15946 matches found

ThreatPost
added 2016/10/13 1:43 p.m. | 14 views

Google Handles Record Number of Government Requests for Data

Google fielded a record number of government requests for user data during the first half of 2016, according to its updated Transparency Report. It was also able to report that it received at least one National Security Letter during the six months between July and December 2015. “Pursuant to the...

AI score: 6.9
Exploits: 0 | References: 5

ThreatPost
added 2016/10/13 12:56 p.m. | 15 views

Facebook Bug Bounty Program Pays Out $5 Million in 5 Years

Facebook announced this week that it’s paid out more than $5 million to 900 researchers in the five years since it implemented its bug bounty program. The social network announced the figures, including some preliminary statistics around how the program has fared so far this year, in a blog post...

AI score: 7
Exploits: 0 | References: 11

ThreatPost
added 2016/10/13 11:56 a.m. | 22 views

Cisco Patches Critical Bug In Video Conferencing Server Hardware

On Wednesday Cisco Systems patched a critical vulnerability found in its Cisco Meeting Server hardware, a key component in its enterprise audio, web and video conferencing service. The flaw, according to a Cisco Security Advisory, could allow an unauthenticated remote attacker to masquerade as a...

CVSS: 7.1 | AI score: 2.1 | EPSS: 0.02514
Exploits: 0 | References: 6

ThreatPost
added 2016/10/13 11:27 a.m. | 39 views

Old SSH Vulnerability at Center of Credential-Stuffing Attacks

Connected devices aren’t just for DDoS attacks anymore. Researchers at Akamai this week exposed how attackers are using a 12-year-old SSH vulnerability in combination with weak or default credentials to compromise an array of IOT and home networking devices. Those connected things are then being...

CVSS: 6.4 | AI score: 0.5 | EPSS: 0.11574
Exploits: 0 | References: 5

ThreatPost
added 2016/10/13 10:38 a.m. | 13 views

Android Fragmentation Sinks Patching Gains

It’s been 13 months since Google began releasing Android security bulletins and software patches on a scheduled, monthly basis. So far, the benefits of the new strategy to shore up Android’s defenses are mixed at best. Compared to Apple’s patching track record, Google’s is significantly lacking...

AI score: 7
Exploits: 0 | References: 6

ThreatPost
added 2016/10/12 5:25 p.m. | 16 views

Vera Bradley Retail Chain Breached

Retailer Vera Bradley warned customers on Wednesday of a compromise of its point-of-sale system that allowed hackers to make off with an undisclosed number of credit card records. The breach impacts only retail customers who shopped at one of 159 Vera Bradley locations between July 25 and Sept. 2...

AI score: 0.7
Exploits: 0 | References: 7

ThreatPost
added 2016/10/12 1:5 p.m. | 9 views

Disappearing Messages Added to Signal App

The Signal encrypted messaging application on Tuesday added disappearing messages to its array of privacy features. Disappearing messages gives users the ability to designate how long conversations live on respective devices. And while developer Moxie Marlinspike said the feature won’t necessaril...

AI score: 6.8
Exploits: 0 | References: 3

ThreatPost
added 2016/10/12 11:45 a.m. | 11 views

Gary McGraw on BSIMM7 and Secure Software Development

Mike Mimoso talks to Cigital CTO and software security pioneer Gary McGraw about the latest results pulled from the Building Security In Maturity Model (BSIMM). The framework measures the secure development activities of some of the world’s largest software companies and enterprises and can be used...

AI score: 2.1
Exploits: 0 | References: 3

ThreatPost
added 2016/10/11 5:8 p.m. | 14 views

Nuclear Power Plant Disrupted by Cyber Attack

The head of an international nuclear energy consortium said this week that a cyber attack caused a “disruption” at a nuclear power plant at some point during the last several years. Yukiya Amano, the head of the International Atomic Energy Agency (IAEA) didn’t go into detail about the attack, but...

AI score: 1.7
Exploits: 0 | References: 5

ThreatPost
added 2016/10/11 3:18 p.m. | 33 views

Microsoft Patches Five Zero Days Under Attack

Update: Microsoft today said it mislabeled CVE-2016-7189 in bulletin MS16-119 as exploited. “There is no evidence of any active attacks using this vulnerability and the bulletin text has been corrected.” – a Microsoft spokesperson said. Microsoft today patched a handful of zero-day vulnerabilitie...

CVSS: 9.3 | AI score: 0.4 | EPSS: 0.68684
Exploits: 0 | References: 13

ThreatPost
added 2016/10/11 2:2 p.m. | 8 views

Adobe Fixes 81 Vulnerabilities in Acrobat, Reader, Flash

Adobe patched 81 vulnerabilities across Acrobat, Reader, and Flash on Tuesday, including a handful of critical bugs that if exploited, could allow an attacker to take control of a system. The lion’s share of vulnerabilities – 71 in total – exist in the company’s Acrobat and Reader platforms...

AI score: 8.9
Exploits: 0 | References: 7

ThreatPost
added 2016/10/11 11:52 a.m. | 13 views

IoT Botnet Uses HTTP Traffic to DDoS Targets

The IoT botnet behind some of the largest publicly recorded DDoS attacks is flooding its targets with HTTP traffic, generating more than one million requests per second in some cases, in order to bring down web applications. The attacks were recorded prior to the release of the source code fuelin...

AI score: 7.3
Exploits: 0 | References: 4

ThreatPost
added 2016/10/10 9:54 a.m. | 17 views

StrongPity APT Covets Secrets of Crypto Users

APT groups covet secrets, and one in particular has chosen to target users intent on protecting theirs. The group is known as StrongPity, and it’s been a characteristic APT outfit using its share of zero days and modular attack tools to infiltrate victims and conduct espionage. This summer,...

AI score: 0.6
Exploits: 0 | References: 3

ThreatPost
added 2016/10/10 9:0 a.m. | 12 views

When DVRs Attack: Post IoT Attack Analysis

Researchers examining the aftermath of last month’s massive distributed denial-of-service attack against KrebsOnSecurity.com and French hosting giant OVH have identified key flaws that contributed significantly in those attacks and have unearthed new details on how the assaults were carried out...

AI score: 0.1
Exploits: 0 | References: 9

ThreatPost
added 2016/10/07 11:30 a.m. | 13 views

On Virus Bulletin, APT False Flags, and the NSA Contractor Arrest

Mike Mimoso and Chris Brook discuss this week’s Virus Bulletin conference in Denver and CNBC’s Cambridge Cyber Summit at MIT, the NSA contractor arrest, APT false flags, and more. Download: ThreatpostNewsWrapOctober72016.mp3 Music by Chris Gonsalves...

AI score: 2.5
Exploits: 0 | References: 2

ThreatPost
added 2016/10/07 11:0 a.m. | 17 views

The Ethics and Morality Behind APT Reports

DENVER—Investigations into state-sponsored APT campaigns are much more than black-and-white research into malware, exploits and zero-days. Behind the scenes, these can be geopolitical powder kegs that require moral examinations into the ethics of publishing public reports that could expose tools...

AI score: 7
Exploits: 0 | References: 2

ThreatPost
added 2016/10/07 10:55 a.m. | 30 views

Cisco Warns of Critical Flaws in Nexus Switches

Cisco Systems released several critical software patches this week for its Nexus 7000-series switches and its NX-OS software. The vulnerabilities can allow remote access to systems, enabling a hacker to execute code or commands on targeted devices. According to Wednesday’s Cisco Security Advisory...

CVSS: 10 | AI score: 1.8 | EPSS: 0.0807
Exploits: 0 | References: 6

ThreatPost
added 2016/10/07 7:0 a.m. | 14 views

Free Tool Protects Mac Users from Webcam Surveillance

DENVER—Hijacking a user’s webcam is one of the more dastardly tactics used for surveillance. In most cases the attacker can use a number of different webcam-aware malware samples to quietly turn on and record audio and video from the target’s machine. Doing so, however, also turns on the embedded...

AI score: 0.1
Exploits: 0 | References: 6

ThreatPost
added 2016/10/06 4:26 p.m. | 13 views

Web-Based Keylogger Used to Steal Credit Card Data from Popular Sites

Popular ecommerce sites have been infected with web-based keyloggers that are being used to steal credit card data as it’s entered into online checkout forms. More than 100 compromised sites have been identified, but the number could be in the thousands, researchers said. RiskIQ, in collaboration...

AI score: 0.2
Exploits: 0 | References: 2

ThreatPost
added 2016/10/06 1:49 p.m. | 14 views

EFF: NSA's Support of Encryption 'Disingenuous'

CAMBRIDGE, Ma.—The National Security Agency came out in support of encryption again Wednesday, but privacy advocates were quick to contest the agency’s stance, criticizing it for having a different definition of the term than others. Glenn Gerstell, general counsel for the NSA, stressed that the...

AI score: 7.6
Exploits: 0 | References: 3

ThreatPost
added 2016/10/06 10:0 a.m. | 17 views

Mobile App Collusion Can Bypass Native Android Security

DENVER – Android’s native security mechanisms, most notably application sandboxing, secure devices against threats from one app at a time. Multiple apps however, can collude in different ways and bypass these protections. Researchers on Wednesday at the 26th Virus Bulletin International Conferenc...

AI score: 7
Exploits: 0 | References: 1

ThreatPost
added 2016/10/06 9:0 a.m. | 9 views

Juan Andres Guerrero-Saade and Brian Bartholomew on APT False Flags and Attribution

Mike Mimoso talks to Kaspersky Lab Global Research and Analysis Team researchers Juan Andres Guerrero-Saade and Brian Bartholomew about a paper released at Virus Bulletin on deception tactics and false flags flown by APT groups to frustrate analysis. Download their paper presented at Virus...

AI score: 3.6
Exploits: 0 | References: 3

ThreatPost
added 2016/10/06 8:0 a.m. | 17 views

Abandoned Mobile C&C Servers Present Opportunity to Attackers

DENVER—When developers build mobile apps, they’re not only coding functionality, but they’re also dragging in third-party software development kits (SDKs) for ads, analytics and lots of things in between. A big function of SDKs is to communicate with a central server to receive instructions and...

AI score: 0.2
Exploits: 0

ThreatPost
added 2016/10/05 6:31 p.m. | 6 views

NSA Contractor Secretly Charged With Stealing Classified Secrets

The Federal Bureau of Investigation arrested a National Security Agency contractor working for Booz Allen Hamilton and charged him with stealing highly classified documents. Harold T. Martin III, of Glen Burnie, Md., was charged in a criminal complaint filed in late August that became public...

AI score: 7.2
Exploits: 0 | References: 3

ThreatPost
added 2016/10/05 12:30 p.m. | 8 views

Yahoo Slams Email Surveillance Story: Experts Demand Details

Bombshell revelations that Yahoo conducted mass email surveillance is raising hackles among legal, civil liberties and security experts that demand Yahoo and the U.S. government come clean. Meanwhile Yahoo challenged the accuracy of Tuesday’s report by Reuters. “The article is misleading. We...

AI score: 6.8
Exploits: 0 | References: 4

ThreatPost
added 2016/10/05 8:51 a.m. | 8 views

IoT Botnets Are The New Normal of DDoS Attacks

If you’ve been on the wrong end of what passes for a modern-day DDoS attack, you’re well familiar with the firepower of the almighty DVR. That’s right, the innocuous set-top box responsible for the posterity of your Game of Thrones seasons 1-6 is behind some of the biggest swarming attacks agains...

Exploits: 0 | References: 6

ThreatPost
added 2016/10/05 6:0 a.m. | 17 views

Subpoena for Signal Messaging Data Renders Little

Open Whisper Systems, the non-profit group behind the encrypted messaging app Signal, was served with a subpoena for user data earlier this year but since the company keeps such little information on its users, it was unable to produce most of what it was asked for. The American Civil Liberties...

AI score: 6.8
Exploits: 0 | References: 9

ThreatPost
added 2016/10/04 2:32 p.m. | 11 views

Cloud, IoT Big Factors in Annual BSIMM 7 Report

Bad software equals insecure software, and companies don’t have to accept this status quo. That’s both the takeaway and goal of Cigital’s seventh annual Building Security in Maturity Model report released Tuesday. The report reveals that the cloud, application containers, and agile software...

AI score: 7.5
Exploits: 0 | References: 1

ThreatPost
added 2016/10/04 1:16 p.m. | 14 views

Vulnerabilities in Insulin Pumps Can Lead to Overdose

Patients who use insulin pumps made by Johnson & Johnson are being warned this week that vulnerabilities in the devices could be exploited to trigger an overdose. The bugs exist in OneTouch Ping, a medical device made by Animas Corp. – a subsidiary of Johnson & Johnson – which allows diabetic...

AI score: 0.2
Exploits: 0 | References: 8

ThreatPost
added 2016/10/03 5:6 p.m. | 12 views

Hack Crashes Linux in Just 48 Characters of Code

With just a mere 48 characters of code, Linux admin and SSLMate founder Andrew Ayer has figured out how to crash major Linux distributions by locally exploiting a flaw in systemd. Ayer said the following command, when run as any user, will crash systemd: NOTIFYSOCKET=/run/systemd/notify...

AI score: 7.2
Exploits: 0 | References: 6

ThreatPost
added 2016/10/03 12:6 p.m. | 15 views

Apple To Block WoSign Intermediate Certificates

Apple weighed in on the ongoing WoSign fiasco over the weekend, saying it would soon distrust certificates issued by the Chinese Certificate Authority’s Free SSL Certificate G2 intermediate CA on macOS. Apple’s decision comes several days after Mozilla accused the CA of backdating SHA-1...

AI score: 0.4
Exploits: 0 | References: 8

ThreatPost
added 2016/10/03 10:58 a.m. | 17 views

Source Code Released for Mirai DDoS Malware

The dangers of haphazardly connecting embedded devices to the Internet have manifested themselves in mammoth distributed denial-of-service attacks, in particular one two weeks ago against security journalist Brian Krebs’ website that peaked at better than 620 Gbps. The situation worsened over the...

Exploits: 0 | References: 4

ThreatPost
added 2016/10/03 8:45 a.m. | 9 views

Mozilla Reduces Threat of Export-Grade Crypto to Firefox

Logjam was one of several downgrade attacks discovered in the last 18 months that could theoretically allow a resourced attacker to take advantage of lingering export-grade cryptography to read and modify data over a supposedly secure connection. While the severity of this particular attack again...

AI score: 7
Exploits: 0 | References: 8

ThreatPost
added 2016/10/03 5:0 a.m. | 15 views

Researchers Break MarsJoke Ransomware Encryption

Victims infected with the MarsJoke ransomware can decrypt their files after researchers last week cracked the encryption in the CTB-Locker lookalike. A trio of researchers from Kaspersky Lab’s Anti-Ransom Team–Anton Ivanov, Orkhan Mamedov, and Fedor Sinitsyn–described Monday how errors in the...

AI score: 7.4
Exploits: 0 | References: 8

ThreatPost
added 2016/09/30 3:45 p.m. | 20 views

Academics Put Another Dent in Online Anonymity

The Internet may make many promises, but anonymity isn’t always one of them. Users, for example, who covet their privacy often turn to Tor and other similar services to keep their activities on the web from prying eyes, yet that hasn’t stopped the FBI and researchers from trying to uncloak people...

AI score: 1
Exploits: 0 | References: 2

ThreatPost
added 2016/09/30 12:23 p.m. | 21 views

ICS-CERT Report Grim Reminder of State of Critical Infrastructure Security

U.S. critical infrastructure got another reminder this week that it needs to do more to protect itself from cyber attacks with the release of an annual government report. The NCCIC/ICS-CERT FY 2015 Annual Vulnerability Coordination Report points out that nagging issues continue to plague industri...

AI score: 0.3
Exploits: 0 | References: 1

ThreatPost
added 2016/09/30 10:37 a.m. | 15 views

On the Yahoo Breach, WhatsApp-Facebook, and Zerodium's $1.5M Bounty

Mike Mimoso and Chris Brook discuss the news of the week, including the latest on the Yahoo breach, Germany’s problem with WhatsApp-Facebook, Facebook osquery tool for Windows, and Zerodium’s $1.5M iOS bounty. Download: ThreatpostNewsWrapSeptember302016.mp3 Music by Chris Gonsalves...

AI score: 2.1
Exploits: 0 | References: 2

ThreatPost
added 2016/09/29 4:4 p.m. | 12 views

Backdoored D-Link Router Should be Trashed, Researcher Says

A researcher who found a slew of vulnerabilities in a popular router said it’s so hopelessly broken that consumers who own them should throw them away. Pierre Kim said attackers could easily exploit the vulnerabilities and use the device as a spamming zombie or a man-in-the-middle tool. “I advise...

AI score: 8.6
Exploits: 0 | References: 5

ThreatPost
added 2016/09/29 3:8 p.m. | 10 views

Zerodium Triples its iOS 10 Bounty to $1.5 Million

Zerodium has tripled the bounty it offers for an Apple iOS 10 remote jailbreak, boosting the reward today to $1.5 million USD, founder Chaouki Bekrar said. Zerodium had previously offered $1 million for iOS 9 attacks that result in an untethered jailbreak, but that bounty was for a specific time...

AI score: 7.2
Exploits: 0 | References: 7

ThreatPost
added 2016/09/29 2:15 p.m. | 6 views

Yahoo Challenged on Claims Breach Was State-Sponsored Attack

As challenges mount against Yahoo’s attribution of a massive 2014 data breach to state-sponsored hackers, CISO Bob Lord yesterday confirmed that a cache of 200 million Yahoo accounts marketed this summer in an underground forum is unrelated to the breach. Speaking at the Structure Security...

AI score: 7.8
Exploits: 0 | References: 5

ThreatPost
added 2016/09/29 12:21 p.m. | 30 views

Cisco Warns of Critical Flaw in Email Security Appliances

Cisco Systems released a critical security bulletin for a vulnerability that allows remote unauthenticated users to gain complete control of its email security appliances. The vulnerability is tied to Cisco’s IronPort AsyncOS operating system. Cisco first issued a security bulletin last week for...

CVSS: 10 | AI score: 1.1 | EPSS: 0.04896
Exploits: 0 | References: 10

ThreatPost
added 2016/09/29 9:10 a.m. | 9 views

Vendetta Brothers: Cyber Crooks Adopt Real World Tactics

Meet Vendetta Brothers Inc., a small-time cybercrime ring that has mastered the art of compromising point-of-sale systems and selling the data online. The group, named after its “Vendetta World” underground marketplace, is unique because of its ability to adopt real-world criminal tricks of the...

AI score: 7.6
Exploits: 0 | References: 2

ThreatPost
added 2016/09/28 5:8 p.m. | 10 views

Microsoft Unveils Cloud-Based Fuzz-Testing Service

Microsoft announced a cloud-based fuzz testing service called Project Springfield that identifies software bugs in applications that could turn into vulnerabilities. The service, announced at this week’s Microsoft 2016 Ignite technology conference in Atlanta, combines artificial intelligence and...

AI score: 7.7
Exploits: 0 | References: 3

ThreatPost
added 2016/09/28 4:29 p.m. | 35 views

ISC Patches Critical Error Condition in BIND

The Internet Systems Consortium patched the BIND domain name system this week, addressing what it calls a critical error condition in the software. A security advisory on ISC’s Knowledge Base on Tuesday acknowledges an attacker can exploit the vulnerability remotely and likely for that reason,...

CVSS: 7.8 | AI score: 1.1 | EPSS: 0.89482
Exploits: 7 | References: 2

ThreatPost
added 2016/09/28 1:18 p.m. | 7 views

Congressional Leaders Demand Answers on Yahoo Breach

Vermont Senator Patrick Leahy, along with a number of his Democratic congressional colleagues, has demanded answers from Yahoo CEO Marissa Mayer about what is now the biggest data breach in history. Leahy called the two years between the intrusion of Yahoo’s network and the discovery and disclosu...

AI score: 6.8
Exploits: 0 | References: 6

ThreatPost
added 2016/09/28 11:43 a.m. | 14 views

Microsoft Edge Adds App Guard Browser Security

Microsoft is bringing virtualization to its Edge browser with a security tool called Windows Defender Application Guard. The technology, announced this week at Microsoft’s 2016 Ignite conference in Atlanta, takes a virtualization-based approach to isolating browser-based attacks from the internet...

AI score: 1.5
Exploits: 0 | References: 1

ThreatPost
added 2016/09/28 10:42 a.m. | 9 views

Germany Orders Facebook to Stop Collecting Data on WhatsApp Users

A German privacy regulator issued an order this week prohibiting Facebook from collecting user data on German WhatsApp users, calling the company’s actions misleading and in violation of the nation’s data protection law. The move comes a few weeks after a recent WhatsApp policy change that said t...

AI score: 0.3
Exploits: 0 | References: 6

ThreatPost
added 2016/09/27 2:51 p.m. | 6 views

Mozilla Wants to Drop WoSign as Trusted CA

Mozilla has accused a Chinese Certificate Authority of back-dating SHA-1 certificates to get around restrictions barring deprecated certs from being trusted, and is ready to ban the CA for one year. The back-dating is just one of many violations derived after a lengthy investigation of WoSign and...

AI score: 0.3
Exploits: 0 | References: 5

ThreatPost
added 2016/09/27 12:37 p.m. | 9 views

Signal Adds iPhone Access to Desktop App

Open Whisper Systems has long offered Android users of its encrypted messaging app a companion desktop version of the service. iPhone users haven’t been as lucky until Monday when the company announced desktop support for iPhone users of its Signal desktop beta app called Signal Private Messenger...

AI score: 0.7
Exploits: 0 | References: 7

ThreatPost
added 2016/09/27 12:24 p.m. | 9 views

Facebook Debuts Open Source Detection Tool for Windows

Facebook successfully ported its SQL-powered detection tool, osquery, to Windows this week, giving users a free and open source method to monitor networks and diagnose problems. The framework, which converts operating systems to relational databases, allows users to write SQL-based queries to...

AI score: 0.5
Exploits: 0 | References: 14

Total number of security vulnerabilities: 15946