15946 matches found

ThreatPost
added 2017/02/27 3:48 p.m., 16 views

Boeing Notifies 36,000 Employees Following Breach

A Boeing employee inadvertently leaked the personal information of 36,000 of his co-workers late last year when he emailed a company spreadsheet to his non-Boeing spouse. News of the breach surfaced earlier this month after a letter (.PDF) from Boeing’s Deputy Chief Privacy Officer Marie Olson, to...

6.8 AI score
Exploits: 0, References: 3
ThreatPost
added 2017/02/27 1:50 p.m., 31 views

Google Discloses Another 'High Severity' Microsoft Bug

Google Project Zero disclosed Monday a “high severity” vulnerability it found in Microsoft’s Edge and Internet Explorer browsers that could allow remote attackers to execute arbitrary code. The revelation adds yet another vulnerability to a growing list of known bugs Microsoft has been warned...

7.6 CVSS, 7.3 AI score, 0.821 EPSS
Exploits: 11, References: 9
ThreatPost
added 2017/02/27 10:15 a.m., 16 views

Katie Moussouris on Bug Bounty Programs, Hack the Army, and Wassenaar

Mike Mimoso talks to Luta Security’s Katie Moussouris at RSA Conference 2017 about how bug bounty programs have gone mainstream, the success around Hack the Pentagon and Hack the Army, and where things stand with the Wassenaar Arrangement. Download:...

2.8 AI score
Exploits: 0, References: 3
ThreatPost
added 2017/02/27 9:19 a.m., 12 views

Google Releases E2EMail to Open Source

The ongoing struggle to provide encrypted email solutions that aren’t on a PGP level of complexity and difficulty is a real challenge. Google’s attempt at it, called E2EMail, was introduced more than a year ago as an effort to give users a Chrome app that allows for the simple exchange of private...

6.9 AI score
Exploits: 0, References: 3
ThreatPost
added 2017/02/27 7:00 a.m., 8 views

Necurs Botnet Learns New DDoS Trick

The Necurs botnet has learned a new trick. Instead of spewing spam delivering Locky ransomware, the notorious botnet is now capable of launching DDoS attacks. According to BitSight’s Anubis Labs, the malware was modified in September to include a module that adds DDoS capabilities and new proxy...

7.6 AI score
Exploits: 0, References: 1
ThreatPost
added 2017/02/24 5:06 p.m., 10 views

Researchers Uncover New Leads Behind Shamoon2

In a fresh analysis of the Shamoon2 malware, researchers from Arbor Networks’ Security Engineering and Response Team (ASERT) say they have unearthed new leads on the tools and techniques used in the most recent wave of attacks. Shamoon2 surfaced in November, approximately four years after the...

0.6 AI score
Exploits: 0, References: 3
ThreatPost
added 2017/02/24 12:00 p.m., 11 views

Threatpost News Wrap, February 24, 2017

Mike Mimoso and Chris Brook recap RSA and discuss the news of the week including the impact of Cloudflare’s “Cloudbleed” bug, Google breaking SHA-1, and more. Download: ThreatpostNewsWrapFebruary242017.mp3 Music by Chris Gonsalves...

2.6 AI score
Exploits: 0, References: 3
ThreatPost
added 2017/02/24 10:48 a.m., 12 views

Cloudbleed Bug Leaks Sensitive Cloudflare Customer Data

The Cloudflare content delivery network for months has been leaking customer data, everything from private messages to encryption keys and credentials belonging to users of some of the Internet’s biggest properties. The vulnerability has been addressed, Cloudflare CTO John Graham-Cumming said, bu...

7 AI score
Exploits: 0, References: 10
ThreatPost
added 2017/02/23 4:37 p.m., 16 views

Policy Experts Push To Make Vulnerability Equities Process Law

The U.S. government’s role in vulnerability disclosures is a vital part of our national security and should be codified in law, said a group of policy experts at a panel discussion last week at the RSA Conference. The panelists argued that the government’s current process of vulnerability use and...

0.3 AI score
Exploits: 0, References: 1
ThreatPost
added 2017/02/23 1:17 p.m., 15 views

First Practical SHA-1 Collision Attack Arrives

Researchers unveiled on Thursday the first practical collision attack for the 22-year-old cryptographic hash function SHA-1. While long expected, news of the attack, dubbed ‘SHAttered,’ should further accelerate the urgency of sunsetting the maligned algorithm. Researchers from Google, Elie...

7.3 AI score
Exploits: 0, References: 14
ThreatPost
added 2017/02/23 11:11 a.m., 90 views

Impact of New Linux Kernel DCCP Vulnerability Limited

Linux providers are busy developing and pushing out patches for a vulnerability in an obscure networking protocol that could allow a local attacker to crash the kernel and elevate privileges. Google software engineer Andrey Konovalov privately disclosed the vulnerability on Monday. The...

7.2 CVSS, 7.3 AI score, 0.0596 EPSS
Exploits: 13, References: 5
ThreatPost
added 2017/02/23 9:19 a.m., 16 views

Java, Python FTP Injection Attacks Bypass Firewalls

Newly disclosed FTP injection vulnerabilities in Java and Python that are fueled by rather common XML External Entity (XXE) flaws carry the potential to expose sensitive systems to attack. Details about both issues were publicly disclosed this week, but private notifications were made to the Python...

1.1 AI score
Exploits: 0, References: 2
ThreatPost
added 2017/02/23 8:00 a.m., 50 views

Publicly Disclosed Windows Vulnerabilities Await Patches

As a consequence of skipping its February Patch Tuesday release, Microsoft is leaving two publicly disclosed vulnerabilities unpatched with proof-of-concept exploits available for both. That raises the stakes exponentially on possible attacks, said Tod Beardsley, senior research director at Rapid...

7.1 CVSS, 8 AI score, 0.821 EPSS
Exploits: 2, References: 7
ThreatPost
added 2017/02/22 4:46 p.m., 24 views

Criminals Monetizing Attacks Against Unpatched WordPress Sites

Criminals have inevitably begun to attempt to monetize attacks against WordPress sites still vulnerable to a severe REST API endpoint vulnerability silently patched in the recent 4.7.2 security update. While more than one million websites have been defaced, researchers are now beginning to see so...

6.9 AI score
Exploits: 0, References: 5
ThreatPost
added 2017/02/22 1:44 p.m., 9 views

Google Upspin Secure File-Sharing Released to Open Source

Google has released to open source new file-sharing interfaces and protocols it calls Upspin that allow users to securely share files using a global namespace rather than uploading and downloading content or sharing it first with a web-based service. Upspin is largely a consumer tool, Google said...

6.8 AI score
Exploits: 0, References: 4
ThreatPost
added 2017/02/22 1:41 p.m., 18 views

Intermediate CA Caching Could Be Used to Fingerprint Firefox Users

The way that Firefox caches intermediate CA certificates could open the door to the fingerprinting of users and the leaking of browsing details, a researcher warned this week. Alexander Klink, a security researcher based in Germany, discovered the issue and reported it to Mozilla in January but...

7.4 AI score
Exploits: 0, References: 11
ThreatPost
added 2017/02/21 4:08 p.m., 10 views

Data Stealing Malware TeamSpy Resurfaces in Spam Campaign

After almost a four-year respite, the data-stealing TeamSpy malware has resurfaced, or at least that’s what a spam campaign detected over the weekend suggests, researchers say. Researchers at the CrySyS Lab in Hungary originally identified the malware back in March 2013 when they traced it back t...

1.1 AI score
Exploits: 0, References: 3
ThreatPost
added 2017/02/21 4:02 p.m., 45 views

OpenSSL Update Fixes High Severity DoS Vulnerability

The OpenSSL Software Foundation released an update to the OpenSSL crypto library that patches a vulnerability rated high severity that could allow a remote attacker to cause a denial-of-service condition. OpenSSL released the version 1.1.0e update that fixes flaws found in OpenSSL 1.1.0, accordin...

5 CVSS, 1.2 AI score, 0.14338 EPSS
Exploits: 1, References: 5
ThreatPost
added 2017/02/21 1:02 p.m., 53 views

Google Discloses Unpatched Microsoft Vulnerability

Google’s security researchers disclosed details of an unpatched Microsoft vulnerability in Windows’ GDI library that allows attackers to steal sensitive data from program memory. The flaw was first addressed by Microsoft last June, but Google said the patch was incomplete. As part of its 90-day...

6.9 CVSS, 6.6 AI score, 0.821 EPSS
Exploits: 4, References: 5
ThreatPost
added 2017/02/21 11:00 a.m., 10 views

Rook Security on Online Extortion

Mat Gangwer, CTO, and Tom Gorup, Security Operations Lead, at Rook Security talk to Mike Mimoso about the aggressive rise in online extortion and how it threatens not only data but physical safety. Download: RookSecurityonOnlineExtortion.mp3 Music by Chris Gonsalves...

1.9 AI score
Exploits: 0, References: 3
ThreatPost
added 2017/02/21 10:51 a.m., 15 views

Windows Botnet Spreading Mirai Variant

A Chinese-speaking attacker is spreading a Mirai variant from a repurposed Windows-based botnet. Researchers at Kaspersky Lab published a report today, and said the code was written by an experienced developer who also built in the capability to spread the IoT malware to Linux machines under...

8.5 AI score
Exploits: 0, References: 7
ThreatPost
added 2017/02/17 12:30 p.m., 15 views

Squirrels, Not Hackers, Pose Biggest Threat to Electric Grid

SAN FRANCISCO–The crown jewel of North America’s critical infrastructure is its electric grid. A successful cyberattack on it would be devastating. But according to Marcus Sachs, CSO with the North American Electric Reliability Corporation (NERC), fears of a cyberattack are overblown. Sachs told RS...

1.2 AI score
Exploits: 0, References: 4
ThreatPost
added 2017/02/17 10:00 a.m., 9 views

SMTP STS Coming Soon to Gmail, Other Webmail Providers

Gmail users can expect the introduction of SMTP Strict Transport Security to the email service some time this year, bringing a measure of security similar to certificate pinning to one of the world’s biggest webmail services. Elie Bursztein, the head of Google’s anti-abuse research team, said at...

7.3 AI score
Exploits: 0, References: 1
ThreatPost
added 2017/02/16 1:50 p.m., 10 views

Divide Between Work, Personal Data on Android Breached

SAN FRANCISCO–Researchers here at the RSA Conference demonstrated Thursday a way a hacker can bypass enterprise mobility management sandboxing tools known as Android for Work that are designed to segregate work and personal data on Android devices. In a proof-of-concept demonstration, researchers...

0.3 AI score
Exploits: 0, References: 1
ThreatPost
added 2017/02/16 9:00 a.m., 8 views

Cris Thomas on Cyberwar Rhetoric

Cris Thomas of Tenable Networks, aka Space Rogue of the L0pht, talks to Mike Mimoso during RSA Conference about the rhetoric and hype surrounding cyberwar, as well as a quick trip down memory lane with the L0pht and its famous 1998 testimony before Congress. Download:...

2.5 AI score
Exploits: 0, References: 3
ThreatPost
added 2017/02/15 7:30 p.m., 7 views

Setting Expectations Between States on Cyberwar

A panel of security experts at the RSA Conference on Wednesday said there is a lack of agreement on a definition of cyberwarfare and of the tools used to fight them. “Words matter and it’s important to have definitions. But one of the challenges is the pace of innovation gets in front of doctri...

1.3 AI score
Exploits: 0
ThreatPost
added 2017/02/15 11:45 a.m., 9 views

Turning Tables on Nigerian Business Email Scammers

SAN FRANCISCO – Traditional takedowns of cybercrime enterprises generally rely on court orders that facilitate either taking servers offline or sending the criminals malware that helps identify them or their locations. Sometimes, however, the technical option is second best. Researchers at Dell...

0.2 AI score
Exploits: 0, References: 2
ThreatPost
added 2017/02/15 10:50 a.m., 11 views

Google Touts Progress in Android Security in 2016

SAN FRANCISCO–Google has a daunting task of scanning 750 million Android devices daily for threats and checking 6 billion apps for malware each day as part of its management of 1.6 billion active Android devices. The numbers are staggering for Adrian Ludwig, director of Android Security; six year...

7.1 AI score
Exploits: 0
ThreatPost
added 2017/02/15 7:00 a.m., 8 views

No Firewalls, No Problem for Google

SAN FRANCISCO—Google may have sent the tired castle analogy of network security’s soft center protected by a tough exterior out to pasture for good. On Tuesday at RSA Conference, Google shared the seven-year journey of its internal BeyondCorp rollout where it affirms trust based on what it knows...

7.1 AI score
Exploits: 0, References: 1
ThreatPost
added 2017/02/14 8:41 p.m., 19 views

DHS Chairman Paints Bleak U.S. Cybersecurity Picture

SAN FRANCISCO – The United States is losing ground against its adversaries as illustrated by reports of Russian and Chinese hacking of U.S. interests, and breaches against private companies such as Yahoo, said Rep. Michael McCaul (R-TX), chairman of the House Committee on Homeland Security, during ...

7.2 AI score
Exploits: 0
ThreatPost
added 2017/02/14 6:36 p.m., 13 views

Schneier Brings Campaign for IoT Regulation to RSA

SAN FRANCISCO—Bruce Schneier on Tuesday called on technologists to get involved with policy, insisting that as the Internet of things continues to unfold, the knowledge security experts have will become more applicable. Schneier, CTO of IBM Resilient, stressed in a talk here at the RSA Conference...

7.1 AI score
Exploits: 0, References: 2
ThreatPost
added 2017/02/14 3:44 p.m., 13 views

Cryptographers Dismiss AI, Quantum Computing Threats

SAN FRANCISCO—Cryptographers said at the RSA Conference Tuesday they’re skeptical that advances in quantum computing and artificial intelligence will profoundly transform computer security. “I’m skeptical there will be much of an impact,” Ron Rivest, a MIT professor and inventor of several...

7.2 AI score
Exploits: 0, References: 1
ThreatPost
added 2017/02/14 11:38 a.m., 25 views

Adobe Patches 13 Code Execution Vulnerabilities in Flash

Adobe patched 13 code execution vulnerabilities in Flash Player today as part of its regular patch update cycle. All of the flaws were rated the highest severity for Windows, macOS and Chrome. Adobe said that Flash version 24.0.0.194 and earlier are vulnerable and that users should update...

10 CVSS, 0.4 AI score, 0.09307 EPSS
Exploits: 0, References: 4
ThreatPost
added 2017/02/14 10:42 a.m., 13 views

Nation States Distancing Themselves from APTs

SAN FRANCISCO – Security researchers say a new trend in privateering is gaining traction among nation states, which are increasingly contracting with private companies to carry out state-sponsored attacks. Typically APT attacks have been the work of internal government spy apparatuses, but...

7.2 AI score
Exploits: 0, References: 1
ThreatPost
added 2017/02/13 12:02 p.m., 23 views

Updated Firmware Due for Serious TP-Link Router Vulnerabilities

Chinese router maker TP-Link is wrestling with the disclosure of a handful of vulnerabilities in its C2 and C20i routers. The most severe of the flaws lead to remote code execution on a device; the attack, however, would require an attacker first obtain valid credentials. Researcher Pierre Kim...

0.5 AI score
Exploits: 0, References: 3
ThreatPost
added 2017/02/13 11:00 a.m., 8 views

Open Databases a Juicy Extortion Target

Recent attacks against insecure MongoDB, Hadoop and CouchDB installations represent a new phase in online extortion, born from ransomware’s roots with the promise of becoming a nemesis for years to come. “These types of attacks have grown from ones of opportunity to full-scale automated and...

0.2 AI score
Exploits: 0, References: 1
ThreatPost
added 2017/02/13 9:00 a.m., 10 views

On Vulnerable iOS Apps, macOS Macros Malware, and More

Mike Mimoso and Chris Brook preview RSA 2017 and discuss the previous week’s news including the report on how a handful of iOS apps are vulnerable to interception attacks, macro malware coming to MacOS, a new Uber open source module. Show notes: Popular iOS Apps Vulnerable to TLS Interception...

1.8 AI score
Exploits: 0, References: 6
ThreatPost
added 2017/02/10 11:45 a.m., 9 views

1.5M Unpatched WordPress Sites Hacked Following Vulnerability Disclosure

Attackers have taken a liking to a content-injection vulnerability disclosed last week and patched in WordPress 4.7.2 that experts say has been exploited to deface 1.5M sites so far. The issue has evolved into “one of the worst WordPress related vulnerabilities to emerge in some time,” researcher...

0.4 AI score
Exploits: 0, References: 5
ThreatPost
added 2017/02/09 1:13 p.m., 27 views

High Severity BIND Vulnerability Can Lead to A Crash

The Internet Systems Consortium patched the BIND domain name system this week, addressing a remotely exploitable vulnerability it considers high severity and said could lead to a crash. The issue affects servers that use both the DNS64 and RPZ function simultaneously. DNS64 is a mechanism for...

0.2 AI score, 0.29238 EPSS
Exploits: 0, References: 1
ThreatPost
added 2017/02/09 11:06 a.m., 10 views

CryptoShield Infections from RIG EK Picking Up

The RIG Exploit Kit remains fairly active despite an overall decline in such activity, and of late, it’s been spreading a fairly new variant of ransomware called CryptoShield. The main culprit is an attack group known for using EITest to deliver malware; it has been infecting victims’ machines vi...

7 AI score
Exploits: 0, References: 6
ThreatPost
added 2017/02/09 9:45 a.m., 30 views

Dino Dai Zovi on Securing Linux in Modern Workloads

Security researcher Dino Dai Zovi talks to Mike Mimoso about a new company he cofounded called Capsule8—which left stealth mode on Wednesday—that will help IT organizations counter threats to Linux infrastructures in the enterprise and cloud. Dai Zovi also talks about the 10-year anniversary of h...

0.5 AI score
Exploits: 0, References: 4
ThreatPost
added 2017/02/08 4:37 p.m., 10 views

Fileless Memory-Based Malware Plagues 140 Banks, Enterprises

Attackers have been using well-known, standard utilities to carry out attacks on organizations around the world, and covering their tracks by wiping their activity from the machine’s memory before it’s rebooted. The attackers, who may be connected to the GCMAN and Carbanak groups, aren’t using...

1.1 AI score
Exploits: 0, References: 8
ThreatPost
added 2017/02/08 12:00 p.m., 16 views

Valve Patches Trivial XSS Bug in Steam

Valve Corp. has patched a cross-site scripting vulnerability on its popular Steam gaming platform that could be exploited by viewing a maliciously crafted profile. The flaw could allow an attacker to carry out phishing attacks or execute malicious scripts just by opening a crafted profile page. ...

0.2 AI score
Exploits: 0, References: 5
ThreatPost
added 2017/02/08 10:30 a.m., 15 views

Uber Debuts SSH Key Authentication Module

Developers at Uber have unveiled a new module to help users enable the continuous re-authentication of SSH keys. The company wrote the module in order to work alongside another tool, an SSH Certificate Authority it designed, to keep stock of public SSH keys. While its CA is for its internal use,...

7.4 AI score
Exploits: 0, References: 6
ThreatPost
added 2017/02/08 9:00 a.m., 8 views

Consortium Publishes Manifesto on Autonomous Vehicle Security

Intel, Uber and IoT company Aeris have joined forces in an effort aimed at fostering industry cooperation when it comes to building safety features into autonomous vehicles and the systems that support them. Today the group, which goes by the name Future of Automotive Security Technology Research...

0.3 AI score
Exploits: 0, References: 3
ThreatPost
added 2017/02/08 8:21 a.m., 18 views

Macro Malware Comes to macOS

Macro-based malware has crossed the divide between the Windows and Mac platforms. A cybercrime group whose command and control infrastructure resolves to an IP address geo-located in Russia is using a Word document laced with a malicious macro that executes solely on macOS. Following the same...

0.2 AI score
Exploits: 0, References: 2
ThreatPost
added 2017/02/07 4:07 p.m., 13 views

Attackers Capitalizing on Unpatched WordPress Sites

Attackers didn’t wait long to capitalize on laggards slow in updating their WordPress sites to patch a critical content injection vulnerability addressed in WordPress 4.7.2. The update was made public on Jan. 26 with WordPress disclosing six days later that the update also included a silent fix f...

7.6 AI score
Exploits: 0, References: 5
ThreatPost
added 2017/02/07 2:13 p.m., 9 views

Popular iOS Apps Vulnerable to TLS Interception Attacks

Dozens of iOS mobile banking, medical and other applications handling sensitive user information are vulnerable to man-in-the-middle attacks where TLS traffic can be intercepted. Of the 76 apps analyzed by Sudo Security Group, 19 are considered high-risk where financial or medical credentials, or...

6.7 AI score
Exploits: 0, References: 2
ThreatPost
added 2017/02/07 1:31 p.m., 9 views

Smart TV Manufacturer Vizio Fined $2.2M for Tracking Customers

Smart TV manufacturer Vizio tracked data on 11 million of its customers’ TVs without their knowledge or consent, the Federal Trade Commission announced this week. The Irvine, Calif.-based company agreed on Monday to pay $2.2 million to settle charges that it collected scores of its customers’ data...

0.4 AI score
Exploits: 0, References: 5
ThreatPost
added 2017/02/07 1:15 p.m., 11 views

St. Jude Patches Additional Cardiac Device

St. Jude Medical has patched a vulnerability in another Merlin@home Transmitter medical device vulnerable to a man-in-the-middle attack. The medical device maker issued an update on Monday for its Merlin@home Transmitter “inductive” models, expanding the number of devices impacted by a...

1 AI score
Exploits: 0, References: 7

Total number of security vulnerabilities: 15946