U.S. Top Law Enforcement Call Strong Encryption a ‘Serious Problem’
BOSTON—Top U.S. law enforcement and policy makers touched the third-rail issue of encryption Wednesday with several high-ranking officials lamenting their inability to crack open phones, laptops and communications protected with strong encryption. U.S. Deputy Attorney General Rod Rosenstein made...
Latin American ATM Thieves Turning to Hacking
MADRID—ATM jackpotting is hardly a novelty act in Latin America where criminals are more than ever connecting with hackers to figure out how to more efficiently steal money from an automated teller than, say, by using a stick of dynamite. No, it’s not uncommon to hear about thefts in Brazil,...
Inside the CCleaner Backdoor Attack
MADRID—As the investigation continues into the backdoor planted inside CCleaner, two members of parent company Avast’s threat intelligence team said today the desktop and cloud versions of the popular software contained different payloads. The revelation was made during a talk at Virus Bulletin...
Pundits Say Attackers Redefining Objectives, Approaches
BOSTON—The nature of cyberattacks is changing and increasingly leveraging social media as they take aim at new targets. That’s the consensus of cybersecurity experts discussing the evolving nature of threats from nation states to hackers for hire. That’s not to say ransomware is going anywhere...
Experts Have Sobering Message on Human Rights, Privacy for Security Pros
MADRID—Continuing a theme that picked up momentum at Black Hat this summer, two influential speakers at Virus Bulletin today painted grim pictures of the threats to physical safety and civil liberties posed by commercial spyware and high-end surveillance software often sold to governments. The ca...
Costin Raiu and Juan Andres Guerrero-Saade on APT Fourth-Party Collection
Costin Raiu and Juan Andres Guerrero-Saade talk to Mike Mimoso live from Virus Bulletin in Madrid about APTs leveraging one another’s attacks and compromised machines as their own. The practice, known as fourth-party collection, is wreaking havoc for researchers with regard to attribution...
Cloudflare CTO Goes Inside the Cloudbleed Bug
MADRID—John Graham-Cumming presided over a confessional Wednesday at Virus Bulletin 2017. Cloudflare’s chief technology officer was frank and apologetic about February’s Cloudbleed bug, which leaked memory from the content delivery network that included internal private keys and authentication...
2013 Yahoo Breach Affected All 3 Billion Accounts
A massive breach of Yahoo’s systems in 2013 impacted every account in existence at the time, the company said last night in a new filing with the Securities and Exchange Commission. Yahoo disclosed the breach last December when it revealed that it believed 1 billion accounts were compromised. Las...
Five Critical Android Bugs Get Patched in October Update
Five critical vulnerabilities were reported by Google Monday as part of its October Android Security Bulletin. In all, 14 patches were issued for corresponding vulnerabilities, ranging from critical to high. The relatively low bug count for the month of October is due to the fact this month Google...
Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies
Equifax, the credit agency behind this summer’s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased. Paulino do Rego Barros, Jr., the company’s interim CEO, announced Monday that 2.5 million additional Americans were also impacted, bringing...
Google Warns of DoS and RCE Bugs in Dnsmasq
Seven flaws in what is known as Dnsmasq can be exploited by attackers who can use the bugs to carry out remote code execution, information exposure or denial of service attacks against affected devices. Google researchers identified the flaws in a research paper published Monday, the same day a...
Netgear Fixes 50 Vulnerabilities in Routers, Switches, NAS Devices
Netgear recently issued 50 patches for its routers, switches, NAS devices, and wireless access points to resolve vulnerabilities ranging from remote code execution bugs to authentication bypass flaws. Twenty of the patches address “high” vulnerability issues with the remaining 30 scored as “mediu...
Judge: FBI Can Keep iPhone Crack and Price Secret
The FBI can keep secret the controversial details about how much it paid and who it hired to unlock a terrorist’s iPhone 5C in 2016. In a judgment .PDF released late Saturday, Judge Tanya Chutkan for the United States District Court for the District of Columbia, sided with the FBI’s reasoning tha...
Gary McGraw on BSIMM8 and Software Security
Software security pioneer Gary McGraw talks to Mike Mimoso about the latest iteration of the Building Security In Maturity Model (BSIMM) report. BSIMM is a snapshot of how some of the world’s biggest tech companies and enterprises are handling secure development practices. Gary talks about some of...
Siemens Patches Improper Access Vulnerability in Ruggedcom Protocol
Industrial manufacturer Siemens is encouraging users running devices that use its Ruggedcom Discovery Protocol (RCDP) to apply firmware updates this week. The updates resolve a serious and remotely exploitable vulnerability that could let an attacker carry out administrative actions. The issue, an...
ICANN Postpones Scheduled DNS Crypto Key Rollover
ICANN, the overseer of the Internet’s namespace, announced this week that it was postponing a scheduled change to the cryptographic key that protects the Domain Name System. ICANN said in a statement that the change was to occur on Oct. 11, but new data indicates that a “significant number” of...
On the macOS Keychain Attack, Signal’s New Contact Service, the Deloitte Hack, and More
Mike Mimoso and Chris Brook recap the news of the week, including the macOS Keychain attack, Signal’s new private contact discovery service, the Deloitte hack, and a handful of mobile stock trading app vulnerabilities. Download: ThreatpostNewsWrapSeptember292017.mp3 Music by Chris Gonsalves Show...
Macs Not Receiving EFI Firmware Security Updates as Expected
Since the Thunderstrike bootkit attacks targeting Apple firmware were disclosed in 2015, Apple has bundled subsequent EFI updates with its regular macOS security and software updates in an attempt to improve protection around its hardware. Researchers at Duo Security, however, have uncovered that...
Google to Enforce HSTS on TLDs it Operates
Google said this week it would enforce HSTS on 45 Top Level Domains it operates. HSTS, or HTTP Strict Transport Security, forces HTTPS on client connections to webservers and is a key part of the strategy to encrypt the web. Google is the registry for many new TLDs and said that it will start...
Civil Liberties Activists Hit By Phishing Campaign
Digital civil liberties activists were hit with a barrage of phishing emails earlier this summer designed to wrest away business credentials. Activists with Fight for the Future, a nonprofit that’s campaigned against backdoors in mobile phones and for Net neutrality, and Free Press, a group that...
Windows Defender Bypass Tricks OS into Running Malicious Code
Researchers have developed a method for bypassing Windows Defender that will allow any malware to execute on a Windows machine. Microsoft, meanwhile, has told the experts that it does not see this as a security issue and will not address the problem in its native antimalware protection. A request...
Gatekeeper Alone Won’t Mitigate Apple Keychain Attack
Apple’s advice to rely on Gatekeeper as a mitigation against a Keychain attack disclosed this week by researcher Patrick Wardle doesn’t fully address the risk. Experts, Wardle included, said that while Gatekeeper is a solid measure in preventing unsigned code from executing on a macOS machine, it...
Signal Testing New Private Contact Discovery Service
Open Whisper Systems, the company behind the encrypted messaging app Signal, is testing a new private contact discovery service that in theory will allow the app to determine if a user has Signal contacts in their address book but forbid its servers from accessing the users’ address book. Moxie...
Remote Wi-Fi Attack Backdoors iPhone 7
Google on Tuesday disclosed details and a proof-of-concept exploit for a Wi-Fi firmware vulnerability in Broadcom chipsets patched this week in iOS 11. The attack enables code execution and persistent presence on a compromised device. “The exploit gains code execution on the Wi-Fi firmware on the...
Oracle Patches Apache Struts, Reminds Users to Update Equifax Bug
Oracle released fixes for a handful of recently patched Apache Struts 2 vulnerabilities, including a critical remote code execution vulnerability CVE-2017-9805 that could let an attacker take control of an affected system, late last week. The Apache Software Foundation patched the RCE...
macOS High Sierra Available—And Vulnerable to Keychain Attack
Apple made its latest OS update available Monday, but the release of High Sierra was tainted somewhat by the fact it comes replete with a critical vulnerability that allows an attacker to dump plaintext passwords from the macOS Keychain. Researcher Patrick Wardle, chief security researcher at...
Mobile Stock Trading App Providers Unresponsive to Glaring Vulnerabilities
More than 20 of the most popular mobile trading applications used by consumers and day-traders for securities transactions contain glaring vulnerabilities that could allow attackers to sniff personal data or steal money from accounts. Researchers from IOActive today published a report describing...
Deloitte: ‘Very Few Clients’ Impacted by Cyber Attack
Deloitte, one of the “big four” global accounting firms, admitted Monday it fell victim to a cyber attack, but downplayed the incident, saying it only affected a few of its high-profile clients. Details around the incident are hazy, but according to The Guardian, which broke the news Monday morning...
Android Lockscreen Patterns Less Secure Than PINs
An academic study set out to prove whether it’s better to protect your Android phone with a PIN or a swipe pattern. The answer is PIN. At least when it comes to proximity attacks, namely someone lurking about trying to guess your PIN or unlock pattern. The study PDF, published Friday by researche...
Chris Vickery on Amazon S3 Data Leaks
Mike Mimoso talks to Chris Vickery of UpGuard about the recent rash of Amazon S3 data leaks. Vickery uncovers some of the commonalities among these leaks, which include AWS misconfigurations and mismanagement of third-party partner relationships. Download: ChrisVickeryonAmazonS3DataLeaks.mp3...
Adobe Private PGP Key Leak a Blunder, But It Could Have Been Worse
Adobe suffered at a minimum a PR black eye on Friday when one of its private PGP keys was inadvertently published to its Product Incident Security Response Team (PSIRT) blog. The company’s public and private key pair were published together, both of which could be used to either decrypt messages se...
Verizon Wireless Internal Credentials, Infrastructure Details Exposed in Amazon S3 Bucket
Organizations continue to leak data through publicly accessible Amazon S3 buckets, pointing a harsh finger at continued lax attitudes toward the custodianship of sensitive data. Verizon is the latest business affected by this epidemic, leaking in this case files marked confidential from an intern...
EternalBlue Exploit Used in Retefe Banking Trojan Campaign
Criminals behind the Retefe banking Trojan have added a new component to their malware that uses the NSA exploit EternalBlue. The update makes Retefe the latest malware family to adopt the SMBv1 attack against a patched Windows vulnerability, and could signal an emerging trend, said researchers a...
2016 SEC Hack May Have Benefited Insider Trading
The U.S. Securities and Exchange Commission, the watchdog of Wall Street, said this week that hackers infiltrated one of its systems last year, something that likely facilitated insider trading. The SEC waited nearly nine months to disclose the hack. SEC Chairman Jay Clayton devoted four sentence...
Samba Update Patches Two SMB-Related MiTM Bugs
Samba this week released three security updates, including two related to SMB connections that could be abused by an attacker already on the network to hijack connections and manipulate traffic or data sent from a client. The most serious of the bugs is CVE-2017-12150 where with certain...
What's New In Android 8.0 Oreo Security
In addition to the many tweaks and new features in Google’s Android 8.0 Oreo operating system introduced last month, the biggest changes are its security enhancements. Oreo security additions are meaningful and go far beyond what recent OS updates have brought to the table. With Android Oreo...
Threatpost News Wrap, September 22, 2017
Mike Mimoso and Chris Brook recap the news of the week and look back at the Equifax saga so far. They also discuss a Google HTTPS warnings paper, cryptocurrency mining at the Pirate Bay, and bringing machine learning to passwords. Download: ThreatpostNewsWrapSeptember222017.mp3 Show notes: Equifa...
Iranian APT33 Targets U.S. Firms with Destructive Malware
The Iranian group known as APT33 is believed to be behind a cyberespionage campaign targeting aerospace, petrochemical and energy sector firms located in the United States, Saudi Arabia and South Korea. The group’s latest attack leverages a dropper called DropShot that is tied to the StoneDrill...
Joomla Patches Eight-Year-Old LDAP Injection Vulnerability
Joomla on Tuesday patched a critical vulnerability that had lingered in the content management system for eight years. It’s unknown whether the bug had been publicly exploited before it was privately reported in July, but an attacker could have leveraged the flaw to steal administrator login...
What Triggers HTTPS Chrome Browser Warnings?
A lot of hours go into debugging the cause of and tweaking the HTTPS error warnings that pop up in Google’s Chrome browser. Researchers from Google, Purdue University, the International Institute of Information Technology Hyderabad, and the Leibniz University of Hanover Germany have spent the las...
Malware Steals Data From Air-Gapped Network via Security Cameras
Proof-of-concept malware called aIR-Jumper can be used to defeat air-gapped network protections and send data in and out of a targeted network. The technique uses security cameras and infrared LED lights that can blink back and forth to each other transmitting data that has been converted into da...
Deep-Learning PassGAN Tool Improves Password Guessing
Artificial intelligence and deep learning are creeping into information security, and one of the early applications of those approaches has emerged and is focused on passwords. Researchers from the Stevens Institute of Technology and the New York Institute of Technology have recently published so...
Cloud-focused Firms Earn High Marks for Software Security in BSIMM8 Report
Companies pushing the cloud envelope are most likely to run safer cleaner code. On the flip side, as the healthcare industry embraces an increasingly software-driven business model, it is struggling to keep up with its peers when it comes to software security. Those are some of the takeaways from...
iOS 11 Update includes Patches for Eight Vulnerabilities
iOS 11 is out today and, along with a new look and feel on the iPad especially, comes a handful of patches for the Apple mobile OS. Apple addressed eight CVEs in today’s iOS update, and 15 overall as it also updated Safari and the Xcode development framework. Two WebKit bugs, CVE-2017-7106 and...
Equifax Suffered Earlier Breach in March
In addition to this summer’s massive attack, Equifax suffered an earlier breach of its systems in March, the company revealed Monday. While the company has been relatively transparent around May’s breach related to 143 million U.S. consumers, details around March’s breach, including how its syste...
Risks Limited With Latest Apache Bug, Optionsbleed
Servers running Apache software are susceptible to memory leaks that an attacker could theoretically piece together to learn secrets transmitted during a session. But the risk is most pressing only in shared hosting environments apparently, and only if the software is running a certain rare...
Attackers Use Undocumented MS Office Feature to Leak System Profile Data
An undocumented Microsoft Office feature allows attackers to gather sensitive configuration details on targeted systems simply by tricking recipients to open a specially crafted Word document—no VBA macros, embedded Flash objects or PE files needed. The undocumented feature is being used by...
Pirate Bay Spotted Hosting Monero Cryptocurrency Miner
A cryptocurrency miner surfaced on the world’s largest torrenting site for a day over the weekend, raising the ire of users unaware the tool was there, let alone leveraging their machine’s computing power. Users noticed the miner Friday night on The Pirate Bay, a site that acts as a treasure trov...
Rogue WordPress Plugin Allowed Spam Injection
A popular WordPress plugin called Display Widgets running on 200,000 sites was removed from the official WordPress.org plugin repository after researchers discovered the plugin had a backdoor that was injecting spam ads into victims’ sites. According to researchers at Wordfence who publicly...
VMware Patches Bug That Allows Guest to Execute Code on Host
Users who run four different types of VMware products, ESXi, vCenter Server, Fusion and Workstation, are being encouraged to update to address a series of vulnerabilities, one critical. The most serious issue, an out-of-bounds write vulnerability, exists in ESXi, and desktop hypervisors...