15946 matches found

ThreatPost
added 2017/02/06 2:46 p.m. | 17 views

InterContinental Hotels Confirms Credit Card Breach

InterContinental Hotels Group (IHG), parent company to Crowne Plaza, Holiday Inn and Kimpton Hotels and Resorts, confirmed on Friday a breach of payment card systems used in 12 of its hotels located in North America and the Caribbean. According to IHG, which operates 5,000 hotels worldwide, malware...

Exploits: 0 | References: 6
ThreatPost
added 2017/02/06 2:20 p.m. | 11 views

ICS, SCADA Security Woes Linger On

A handful of worrisome vulnerabilities in Honeywell building automation system software disclosed last week are case in point of how far the industry continues to lag in securing SCADA and industrial control systems. Honeywell published in September new firmware that patches vulnerabilities...

Exploits: 0 | References: 4
ThreatPost
added 2017/02/03 3:3 p.m. | 11 views

Honeywell SCADA Controllers Exposed Passwords in Clear Text

A series of remotely exploitable vulnerabilities exist in a popular web-based SCADA system made by Honeywell that make it easy to expose passwords and in turn, give attackers a foothold into the vulnerable network. The flaws exist in some versions of Honeywell’s XL Web II controllers, systems...

AI score: 7.2
Exploits: 0 | References: 9
ThreatPost
added 2017/02/03 2:45 p.m. | 14 views

Locky Ransomware, Kovter Click-Fraud Malware Spreading in Same Campaigns

Researchers at Microsoft’s Malware Protection Center have spotted malicious email campaigns using .lnk attachments to spread Locky ransomware and the Kovter click-fraud Trojan, the first time criminals have simultaneously distributed both pieces of malware. According to Microsoft, the .lnk file n...

AI score: 1.6
Exploits: 0 | References: 3
ThreatPost
added 2017/02/03 11:20 a.m. | 7 views

On the Microsoft SMB Zero Day, the Netgear Vulnerability and More

Mike Mimoso and Chris Brook recap the news of the week, including a Microsoft SMB zero day, the latest Netgear router vulnerability, a new HTTPS milestone, and more. Download: ThreatpostNewsWrapFebruary32017.mp3 Music by Chris Gonsalves...

AI score: 0.5
Exploits: 0 | References: 3
ThreatPost
added 2017/02/03 10:23 a.m. | 28 views

Cisco Patches Authentication Bypass in Cisco Prime Home

Cisco has patched a critical vulnerability in its Cisco Prime Home remote management software used by service providers to oversee and provision subscribers’ home devices. The flaw, found by Cisco engineers, is in the product’s web-based GUI and allows remote attackers to bypass authentication an...

CVSS: 10 | AI score: 1 | EPSS: 0.02702
Exploits: 0 | References: 5
ThreatPost
added 2017/02/03 8:36 a.m. | 132 views

Microsoft Waits for Patch Tuesday to Fix SMB Zero Day

Microsoft will not rush out an emergency patch for a zero-day vulnerability disclosed on Wednesday in the Windows implementation of the Server Message Block protocol. Researcher Laurent Gaffie announced in a tweet, below, that he’d found a zero-day vulnerability in SMBv3 and released a...

CVSS: 9.3 | AI score: 8.5 | EPSS: 0.99945
Exploits: 33 | References: 6
ThreatPost
added 2017/02/02 2:57 p.m. | 14 views

WordPress Silently Fixed Privilege Escalation Vulnerability in 4.72 Update

WordPress silently fixed a serious content injection vulnerability when it pushed out its latest security release, 4.7.2, last week. Sucuri, the firm that found the vulnerability, disclosed it Wednesday and said that if exploited, it could have let an attacker modify the content of any WordPress...

AI score: 0.1
Exploits: 0 | References: 3
ThreatPost
added 2017/02/02 2:56 p.m. | 10 views

Printing and Marketing Firm Leaks High-Profile Customers' Data

Franchise Services, the parent company of a number of large print and design companies, said it is investigating claims that sensitive customer data stored by one of its franchisees is accessible online. The data dates back to 2010 and ranges from sensitive health records belonging to a former...

AI score: 0.4
Exploits: 0 | References: 2
ThreatPost
added 2017/02/02 12:33 p.m. | 8 views

Google Adds Security Key Enforcement to G Suite Apps

Google on Wednesday pumped more life into the use of physical keys as a second form of authentication when it added Security Key enforcement support to G Suite. Admins inside enterprises managing deployments of the suite of cloud-based productivity apps, formerly known as Google Apps, can now...

AI score: 7
Exploits: 0 | References: 4
ThreatPost
added 2017/02/01 3:8 p.m. | 15 views

HTTPS Hits 50 Percent Traffic Milestone

This week HTTPS hit another big milestone. According to a two-week survey of telemetry data from the Mozilla Firefox browser, 50 percent of page loads used HTTPS. “For the first time, the running average crested the 50 percent HTTPS page load mark,” said Sarah Gran, director of communications for...

AI score: 0.2
Exploits: 0 | References: 5
ThreatPost
added 2017/02/01 2:50 p.m. | 47 views

Ubuntu Update Includes OpenSSL Fixes

Ubuntu users are being urged to update their operating systems to address a handful of recently patched OpenSSL vulnerabilities which affect Ubuntu and its derivatives. Developers with Canonical, the company that oversees the Linux distribution, announced the updates on Tuesday, encouraging users...

CVSS: 2.6 | AI score: 7.5 | EPSS: 0.14338
Exploits: 1 | References: 3
ThreatPost
added 2017/02/01 9:40 a.m. | 8 views

Zimperium Program Buys Exploits for Patched Mobile Vulnerabilities

Mobile security company Zimperium said Tuesday that it will start buying exploits, but in a departure from most other programs, it will not be buying zero-days. The company’s N-Days Exploit Acquisition Program will pay researchers from a pool of $1.5 million for exploits targeting vulnerabilities...

AI score: 7.1
Exploits: 0 | References: 2
ThreatPost
added 2017/02/01 7:0 a.m. | 12 views

Trump Cyber Executive Order Calls for 60-Day Review

President Donald Trump cited the hack of the Democratic National Committee as a “good example” for the need of a stronger cyber security measures for both the private and public sector. “The Democratic National Committee was hacked successfully, very successfully, and terribly successfully,” Trum...

AI score: 0.3
Exploits: 0 | References: 2
ThreatPost
added 2017/01/31 3:27 p.m. | 11 views

Flaws Found in Popular Printer Models

Vulnerabilities in popular printer models made by HP, Dell and Lexmark expose the devices to attackers who can steal passwords, shut down printers and even steal print jobs. Academic researchers at the University Alliance Ruhr on Monday published a series of advisories and an informational wiki...

AI score: 0.3
Exploits: 0 | References: 8
ThreatPost
added 2017/01/31 1:2 p.m. | 16 views

Ugly Password Gaffe Plagues Cryptkeeper Encryption App

A longtime Debian developer has recommended that the Cryptkeeper Linux encryption app be removed from the distribution. The advice came after the disclosure of a bug where the app sets the universal password “p” to decrypt any directory created with the program. Simon McVittie, a programmer at...

AI score: 0.9
Exploits: 0 | References: 2
ThreatPost
added 2017/01/31 10:1 a.m. | 21 views

Nicolas Brulez on Malware Reverse Engineering Tips and Tricks

Kaspersky Lab Principal Security Researcher Nico Brulez talks with Ryan Naraine about his upcoming SAS 2017 training on the ins and outs of malware reverse engineering and how attendees can benefit for a wide range of tips and tricks. Download:...

AI score: 2.9
Exploits: 0 | References: 6
ThreatPost
added 2017/01/31 7:0 a.m. | 13 views

Nested, Targeted Attacks Built for Reconnaissance

Researchers say members of the North Atlantic Treaty Organization were targeted during the holidays by a unique document-based attack that evades discovery by lying dormant when it detects a security researcher’s test environment. Characteristics of this attack, according to researchers at Cisco...

AI score: 7.3
Exploits: 0 | References: 2
ThreatPost
added 2017/01/30 4:48 p.m. | 56 views

Hundreds of Thousands of Netgear Routers Vulnerable to Password Bypass

Hundreds of thousands–potentially more than one million–Netgear routers are susceptible to a pair of vulnerabilities that can lead to password disclosure. Researchers said that while anyone who has physical access to a router can exploit the vulnerabilities locally, the real threat is that the fl...

CVSS: 4.3 | AI score: 8.4 | EPSS: 0.89294
Exploits: 7 | References: 6
ThreatPost
added 2017/01/30 3:56 p.m. | 18 views

Facebook Tackles Account Recovery with Delegated Recovery Protocol

Account recovery, the second fiddle to authentication, still largely hinges on insecure schemes such as security questions or email-based verification for password resets and the like. Facebook today at the Enigma Conference in Oakland, Calif., offered a more modern solution called Delegated...

AI score: 0.4
Exploits: 0 | References: 4
ThreatPost
added 2017/01/30 2:22 p.m. | 11 views

Telemarketing Firm Leaks 400,000 Recorded Calls

More than 400,000 audio files associated with a Florida company’s telemarketing efforts were stored online in the clear, and were discovered earlier this month by researchers at MacKeeper. More than 17,600 of those audio recordings were customer transactions that included names, addresses, and...

AI score: 0.3
Exploits: 0 | References: 3
ThreatPost
added 2017/01/30 12:25 p.m. | 12 views

Many Android VPN Apps Breaking Privacy Promises

An alarming number of Android VPNs are providing a decidedly false sense of security to users, especially those living in areas where communication is censored or technology is crucial to the privacy and physical security. A study published recently identified a number of shortcomings common to...

AI score: 7.2
Exploits: 0 | References: 1
ThreatPost
added 2017/01/28 9:15 a.m. | 30 views

Cisco Warns of Critical Flaw in Teleconferencing Gear

Cisco Systems is warning customers of a critical vulnerability affecting three of its TelePresence MCU platform models. The flaw could give attackers the ability to remotely execute code on impacted systems or create conditions favorable to a denial-of-service (DoS) attack. According to an advisory...

CVSS: 10 | AI score: 1.2 | EPSS: 0.06836
Exploits: 0 | References: 4
ThreatPost
added 2017/01/27 3:19 p.m. | 10 views

WordPress Update Fixes XSS, SQL Injection Vulnerabilities

Developers with WordPress fixed three security issues this week, including a cross-site scripting and a SQL injection vulnerability, with the latest version of the CMS. The update, 4.7.2, was pushed Thursday, only two weeks after developers released the previous version. Aaron Campbell, a WordPre...

AI score: 7.1
Exploits: 0 | References: 1
ThreatPost
added 2017/01/27 1:56 p.m. | 9 views

Dridex Returns With Windows UAC Bypass Method

After a six-month hiatus, the Dridex banking malware is back and targeting large financial institutions in the U.K with a new technique that can bypass Windows User Account Control (UAC). Researchers at Flashpoint said they have seen small phishing and spear-phishing campaigns targeting specific...

AI score: 3.2
Exploits: 0 | References: 3
ThreatPost
added 2017/01/27 12:30 p.m. | 8 views

On the Star Wars Twitter Botnet, the Return of Lavabit, Ransomware and More

Mike Mimoso and Chris Brook discuss the news of the week, including the Star Wars Twitter botnet, the return of Lavabit, a critical Cisco Webex flaw, and the St. Louis Library ransomware story. Download: ThreatpostNewsWrapJanuary272017.mp3 Music by Chris Gonsalves...

AI score: 3.4
Exploits: 0 | References: 3
ThreatPost
added 2017/01/27 12:7 p.m. | 14 views

Google to Operate its Own Root CA

Google has inevitably become its own root Certificate Authority, allowing it to issue digital certificates for its products rather than rely on third party certs to validate Google properties. The move was announced Thursday, along with the creation of a new entity called Google Trust Services th...

AI score: 7.1
Exploits: 0 | References: 5
ThreatPost
added 2017/01/26 2:38 p.m. | 15 views

Facebook Touts 'Safer' Security Key Login

Facebook is giving privacy-minded users looking to fortify their accounts yet another layer of security. Brad Hill, a security engineer with the social network, announced on Facebook’s Security page on Thursday that effective immediately, it would let users tie a physical security key to their...

AI score: 7.4
Exploits: 0 | References: 5
ThreatPost
added 2017/01/26 1:55 p.m. | 10 views

Bill Calls for Study of Cybersecurity Standards for Cars

A House bill was introduced Tuesday that could accelerate the federal government’s involvement in regulating automobile cybersecurity. The Security and Privacy in Your Car Study Act of 2017, authored by Reps. Ted Lieu (D-Calif.) and Joe Wilson (R-SC), calls on the National Highway Traffic Safety...

AI score: 0.2
Exploits: 0 | References: 5
ThreatPost
added 2017/01/26 11:16 a.m. | 12 views

Uber.com Backup Bug Nets Researcher $9K

A researcher netted a $9,000 payday last summer after digging up a XML external entity (XXE) vulnerability in a third-party backup software system used by Uber. The vulnerability, which could have given an attacker access to the user backup data of any company using the software, including Uber, wa...

Exploits: 0 | References: 1
ThreatPost
added 2017/01/26 9:53 a.m. | 19 views

Google to Block .js Attachments in Gmail

Spammers and cybercriminals have revived email-based attacks in the last year, giving new life to macro-based malware hidden in Word documents, and with greater intensity of late, .js files that run JavaScript on infected clients, largely to download malware from an attacker’s site. Google...

AI score: 0.1
Exploits: 0 | References: 8
ThreatPost
added 2017/01/26 9:0 a.m. | 11 views

Four High-Severity Chrome Vulnerabilities Earn Researcher $32K in Rewards

For the second time in less than a year, researcher Mariusz Mlynski has earned more than $30,000 through Google’s Chrome Rewards program. Google on Wednesday released Chrome 56.0.02924.76 for Windows, Mac and Linux platforms, and Mlynski was credited with finding and disclosing four high-severity...

AI score: 7.8
Exploits: 0 | References: 5
ThreatPost
added 2017/01/26 7:0 a.m. | 9 views

Half of Ransomware Victims Pay Criminals' Demands to Recover Data

A report on ransomware sheds new light on attacks in 2016, starting with the fact that 48 percent of businesses hit by ransomware said they paid the ransom. That’s in spite of pleas from cyber security experts and the FBI not to do so. Other insights include the average ransom payment was $2,500...

AI score: 7.4
Exploits: 0 | References: 2
ThreatPost
added 2017/01/25 3:11 p.m. | 20 views

Default Credentials Found in Schneider Electric Wonderware Historian

The Industrial Control System Cyber Emergency Response Team (ICS-CERT) on Tuesday published an advisory warning of a critical vulnerability in Schneider Electric Wonderware Historian, a platform used to capture, store and manage big data. The vulnerability, CVE-2017-5155, can be exploited to target...

CVSS: 7.5 | AI score: 0.7 | EPSS: 0.01659
Exploits: 0 | References: 1
ThreatPost
added 2017/01/25 2:30 p.m. | 34 views

Firefox 51 Begins Warning Users of Insecure HTTP Connections

Mozilla Foundation took steps with the release of Firefox 51 on Tuesday to communicate more clearly to users when they land on a HTTP website collecting personal information such as passwords that the site may not be secure. Going forward, Firefox will display a gray lock icon with a red...

CVSS: 7.5 | AI score: 0.4 | EPSS: 0.33434
Exploits: 16 | References: 8
ThreatPost
added 2017/01/25 7:0 a.m. | 13 views

Charger Mobile Ransomware Removed from Google Play

Security researchers have identified a new and evasive mobile ransomware strain called Charger on the Google Play app store. The Charger malware was bundled with an SMS-snooping app called EnergyRescue that pawned itself off as a battery management utility, according to Check Point security...

AI score: 0.1
Exploits: 0 | References: 5
ThreatPost
added 2017/01/24 3:26 p.m. | 10 views

SpyNote RAT Now Disguised As Netflix App

A new version of the SpyNote Trojan is designed to trick Android users into thinking it’s a legitimate Netflix application. Once installed, the remote access Trojan (RAT) essentially hands control of the device over to the hacker, enabling them to copy files, view contacts, and eavesdrop on the...

AI score: 0.5
Exploits: 0 | References: 4
ThreatPost
added 2017/01/24 12:7 p.m. | 16 views

AG Nominee Backs Law Enforcement's Ability to 'Overcome' Encryption

President Donald Trump’s attorney general pick Jeff Sessions has amplified the encryption debate with comments he made during Senate Judiciary Committee confirmation hearings last week stating law enforcement should be able to “overcome” digital locks in criminal investigations. Sessions’ positio...

AI score: 0.7
Exploits: 0 | References: 4
ThreatPost
added 2017/01/24 11:40 a.m. | 14 views

St. Louis Public Library Recovers from Ransomware Attack

Services are being restored to the St. Louis Public Library computer system after a ransomware attack last Thursday impacted access to machines and data at all 17 branches. Library management refused to pay the $35,000 demanded as ransom, and IT staff wiped affected servers and restored them from...

AI score: 0.7
Exploits: 0 | References: 5
ThreatPost
added 2017/01/24 8:32 a.m. | 7 views

Cisco Patches Critical Flaw in WebEx Chrome Plugin

A vulnerability in the Cisco WebEx Chrome Plugin, used by tens of millions for web conferencing in business environments, exposed computers to remote code execution. Cisco has begun releasing updates that patch the flaw, details of which were disclosed Monday by Google Project Zero researcher Tav...

AI score: 8.1
Exploits: 0 | References: 8
ThreatPost
added 2017/01/24 7:0 a.m. | 13 views

Apps Carrying HummingBad Variant Booted From Google Play

Android malware known as HummingBad, that infected as many as 10 million devices in 2016, has resurfaced with several new features allowing it to perform ad fraud even more efficiently than its predecessor. Researchers said the variant, known as HummingWhale, was being distributed via 20 camera,...

AI score: 0.4
Exploits: 0 | References: 4
ThreatPost
added 2017/01/23 4:35 p.m. | 46 views

Apple Patches Critical Kernel Vulnerabilities

Apple today released new versions of iOS and macOS Sierra and addressed some overlapping code execution vulnerabilities in both its mobile and desktop operating systems. The updates were part of a bigger release of security updates from Apple that also included Safari, iCloud for Windows, and...

CVSS: 9.3 | AI score: 2.9 | EPSS: 0.11364
Exploits: 3 | References: 6
ThreatPost
added 2017/01/23 2:51 p.m. | 10 views

Secure Email Service Lavabit Relaunches

Lavabit, the secure email provider that suspended operations in 2013 after the U.S. government asked for its users’ SSL keys, relaunched Friday under a new architecture. Ladar Levison, the service’s owner and operator, announced Lavabit’s return on Inauguration Day, acknowledging that values such...

AI score: 0.2
Exploits: 0 | References: 13
ThreatPost
added 2017/01/23 1:31 p.m. | 5 views

Heartbleed Persists on 200,000 Servers, Devices

Almost 200,000 servers and devices are still vulnerable to Heartbleed, the OpenSSL flaw patched nearly three years ago. The numbers come from search engine Shodan, which released data showing U.S. servers hosted on Amazon AWS are disproportionately vulnerable to the flaw. “There’s a lot to be...

AI score: 7.2
Exploits: 0 | References: 5
ThreatPost
added 2017/01/23 11:0 a.m. | 9 views

Sage and Satan Ransomware, Double Trouble

A spam campaign known for spreading the Cerber ransomware has changed its payload just as a new ransomware-as-a-service offering popped up. While the two happenings aren’t related, they are an indicator of the relentless development and investment continuing around ransomware, and the ongoing...

AI score: 0.9
Exploits: 0 | References: 3
ThreatPost
added 2017/01/23 8:52 a.m. | 12 views

Massive Twitter Botnet Dormant Since 2013

A sizable and dormant Twitter botnet has been uncovered by two researchers from the University College London, who expressed concern about the possible risks should the botmaster decide to waken the accounts under his control. Research student Juan Echeverria Guzman and his supervisor and senior...

AI score: 7
Exploits: 0 | References: 4
ThreatPost
added 2017/01/21 9:0 a.m. | 13 views

Mozilla's First Internet Health Report Tackles Security, Privacy

In its first-ever Internet Health Report, the non-profit Mozilla Foundation warned of the dangers of concentrated power among too few internet companies, cyber snooping by nosey governments and new threats posed by connected devices that can further erode privacy. Mozilla released the report this...

AI score: 7.4
Exploits: 0 | References: 3
ThreatPost
added 2017/01/20 3:31 p.m. | 10 views

Coalition of Cryptographers, Researchers Urge Guardian to Retract WhatsApp Story

A coalition of some of the globe’s top researchers and cryptographers are pleading with The Guardian to retract a story it published last week in which it suggested the encrypted messaging app WhatsApp contained a backdoor. The article, citing research by Tobias Boelter, a cryptography and securi...

AI score: 6.9
Exploits: 0 | References: 9
ThreatPost
added 2017/01/20 2:18 p.m. | 10 views

Hadoop, CouchDB Next Targets in Wave of Database Attacks

Insecure Hadoop and CouchDB installations are the latest targets of cybercriminals who are hijacking and deleting data. Last week, security researchers said 28,000 MongoDB and Elasticsearch installations were hacked in a new wave of attacks against unprotected open source data management platform...

AI score: 0.9
Exploits: 0 | References: 2
ThreatPost
added 2017/01/20 1:0 p.m. | 11 views

Hack the Army Bounty Pays Out $100,000

The U.S. Army on Thursday shared the outcome of its first bug bounty, which concluded a three-week trial on Dec. 21, calling the program a success. The Hack The Army bounty, announced last fall, was the second such government rewards program, debuting months after the conclusion of the Hack the...

AI score: 7.5
Exploits: 0 | References: 3

Total number of security vulnerabilities: 15946