploit already out there for one of them after duo spot code fix

Published: 2020-02-25 21:22:19

Popularity: 88

Author: Thomas Claburn

Pair engineer malicious code from public source tweak before official binary releases Google has updated Chrome for Linux, Mac, and Windows to address three security vulnerabilities – and exploit code for one of them is already public, so get patching.…

Voatz of no confidence: MIT boffins eviscerate US election app, claim fiends could exploit flaws to derail democracy

Published: 2020-02-13 21:58:19

Popularity: 78

Author: Thomas Claburn

Shoddy code allegations are just FUD, software maker insists Only a week after the mobile app meltdown in Iowa's Democratic Caucus, computer scientists at MIT have revealed their analysis of the Voatz app used in West Virginia's 2018 midterm election.…

Remember those infosec fellas who were cuffed while testing the physical security of a courthouse? The burglary charges have been dropped

Published: 2020-01-31 20:39:31

Popularity: 116

Author: Shaun Nichols

And it only took, er, four and a half months for people to see sense Criminal charges have been dropped against two infosec professionals who were arrested during a sanctioned physical penetration test gone wrong.…

Google halts paid-for Chrome extension updates amid fraud surge: Web Store in lockdown 'due to the scale of abuse'

Published: 2020-01-27 19:58:06

Popularity: 83

Author: Thomas Claburn

Meanwhile, probe reveals how Avast's 'anonymized' user data can be, er, deanonymized On Saturday, Google temporarily disabled the ability to publish paid Chrome apps, extensions, and themes in the Chrome Web Store due to a surge in fraud.…

Hospital hacker spared prison after plod find almost 9,000 cardiac images at his home

Published: 2020-01-20 11:30:47

Popularity: 165

Author: Gareth Corfield

NHS working with cops and ICO to determine if patients must be told A Stoke-on-Trent hospital administrator has avoided prison after hacking his NHS trust and helping himself to almost 9,000 heart scan images.…

Who honestly has a crown prince in their threat model? UN report officially fingers Saudi royal as Bezos hacker

Published: 2020-01-22 23:13:01

Popularity: 74

Author: Kieren McCarthy

Rapporteurs call for investigation, technical security report leaks The Crown Prince of Saudi Arabia, Mohammad bin Salman, has been officially fingered as the man responsible for hacking Amazon CEO Jeff Bezos’s iPhone X, causing a massive stir in diplomatic circles.…

WTF, EFS? Experts warn Windows encryption could spawn nasty new ransomware

Published: 2020-01-21 14:00:12

Popularity: 158

Author: Shaun Nichols

Redmond's own security tools could be abused by hard-to-block file-scrambling software nasties The encryption technology Microsoft uses to protect Windows file systems can be exploited by ransomware.…

Crown Prince of Saudi Arabia accused of hacking Jeff Bezos' phone with malware-laden WhatsApp message

Published: 2020-01-22 00:31:35

Popularity: 360

Author: Kieren McCarthy

Mid-East nation slams 'absurd' claim, UN report to emerge Updated  Candid pictures used to threaten Amazon boss Jeff Bezos were exposed not by his current paramour's brother, as some believe, but through a sophisticated hacking operation personally directed by the crown prince of Saudi Arabia, Mohammad bin Salman, The Guardian suggests.…

Updated your WordPress plugins lately? Here are 320,000 auth-bypassing reasons why you should

Published: 2020-01-15 00:15:55

Popularity: 233

Author: Shaun Nichols

Another day, another critical set of flaws A pair of widely used WordPress plugins need to be patched on more than 320,000 websites to close down vulnerabilities that can be exploited to gain admin control of the web publishing software.…

Yo, sysadmins! Thought Patch Tuesday was big? Oracle says 'hold my Java' with huge 334 security flaw fix bundle

Published: 2020-01-15 21:33:00

Popularity: 103

Author: Shaun Nichols

House of Larry delivers massive update for 93 products Oracle has released a sweeping set of security patches across the breadth of its software line.…

Bad news: Windows security cert SNAFU exploits are all over the web now. Also bad: Citrix gateway hole mitigations don't work for older kit

Published: 2020-01-16 23:13:09

Popularity: 587

Author: Shaun Nichols

Good news: There is none. Well, apart from you can at least fully patch the Microsoft blunder Vid  Easy-to-use exploits have emerged online for two high-profile security vulnerabilities, namely the Windows certificate spoofing bug and the Citrix VPN gateway hole. If you haven't taken mitigation steps by now, you're about to have a bad time.…

'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind

Published: 2020-01-17 19:49:15

Popularity: 44

Author: Shaun Nichols

LLM Says: "Nasty surprise"

Congratulations, you've won a secret backdoor Hackers exploiting the high-profile Citrix CVE-2019-19781 flaw to compromise VPN gateways are now patching the servers to keep others out.…

Wheelie bad end to 2019 for Canyon Bicycles as hackers puncture IT systems

Published: 2020-01-07 13:30:13

Popularity: 40

Author: Paul Kunert

CEO confirms servers, software locked by perps German cycle-maker Canyon Bicycles GmbH has confirmed it was the victim of a security break-in over the holiday period that has all the hallmarks of a ransomware attack with parts of the infrastructure padlocked by the perpetrators.…

New year, new critical Cisco patches to install – this time for a dirty dozen of bugs that can be exploited to sidestep auth, inject commands, etc

Published: 2020-01-03 20:10:45

Popularity: 95

Author: Shaun Nichols

Data Center Network Manager bugapalooza with three must-fix flaws Cisco is kicking off 2020 with the release of a crop of patches for its Data Center Network Manager.…

It's time you were T0RTT a lesson: Here's how you could build a better Tor, say boffins

Published: 2019-12-12 11:16:04

Popularity: 72

Author: Shaun Nichols

Uni brains pitch smart math for speeding up establishment of circuits in anonymizing onion network Academics in Germany say they've found a way to make Tor and similar onion networks more efficient and lower their latency.…

It's the end of the 20-teens, and your Windows PC can still be pwned by nothing more than a simple bad font

Published: 2019-12-10 22:33:00

Popularity: 110

Author: Shaun Nichols

End 2019 with a Patch Tuesday from Microsoft, Adobe, SAP and Intel With the year winding to a close and the holiday parties set to kick off, admins will want to check out the December Patch Tuesday load from Microsoft, Adobe, Intel, and SAP and get them installed before downing the first of many egg nogs.…

How to fool infosec wonks into pinning a cyber attack on China, Russia, Iran, whomever

Published: 2019-12-05 15:44:04

Popularity: 120

Author: Gareth Corfield

Learning points, not an instruction manual Black Hat Europe  Faking digital evidence during a cyber attack – planting a false flag – is simple if you know how, as noted infosec veteran Jake Williams told London's Black Hat Europe conference.…

Feds slap $5m bounty on 'Evil Corp' Russian duo accused of running ZeuS, Dridex banking trojans

Published: 2019-12-05 16:49:22

Popularity: 82

Author: Gareth Corfield

Account-draining malware masterminds charged but remain in motherland US prosecutors have slapped a $5m bounty on the heads of two Russian nationals they claim are part of the malware gang behind the banking trojans ZeuS and Dridex.…

If there's somethin' stored in a secure enclave, who ya gonna call? Membuster!

Published: 2019-12-05 22:22:19

Popularity: 153

Author: Thomas Claburn

Boffins ride the memory bus past Intel's SGX to your data Computer scientists from UC Berkeley, Texas A&M, and semiconductor biz SK Hynix have found a way to defeat secure enclave protections by observing memory requests from a CPU to off-chip DRAM through the memory bus.…

Don't pay off Ryuk ransomware, warn infoseccers: Its creators borked the decryptor

Published: 2019-12-10 16:30:11

Popularity: 299

Author: Gareth Corfield

Oracle DBs particularly vulnerable to fake decryptions, say researchers If you're an Oracle database user and are tempted to pay off a Ryuk ransomware infection to get your files back, for pity's sake, don't. The criminals behind it have broken their own decryptor, meaning nobody will be able to unlock files scrambled by the malicious software.…

Intel might want to reconsider the G part of SGX – because it's been plunderstruck

Published: 2019-12-10 18:00:07

Popularity: 60

Author: Thomas Claburn

I was caught in the middle of a memory attack, and I knew there was no turning back Intel on Tuesday plans to release 11 security advisories, including a microcode firmware update to patch a vulnerability in its Software Guard Extensions (SGX) on recent Core microprocessors that allows a privileged attacker to corrupt SGX enclave computations.…

Tricky VPN-busting bug lurks in iOS, Android, Linux distros, macOS, FreeBSD, OpenBSD, say university eggheads

Published: 2019-12-06 05:01:06

Popularity: 108

Author: Shaun Nichols

OpenVPN, WireGuard, IKEv2/IPSec also vulnerable to tampering flaw, we're told A bug in the way Unix-flavored systems handle TCP connections could put VPN users at risk of having their encrypted traffic hijacked, it is claimed.…

China fires up 'Great Cannon' denial-of-service blaster, points it toward Hong Kong

Published: 2019-12-06 20:07:05

Popularity: 362

Author: Shaun Nichols

Protest organizers come under fire from network traffic barrage China is reportedly using the 'cannon' capabilities of its massive domestic internet to try and take down anti-government websites in Hong Kong.…

Time to check who left their database open and leaked 7.5m customer records: Hi there, Adobe Creative Cloud!

Published: 2019-10-25 19:13:17

Popularity: 550

Author: Shaun Nichols

No passwords, banking details, but enough info to convincingly phish someone Adobe has pulled offline a public-facing poorly secured Elasticsearch database containing information on 7.5 million Creative Cloud customers.…

Row erupts over who to blame after NordVPN says: One of our servers was hacked via remote management tool

Published: 2019-10-21 21:44:15

Popularity: 202

Author: Shaun Nichols

Netizens' traffic flowing out of box could have been sniffed by miscreants Analysis  NordVPN spent today attempting to downplay a security breach in which someone sneaked into one of its servers for purposes unknown.…

Apple insists it's totally not doing that thing it wasn't accused of: We're not handing over Safari URLs to Tencent – just people's IP addresses

Published: 2019-10-14 20:05:40

Popularity: 605

Author: Thomas Claburn

Cupertino in China Syndrome meltdown Responding to concern that its Safari browser's defense against malicious websites may reveal the IP addresses of some users' devices to China-based Tencent, Apple insists that Safari doesn't reveal a different bit of information, the webpages Safari users visit.…

Sudo? More like Su-doh: There's a fun bug that gives restricted sudoers root access (if your config is non-standard)

Published: 2019-10-14 21:14:36

Popularity: 235

Author: Chris Williams

All it takes is -u#-1 ... Wh%& t#e fsck*? It's only Monday, and we already have a contender for the bug of the week.…

Here we go again: US govt tells Facebook to kill end-to-end encryption for the sake of the children

Published: 2019-10-04 19:15:52

Popularity: 728

Author: Shaun Nichols

Uncle Sam calls on tech giants to open up platforms for government snooping The US government is renewing its efforts to talk tech firms out of using end-to-end encryption methods that would keep police from snooping on conversations.…

Google sounds the alarm over Android flaw being exploited in the wild, possibly by NSO

Published: 2019-10-04 21:07:50

Popularity: 184

Author: Shaun Nichols

Pixel, S-Series, Moto Z3 among vulnerable gear Google is warning owners of some popular Android devices to keep a close eye on their gear following the release of an exploit for an unpatched flaw.…

How much pass could LastPass pass if LastPass passed last pass? Login-leaking security hole fixed

Published: 2019-09-16 19:36:04

Popularity: 187

Author: Shaun Nichols

Update now to stop webpages snooping on recently used credentials LastPass has fixed a security bug that potentially allowed malicious websites to obtain the username and passphrase inserted by the password manager on the previously visited site.…

Dear Planet Earth: Patch Webmin now – zero-day exploit emerges for potential hijack hole in server control panel

Published: 2019-08-19 20:28:13

Popularity: 49

Author: Thomas Claburn

Flawed code traced to home build system, vulnerability can be attacked in certain configs Updated  The maintainers of Webmin – an open-source application for system-administration tasks on Unix-flavored systems – have released Webmin version 1.930 and the related Usermin version 1.780 to patch a vulnerability that can be exploited to achieve remote code execution in certain configurations.…

No REST for the wicked: Ruby gem hacked to siphon passwords, secrets from web devs

Published: 2019-08-20 21:21:17

Popularity: 68

Author: Thomas Claburn

Developer account cracked due to credential reuse, source tampered with and released to hundreds of programmers An old version of a Ruby software package called rest-client that was modified and released about a week ago has been removed from the Ruby Gems repository – because it was found to be deliberately leaking victims' credentials to a remote server.…

Exim marks the spot… of remote code execution: Patch due out today for 'give me root' flaw in mail server

Published: 2019-09-06 10:00:13

Popularity: 65

Author: Shaun Nichols

Install incoming update to avoid having your boxes hijacked The widely used Exim email server software is due to be patched today to close a critical security flaw that can be exploited to potentially gain root-level access to the machine.…

Biz forked out $115k to tout 'Time AI' crypto at Black Hat. Now it sues organizers because hackers heckled it

Published: 2019-08-26 08:02:06

Popularity: 89

Author: Thomas Claburn

Lawsuit argues event bosses breached deal by failing to prevent audience hostility Crown Sterling, a Newport Beach, California-based biz that calls itself "a leading digital cryptographic firm," is suing UBM, the UK-based owner of the Black Hat USA conference, in America for allegedly violating its sponsorship agreement.…

Breaking news: Apple un-breaks break on jailbreak break

Published: 2019-08-26 23:38:29

Popularity: 91

Author: Shaun Nichols

The fix for the fix is in Apple has issued an update to address a potentially serious security flaw it re-opened in the latest version of iOS.…

Capital One 'hacker' hit with fresh charges: She burgled 30 other AWS-hosted orgs, Feds claim

Published: 2019-08-29 20:02:28

Popularity: 72

Author: Kieren McCarthy

Ex-Amazon techie accused of cyber-looting other storage buckets, mining crypto-coins on hacked servers The ex-Amazon engineer who allegedly stole 100 million Capital One credit applicants' personal details from AWS cloud buckets has been formally accused of swiping data from 30 other organizations.…

JACK OF ALL TIRADES: Twitter boss loses account to cunning foul-mouthed pranksters

Published: 2019-08-31 10:01:07

Popularity: 46

Author: Shaun Nichols

Plus a Cisco bug, dentists bitten by malware, and France takes down a worm Roundup  This week ended with a bang, thanks to some Twitter hackers.…

NSA asks Congress to permanently reauthorize spying program that was so shambolic, the snoops had shut it down

Published: 2019-08-16 20:09:44

Popularity: 243

Author: Kieren McCarthy

You never know, we might figure out how not to screw up in future Analysis  In the clearest possible sign that the US intelligence services live within their own political bubble, the director of national intelligence has asked Congress to reauthorize a spying program that the NSA itself decided to shut down after it repeatedly – and illegally – gathered the call records of millions of innocent Americans.…

WTF is Boeing on? Not just customer databases lying around on the web. 787 jetliner code, too, security bugs and all

Published: 2019-08-08 06:56:13

Popularity: 999

Author: Iain Thomson

Fears of cyber-hijackings? That's plane crazy, says Dreamliner maker Black Hat  A Black Hat presentation on how to potentially hijack a 787 – by exploiting bugs found in internal code left lying around on a public-facing server – was last night slammed as "irresponsible and misleading" by Boeing.…

HTTP/2, Brute! Then fall, server. Admin! Ops! The server is dead

Published: 2019-08-14 09:02:08

Popularity: 84

Author: Thomas Claburn

Beware the denials of service: Netflix warns of eight networking bugs On Tuesday, Netflix, working in conjunction with Google and CERT/CC, published a security advisory covering a series of vulnerabilities that enable denial of service attacks against servers running HTTP/2 services.…

Dear hackers: If you try to pwn a website for phishing, make sure it's not the personal domain of a senior Akamai security researcher

Published: 2019-07-29 12:00:09

Popularity: 532

Author: Shaun Nichols

Crooks fail to hijack infosec bloke's site to dress it up as a legit Euro bank login page Exclusive  Think you have bad luck? Imagine being the script kiddie who inadvertently tried and failed to pwn an Akamai security pro.…

Backdoors won't weaken your encryption, wails FBI boss. And he's right. They won't – they'll fscking torpedo it

Published: 2019-07-25 20:18:28

Popularity: 762

Author: Iain Thomson

Give it a Wray, give it a Wray, give it a Wray now: Big Chris steps in to defend blowing a hole in personal crypto FBI head honcho Christopher Wray is rather peeved that you all think the US government is trying to weaken cryptography, privacy, and online security, by demanding backdoors in encryption software.…

In the cooler for the next three years: Hacker of iCloud accounts used by athletes and rappers

Published: 2019-07-19 23:58:06

Popularity: 124

Author: Thomas Claburn

Phishing led to shopping spree with victims' credit cards A man from the US state of Georgia who pleaded guilty in March to breaking into the Apple iCloud accounts of sports and entertainment figures was sentenced on Thursday to three years and one month in federal prison – and ordered to pay almost $700,000 in restitution.…

It's 2019 and you can still pwn an iPhone with a website: Apple patches up iOS, Mac bugs in July security hole dump

Published: 2019-07-23 01:52:06

Popularity: 173

Author: Shaun Nichols

LLM Says: "Pwned again"

20 WebKit flaws among latest batch of bug fixes On Monday Apple released a fresh round of security fixes for a load of its operating systems and applications.…

Israel's NSO Group: Our malware? Slurp your cloud backups plus phone data? They've misunderstood

Published: 2019-07-19 17:00:07

Popularity: 186

Author: Gareth Corfield

After report claimed its sales pitches boasted of doing that Israeli spyware firm NSO Group has denied it developed malware that can steal user data from cloud services run by Amazon, Apple, Facebook, Google and Microsoft.…

Patch now before you get your NAS kicked: Iomega storage boxes leave millions of files open to the internet

Published: 2019-07-16 13:00:13

Popularity: 229

Author: Shaun Nichols

API blunder exposes data, fix incoming from Lenovo Lenovo is emitting an emergency firmware patch for Iomega NAS devices after the network-attached storage boxes were discovered inadvertently offering millions of files to the internet via an insecure software interface.…

Malicious code ousted from PureScript's npm installer – but who put it there in the first place?

Published: 2019-07-15 06:04:06

Popularity: 108

Author: Thomas Claburn

Account hijacking claimed by some but it may just be a developer behaving badly Another JavaScript package in the npm registry - the installer for PureScript - has been tampered with, leading project maintainers to revise their software to purge the malicious code.…

Two pentesters, one glitch: Firefox browser menaced by ancient file-snaffling bug, er, feature

Published: 2019-07-09 11:00:04

Popularity: 88

Author: Richard Speed

Forgive the sins of the fathers: Mozilla to have another go at tackling teenage flaw Mozilla has been sitting on a new variant of an age-old flaw for almost a year, even with public disclosure happening back in January.…

We are shocked to learn oppressive authoritarian surveillance state China injects spyware into foreigners' smartphones

Published: 2019-07-02 19:55:52

Popularity: 366

Author: Shaun Nichols

Border cops accused of loading tourists' mobiles up with snoop app in Muslim area Authorities in a tumultuous region of China are ordering tourists and other visitors to install spyware on their smartphones, it is claimed.…

White House mulls just banning strong end-to-end crypto. Plus: More bad stuff in infosec land

Published: 2019-07-01 05:57:06

Popularity: 119

Author: Shaun Nichols

We'll be over there bashing our head on the wall while you read this Roundup  As June turns over to July, here are some additional bits of security news besides our regular infosec coverage.…

Cop a load of this: 1TB of police body camera videos found lounging around public databases

Published: 2019-07-01 22:18:59

Popularity: 332

Author: Thomas Claburn

Miscreants grabbed sensitive footage belonging to officers in Miami, elsewhere, it is feared In yet another example of absent security controls, troves of police body camera footage were left open to the world for anyone to siphon off, according to an infosec biz.…

July is here – and so are the latest Android security fixes. Plenty of critical updates for all

Published: 2019-07-01 23:20:09

Popularity: 147

Author: Shaun Nichols

Patch, punch, it's the first of the month Google today posted a fresh round of Android security fixes.…

Iran's blame-it-on-Bitcoin 'leccy shortage probably isn't a US hack cover story... yet

Published: 2019-06-28 18:45:48

Popularity: 99

Author: Gareth Corfield

But just imagine Stuxnet: Consumer Edition Comment  Iran claims that recent surges in electricity demand, leading to blackouts and brownouts, were caused by too many cryptocurrency miners’ power-hungry machines being hooked up to the national grid – though all may not be as it seems.…

2001: Linux is cancer, says Microsoft. 2019: Hey friends, ah, can we join the official linux-distros mailing list, plz?

Published: 2019-06-27 19:13:32

Popularity: 1477

Author: Richard Speed

Windows giant cheered on by Linux Foundation as it seeks membership of private security-focused message board Microsoft's transformation into a fully paid-up member of the Linux love-train continued this week as the Windows giant sought to join the exclusive club that is the official linux-distros mailing list.…

Millions of Windows Dell PCs need patching: Give-me-admin security gremlin found lurking in bundled support tool

Published: 2019-06-20 22:21:53

Popularity: 316

Author: Shaun Nichols

Can't spell SupportAssist without 'ass' and 'u' – other makers may be hit, too Updated  Dell's troubleshooting software SupportAssist, bundled with the US tech titan's home and business computers, has a security flaw that can be exploited by malware and rogue logged-in users to gain administrator powers.…

Iran is doing to our networks what it did to our spy drone, claims Uncle Sam: Now they're bombing our hard drives

Published: 2019-06-24 19:35:43

Popularity: 536

Author: Shaun Nichols

Tehran's hackers are 'wiping' infected machines as tensions spike, fresh sanctions approved Hackers operating on behalf of the Iranian government have turned destructive, the US Department of Homeland Security has claimed.…

What the cell...? Telcos around the world were so severely pwned, they didn't notice the hackers setting up VPN points

Published: 2019-06-25 03:18:05

Popularity: 94

Author: Shaun Nichols

Revealed: Long-running espionage campaign targets phone carriers to snoop on VIPs' location, call records Hackers infiltrated the networks of at least ten cellular telcos around the world, and remained hidden for years, as part of a long-running tightly targeted surveillance operation, The Register has learned. This espionage campaign is still ongoing, it is claimed.…

Spin the wheel and find today's leaky cloud DB... *clack clack... clack* A huge trove of medical malpractice complaints

Published: 2019-06-18 22:58:11

Popularity: 84

Author: Shaun Nichols

150,000 personal records on people, including US veterans, upset with their healthcare In what has become a depressingly common occurrence, the personal information of hundreds of thousands of people may have fallen into the wrong hands because yet another organization did not secure a cloud-hosted database.…

Black Hat USA axes anti-abortion congressman as keynote speaker after outcry – and more news from infosec land

Published: 2019-06-15 07:25:06

Popularity: 120

Author: Shaun Nichols

Your quick guide to hacks, patches and scandal Roundup  Here's a quick roundup of recent infosec news beyond what we've already reported.…

Yubico YubiKey lets you be me: Security blunder sparks recall of govt-friendly auth tokens

Published: 2019-06-13 21:57:06

Popularity: 95

Author: Shaun Nichols

For FIPS sake! Yubico is recalling one of its YubiKey lines after the authentication dongles were found to have a security weakness.…

Telegram CEO calls out rival Signal, claiming it has ties to US government

Published: 2024-05-14 14:30:13

Popularity: 24

Author: Matthew Connatser

Drama between two of the leading secure messaging services Telegram CEO Pavel Durov issued a scathing criticism of Signal, alleging the messaging service is not secure and has ties to US intelligence agencies.…

Iran most likely to launch destructive cyber-attack against US – ex-Air Force intel analyst

Published: 2024-05-10 21:01:07

Popularity: 13

Author: Jessica Lyons

But China's the most technologically advanced Interview  China remains the biggest cyber threat to the US government, America's critical infrastructure, and its private-sector networks, the nation's intelligence community has assessed.…

Dropbox dropped the ball on security, haemorrhaging customer and third-party info

Published: 2024-05-02 00:58:10

Popularity: 18

Author: Simon Sharwood

Only from its digital doc-signing service, which is isolated from its cloudy storage Dropbox has revealed a major attack on its systems that saw customers' personal information accessed by unknown and unauthorized entities.…

Infosec biz boss accused of BS'ing the world about his career, anti-crime product, customers

Published: 2024-05-01 18:58:08

Popularity: 14

Author: Jessica Lyons

Intrusion investors went through Blount farce trauma, says SEC Jack Blount, the now-ex CEO of Intrusion, has settled with the SEC over allegations he made false and misleading statements about his infosec firm's product as well as his own background and experience.…

Flaws in Chinese keyboard apps leave 750 million users open to snooping, researchers claim

Published: 2024-04-26 05:33:17

Popularity: 27

Author: Simon Sharwood

Huawei is OK, but Xiaomi, OPPO, and Samsung are in strife. And Honor isn't living its name Many Chinese keyboard apps, some from major handset manufacturers, can leak keystrokes to determined snoopers, leaving perhaps three quarters of a billion people at risk according to research from the University of Toronto’s Citizen Lab.…

Management company settles for $18.4M after nuclear weapons plant staff fudged their timesheets

Published: 2024-04-24 15:00:09

Popularity: 9

Author: Connor Jones

The firm 'fessed up to staff misconduct and avoided criminal liability A company contracted to manage an Amarillo, Texas nuclear weapons facility has to pay US government $18.4 million in a settlement over allegations that its atomic technicians fudged their timesheets to collect more money from Uncle Sam.…

Critical Fluent Bit bug affects all major cloud providers, say researchers

Published: 2024-05-21 17:45:15

Popularity: 17

Author: Connor Jones

Crashes galore, plus especially crafty crims could use it for much worse Infosec researchers are alerting the industry to a critical vulnerability in Fluent Bit – a logging component used by a swathe of blue chip companies and all three major cloud providers.…

Command senior chief busted for secretly setting up Wi-Fi on US Navy combat ship

Published: 2024-06-04 20:04:06

Popularity: 58

Author: Matthew Connatser

LLM Says: "Sneaky sailor"

In the Navy, no, you cannot have an unauthorized WLAN. In the Navy, no, that's not a good plan The US Navy has cracked down on an illicit Wi-Fi network installed on a combat ship by demoting the senior enlisted leader who ordered it to be set up.…

OpenSSF sings a Siren song to steer developers away from buggy FOSS

Published: 2024-05-20 23:06:10

Popularity: 11

Author: Brandon Vigliarolo

LLM Says: "Siren song of bugs"

New infosec intelligence service aims to spread the word about recently discovered vulns in free code Securing open source software may soon become a little bit easier thanks to a new vulnerability info-sharing effort initiated by the Open Source Security Foundation (OpenSSF).…

GitHub Enterprise Server patches 10-outta-10 critical hole

Published: 2024-05-22 07:31:09

Popularity: 14

Author: Matthew Connatser

LLM Says: "Critical fail 🔥👀"

On the bright side, someone made up to $30,000+ for finding it GitHub has patched its Enterprise Server software to fix a security flaw that scored a 10 out of 10 CVSS severity score.…

'China-aligned' spyware slingers operating since 2018 unmasked at last

Published: 2024-05-23 03:47:12

Popularity: 12

Author: Matthew Connatser

LLM Says: "spies outed"

Unfading Sea Haze adept at staying under the radar Bitdefender says it has tracked down and exposed an online gang that has been operating since 2018 nearly without a trace – and likely working for Chinese interests.…

Suspected supply chain attack backdoors courtroom recording software

Published: 2024-05-24 20:29:11

Popularity: 10

Author: Connor Jones

LLM Says: "Backdoored audio"

An open and shut case, but the perps remain at large – whoever they are Justice is served… or should that be saved now that audio-visual software deployed in more than 10,000 courtrooms is once again secure after researchers uncovered evidence that it had been backdoored for weeks.…

Release the hounds! Securing datacenters may soon need sniffer dogs

Published: 2024-07-18 00:54:10

Popularity: 7

Author: Simon Sharwood

LLM Says: "Sniff out security"

Nothing else can detect attackers with implants designed to foil physical security Sniffer dogs may soon become a useful means of improving physical security in datacenters, as increasing numbers of people are adopting implants like NFC chips that have the potential to enable novel attacks on access control tools.…

Kaspersky challenges US government to put up or shut up about Kremlin ties

Published: 2024-07-18 16:29:05

Popularity: 30

Author: Jessica Lyons

LLM Says: "Bring it on!"

Stick an independent probe in our software, you won't find any Putin.DLL backdoor Kaspersky has hit back after the US government banned its products – by proposing an independent verification that its software is above board and not backdoored by the Kremlin.…

CrowdStrike's Falcon Sensor also linked to Linux kernel panics and crashes

Published: 2024-07-21 23:51:18

Popularity: 182

Author: Simon Sharwood

LLM Says: "System Crash"

Rapid restore tool being tested as Microsoft estimates 8.5M machines went down Updated  CrowdStrike's now-infamous Falcon Sensor software, which last week led to widespread outages of Windows-powered computers, has also been linked to crashes of Linux machines.…

Alphabet's reported $23B bet on Wiz fizzles out

Published: 2024-07-23 14:32:12

Popularity: 10

Author: Richard Speed

LLM Says: "Fizzing out"

Cybersecurity outfit to go its own way to IPO and $1B ARR On the day of Alphabet's Q2 earnings call, cybersecurity firm Wiz has walked from a $23 billion takeover bid by Google's parent company.…

Patch management still seemingly abysmal because no one wants the job

Published: 2024-07-25 07:27:06

Popularity: 10

Author: Brandon Vigliarolo

LLM Says: "No one wants the task"

Are your security and ops teams fighting to pass the buck? Comment  Patching: The bane of every IT professional's existence. It's a thankless, laborious job that no one wants to do, goes unappreciated when it interrupts work, and yet it's more critical than ever in this modern threat landscape.…

Kaspersky says Uncle Sam snubbed proposal to open up its code for third-party review

Published: 2024-07-25 12:01:14

Popularity: 10

Author: Jessica Lyons

LLM Says: "Government secrecy 🤐"

Those national security threat claims? 'No evidence,' VP tells The Reg Exclusive  Despite the Feds' determination to ban Kaspersky's security software in the US, the Russian business continues to push its proposal to open up its data and products to independent third-party review – and prove to Uncle Sam that its code hasn't been and won't be compromised by Kremlin spies.…

FYI: Data from deleted GitHub repos may not actually be deleted

Published: 2024-07-25 19:51:32

Popularity: 15

Author: Thomas Claburn

LLM Says: "Still accessible"

And the forking Microsoft-owned code warehouse doesn't see this as much of a problem Researchers at Truffle Security have found, or arguably rediscovered, that data from deleted GitHub repositories (public or private) and from deleted copies (forks) of repositories isn't necessarily deleted.…

Post-CrowdStrike, Microsoft to discourage use of kernel drivers by security tools

Published: 2024-07-29 06:30:14

Popularity: 26

Author: Simon Sharwood

LLM Says: "Driver's Seat"

Now there's an idea – parsing config data in user mode Updated  Microsoft has vowed to reduce cybersecurity vendors' reliance on kernel-mode code, which was at the heart of the CrowdStrike super-snafu this month.…

This uni thought it would be a good idea to do a phishing test with a fake Ebola scare

Published: 2024-08-22 10:32:13

Popularity: 22

Author: Thomas Claburn

LLM Says: "Ebola Alert"

Needless to say, it backfired in a big way University of California Santa Cruz (UCSC) students may be relieved to hear that an emailed warning about a staff member infected with the Ebola virus was just a phishing exercise.…

Using 1Password on Mac? Patch up if you don’t want your Vaults raided

Published: 2024-08-08 13:45:09

Popularity: 43

Author: Connor Jones

LLM Says: "Vaults getting hacked"

Hundreds of thousands of users potentially vulnerable Password manager 1Password is warning that all Mac users running versions before 8.10.36 are vulnerable to a bug that allows attackers to steal vault items.…

US indicts duo over alleged Swatting spree that targeted elected officials

Published: 2024-08-29 22:28:14

Popularity: 12

Author: Iain Thomson

LLM Says: "SWAT TEAM INVADES"

Apparently made over 100 fake crime reports and bomb threats The US government has indicted two men for allegedly reporting almost 120 fake emergencies or crimes in the hope of provoking action by armed law enforcement agencies.…

Intel's Software Guard Extensions broken? Don't panic

Published: 2024-08-27 19:59:33

Popularity: 14

Author: Iain Thomson

LLM Says: "Bug alert!"

More of a storm in a teacup Today's news that Intel's Software Guard Extensions (SGX) security system is open to abuse may be overstated.…

Proof-of-concept code released for zero-click critical IPv6 Windows hole

Published: 2024-08-28 21:20:12

Popularity: 19

Author: Iain Thomson

LLM Says: "Critical Hole"

If you haven't deployed August's patches, get busy before others do Windows users who haven't yet installed the latest fixes to their operating systems will need to get a move on, as code now exists to exploit a critical Microsoft vulnerability announced by Redmond two weeks ago.…

CrowdStrike's meltdown didn't dent its market dominance … yet

Published: 2024-08-29 02:27:08

Popularity: 12

Author: Jessica Lyons

LLM Says: "Server not found"

Total revenue for Q2 grew 32 percent CrowdStrike's major meltdown a month ago doesn't look like affecting the cyber security vendor's market dominance anytime soon, based on its earnings reported Wednesday.…

Rock Chrome hard enough and get paid half a million

Published: 2024-08-29 16:30:12

Popularity: 7

Author: Thomas Claburn

LLM Says: "💸💥🔨💰"

Google revises Chrome Vulnerability Rewards Program with higher payouts for bug hunters Google's Chrome Vulnerability Rewards Program (VRP) is now significantly more rewarding – with a top payout that's at least twice as substantial.…

UK trio pleads guilty to running $10M MFA bypass biz

Published: 2024-09-03 21:30:07

Popularity: 19

Author: Brandon Vigliarolo

LLM Says: "Phishing for cash"

Crew bragged they could help crooks raid victims' bank accounts Updated  A trio of men have pleaded guilty to running a multifactor authentication (MFA) bypass ring in the UK, which authorities estimate has raked in millions in less than two years. …

White House thinks it's time to fix the insecure glue of the internet: Yup, BGP

Published: 2024-09-03 22:34:09

Popularity: 12

Author: Thomas Claburn

LLM Says: "Routed fail GIF"

Better late than never The White House on Tuesday indicated it hopes to shore up the weak security of internet routing, specifically the Border Gateway Protocol (BGP).…

Telegram apologizes to South Korea and takes down smutty deepfakes

Published: 2024-09-04 04:28:14

Popularity: 10

Author: Simon Sharwood

LLM Says: "NSFW fail"

Unclear if this is a sign controversial service is cleaning up its act everywhere Controversial social network Telegram has co-operated with South Korean authorities and taken down 25 videos depicting sex crimes.…

Security biz Verkada to pay $3M penalty under deal that also enforces infosec upgrade

Published: 2024-09-05 04:28:07

Popularity: 10

Author: Iain Thomson

LLM Says: "Fine print alert"

Allowed access to 150K cameras, some in sensitive spots, but has been done for spamming Physical security biz Verkada has agreed to cough up $2.95 million following an investigation by the US Federal Trade Commission (FTC) – but the payment won’t make good its past security failings, including a blunder that led to CCTV footage being snooped on by miscreants. Instead, the fine is about spam.…

Security boom is over, with over a third of CISOs reporting flat or falling budgets

Published: 2024-09-05 14:34:10

Popularity: 12

Author: Iain Thomson

LLM Says: "Security Bust"

Good news? Security is still getting a growing part of IT budget It looks like security budgets are coming up against belt-tightening policies, with chief security officers reporting budgets rising more slowly than ever and over a third saying their spending this year will be flat or even reduced.…

To patch this server, we need to get someone drunk

Published: 2024-09-06 07:28:05

Popularity: 13

Author: Simon Sharwood

LLM Says: "Drunk coding"

When maintenance windows are hard to open, a little lubrication helps On Call  The Register understands consuming alcohol is quite a popular way to wind down from the working week, but each Friday we get the party started early with a new and sober instalment of On Call, the reader contributed column in which you share stories about the emotional hangovers you've earned delivering tech support.…
