Yahoo Discloses Contents of Three National Security Letters
Yahoo today disclosed the contents of three National Security Letters it has received since 2013, the first time a company has made such a disclosure since the passage of the USA FREEDOM Act. Under the law, the FBI is now required to periodically review whether non-disclosure around National...
Windows Zero Day Selling for $90,000
Hackers claim to have unearthed a zero-day vulnerability giving attackers admin rights to any Windows machine from Windows 2000 to a fully patched version of Windows 10. The zero day is for sale on the black market for $90,000. Security experts say the zero-day exploit looks legitimate and in the...
SandJacking Attack Puts iOS Devices At Risk to Rogue Apps
Apple has yet to patch a vulnerability disclosed during last week’s Hack in the Box hacker conference in Amsterdam that allows an attacker with physical access—even on the latest versions of iOS—to swap out legitimate apps with malicious versions undetected on the device. Researcher Chilik Tamir ...
Millions of Stolen MySpace, Tumblr Credentials Being Sold Online
Hackers are peddling roughly 427 million passwords belonging to users of MySpace, a social network that in its heyday was one of the most visited sites on the internet. The same service that claimed to have information on 164 million LinkedIn users earlier this month is now boasting to have...
Hackers Find Bugs, Extort Ransom and Call it a Public Service
Crooks breaking into enterprise networks are holding data they steal for ransom under the guise they are doing the company a favor by exposing a flaw. The criminal act is described as bug poaching by IBM researchers and is becoming a growing new threat to businesses vulnerable to attacks. Accordi...
OEM Bloatware Security Vulnerabilities Found
Last year’s Superfish and eDellRoot bloatware mishaps exposed the security nightmare that pre-installed software updaters can create on new laptops. And while these two high-profile incidents made the issue public, they’re hardly isolated cases. Many popular consumer and business laptops from...
Cybercrime Hit Businesses Hardest in 2015, says IC3 Report
Businesses were hit hardest by inbox-based scams in 2015 that robbed U.S. companies of $263 million. The numbers come from the FBI’s recently released 2015 Internet Crime Report that tallies the types of cybercrimes hitting U.S. business and individuals the hardest. According to the FBI, its...
Judge Tosses Evidence Gathered by FBI's Tor Exploit
The FBI’s refusal to share details about a network investigative technique it used to gather evidence against a Vancouver teacher charged with possession of child pornography has forced a federal judge’s hand to exclude the evidence from trial. The NIT used by the FBI to hack the Playpen website ...
Researcher Pockets $30,000 in Chrome Bounties
Security researcher Mariusz Mlynski is having a good month. Having cashed in earlier in May to the tune of $15,500, Mlynski pocketed another $30,000 courtesy of Google’s bug bounty program after four high-severity vulnerabilities were patched in the Chrome browser, each worth $7,500 to the...
Microsoft Offers Pro-Tips on Avoiding Credential Theft
With the scourge of digital credential theft on the rise, Microsoft is urging IT admins to button up their networks and get serious about passwords and account security. The IT behemoth posted on Tuesday a best practices cheat sheet for administrators along with updating customers on some of the...
Amazon Users Targets of Massive Locky Ransomware Spam Campaign
Amazon customers were targeted in a massive spear phishing campaign where recipients received Microsoft Word documents with a macro that triggered downloads of the Locky ransomware. Researchers at Comodo Threat Research Labs say it is one of the largest spam ransomware campaigns this year. Fatih...
Warrant Canary Database Shuts Down
Warrant canaries aren’t definitive markers that a company has been served with a National Security Letter or some other type of court order mandating that customer information be turned over to a government agency or law enforcement. But oftentimes, they are a strong indicator that something has...
Moxa MiiNePort Devices Leak Data, Open to Unauthorized Access
Embedded device servers made by Moxa remain vulnerable to a trio of vulnerabilities disclosed today in an advisory published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and a blog post by researcher Karn Ganeshen. Moxa, which is based in Taiwan, will publish a beta...
Wekby APT Gang Seen Using DNS Tunneling for Command and Control
Palo Alto Networks is reporting a shift in malware tactics used by the APT group Wekby that has added a rare but effective new tool to its bag of tricks. The security firm reported on Tuesday that over the past week, Wekby attackers are turning to the technique known as DNS tunneling in lieu of...
APT Groups Exploiting Patched Microsoft Office Flaw CVE-2015-2545
A Microsoft Office vulnerability patched six months ago continues to be a valuable tool for APT gangs operating primarily in Southeast Asia and the Far East. Researchers at Kaspersky Lab today published a report describing how attackers continue to flourish exploiting CVE-2015-2545, a remote code...
Google Aims to Kill Passwords with Project Abacus
Google wants to kill passwords. And the weapon it wants to use is called Project Abacus, which Google said will become available on Android devices by the end of 2016. The way Project Abacus works is that instead of relying on passwords or two-factor authentication to open your Android phone, you...
Apple Hires Crypto Innovator Jon Callas
Jon Callas, equal parts security entrepreneur and innovator, has been hired at Apple for what will be his third stint with the company. Callas left Silent Circle, a company he cofounded, in April after four years there. Silent Circle designs and produces secure communication platforms, including...
LinkedIn Latest Contributor to Breach Fatigue
The obvious takeaway from last week’s LinkedIn data breach revelation where we learned hackers were selling 117 million LinkedIn usernames, email addresses and passwords from a 2012 breach is, change your passwords, and often. The not so obvious takeaways come from noted security expert Troy Hunt,...
Wireless Keyloggers Hidden in USB Wall Chargers, FBI Warns
A private industry notification sent by the FBI in late April to its business partners warns of the risks associated with KeySweeper, a tool released in January 2015 by noted hardware hacker and researcher Samy Kamkar. Sixteen months ago, Kamkar released the source code and instructions on how to...
Unraveling Turla APT Attack Against Swiss Defense Firm
Ever since hackers targeted Swiss defense contractor RUAG, government officials have been tight-lipped about the breach. But on Monday Switzerland’s CERT (Computer Emergency Readiness Team) spilled the beans on the attack against the firm and how the perpetrators pulled it off. While Monday’s repor...
Persistent EITest Malware Campaign Jumps from Angler to Neutrino
A two-year-old EITest malware campaign is still going strong, fueled by the fact it has shifted its distribution technique over time. Now, researchers at the SANS Institute’s Internet Storm Center are reporting EITest is morphing again based on analysis of the malware campaign conducted earlier...
SWIFT Urges Collaboration on Financial Security
The SWIFT banking network on Friday updated financial institutions worldwide of new security resources it has developed in the wake of massive fraud. Officials also reminded banks of their role in securing their respective infrastructures. Banks in Bangladesh, Vietnam and Ecuador have been...
Exploit Kits Attacking Adobe Flash Player Zero Day
Update: Exploits for the most recent Adobe Flash Player zero-day vulnerability have been integrated into the Angler, Neutrino and Magnitude exploit kits, and are leading compromised computers to different ransomware strains, banking malware, and a credential-stealing Trojan. A French researcher wh...
Microsoft Warns of Sneaky New Macro Trick
Microsoft is warning of an innovative new technique attackers are using to sneak macro malware past virus detection engines and add to the already huge uptick in reported macro attacks. According to researchers at Microsoft’s Malware Protection Center, they stumbled upon the macro technique in a...
Instagram Patches Brute-Force Authentication Flaws
Facebook on Thursday patched a pair of vulnerabilities that enabled brute-force attacks against Instagram passwords, and also hardened its password policy. Researcher Arne Swinnen privately disclosed the flaws in December and in February respectively. One bug was patched in February, while the...
Google Allo a Clash of Privacy and Functionality
Reaction to the release of Google’s Allo messaging app has been mixed since it was unveiled Wednesday during Google’s I/O event. Allo has two modes, a normal mode run by an artificial intelligence that includes Google Assistant. It analyzes messages and offers suggestions based on the content tha...
LinkedIn Slams Breach Data Reseller With Cease and Desist Order
LinkedIn is striking back against a website attempting to monetize the 117 million usernames and passwords stolen from the company as part of a 2012 data breach. Website LeakedSource is reporting lawyers representing LinkedIn have served the company a cease and desist order on Wednesday alleging...
On the LinkedIn Breach, TeslaCrypt Closing Up Shop, and More
Mike Mimoso and Chris Brook discuss the news of the week, including the LinkedIn breach, TeslaCrypt closing up shop, and a breakthrough in random number generation. The two also recap this week’s Source conference in Boston. Download: ThreatpostNewsWrapMay202016.mp3 Music by Chris Gonsalves...
Protecting Cloud APIs Critical to Mitigating Total Compromise
When it comes to cloud computing, APIs more or less drive everything, but in the eyes of some researchers, existing security controls around them haven’t kept pace. While individual components of a system can be secure, when that system gets deployed in the cloud it can often become insecure – an...
Android Qualcomm Vulnerability Impacts 60 Percent of Devices
A flaw in mobile chip maker Qualcomm’s mobile processor, used in 60 percent of Android devices, allows attackers to take control over a targeted phone or tablet under specific conditions. Researchers at Duo Labs said the vulnerability is tied to Android’s problem-plagued mediaserver, coupled with...
Ubiquiti Network Gear Targeted By Worm
ISP equipment maker Ubiquiti Networks is fending off a stubborn worm targeting its networking equipment running outdated AirOS firmware. According to security experts, the worm is already being blamed for crippling networking gear in Argentina, Brazil, Spain and the United States. Ubiquiti...
Master Decryption Key Released for TeslaCrypt Ransomware
The criminals behind the TeslaCrypt ransomware have closed up shop and publicly released the master decryption key that unlocks files encrypted by the malware. The news is significant given the investment and constant innovation devoted to TeslaCrypt, which has been one of the most active...
LinkedIn Breach Just Got A Lot Worse: 117 Million New Logins For Sale
Over 117 million LinkedIn user logins are for sale on the black market “The Real Deal” by hacker “Peace” for five Bitcoins ($2,280). The breach is tied to an earlier hack on LinkedIn in 2012, when the company originally said 6.5 million accounts had been compromised. The hacker, identified as Peace...
Gaping Security Hole in Android Platform Grows Larger, Researchers Claim
Security researchers at Skycure are upping the ante on a vulnerability that it says now leaves 95.4 percent of Android devices vulnerable to an attack that hands over control of a phone or tablet to an attacker. First reported at the RSA Conference in March, Skycure discovered a theoretical attac...
Google Set to Kill SSLv3, RC4 in SMTP, Gmail in June
Google clarified this week exactly when it plans to disable support for the RC4 stream cipher and the SSLv3 protocol on the company’s SMTP servers and Gmail’s web servers. It turns out the end will come sooner than later; the company announced it will begin to disable both a month from now, on Ju...
Academics Make Theoretical Breakthrough in Random Number Generation
Two University of Texas academics have made what some experts believe is a breakthrough in random number generation that could have longstanding implications for cryptography and computer security. David Zuckerman, a computer science professor, and Eshan Chattopadhyay, a graduate student, publish...
Banking Trojan Outwits Google Play Malware Scanner
Google Play’s first line of defense against malware was circumvented by attackers who managed to sneak a malicious app called “Black Jack Free” into the official app store. The app was discovered by Lookout Security and removed by Google last week. Lookout estimates that 5,000 people downloaded t...
Apple Patches DROWN, Lockscreen Bypass Vulnerability, With Latest Round of Updates
Apple on Monday rolled out a series of patches for nearly all of its operating systems, OS X, iOS, its smart watch operating system, watchOS, and Apple TV’s tvOS, along with fixes for both iTunes and Safari. OS X received the lion’s share of the updates, 67 in total, bringing Apple’s operating...
Giving Red-Teamers the Blues
Pen-testing engagements are generally a breeze for most red-teamers; roadblocks are few, despite the ones in place being expensive and often paid for by very large companies. Chris Nickerson has been running such engagements for 15 years and he sees companies that throw more money and more server...
Microsoft Quietly Kills Controversial Wi-Fi Sense Feature
From its introduction, Microsoft’s Windows 10 feature Wi-Fi Sense has faced a massive amount of fear, uncertainty and doubt. Now those losing sleep over the feature can get some rest; Microsoft quietly announced last week it’s snuffing out the feature. Later this summer, when Microsoft rolls out ...
500K Members of Hacking Forum Doxxed
An underground forum called Nulled.io that helped users share stolen credentials, software cracks, and leaked content was hacked earlier this month, spilling a glut of information, including users’ email addresses, encrypted passwords, and IP addresses, among other details. According to researche...
Chrome Defaults to HTML5 over Adobe Flash Starting in Q4
As zero days in Adobe Flash Player continue to bubble to the surface, major technology players are announcing their plans to shove the maligned software aside in favor of HTML5. Google is the latest, announcing recently that by Q4 of this year, HTML5 would be the default in the Chrome browser,...
Malware-Laced Porn Apps Behind Wave of Android Lockscreen Attacks
Incidents of Android lockscreen malware masquerading as porn apps are a growing concern to security analysts who are forecasting an uptick in attacks. Once infected, Android users bitten by this malware appear to be locked out of their device and are forced to undergo a complex extraction of the...
Cerber Ransomware On The Rise, Fueled By Dridex Botnet
Starting in April, security experts at FireEye spotted a massive uptick in Cerber ransomware attacks delivered via a rolling wave of spam. Researchers there link the Cerber outbreaks to the fact that attackers are now leveraging the same spam infrastructure credited for making the potent Dridex...
On Zero Days, SAP Vulnerabilities, and FBI vs. Tor
Mike Mimoso and Chris Brook discuss the news of the week, including zero day vulnerabilities–both in Adobe Flash and Windows, a nasty vulnerability in SAP business applications, Mozilla asking FBI to disclose a Tor exploit, and more. Download: ThreatpostNewsWrapMay132016.mp3 Music by Chris Gonsal...
Tumblr Requires Password Reset
Yahoo has forced a password reset on Tumblr account holders after it discovered that someone had accessed email addresses, and salted and hashed passwords from early 2013. A Tumblr spokesperson would not disclose who had accessed the data, where it was found, nor how many email addresses were...
SWIFT Warns of Second Bank Attack via PDF Malware
News of yet another attack involving a bank and SWIFT, the financial network used by thousands of banks to transfer funds, came to light Thursday as investigators continue to probe a separate $81 million heist in February involving the network and the central bank of Bangladesh. The Brussels-base...
Petya Ransomware Installs Mischa As Failsafe
The Petya ransomware strain signaled a new escalation for crypto-malware when it surfaced in March. For the first time, ransomware went beyond encrypting files on local and shared drives and instead set its sights on locking up the Master File Table on compromised machines. Petya did have its...
Corruption, Code Execution Vulnerabilities Patched in Open Source Archiver 7-Zip
Several vulnerabilities were fixed this week in the file archiver 7-Zip that could have led to arbitrary code execution and file corruption. The developer behind the tool, which is open source and can be used with any compression, conversion, or encryption method, is urging users to update to the...
Adobe Emergency Update Patches Flash Zero Day
As promised earlier this week, Adobe today released an updated version of Flash Player that includes a patch for a zero-day vulnerability. Adobe said it is aware of the existence of a public exploit for CVE-2016-4117, but said the flaw has not been publicly attacked. The vulnerability affects Fla...