News

Cyberattackers are targeting a pair of just-patched vulnerabilities that allow remote unauthenticated information disclosure leading to remote code-execution.

The development team of the vulnerable Total Donations plugin appears to have abandoned it, and did not respond to inquiries from researchers.

A. Bad things from 2008 we can't seem to shake

A piece of banking malware that first debuted more than a decade ago is once again wrecking havoc.…

...PHP's PEAR sabotaged for months, and more from the world of infosec

Roundup  This week we saw Hadoop hacks, Exchange exploits, and Deadpool besting scammers.…

LabKey Server version 18.3.0-61806.763, released on January 16, patches all three issues, so users should update as soon as possible.

Takeover leads to consolidation? Unfathomable (adjusted for sarcasm)

Analysis  In an unprecedented decision that has left tech observers struggling to contain their shock, Facebook has decided to create a common software architecture for its three main apps: Facebook Messenger, Instagram, and WhatsApp.…

Theme park's attempt to shoot down lawsuit snubbed by top judges

Analysis  The Illinois Supreme Court on Friday ruled a family's lawsuit that claims downmarket-Disneyland Six Flags broke the US state's Biometric Privacy Act can proceed.…

From a massive GDPR fine on a big tech company, to an emergency government security alert, here are the top security stories of the week.

A spate of phishing emails with Word attachments deliver both the Gandcrab ransomware and Ursnif executable.

The malware targets victims in multiple, sneaky ways as they move around the web.

Ops director talks to El Reg about continential cybersecurity contrivances

Interview  A senior EU cybersecurity official has said he is “optimistic” about information sharing between the UK and the political bloc continuing after Brexit.…

But thousands opting out in 'backlash', says privacy group

HMRC's database of Brits' voiceprints has grown by 2 million since June – but campaign group Big Brother Watch has claimed success as 160,000 people turned the taxman's requests down.…

Think of the ones you leave behind

Something for the Weekend, Sir?  This place is a mess. No, worse than that: it's a disaster area.…

Easily swapped hashed passwords gives Domain Admin rights via API call. Fix may land next month

Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user with a mailbox to become a Domain Admin.…

Apple fans lured into installing malware via crafty JavaScript

A strain of malware has been clocked using steganography to run malicious JavaScript on Macs via images in online banner ads, it was claimed this week.…

A look at API attack trends such as the current (and failing) architectural designs for addressing security of these API transactions.

Webex, security, IoT systems also need patches

Cisco's irregular patch cycle has come round again and this time the focus is on the company's SD-WAN product.…

Credential compromise emerged the main target for phishing campaigns in 2018 - rather than infecting victims' devices with malware.

Didn't see that coming

Google is to appeal the €50m data protection fine handed down to it by the French data protection agency earlier this week.…

Perpetrators are using smaller, bit-and-piece methods to inject junk into legitimate traffic, causing attacks to bypass detection rather than sounding alarms with large, obvious attack spikes.