News

Building a culture of security

Sponsored  Ask anyone in IT what it is that keeps them awake at night and most will probably reply “security”. Drill down into what specifically worries them and you’ll probably discover that it’s not the technology part but, rather, how to get the workforce to take security more seriously.…

Tales of terrible security, poor compartmentalization, and more, emerge from the Schulte hearings

Analysis  The fate of the man accused of leaking top-secret CIA hacking tools – software that gave the American spy agency access to targets' phones and computer across the world – is now in the hands of a jury. And, friend, do they have their work cut out for them.…

Lax DNS leaves door wide open for miscreants to impersonate Windows giant on its own websites

If you saw a link to mybrowser.microsoft.com, would you have trusted it? Downloaded and installed an Edge update from it? How about identityhelp.microsoft.com to change your password?…

600,000 Clubcards at risk earlier this week, said supermarket

Data stolen from Tesco clubcards could be resold for just £2.70 a pop, reckons a price comparison website that appears to have strayed into the dark web.…

More than a dozen dodgy websites spotted masquerading as the real deal, HTTPS certs and all

What's old is new again as infosec bods are sounding the alarm over a fresh wave of homoglyph characters being used to lure victims to malicious fake websites.…

ICO probe found backup files not password-protected, unpatched web-facing servers, out-of-date OS and more

The Information Commissioner's Office has fined Cathay Pacific Airways £500,000 for leaky security that exposed the personal data of 9.4 million passengers - 111,578 of whom were from the UK.…

Study finds most A320 pilots shrug, ignore dodgy systems and land safely

Airline pilots faced with hacked or spoofed safety systems tend to ignore them – but could cost their airlines big sums of money, an infosec study has found.…

Tons of TLS certs need to be tossed immediately after Go snafu

On Wednesday, March 4, Let's Encrypt – the free, automated digital certificate authority supported by the Internet Security Research Group (ISRG) – will briefly become Let's Revoke, to undo the issuance of more than three million flawed HTTPS certs.…

UK.gov tries the KISS approach to infosec advice for the public

Britain's National Cyber Security Centre (NCSC) wants owners of baby monitors and smart CCTV cameras to take some basic security precautions.…

Owner Troy Hunt staying in the saddle after potential deal falls through

The popular security website Have I Been Pwned (HIBP) will remain independent – despite owner Troy Hunt's decision last year to put the business up for sale.…

Staff found out after seeing their own jobs advertised in India

Exclusive  Maersk is preparing to make 150 job cuts at its UK command-and-control centre (CCC) in Maidenhead – the one that rebuilt the global shipping company's IT infrastructure after the infamous 2017 NotPetya ransomware attack.…

Meanwhile, Sophos finds nasty rootkit, OnlyFans says massive archive not a hack

Roundup  Here's El Reg's fresh slice of all the infosec news – beyond what we've already covered – that you'll need to know as you start your week. Ready? Here we go.…

'We are truly sorry'

Fintech startup Loqbox has fessed up to suffering an "attack" which potentially revealed its customers' names, postal addresses, dates of birth, email addresses and phone numbers.…

UK utility biz suspends internet services

British utility biz Southern Water was the victim of a phishing attack on Wednesday, resulting in a hurried shutdown of some of the company's systems.…

Not OK Google: Android, Siri sink in SurfingAttack

Video  Voice commands encoded in ultrasonic waves can, best case scenario, silently activate a phone's digital assistant, and order it to do stuff like read out text messages and make phone calls, we're told.…

Boring! Where are teh 1337 h4x? We want 1337 h4x

The Iranian cybercrime group that was expected to spearhead the rogue Middle East nation's revenge for the US assassination of General Qasem Soleimani has quite the arsenal at its digital fingertips.…

Due dil 101

Today was meant to be Brit security biz Sophos's last day on the London Stock Exchange following its £3bn purchase by a US venture capital company.…

Merging search and address bar means more data for the tech giants

Microsoft Edge and Yandex are "much more worrisome" compared to Brave, Chrome, Firefox and Safari, according to a paper on browser privacy (PDF) published this week.…

Encryption keys forced to zero by chip-level KrØØk flaw

A billion-plus computers, phones, and other devices are said to suffer a chip-level security vulnerability that can be exploited by nearby miscreants to snoop on victims' encrypted Wi-Fi traffic.…

Section 215 more useless than we suspected yet they still want to keep it

The controversial surveillance program that gave the NSA access to the phone call records of millions of Americans has cost US taxpayers $100m – and resulted in just one useful lead over four years.…