The Register

Biting the hand that feeds IT — Enterprise Technology News and Analysis

Death to one-time text codes: Passkeys are the new hotness in MFA

11 hours 54 min ago
Wanna know a secret?

Whether you're logging into your bank, health insurance, or even your email, most services today do not live by passwords alone. Now commonplace, multifactor authentication (MFA) requires users to enter a second or third proof of identity. However, not all forms of MFA are created equal, and the one-time passwords orgs send to your phone have holes so big you could drive a truck through them.…

Categories: News

Crims using social media images, videos in 'virtual kidnapping' scams

Fri, 05/12/2025 - 23:23
Proof of life? Or an active social media presence?

Criminals are altering social media and other publicly available images of people to use as fake proof of life photos in "virtual kidnapping" and extortion scams, the FBI warned on Friday.…

Novel clickjacking attack relies on CSS and SVG

Fri, 05/12/2025 - 21:55
Who needs JavaScript?

Security researcher Lyra Rebane has devised a novel clickjacking attack that relies on Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS).…

Cloudflare blames Friday outage on borked fix for React2shell vuln

Fri, 05/12/2025 - 21:46
Security community needs to rally and share more info faster, one researcher says

Amid new reports of attackers pummeling a maximum security hole (CVE-2025-55182) in the React JavaScript library, Cloudflare's technology chief said his company took down its own network, forcing a widespread outage early Friday, to patch React2Shell.…

Asus supplier hit by ransomware attack as gang flaunts alleged 1 TB haul

Fri, 05/12/2025 - 14:51
Laptop maker says a vendor breach exposed some phone camera code, but not its own systems

Asus has admitted that a third-party supplier was popped by cybercrims after the Everest ransomware gang claimed it had rifled through the tech titan's internal files.…

Beijing-linked hackers are hammering max-severity React bug, AWS warns

Fri, 05/12/2025 - 14:10
State-backed attackers started poking flaw as soon as it dropped – anyone still unpatched is on borrowed time

Amazon has warned that China-nexus hacking crews began hammering the critical React "React2Shell" vulnerability within hours of disclosure, turning a theoretical CVSS-10 hole into a live-fire incident almost immediately.…

UK pushes ahead with facial recognition expansion despite civil liberties backlash

Fri, 05/12/2025 - 11:14
Plan would create statutory powers for police use of biometrics, prompting warnings of mass surveillance

The UK government has kicked off plans to ramp up police use of facial recognition, undeterred by a mounting civil liberties backlash and fresh warnings that any expansion risks turning public spaces into biometric dragnets.…

Bots, bias, and bunk: How can you tell what's real on the net?

Fri, 05/12/2025 - 09:30
You can improve the odds by combining skepticism, verification habits, and a few technical checks

Opinion: Liars, cranks, and con artists have always been with us. It's just that nowadays their reach has gone from the local pub to the globe.…

An AI for an AI: Anthropic says AI agents require AI defense

Fri, 05/12/2025 - 00:30
Automated software keeps getting better at pilfering cryptocurrency

Anthropic could have scored an easy $4.6 million by using its Claude AI models to find and exploit vulnerabilities in blockchain smart contracts.…

PRC spies Brickstromed their way into critical US networks and remained hidden for years

Thu, 04/12/2025 - 22:10
'Dozens' of US orgs infected

Chinese cyberspies maintained long-term access to critical networks – sometimes for years – and used this access to infect computers with malware and steal data, according to Thursday warnings from government agencies and private security firms.…

Hegseth needs to go to secure messaging school, report says

Thu, 04/12/2025 - 21:09
He's not alone: DoD inspector general says the whole Defense Department has a messaging security problem

US Defense Secretary Pete Hegseth definitely broke the rules when he sent sensitive information to a Signal chat group, say Pentagon auditors, but he's not the only one using insecure messaging, and everyone needs better training.…

Twins who hacked State Dept hired to work for gov again, now charged with deleting databases

Thu, 04/12/2025 - 19:48
And then they asked an AI to help cover their tracks

Vetting staff who handle sensitive government systems is wise, and so is cutting off their access the moment they're fired. Prosecutors say a federal contractor learned this the hard way when twin brothers previously convicted of hacking-related offenses allegedly used lingering access to delete nearly 100 government databases, including systems tied to Homeland Security and other agencies, within minutes of being terminated.…

Microsoft quietly shuts down Windows shortcut flaw after years of espionage abuse

Thu, 04/12/2025 - 15:01
Silent Patch Tuesday mitigation ends ability to hide malicious commands in .lnk files

Microsoft has quietly closed off a critical Windows shortcut file bug long abused by espionage and cybercrime networks.…

Aisuru botnet turns Q3 into a terabit-scale stress test for the entire internet

Thu, 04/12/2025 - 13:07
Cloudflare data shows 29.7 Tbps record-breaker landed amid 87% surge in network-layer attacks

The internet has spent the past three months ducking for cover as the Aisuru botnet hurled record-shattering DDoS barrages from an army of up to 4 million infected machines.…

TLS 1.3 includes welcome improvements, but still allows long-lived secrets

Thu, 04/12/2025 - 04:30
Tricky tradeoffs are hard to avoid when designing systems, but the choice not to use LLMs for some tasks is clear

Systems Approach: As we neared the finish line for our network security book, I received a piece of feedback from Brad Karp that my explanation of forward secrecy in the chapter on TLS (Transport Layer Security) was not quite right.…

Rust core library partly polished for industrial safety spec

Thu, 04/12/2025 - 01:11
Ferrous Systems achieves IEC 61508 (SIL 2) certification for systems that demand reliability

Memory-safe Rust code can now be more broadly applied in devices that require electronic system safety, at least as measured by International Electrotechnical Commission (IEC) standards.…

'Exploitation is imminent' as 39 percent of cloud environs have max-severity React hole

Wed, 03/12/2025 - 21:55
Finish reading this, then patch

A maximum-severity flaw in the widely used JavaScript library React and several React-based frameworks, including Next.js, allows unauthenticated, remote attackers to execute malicious code on vulnerable instances. The flaw is easy to abuse, and mass exploitation is "imminent," according to security researchers.…

Here’s your worst nightmare: E-tailer resumes partial sales 45 days after ransomware attack

Wed, 03/12/2025 - 06:45
Japan’s Askul still can’t run all its sites, but at least the fax line held up OK

Japanese e-tailer Askul has resumed online sales, 45 days after a ransomware attack.…

Indian government reveals GPS spoofing at eight major airports

Wed, 03/12/2025 - 02:56
Extra infosec investments are taxiing towards the runway

India’s Civil Aviation Minister has revealed that local authorities have detected GPS spoofing and jamming at eight major airports.…

Two Android 0-day bugs disclosed and fixed, plus 105 more to patch

Tue, 02/12/2025 - 18:47
Christmas comes early for attackers this year

Two high-severity Android bugs were exploited as zero-days before Google issued a fix, according to its December Android security bulletin.…
