15946 matches found

ThreatPost
added 2016/08/05 12:0 p.m. (11 views)

Gunter Ollmann on the Future of Ransomware, Exploit Kits, and IoT

LAS VEGAS—Gunter Ollmann, CSO at Vectra Networks, talks to Mike Mimoso at Black Hat about ransomware as a prototype for malware going forward, as well as the long-term future of exploit kits and whether IoT is something that can be secured sooner rather than later. Download:...

AI score: 1.2
Exploits: 0, References: 2

ThreatPost
added 2016/08/04 8:30 p.m. (12 views)

Apple Launches Bug Bounty with Maximum $200,000 Reward

LAS VEGAS—Apple closed out Black Hat today with a long-awaited announcement that next month it will launch a bug bounty. The Apple Security Bounty will be an invitation-only program, open to two dozen researchers at the outset, said Ivan Krstic, head of security engineering and architecture. The...

AI score: 0.6
Exploits: 0, References: 1

ThreatPost
added 2016/08/04 6:14 p.m. (15 views)

Lack of Encryption Leads to Large Scale Cookie Exposure

LAS VEGAS—There’s been an abundance of attacks against crypto over the last few years but a much simpler, scarier threat, cookie hijacking, remains significantly overlooked in the eyes of researchers. Two academics, Suphannee Sivakorn, a PhD student at Columbia University, and Jason Polakis, an...

AI score: 7
Exploits: 0, References: 2

ThreatPost
added 2016/08/04 6:5 p.m. (26 views)

How Bugs Lead to a Better Android

Google is used to taking a beating over Android vulnerabilities, but it says too often its hard work fixing vulnerabilities and keeping the platform safe goes unnoticed. “Over the seven years working on Android security vulnerabilities I’ve seen a lot of bugs and a lot of fear uncertainty and...

CVSS: 5.8, AI score: 7.4, EPSS: 0.00674
Exploits: 0, References: 4

ThreatPost
added 2016/08/04 3:26 p.m. (20 views)

Miller, Valasek Deliver Final Car Hacking Talk

LAS VEGAS—Charlie Miller and Chris Valasek figuratively drove off into the sunset today at Black Hat, hanging up their car hacking exploits for good and leaving behind a pioneering legacy that elevated this type of research into the mainstream. “It’s time someone else pick it up,” Valasek said. “...

AI score: 0.9
Exploits: 0, References: 2

ThreatPost
added 2016/08/04 11:41 a.m. (12 views)

Never Trust a Found USB Drive, Black Hat Demo Shows Why

Does dropping an infected USB drive in a parking lot work when it comes to a hacker luring its prey into a digital trap? The answer is a resounding yes. At Black Hat USA, security researcher Elie Bursztein shared the results of an experiment where he dropped 297 USB drives with phone-home...

AI score: 7.4
Exploits: 0, References: 4

ThreatPost
added 2016/08/04 11:0 a.m. (8 views)

Joshua Drake on Android Security Post-Stagefright

Joshua Drake of Zimperium Labs talks to Mike Mimoso about the last year post-Stagefright, the effectiveness of Google’s monthly patching cycle, and some of the security enhancements forthcoming in Android N. Download: JoshuaDrakeonPost-StagefrightAndroid.mp3 Music by Chris Gonsalves...

AI score: 2.4
Exploits: 0, References: 2

ThreatPost
added 2016/08/04 10:0 a.m. (26 views)

Researchers Go Inside a Business Email Compromise Scam

LAS VEGAS – Poor operational security on the part of Nigerian scammers running a Business Email Compromise (BEC) scheme has given researchers a window into their operations. Dell SecureWorks today published a report at Black Hat USA 2016 on what the criminals involved call wire-wire, or “waya-waya....

AI score: 6.8
Exploits: 0, References: 3

ThreatPost
added 2016/08/03 10:29 p.m. (9 views)

Researchers Bypass Chip and Pin Protections at Black Hat

LAS VEGAS – Credit card companies for the most part have moved away from “swipe and signature” credit cards to chip and pin cards by this point; the technology known as EMV (Europay, MasterCard, and Visa) which is supposed to provide consumers with an added layer of security is beginning to see som...

AI score: 0.9
Exploits: 0

ThreatPost
added 2016/08/03 10:14 p.m. (22 views)

Oracle EBusiness Suite 'Massive' Attack Surface Assessed

LAS VEGAS—Buried in the pages of the secure configuration guide for Oracle EBusiness Suite 11i is a declaration that SQL injection just isn’t a thing for the ubiquitous enterprise software. “Of the many potential SQL injections we have seen reported, we have yet to find a single confirmed example...

AI score: 0.3
Exploits: 0

ThreatPost
added 2016/08/03 4:47 p.m. (14 views)

Dan Kaminsky Black Hat Keynote

LAS VEGAS – There is no guarantee that the internet will succeed. And if we aren’t careful we can really screw it up. It has happened before and we can do it again. The warning comes from technologist Dan Kaminsky who says there is a need to treat the internet similarly to the way the National...

AI score: 7.3
Exploits: 0

ThreatPost
added 2016/08/03 10:0 a.m. (14 views)

Export-Grade Crypto Patching Improves

LAS VEGAS – The FREAK, LOGJAM and DROWN attacks of the last 17 months weren’t just the work of academics and security researchers who found a cool way to unmask encrypted traffic. They were ugly reminders of the Crypto Wars of the 1990s and why export-grade cryptography and intentional encryption...

AI score: 0.2
Exploits: 0, References: 4

ThreatPost
added 2016/08/02 2:0 p.m. (19 views)

Unmasking xDedic's Black Market for Servers and PCs

LAS VEGAS — Black market machine trading of PC and server resources is maturing at alarming speeds. Underground networks such as xDedic have fine-tuned their compute platform to the point where they are almost indistinguishable from legitimate networks such as Amazon Web Services and Rackspace. Tho...

AI score: 7.4
Exploits: 0, References: 1

ThreatPost
added 2016/08/02 1:0 p.m. (14 views)

Bug Hunting Cyber Bots Set to Square Off at DEF CON

LAS VEGAS — A government project in the works since 2013 is set to conclude Thursday at DEF CON when DARPA’s Cyber Grand Challenge culminates with a competition it’s calling the CGC Final Event. The challenge will mirror Capture the Flag competitions usually held at the hacking conference. CTF...

AI score: 7.7
Exploits: 0, References: 4

ThreatPost
added 2016/08/02 12:51 p.m. (17 views)

Yahoo Investigates 200 Million Alleged Accounts For Sale On Dark Web

Yahoo says it is investigating reports of 200 million user credentials advertised for sale on the Dark Web by a hacker that goes by the handle “peaceofmind”. The Yahoo credentials, according to the site listing the database for sale, include usernames, passwords hashed using the MD5 algorithm,...

Exploits: 0, References: 6

ThreatPost
added 2016/08/02 11:0 a.m. (12 views)

Previewing Black Hat 2016, Ivan Krstic's on Apple, Kaminsky's Keynote, And More

Mike Mimoso, Tom Spring, and Chris Brook preview Black Hat 2016, including Ivan Krstic’s talk on Apple/iOS security, Dan Kaminsky’s keynote, IoT, PAC malware, and more. Download: ThreatpostBlackHat2016Preview.mp3 Music by Chris Gonsalves...

AI score: 3.6
Exploits: 0, References: 2

ThreatPost
added 2016/08/02 9:0 a.m. (11 views)

Kaspersky Lab Bug Bounty Program Launches

LAS VEGAS – Kaspersky Lab today at Black Hat USA 2016 announced the launch of a public bug bounty, one of the few offered by a software vendor in the computer security industry. The bounty begins tomorrow on the HackerOne platform, and the first phase will run for six months. The company said tha...

AI score: 8.3
Exploits: 0, References: 2

ThreatPost
added 2016/08/01 2:0 p.m. (25 views)

August 2016 Android Security Bulletin

Google today patched more than three-dozen critical vulnerabilities in Qualcomm components embedded in the Android operating system, all of them allowing attackers to gain a foothold on devices to launch further attacks. The Qualcomm-related patches are among dozens in the monthly Android Securit...

CVSS: 10, AI score: 2.4, EPSS: 0.0252
Exploits: 0, References: 2

ThreatPost
added 2016/08/01 1:54 p.m. (13 views)

Google Adds New Layer of Security to Domain: Adds HSTS

Google is adding HTTP Strict Transport Security or HSTS to the Google.com domain, an extra layer of protection that prevents visitors from using a less secure HTTP connection. By using HSTS, visitors following HTTP links to Google.com will be automatically redirected to the more secure HTTPS...

AI score: 7
Exploits: 0, References: 8

ThreatPost
added 2016/08/01 1:0 p.m. (43 views)

HA-CFI Technique Checks Mitigation Bypasses Earlier

LAS VEGAS — It wasn’t long ago that ROP, or return-oriented programming, was a hacker’s best friend when it came to bypassing mitigations against memory-based attacks such as DEP and ASLR. ROP, however, is so 2005. In the last couple of years, researchers and attackers have figured out how to...

CVSS: 9.3, AI score: 1.9, EPSS: 0.99945
Exploits: 33, References: 6

ThreatPost
added 2016/08/01 9:0 a.m. (18 views)

New HTTPS URL Leakage Attack Leaves PCs, Macs, Linux Systems Vulnerable

LAS VEGAS — Researchers have found flaws in the Web Proxy AutoDiscovery protocol tied to DHCP and DNS servers that allow hackers to spy on HTTPS-protected URLs and launch a myriad of different malicious attacks against Linux, Windows or Mac computers. According to the security firm SafeBreach, this...

AI score: 0.4
Exploits: 0, References: 3

ThreatPost
added 2016/07/29 1:57 p.m. (15 views)

AdGholas Malvertising Campaign Leveraged Steganography, Filtering

For over a year attackers were able to carry out a malvertising campaign that managed to draw between one and five million client hits a day, according to researchers. The scam infected thousands a day using a one-two-punch of filtering and steganography, the art of hiding information inside...

AI score: 0.2
Exploits: 0, References: 4

ThreatPost
added 2016/07/29 12:21 p.m. (17 views)

New Trojan SpyNote Installs Backdoor on Android Devices

A new Android Trojan called SpyNote has been identified by researchers who warn that attacks are forthcoming. The Trojan, found by Palo Alto Networks’ Unit 42 team, has not been spotted in any active campaigns, but it is now widely available on the Dark Web and will soon be used in a wave...

AI score: 0.9
Exploits: 0, References: 3

ThreatPost
added 2016/07/29 10:45 a.m. (17 views)

On KeySniffer, Two Factor Authentication, LastPass, and Tor

Mike Mimoso and Chris Brook discuss the news of the week, including a wireless keyboard vulnerability – KeySniffer, NIST’s statement on 2FA, a LastPass remote compromise bug, and a new Tor paper. Download: ThreatpostNewsWrapJuly292016.mp3 Music by Chris Gonsalves...

AI score: 2.4
Exploits: 0, References: 2

ThreatPost
added 2016/07/28 1:23 p.m. (13 views)

Google Details Linux Kernel Defenses, New and Old

Developers with Android’s Security Team peeled back some of the layers on the mobile operating system this week, describing the lengths Google goes to protect the Linux kernel. In a post to Google’s Security Blog, Jeff Vander Stoep clarified several mitigations slated for inclusion in Nougat, the...

Exploits: 0, References: 5

ThreatPost
added 2016/07/28 12:16 p.m. (17 views)

Petya Sabotages Rival Ransomware Chimera, Leaks 3,500 Decryption Keys

There is no honor among thieves, as the saying goes, and that includes ransomware crooks. In an apparent move to sabotage a ransomware competitor, the authors of the Mischa and Petya ransomware-as-a-service leaked 3,500 decryption keys for its competitor Chimera ransomware. The move appears to be...

Exploits: 0, References: 13

ThreatPost
added 2016/07/28 8:58 a.m. (13 views)

LastPass Patches Ormandy Remote Compromise Flaw

LastPass has patched a vulnerability in its Firefox add-on found by Google Project Zero researcher Tavis Ormandy that allows attackers complete remote compromise of the password manager. The divisive Ormandy submitted a bug report on Tuesday to LastPass after a series of tweets hinting at serio...

AI score: 7.2
Exploits: 0, References: 6

ThreatPost
added 2016/07/27 4:54 p.m. (11 views)

White House Beefs Up Cyber Threat Response Action Plan

President Barack Obama signed a Cyber Incident Coordination policy directive on Tuesday that puts processes in place for how the government will respond to malicious or accidental threats to the nation’s public and private cyber infrastructure. The White House directive is designed to improve...

AI score: 6.7
Exploits: 0, References: 3

ThreatPost
added 2016/07/27 4:3 p.m. (17 views)

Trump Comments Straddle Line of Soliciting Computer Crime

Donald Trump may have left himself an out today when he urged Russian hackers to find 30,000 emails deleted by Hillary Clinton from her private server. “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” Trump said during a press conference in Florida. “I...

AI score: 6.8
Exploits: 0, References: 7

ThreatPost
added 2016/07/27 12:57 p.m. (51 views)

NIST Recommends SMS Two-Factor Authentication Deprecation

A U.S. government agency said the end is nigh for SMS-based two-factor authentication, citing a lack of security around the feature. The latest draft version of the Digital Authentication Guideline issued this week by the U.S. National Institute for Standards and Technology (NIST) said the practice...

AI score: 0.2
Exploits: 0, References: 11

ThreatPost
added 2016/07/27 12:27 p.m. (18 views)

Attributing Advanced Attacks Remains Challenge For Researchers

Amid the connections being made between the Russian government and the attack on the Democratic National Committee (DNC), researchers on Tuesday reminded us of the challenges security experts have in correctly attributing advanced attacks. In a wide-ranging Reddit AMA, members of Kaspersky Lab’s...

Exploits: 0, References: 3

ThreatPost
added 2016/07/26 5:26 p.m. (24 views)

Yahoo Ordered to Explain Data Gathering Procedures in Deleted Email Case

Yahoo has been given until August 31 to comply with a court order asking how the company was able to recover emails that were presumed deleted. Yahoo’s policy guide claims it cannot recover emails from a user’s account that have been deleted but defense lawyers for a convicted U.K. drug trafficke...

AI score: 6.8
Exploits: 0, References: 5

ThreatPost
added 2016/07/26 2:50 p.m. (15 views)

Kimpton Hotels Investigating Payment Card Fraud

Kimpton Hotels & Restaurants, a nationwide chain of 62 boutique hotels, is investigating a string of unauthorized charges on payment cards used at a number of its locations. It’s unknown how many cards are involved, nor at which locations. A Kimpton representative told Threatpost that an...

AI score: 1
Exploits: 0, References: 4

ThreatPost
added 2016/07/26 11:45 a.m. (11 views)

Public, Private Sector Team to Fight Ransomware

Knowing where to turn for help when victimized by ransomware isn’t always clear. Should you pay the ransom? Are there alternatives to getting your precious data back? Who can you turn to for help? In an effort to answer those questions and help victims retrieve data encrypted by ransomware a uniq...

AI score: 7
Exploits: 0, References: 1

ThreatPost
added 2016/07/26 9:30 a.m. (21 views)

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

Wireless keyboards made by eight different companies suffer from a vulnerability that can allow attackers to eavesdrop on keystrokes from up to 250 feet away, researchers warned Tuesday. If exploited, the vulnerability, dubbed KeySniffer, could let an attacker glean passwords, credit card numbers...

AI score: 7.1
Exploits: 0, References: 14

ThreatPost
added 2016/07/26 9:5 a.m. (29 views)

Unpatched Smart Lighting Flaws Pose IoT Risk to Businesses

A host of web-based vulnerabilities in Osram Lightify smart lighting products remain unpatched, despite private notification to the vendor in late May and CVEs assigned to the issues in June by CERT/CC. Researchers at Rapid7 today publicly disclosed some of the details on each of the nine...

CVSS: 5, AI score: 8.2, EPSS: 0.00934
Exploits: 2, References: 1

ThreatPost
added 2016/07/25 5:57 p.m. (24 views)

Windows UAC Bypass Hack Leaves Systems Open to Malicious DLLs

Researchers have crafted a stealthy new way of bypassing Windows User Account Controls (UAC) that opens the door to attacks on targeted systems. According to researchers, the bypass technique can fly under the radar of security solutions that monitor for this type of circumvention. The UAC bypass...

AI score: 0.9
Exploits: 0, References: 1

ThreatPost
added 2016/07/25 3:51 p.m. (6 views)

Upcoming Tor Design Battles Hidden Services Snooping

More than 100 malicious Tor Hidden Services Directories (HSDirs) were found to be snooping on the services they host, and in some cases, operators were actively using the data collected to attack the services. While at first blush, the discovery would seem to put another dent in the privacy and...

AI score: 1
Exploits: 0, References: 1

ThreatPost
added 2016/07/25 1:1 p.m. (68 views)

Pornhub Hack Earns Researchers $22,000

A PHP vulnerability that exposed adult website PornHub’s user data to hackers and allowed for code execution on servers hosting the site earned a trio of German researchers $22,000 as part of a bug bounty program. PHP patched the vulnerability in June. The flaw is tied to a use-after-free memory...

CVSS: 7.5, AI score: 2.1, EPSS: 0.15083
Exploits: 6, References: 1

ThreatPost
added 2016/07/22 1:47 p.m. (17 views)

PowerWare Ransomware Masquerades as Locky to Intimidate Victims

A new variant of the PowerWare ransomware is stealing street creds from the Locky strain of ransomware in an attempt to spoof the malware family. A new sample of PowerWare found by Palo Alto Networks’ Unit 42 reveals the ransomware’s quickly evolving tactics. According to researchers, a new versi...

AI score: 1.2
Exploits: 0, References: 3

ThreatPost
added 2016/07/22 1:33 p.m. (16 views)

PayPal Fixes CSRF Vulnerability in PayPal.me

PayPal recently fixed a vulnerability on its PayPal.me site that could have let an attacker change a user’s profile without permission. The issue stemmed from a cross-site request forgery (CSRF) vulnerability that existed in PayPal.me, a site the company launched last year to let its users request...

AI score: 0.2
Exploits: 0, References: 2

ThreatPost
added 2016/07/21 5:4 p.m. (52 views)

Google Fixes 48 Bugs, Sandbox Escape, in Chrome

Google has patched a high-risk vulnerability in its Chrome browser that allows an attacker to escape the Chrome sandbox. That vulnerability is one of 48 bugs fixed in version 52 of Chrome released Wednesday. Four dozen of those flaws are rated as high risks and Google paid out more than $22,000 i...

CVSS: 9.3, AI score: 8.7, EPSS: 0.02426
Exploits: 2, References: 18

ThreatPost
added 2016/07/21 4:35 p.m. (13 views)

Firefox to Block Flash in August, Disable in 2017

Starting next year, Firefox users who navigate to pages that contain Flash will be asked for their consent before activating the plugin. The move, long expected, comes as developers seek to curb usage of Flash in everyday web browsing. Benjamin Smedberg, Manager of Firefox Quality Engineering at...

AI score: 0.2
Exploits: 0, References: 8

ThreatPost
added 2016/07/21 1:18 p.m. (18 views)

EFF Files Lawsuit Challenging DMCA's Restrictions Security Researchers

The Electronic Frontier Foundation filed a lawsuit Thursday against the U.S. Government over a provision within the Digital Millennium Copyright Act that it says impinges on free speech and hobbles security researchers’ ability to do their job. The lawsuit asks the court to strike down the highly...

AI score: 7.6
Exploits: 0, References: 5

ThreatPost
added 2016/07/21 1:2 p.m. (11 views)

15 Vulnerabilities in SAP HANA Outlined

SAP recently fixed 15 different vulnerabilities that existed in the database management system HANA and subsequent communication channels used by the software. All told the vulnerabilities affect just north of 10,000 SAP customers running different versions of the system, according to researchers...

AI score: 0.1
Exploits: 0, References: 6

ThreatPost
added 2016/07/21 7:0 a.m. (21 views)

IoT Insecurity: Top Connected Device Security Concerns

It’s a coin toss whether or not that Internet of Things device you depend on is secure. Those unacceptable 50/50 odds come from a survey by IOActive where technology professionals were asked about the security of connected devices from thermostats, security cameras to alarm systems. Those numbers...

CVSS: 6.4, AI score: 0.1, EPSS: 0.01728
Exploits: 0, References: 4

ThreatPost
added 2016/07/20 1:21 p.m. (21 views)

SoakSoak Botnet Pushing Neutrino Exploit Kit and CryptXXX Ransomware

Researchers are reporting a surge in CryptXXX ransomware infections delivered via business websites compromised to redirect to the Neutrino Exploit Kit. Attackers are targeting websites running the Revslider slideshow plugin for WordPress, according to a report released Tuesday by Invincea. Behin...

AI score: 1.4
Exploits: 0, References: 4

ThreatPost
added 2016/07/20 9:21 a.m. (16 views)

Oracle Fixes 276 Vulnerabilities in July Critical Patch Update

Oracle has one-upped itself once again. The company fixed a record 276 vulnerabilities – more than half of which are remotely exploitable – as part of its July Critical Patch Update released Tuesday afternoon. The quarterly patch update resolves vulnerabilities in 84 different products, including...

AI score: 0.1
Exploits: 0, References: 5

ThreatPost
added 2016/07/19 1:13 p.m. (8 views)

Google Chrome Malware Leads to Sketchy Facebook Likes

Ever wonder how your mild-mannered friend’s Facebook feed suddenly got packed with lewd clickbait? That’s the question Maxime Kjaer was determined to answer when he noticed a friend’s Facebook feed peppered with Likes for sketchy link bait such as “Basic Kissing Tips”. “Intrigued, I decided to go...

AI score: 0.8
Exploits: 0, References: 3

ThreatPost
added 2016/07/19 1:2 p.m. (12 views)

Former Cardinals Scout Christopher Correa Sentenced Four Years for Houston Astros Hack

The Federal Court came down hard on a former scouting director for the St. Louis Cardinals on Monday, sentencing Christopher Correa to almost four years in prison for hacking into a computer system that belongs to the Houston Astros. Correa, who until last summer served as Director of Baseball...

AI score: 7.2
Exploits: 0, References: 8

Total number of security vulnerabilities: 15946