German Industrial Giant Victim of Cyber Espionage
German industrial conglomerate ThyssenKrupp disclosed last week that technical trade secrets were stolen in a cyberattack that dates back to February. Adversaries, ThyssenKrupp said, engaged in “organized, highly professional hacker activities” and launched their attack from the Southeast Asian...
Ransomware Gives Free Decryption Keys to Victims Who Infect Others
Researchers say they have uncovered ransomware still under development that comes with a novel and nasty twist. Infected victims of the ransomware known as Popcorn Time, have the option to either pay up, or they can opt to infect two others using a referral link. If the two new ransomware targets...
NYU Students Apply Blockchain Solution to Electronic Voting Security
The contentious U.S. presidential election elevated a number of critical security issues to the forefront, perhaps none more important for the long-term than questions of voter fraud and electronic voting security. If voting is ever to move away from paper ballots, the integrity of the process mu...
On Backdoors in Sony's IP Cameras, a Linux Bug, and More
Mike Mimoso and Chris Brook discuss the news of the week, including the latest Linux bug, Sony closing backdoors in cameras, and Google’s new open source fuzzer. Show notes: Sony Closes Backdoors in IP-Enabled Cameras Old Linux Kernel Code Execution Bug Patched Google Debuts Continuous Fuzzer for...
Yahoo Mail XSS Bug Worth Another $10K to Researcher
The déjà vu is real for Finnish security researcher Jouko Pynnonen. Just shy of a year ago, Pynnonen privately disclosed a stored cross-site scripting vulnerability in Yahoo Mail, and was rewarded with a $10,000 bounty through Yahoo’s HackerOne program. Fast forward to last month, and there was...
Researchers Question Security in AMD's Upcoming Zen Chips
As more computing heads to the clouds, security researchers are questioning the security of virtual machine control panels called hypervisors. One of the first hardware-based solutions to address these concerns will be deployed by chip manufacturer AMD, called Secure Encrypted Virtualization. The...
OpenVPN to Undergo Cryptographic Audit
The next version of the open-source OpenVPN software will be audited by a well-known cryptographer. It was announced Wednesday that Matthew D. Green, PhD, a cryptographer, computer science professor, and researcher at Johns Hopkins University will carry out an audit of the code currently availab...
New Call to Regulate IoT Security By Design
A Washington, D.C. think tank whose mission is critical infrastructure security has joined the call for lawmakers to consider regulating the security of connected devices. In a report published this week, the Institute for Critical Infrastructure Technology pinned the blame for a rash of Mirai...
Old Linux Kernel Code Execution Bug Patched
A critical, local code-execution vulnerability in the Linux kernel was patched more than a week ago, continuing a run of serious security issues in the operating system, most of which have been hiding in the code for years. Details on the vulnerability were published Tuesday by researcher Philip...
Some Solar Power Meters are Vulnerable to Command Injection Attacks
Solar software and analytics firm Locus Energy has pushed out a patch to its residential and commercial power meters to address a vulnerability that could allow hackers to access equipment and remotely execute code. According to independent security researcher Daniel Reich, who privately disclose...
Zeus Variant 'Floki Bot' Targets PoS Data
Researchers have observed an uptick in attacks using the banking malware Floki Bot against U.S., Canadian and Brazilian banks, and insurance firms. Floki Bot, which uses code from the once notorious Zeus banking Trojan, has evolved and, unlike its predecessor, is targeting point-of-sale systems vi...
Buffer Overflow in BSD libc Library Patched
The BSD libc library was updated recently to address a buffer overflow vulnerability that could have allowed an attacker to execute arbitrary code. The library is part of the POSIX library, which is used in BSD operating systems, like FreeBSD, NetBSD, OpenBSD. The libc library is also used in...
Critical Vulnerability Patched in Roundcube Webmail
Open source webmail provider Roundcube has released an update that addresses a critical vulnerability in all default configurations that could allow an attacker to run arbitrary code on the host operating system. The flaw is serious because it’s relatively simple to exploit and can allow an...
Hackers Gamify DDoS Attacks With Collaborative Platform
A Turkish hacking crew is luring participants to join its DDoS platform to compete with peers to earn redeemable points that are exchangeable for hacking tools and click-fraud software. The goal, security researchers say, is to “gamify” DDoS attacks in order to attract a critical mass of hackers...
Flash Exploit Found in Seven Exploit Kits
A nasty Adobe Flash zero-day vulnerability that was remediated in an emergency update in October 2015 was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future. The Adobe vulnerability, CVE-2015-7645, was also used by the Russian APT...
DailyMotion Hack Leaks Emails, Passwords of 87M Users
DailyMotion, a popular video sharing website, said Tuesday it recently suffered an “external security problem” resulting in the compromise of an unspecified number of its users’ data. LeakedSource.com, a repository of breached data, added DailyMotion to its list of “Hacked Sites” on Monday. The...
Sony Closes Backdoors in IP-Enabled Cameras
Sony, in late November, provided a firmware update for a popular IP-enabled camera line used by enterprises and law enforcement alike that closed off remote administration backdoors. The backdoors could be abused to draft these devices into botnets or allow for manipulation of images and...
Dirty Cow Vulnerability Patched in Android Security Bulletin
The Dirty Cow vulnerability lived in Linux for close to a decade, and while it was patched in October in the kernel and in Linux distributions, Android users had to wait for more than a month for their fix. Today, Google included a patch for CVE-2016-5195 in the monthly Android Security Bulletin,...
Google Debuts Continuous Fuzzer for Open Source Software
A new Google program aimed at continuously fuzzing open source software has already detected over 150 bugs. The program, OSS-Fuzz, currently in beta mode, is designed to help unearth programming errors in open source software via fuzz testing. Fuzz testing, or fuzzing, is when bits of randomly...
Distributed Guessing Attack Reels in Payment Card Data
Academics at Newcastle University have proven that an attacker in possession of a minimal amount of existing information can, in an automated way, guess payment card data by exploiting weaknesses in online payment processes. The issue lies in the fact that the global payment system lacks a...
New Large-Scale DDoS Attacks Follow Schedule
A powerful new botnet is being blamed for massive and sustained DDoS attacks that security researchers at CloudFlare compare to Mirai when it comes to intensity and scope. The attacks began Nov. 23 and ran for eight hours daily, similar to an average workday. The consistent attacks occurred for...
EFF Blasts DEA in Ongoing Secret 'Super Search Engine' Lawsuit
The Electronic Frontier Foundation is accusing the Drug Enforcement Agency of improperly withholding documents in a court case that hopes to reveal details about the government’s controversial surveillance program known as Hemisphere. The EFF, which is suing the DEA as part of a Freedom of...
Google Fixes 12 High-Severity Vulnerabilities In Chrome Browser
Google is urging Windows, Mac and Linux users to update their Chrome browsers to fix multiple vulnerabilities that could allow malicious third parties to take control of targeted systems. Released Thursday, Chrome version 55.0.2883.75 for Windows, Mac, and Linux fixes those security issues. It al...
Rule 41 Opponents Vow to Fight Government's New Hacking Powers
A new rule goes into effect Thursday that gives law enforcement the ability to hack millions of computers or smartphones at once with a single search warrant. But opponents of the controversial Rule 41 say they are committed to fight the government’s expanded powers. “The most important thing is...
Mozilla Patches Firefox Zero Day Used to Unmask Tor Browser Users
As expected, Mozilla released a new version of Firefox on Wednesday to address a zero-day vulnerability that was actively being exploited to de-anonymize Tor Browser users. The vulnerability, disclosed on a public Tor Project mailing list late Tuesday night, forced the Tor Project to also issue a...
Gooligan Malware Breaches 1 Million Google Accounts
Android malware called Gooligan is being blamed for 1 million breached Google accounts. The malware is still active, according to Check Point Software Technologies, and is responsible for an additional 13,000 new breaches of Android devices daily. “We believe that it is the largest Google account...
Microsoft Silently Fixes Kernel Bug That Led to Chrome Sandbox Bypass
Microsoft appears to have silently fixed a two-year-old bug in Windows Kernel Object Manager that could have allowed for the bypass of privileges in Google’s Chrome browser. James Forshaw, a researcher with Google’s Project Zero, first reported the issue in December 2014. Microsoft responded to...
Tor Patched Against Zero Day Under Attack
Update: The Tor Project has provided a browser update that patches a zero-day vulnerability being exploited in the wild to de-anonymize Tor users. “The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of...
New Cerber Variant Leverages Tor2Web Proxies, Google Redirects
Criminals behind the latest Cerber ransomware variant are leveraging Google redirects and Tor2Web proxies in a new and novel way to evade detection. Researchers with Cisco Talos spotted the shifting tactic last week when it began tracking the latest Cerber 5.0.1 ransomware variant. The technique...
NetWire RAT Back, Stealing Payment Card Data
The remote access Trojan NetWire is back and this time making the rounds pilfering payment card data. The move is a shift for attackers behind the notorious NetWire, which was once thought to be the first multi-platform RAT. Over the last couple of years payment card breaches have been mostly synonymo...
New Mirai Variant Targets Routers, Knocks 900,000 Offline
Attackers are targeting DSL routers this week with what’s being called a potent new variant of the Mirai malware that knocked offline major Internet companies like Twitter and Spotify last month. According to Germany’s Deutsche Telekom 900,000 of its DSL router customers have already been targete...
PayPal Fixes OAuth Token Leaking Vulnerability
PayPal fixed an issue that could have allowed an attacker to hijack OAuth tokens associated with any PayPal OAuth application. The vulnerability was publicly disclosed on Monday by Antonio Sanso, a senior software engineer at Adobe, after he came across the issue while testing his own OAuth clien...
Hackers Make New Claim in San Francisco Transit Ransomware Attack
The San Francisco Municipal Transport Agency said by Sunday it had contained a ransomware attack that occurred Friday which impacted its internal computer and payment systems. The public transit system is facing new, unsubstantiated claims on Monday however that the group responsible for launchin...
Uber Portal Leaked Names, Phone Numbers, Email Addresses, Unique Identifiers
A series of vulnerabilities in UberCENTRAL, a portal Uber started during the summer to help businesses facilitate rides for customers, could have leaked the names, phone numbers, email addresses, and unique ID of all Uber users. Kevin Roh, a student who actively hunts for bugs in his spare time,...
InPage Zero Day Used in Attacks Against Banks
A zero-day vulnerability in InPage publishing software used primarily in Urdu, Pashto and Arabic-speaking nations has been publicly exploited in attacks against financial institutions and government agencies in the region. While there are more than 10 million InPage users in Pakistan and India...
Microsoft Cutting Off SHA-1 Support in February for Edge, IE 11
Microsoft confirmed that Feb. 14, 2017 is the cutoff date for SHA-1 support in its Microsoft Edge and Internet Explorer 11 browsers. After that date, neither browser will immediately load sites still running SHA-1 certificates and users will be shown an invalid certificate warning. Users will als...
Exploit Code Released for NTP Vulnerability
A researcher has released a proof-of-concept exploit for a vulnerability in the Network Time Protocol daemon that could crash a server with a single, malformed packet. The Network Time Foundation’s NTP Project on Monday patched the bug and nine others with the release of NTP 4.2.8p9. The...
WordPress Plugins Leave Online Shoppers Vulnerable
Researchers are calling into question the safety of some of the top WordPress e-commerce plugins used on over 100,000 commercial websites prepping for Black Friday and Cyber Monday online sales. In reviewing the top 12 WordPress e-commerce plugins, application security testing firm Checkmarx foun...
DoD Publishes Vulnerability Disclosure Policy
The Department of Defense promised upon the inception of the Hack the Pentagon bug bounty program that it would continue to engage white-hats. Hack the Pentagon set the tone with more than 1,400 participants and 138 vulnerabilities resolved during the 24-day trial during the spring. Two weeks ago...
Backdoor Found in Firmware of Some Android Devices
Nearly three million Android devices are vulnerable to an attack that could allow a hacker to compromise over-the-air (OTA) updates to the devices and allow adversaries to remotely execute commands with root privileges. The problem stems from what researchers call an insecure implementation of an O...
Office 365 Vulnerability Identified Bogus Email as Valid
Details have been released on a simple Office 365 hack that incorrectly identifies spoofed emails pretending to be from the Microsoft.com domain as valid. The vulnerability being targeted was privately disclosed by Turkish security researcher Utku Sen, and was patched by Microsoft this month...
Credentials Accessible in Siemens-Branded CCTV Cameras
Vanderbilt Industries has provided a firmware update for more than a dozen Siemens-branded IP-based closed circuit TV cameras that patches a serious, remotely exploitable vulnerability. The flaw, CVE-2016-9155, could allow an attacker to gain admin credentials by sending certain crafted requests,...
Nemucod Infections Moving Locky Over Facebook
Update: Facebook has said that some of the Nemucod infections spreading over Facebook Messenger are not dropping Locky ransomware on victims’ computers as was initially reported. A Facebook spokesperson told Threatpost: “We maintain a number of automated systems to help stop harmful links and fil...
Drupal Fixes 'Moderately Critical' Vulnerabilities in Core Engine
The Drupal Security Team fixed a handful of issues in version 7 and 8 of its content management system core engine this week that could have led to cache poisoning, social engineering attacks and a denial of service condition. Drupal SA-CORE-2016-005 – Moderately Critical Update to Drupal core 7....
Qualcomm and HackerOne Partner on Bounty Program
Qualcomm kicked off its first bug bounty program Thursday, opening the door for white hat hackers to find flaws in a dozen Snapdragon mobile chipsets and related software. Rewards for the invite-only bug bounty program top $15,000 each. HackerOne will facilitate Qualcomm’s bounty program; the...
On PoisonTap, Internet of Things Regulation, and Ransomware
Mike Mimoso and Chris Brook discuss the news of the week, including this week’s House hearing on the Internet of Things, Samy Kamkar’s PoisonTap tool, and Windows 10’s ransomware protections. Show notes: Regulation May Be Best Answer to IoT Insecurity PoisonTap Steals Cookies, Drops Backdoors on...
Google Removing SHA-1 Support in Chrome 56
The home stretch for SHA-1 deprecation is in full effect with Google on Wednesday announcing its final deprecation deadlines for the Chrome browser, and a cryptographic services provider warning that there’s still a long way to go to get sites off SHA-1 certificates. Google said it will remove it...
iOS 10 Passcode Bypass Can Access Photos, Contacts
A vulnerability in Apple’s iOS versions 8, 9, and 10 could allow an attacker to access photos and contacts on a locked iPhone, according to two sources that posted videos showing how the password bypass works. According to both sources, the vulnerability also impacts the most recent version of iO...
iPhone Call History Synced to iCloud Without User Consent, Knowledge
iPhone users are being warned that their call history may be synced and stored on their iCloud account without their knowledge, making their personal phone records a target for a determined third party. Under a common configuration scenario, where two iPhones share the same Apple ID and are set t...
Gang Up on the Problem, Not Each Other
Threatpost Op-Ed is a regular feature where experts contribute essays and commentary on what’s happening in security and privacy. Today’s contributor is Katherine Carpenter. The imaginary world in which an artificial intelligence can kill a person by adjusting the insulin from his pump to a deadl...