IBM Opens Attack Simulation Test Center
CAMBRIDGE, Ma. – IBM cut the ribbon on its new global security headquarters Wednesday that will also serve as command center for its just announced X-Force Incident Response and Intelligence Services. The centerpiece of the new 153,000-sqft facility is the company’s Cyber Range which IBM bills as...
Mozilla Patches 29 Vulnerabilities, Prevents MIME Confusion Attacks, in Firefox 50
Mozilla addressed 29 vulnerabilities, three rated critical, when it released the latest iteration of its flagship browser, Firefox 50 and Firefox ESR 45.5, on Tuesday. Firefox developers said this week that it might take some effort, but at least two of the critical bugs could be exploited to run...
Regulation May Be Best Answer to IoT Insecurity
One thing technologists overtly shun is the prospect of government regulation. But recent DDoS attacks carried out by botnets of connected things have spooked some people of influence in security to the point where intervention by lawmakers may be inevitable. Testifying before subcommittees of th...
PoisonTap Steals Cookies, Drops Backdoors From Password Protected Computers
Even locked, password-protected computers are no rival for Samy Kamkar and his seemingly endless parade of gadgets. His latest, PoisonTap, is a $5 Raspberry Pi Zero device running Node.js that’s retrofitted to emulate an Ethernet device over USB. Assuming a victim has left their web browser open,...
Carbanak Attacks Shift To Hospitality Sector
The Carbanak cybercrime gang, best known for allegedly stealing $1 billion from financial institutions worldwide, have shifted strategy and are targeting the hospitality and restaurant industries with new techniques and malware. According to security researchers at Trustwave, over the last severa...
Cryptsetup Vulnerability Grants Root Shell Access on Some Linux Systems
A vulnerability in cryptsetup, a utility used to set up encrypted filesystems on Linux distributions, could allow an attacker to retrieve a root rescue shell on some systems. From there, an attacker could have the ability to copy, modify, or destroy a hard disk, or use the network to exfiltrate...
Lobbyists Press Trump to Support Strong Encryption, Surveillance Reform
A lobbying organization that includes some of the Internet’s most valuable entities made a plea to President-Elect Donald Trump to support the expansion of strong encryption and reform government surveillance activities. The Internet Association on Monday sent a letter to Trump’s transition team...
VMware Patches Virtual Machine Escape Vulnerability
VMware quickly turned around a patch for a critical code execution flaw that was worth $150,000 to the researchers who found it. While there have been no reported public exploits, the vulnerability is serious because it could allow an attacker to access a virtual instance and run code on the host...
Microsoft Bolsters Ransomware Protection in Windows 10
Microsoft says it hardened its ransomware defenses in Windows 10 Anniversary Update in the face of skyrocketing infection rates and a doubling in the number of ransomware variants released into the wild over the past 12 months. In a whitepaper PDF released last week, Microsoft explained its latest...
CrySis Ransomware Master Decryption Keys Released
The threat posed by a ransomware family known as CrySis was diminished considerably on Sunday when the master decryption keys were released to the public. Researchers at Kaspersky Lab said they have already folded the keys into the company’s Rakhni decryptor and victims of CrySis versions 2 and 3...
Adult FriendFinder Vulnerability Leaves 400 Million Exposed
Account data for more than 400 million users of adult-themed FriendFinder Network has been exposed. The breach includes personal account data from five sites including Adult FriendFinder, Penthouse.com and Stripshow.com. FriendFinder Network did not confirm the breach and is investigating reports...
Hack the Army Bug Bounty Focuses on Recruiting Websites
The backdrop to the U.S. government’s first public-facing bug bounty program announced earlier this year was that the Hack the Pentagon program was a way to connect with legitimate researchers and make a subtle plea for help. On Friday, Veterans Day, the U.S. Army became the second critical agenc...
BlackNurse Low-Volume DoS Attack Targets Firewalls
A type of denial of service attack relevant in the 1990s has resurfaced with surprising potency against modern-day firewalls. Dubbed a BlackNurse attack, the technique leverages a low-volume Internet Control Message Protocol (ICMP)-based attack on vulnerable firewalls made by Cisco, Palo Alto,...
OpenSSL Patches High-Severity Denial-of-Service Bug
OpenSSL on Thursday patched three vulnerabilities in its latest update, and reminded users running version 1.0.1 of the cryptographic library that security support will end Dec. 31. Of the three bugs, only one was rated high severity and could lead to OpenSSL crashes. Only OpenSSL 1.1.0 is...
Signal Audit Reveals Protocol Cryptographically Sound
Academics from three different continents recently audited the popular end-to-end encryption app Signal and their findings, for the most part, are encouraging. The protocol, which boasts over a billion users, including those via apps such as Facebook, WhatsApp and Google’s Allo services, has no...
Siemens Discloses Local Privilege Escalation Bug in SCADA Gear
German engineering giant Siemens is warning operators of a local privilege escalation vulnerability that leaves more than a dozen models of its SCADA equipment open to attack. Some of the issues have been patched, or in other cases, Siemens has provided a workaround. The vulnerability was disclos...
Yahoo Tells SEC It Knew About Data Breach in 2014
Yahoo fessed up in its latest SEC filing that it knew in 2014 that attackers were on its network and stole information from 500 million accounts. The breach was disclosed in September and Yahoo blamed state-sponsored attackers, a claim that was challenged by some experts who instead said a crimin...
OAuth 2.0 Hack Exposes 1 Billion Mobile Apps to Account Hijacking
Third-party applications that allow single sign-on via Facebook and Google and support the OAuth 2.0 protocol are exposed to account hijacking. Three Chinese University of Hong Kong researchers presented at Black Hat EU last week a paper called “Signing into One Billion Mobile App Accounts...
Locky Targets OPM Breach Victims
A phishing campaign pushing Locky ransomware is targeting some of the 22 million victims of the massive United States Office of Personnel Management breaches of 2014 and 2015. According to researchers at PhishMe Intelligence, the campaign involves attackers impersonating OPM representatives who a...
Google to Red Flag 'Repeat Offender' Web Sites
Google upped the ante on Tuesday on its Safe Browsing efforts to warn users of questionable websites with the introduction of a Repeat Offender designation. The designation, Google says, builds on the company’s existing Safe Browsing warning system that blocks access to sites that are in violatio...
iOS WebView Problem Allows Attackers to Initiate Phone Calls
iOS developers who have embedded Apple’s WebView into mobile apps need to be aware of an exploitable issue that could allow phone calls to a number of the attacker’s choosing. Researcher Collin Mulliner said the vulnerability is trivial to exploit, requiring at a minimum one line of HTML code. Th...
TrickBot Banking Trojan Adds New Browser Manipulation Tools
The TrickBot banking Trojan, a close relative to Dyre, has a growing target list and new browser manipulation techniques, experts at IBM X-Force said. “We expect to see it amplify infection campaigns and fraud attacks, sharpen its aim on business and corporate accounts,” wrote Limor Kessem,...
Microsoft Patches Zero Day Disclosed by Google
Microsoft followed through and today patched a zero-day vulnerability being exploited in public attacks that was disclosed by Google researchers nine days ago. The victims have yet to be identified, but Microsoft did accuse the Sofacy APT gang of carrying out the attacks. Sofacy is general...
Google Releases Supplemental Patch for Dirty Cow Vulnerability
Google’s November Android Security Bulletin, released Monday, patched 15 critical vulnerabilities and addressed 85 CVEs overall. But conspicuously absent is a fix for the Linux race condition vulnerability known as Dirty Cow (Copy-on-Write) that also impacts Android. While Google didn’t issue an...
Adobe Patches Nine Code Execution Flaws in Flash Player
Two weeks after rushing out an emergency patch for a zero-day vulnerability, Adobe today released another Flash Player security update. The new release patched nine vulnerabilities, all of which expose the host system to remote code execution. Adobe said it is not aware of public exploits against...
Risk of Election Day Cyberattacks Low According To Cyber Chatter
Security experts monitoring cyber-chatter for virtual and real-world threats against U.S. Election Day targets say so far, so good. They don’t believe there will be a cyberattack or al-Qaeda terror attack come Election Day. That’s not to say the U.S. government isn’t ready for the worst. The White...
Tesco Bank Stops Online Transactions
Tesco Bank, a U.K. retail bank, today put a halt to online transactions from current accounts after some customers reported over the weekend money missing from their accounts. The bank, which has more than seven million customers, told the BBC that 40,000 accounts were accessed and half of which...
Microsoft Tears off the Band-Aid with EMET
Microsoft last week extended the end-of-life expiration date to July 2018 on its exploit mitigation add-on, the Enhanced Mitigation Experience Toolkit (EMET). But for some time, the once-useful tool has been well on its way out to pasture. While EMET was never meant to be anything more than stopgap...
Clever Gmail Hack Let Attackers Take Over Accounts
Google patched a hole in its Gmail verification system last week that allowed an attacker to hijack a targeted Google Gmail account. The discovery was made by Ahmed Mehtab, a security researcher and founder of Security Fuse. The hack is simple to execute and requires less than a dozen steps to pull...
Inside the RIG Exploit Kit
Today’s most prolific exploit kit is RIG, which has filled a void left by the departure of Angler, Neutrino and Nuclear. That has made it public enemy No. 1 when it comes to exploit kits. Now Cisco Talos researchers are hoping to shed new light into the ongoing development of the potent EK in hopes ...
Commodity 'Exaspy' Spyware Targets High-Level Execs
Researchers say they have discovered commodity Android spyware called Exaspy being used to spy on executives. The spyware, according to Skycure Research Labs, is being sold as a $15-a-month turnkey service online and can be used to intercept nearly all phone-based communications including phone...
Half of Chrome Pageloads are HTTPS
First it was Mozilla, and now Google is the latest to confirm that encryption is inching closer toward becoming a standard building block for websites and web applications. Google reported yesterday that more than half of pages loaded on desktop versions of the Chrome browser are being done so ov...
Test-Run DDoS Attacks Against Liberia Cease
Intermittent DDoS attacks powered by the largest of the many Mirai-powered botnets targeting the African nation of Liberia have ceased today. Researcher Kevin Beaumont who disclosed the attacks on Thursday said also that the domain controlling the attacker’s command and control infrastructure was...
DMCA Exemptions Lift Hacking Restriction
White hat hackers can breathe a little easier for the next two years because of a temporary removal of restrictions imposed on hacking of everything from cars, medical devices, to smart home appliances. Last week the U.S. Copyright Office temporarily removed certain restrictions imposed by the...
Outlook Web Access Two-Factor Authentication Bypass Exists
Enterprises running Exchange Server have been operating under a false sense of security with regard to two-factor authentication implementations on Outlook Web Access (OWA) adding an extra layer of protection. A design weakness has been exposed that can allow an attacker to easily bypass 2FA and...
GitLab Patches Command Execution Vulnerability
Developers with GitLab this week fixed a critical vulnerability in the open source repository management software that could have led to command execution and allowed an authenticated user to gain access to sensitive application files, tokens, or secrets. HackerOne cofounder Jobert Abma unearthed...
Cisco Patches Critical Bugs in 900 Series Routers, Prime Home Server
Cisco Systems has issued two critical advisories addressing flaws in a variety of enterprise-class products ranging from its 900 Series Routers to its Cisco Prime Home server and cloud-based network management platform. Service providers running Cisco ASR 900 Series routers are being warned that ...
Unpatched Vulnerability on Wix.com Puts Millions of Sites at Risk
Update: Cloud-based web host Wix.com is vulnerable to a DOM-based cross-site scripting vulnerability that can give attackers control over any of the millions of websites hosted on the platform. “Simply by adding a single parameter to any site created on Wix, the attacker can cause their JavaScript...
Mitigations Available for PanelShock Vulnerabilities in Schneider HMIs
One week after addressing a critical vulnerability in its industrial controller management software, Schneider Electric is in the midst of handling two more serious flaws in a number of its Magelis HMI products. HMI is short for human machine interface, a graphical visualization of an industrial...
Critical MySQL Vulnerabilities Can Lead to Server Compromise
Critical vulnerabilities in MySQL and vendor deployments by database servers MariaDB and PerconaDB have been identified that can lead to arbitrary code execution, root privilege escalation and server compromise. Dawid Golunski of Legal Hackers published details around two proof-of-concept exploit...
Belkin's WeMo Gear Can Hack Android Phones
A SQL injection vulnerability is present in Belkin’s WeMo home automation firmware that could allow a third party with local access to a network to gain root access to devices such as light switches, lightbulbs, security cameras and coffee makers. Researchers at Invincea Labs, who discovered the...
Sundown Exploit Kit 'Larger Threat Than People Realize'
It’s been a tumultuous summer for exploit kits with the demise of Angler, Neutrino and Nuclear, for years each responsible for massive amounts of dollar losses and malware infections. Now, Cisco Talos security researchers are bracing for new entrants to fill the void, starting with the Sundown...
Microsoft Says Russian APT Group Behind Zero-Day Attacks
Microsoft has singled out Sofacy, an APT group long thought to have ties to Russia’s military intelligence arm GRU, as the entity behind targeted attacks leveraging Windows kernel and Adobe Flash zero days in targeted attacks. The group, which Microsoft calls Strontium, is also known as APT28, Ts...
Google to Distrust WoSign, StartCom Certs in 2017
Google announced Monday that when it ships Chrome 56 in January 2017 the browser will distrust certificates issued by Chinese certificate authorities WoSign and StartCom that have made headlines over the past month. The move was somewhat expected after Mozilla announced last week the company would...
New IoT Botnet Malware Borrows From Mirai
Researchers have thrown back the covers on more malware infecting IoT devices for the purposes of building a botnet that carries out DDoS attacks. This sample has its roots in other IoT botnets such as Aidra, Bashlite and Mirai in that it attacks weak telnet credentials guarding devices and it’s...
Phony Android Flash Player Installs Banking Malware
Security researchers warn that a bogus Flash Player app aimed at Android mobile devices has surfaced and is luring victims to download and install banking malware that steals credit card information and can defeat two-factor identification schemes. Wells Fargo, Discovery Financial and Chase...
Google Reveals Windows Kernel Zero Day Under Attack
A Windows zero-day vulnerability is being used in an unknown number of attacks, Google disclosed today, 10 days after it privately reported the issue to Microsoft. Google’s disclosure follows its internal policy, which states that companies should fix or publicly report flaws that are under attac...
Nymaim Dropper Updates Delivery, Obfuscation Methods
A new variant of the Nymaim dropper has been identified that includes updated delivery and obfuscation methods, and the use of PowerShell routines to download its payloads. The updated dropper, used primarily to download banking Trojans in the past, has also been spreading ransomware, according t...
ShadowBrokers Dumps List of Equation Group Hacked Servers
The ShadowBrokers’ last two bits of outreach to the world lacked the oomph of August’s showstopper dump of Equation Group zero days, but the group is more than making up for it in severely broken English political banter, and another plea to buy the full boat of NSA exploits it allegedly has...
WhatsApp Blasted by EU Data Protection Group Over Facebook Sharing
Yet another privacy coalition is urging WhatsApp to clarify that user information shared between the company and Facebook is compliant with data protection laws on the books in Europe. The Article 29 Working Party, comprised of representatives from data protection authorities from each EU member...