5 Vulnerabilities Fixed In Chrome Browser, Google Pays $20K to Bug Hunters
Google is urging Windows, Mac and Linux users to update their Chrome browser to fix five security holes – two of which rate as high severity. Google warned users of the vulnerabilities Wednesday as it released a new version, 50.0.2661.102, of the browser. The Chrome security holes were found by four...
Motion Filed Asking FBI To Disclose Tor Browser Zero Day
Mozilla on Wednesday filed a motion with the U.S. District Court in Tacoma, Wa., asking the government to disclose a vulnerability it exploited in the Tor Browser and Firefox. The FBI used the zero-day to hack a child pornography site and de-anonymize users visiting the site using the Tor Browser...
Wendy's Comes Clean On Data Breach
Fast-food chain Wendy’s disclosed it was a victim of a point-of-sale system attack that installed malware on PoS computers affecting 300 franchise restaurants. The disclosure was part of the company’s first quarter 2016 SEC filings on Wednesday and is the most complete account to date of a 2015 data...
FireEye Details Microsoft Zero Day Attack on 100 Companies
More than 100 North American companies were attacked by crooks exploiting a Windows zero day vulnerability. The attacks began in early March and involved the zero day vulnerability CVE-2016-0167 reported and partially fixed in April’s Patch Tuesday security bulletins by Microsoft. The zero day wa...
Viking Horde Malware Co-Opts Android Devices for Ad Fraud
The latest Android malware campaign to wend its way through Google’s Play marketplace can leverage victims’ phones for ad fraud, carry out DDoS attacks, send spam, and more, researchers warn. Dubbed Viking Horde, the campaign ropes Android devices into a botnet without their owners being any the...
Attackers Targeting Critical SAP Flaw Since 2013
Three dozen global enterprises have been breached by attackers who exploited a single, mitigated vulnerability in SAP business applications. The attacks have been carried out since 2013 and are ongoing against large organizations owned by corporations in the United States, United Kingdom, Germany,...
Facebook Capture The Flag Platform Open Source
If you’ve been to DEF CON or any number of other technical hacker conferences, you’re familiar with Capture the Flag contests. These events pit teams of hackers and researchers against each other in a series of challenges until a winner is determined. Capture the Flag is also a valuable teaching...
IBM's Watson Supercomputer Tackles Security
IBM is leveraging the power of its Watson supercomputer to thwart viruses, ransomware and DDoS attacks. On Tuesday it unveiled an ambitious plan to feed Watson billions of data points from security sources daily so that Watson can spot anomalies as they happen and stop them dead in their tracks...
May 2016 Microsoft Patch Tuesday Security Bulletins
Microsoft released a hefty load of security bulletins today, which included a patch for a JScript and VBScript scripting engine vulnerability being publicly exploited. The flaw is addressed in its own bulletin, MS16-053, but users need to pay attention to, and apply MS16-051 as well since the...
Outdated, Unpatched Software Rampant in Businesses
We all know outdated software, browsers, and plugins are unsafe, but how unsafe? Duo Labs has taken a hard look at the dangers of outdated software in a report released Tuesday that said 25 percent of business systems risk exposure to 700 possible vulnerabilities. The most insecure software, Duo...
Adobe Patches 95 Vulnerabilities in Acrobat, Reader, Warns of Flash Zero Day
Adobe rolled out security updates for three of its products on Tuesday, including 95 fixes it pushed for Acrobat, Reader, and ColdFusion. Users will have to wait until later this week, however, to patch a critical vulnerability that exists in Flash Player. It may only be a matter of time until th...
FCC, FTC Investigate Mobile Security Update Practices
The glowing lack of public, real-world Stagefright exploits didn’t stop the U.S. government from using last summer’s blockbuster Android vulnerability as an illustration of the dangers facing mobile device users. Under the context of Stagefright exposing up to 1 billion devices to attack, the...
WordPress 4.5.2 Security Release
WordPress vulnerabilities continue to be a magnet for hackers laden with exploit kits, and as recently as February, crippling ransomware attacks. As a result, WordPress has already released three security updates this year, the latest for the content management system coming last Friday, bringing...
Yahoo Releases Second Wave Unsealed FISA Documents
Yahoo officially released part two of its once-secret government documents that were part of its 2007 court battle with the Foreign Intelligence Surveillance Court (FISC) that forced it to reveal sensitive customer data requested by the National Security Agency. This second wave of documents brings...
GoDaddy Patches Blind XSS Vulnerability
Domain registrar GoDaddy fixed a vulnerability affecting systems used by its customer support agents that could have been abused to take over, modify or delete accounts. Researcher Matthew Bryant said that a riff on a cross-site scripting attack called a blind XSS was to blame. A GoDaddy customer...
Police Allege SWIFT Technicians Left Bangladesh Bank Vulnerable
Bangladeshi police this week alleged that technicians associated with the financial network SWIFT introduced vulnerabilities that made it easier for hackers to infiltrate the systems of Bangladesh Bank and carry out a massive heist. Earlier this year hackers used stolen credentials to inject...
Bucbi Ransomware Gets Makeover
Two-year-old Bucbi ransomware is making a comeback, with new targeted attacks and a new brute force technique. Researchers at Palo Alto Networks said they spotted the ransomware recently infecting a Windows Server, demanding a ransom of 5 bitcoins or $2,320. Researchers report the ransomware is no...
Twitter Denies Intelligence Community Fire Hose Access Via Dataminr
A Twitter business partner, whose service sifts through Twitter’s so-called fire hose of tweets as well as data from other sources to ascertain patterns in breaking news events, has been told to no longer provide its services to the U.S. intelligence community. The Wall Street Journal on Sunday...
Microsoft Security Intelligence Report: Top Takeaways
Microsoft’s Security Intelligence Report painted a bleak picture when it comes to malware, fraudulent login attempts and the staying power of really old exploits. Key findings in the 198-page biannual report run the gamut illustrating how old threats die hard and what new threats are on the...
On Ransomware Hitting an Online Casino, Brazil Taking WhatsApp Offline, And More
Mike Mimoso, Chris Brook, and Threatpost’s newest reporter, Tom Spring, discuss the week in news, including a first hand account of an online casino’s experience with a Teslacrypt infection, Brazil shutting down WhatsApp, and attackers mining an ADP portal for W-2s. Download:...
PwnedList Shutdown Unrelated to Parameter Tampering Vulnerability
PwnedList, an online service that allows subscribers to monitor whether their credentials have been leaked in data breaches, said on Thursday that its decision to shut down has nothing to do with a serious vulnerability that exposed its collection of 866 million compromised credentials. “The site...
New Security Flaw Found in Lenovo Solution Center Software
A new vulnerability has been discovered in Lenovo’s much-maligned Lenovo Solution Center (LSC) software. The vulnerability allows attackers with local network access to a PC to execute arbitrary code, said researchers at Trustwave SpiderLabs. The flaw allows an attacker to elevate privileges and is...
Affordable AlphaLocker Ransomware Difficult to Detect
It’s rare a week goes by now without a new strain of ransomware making headlines. Researchers described one of the latest earlier this week, a relatively affordable ransomware-as-a-service named AlphaLocker. One of the main selling points to AlphaLocker is how cheap it is; the ransomware can be...
Ransomware Victims Lessons Learned
For online casinos, business begins to peak as gamblers punch out of work and belly-up to virtual blackjack tables. But on this Tuesday in February at 5p.m., the odds were not in the house’s favor. That’s when this virtual casino—with tens of millions of dollars in virtual transaction data,...
Old Android Flaw Elevates Privileges, Steals SMS, Call Logs
A five-year-old Android vulnerability disclosed today affects hundreds of different device models going back to Jelly Bean 4.3. Older devices are at the greatest risk; newer devices running Android with SE Android, the OS’ implementation of Security Enhanced Linux, are at a lesser risk. The...
Cisco Issues Critical Security Warning Tied to TelePresence Hardware
Cisco Systems said it has patched a critical flaw tied to its TelePresence hardware that allowed unauthorized third-parties to access the system via an API bug. The networking behemoth also alerted customers to a duo of denial of service attack vulnerabilities that represent a high risk for its...
Apple Patches Two Flaws in Xcode's Git Implementation
Apple has updated its Xcode development environment, patching two vulnerabilities in its implementation of git. Git is a version control system, and in March its handlers patched two flaws that exposed the software to remote code execution. The new version of Xcode, 7.3.1, is available for El...
Identity Thieves Used Leaked PII to Steal ADP Payroll Info
Cybercriminals accessed a W-2 portal maintained by payroll company ADP recently to glean sensitive information about employees at a handful of companies. The company is stressing that the company itself wasn’t hacked, but that it appears identity thieves may have been able to create ADP accounts ...
Public Exploits Available for ImageMagick Vulnerabilities
Within hours of the disclosure of serious vulnerabilities in ImageMagick, public exploits were available, increasing the risk to thousands of websites that make use of the open source image-processing software. Attackers can append malicious code to an image file that ImageMagick will process...
10-Year-Old Instagram Bug Hunter Earns $10,000
A 10-year-old boy from Finland earned $10,000 after discovering an API bug that allowed him to erase Instagram comments from any account. Facebook confirmed to Threatpost the boy, who goes by the name “Jani”, discovered the bug in late February and received the payout in early March from Facebook...
Google Expands Default HTTPS to Blogspot
Google today flipped the switch on default HTTPS support for its free domain service provider Blogspot, upping the security ante for the millions of users of the popular platform. Google had previously introduced HTTPS support for Blogspot domains as an option in September 2015. Starting Tuesday,...
Brazilian Judge Overturns 72-Hour WhatsApp Suspension
Following an appeal from WhatsApp’s lawyers, on Tuesday afternoon a Brazilian judge overturned a suspension previously handed down this week that would’ve blocked usage of the messaging app for 72 hours. According to Reuters, on Tuesday afternoon a “different judge from the state tribunal...
Linux Foundation Badge Program Boosts Open Source Security
The Linux Foundation says a new Core Infrastructure Initiative (CII) Best Practices Badge program launched Tuesday will help companies interested in adopting open source technologies evaluate projects based on security, quality and stability. The CII Best Practices Badge does not issue certificates...
OpenSSL Patches Padding Oracle Attack Bug
The latest batch of OpenSSL security patches was released today, with a pair of high-severity flaws and four low-severity issues addressed in OpenSSL 1.0.1t and OpenSSL 1.0.2h. One of the high-severity flaws, CVE-2016-2107, opens the door to a padding oracle attack that can allow for the...
FreedomPop Account Hijacking Flaws Remain Unpatched
It took close to two months, but free wireless and mobile provider FreedomPop has acknowledged reports of a serious vulnerability in its service. U.K.-based researcher Paul Moore told Threatpost that FreedomPop, which has been operating in the U.K. since last September, finally responded to a bug...
Microsoft's SHA-1 Deprecation Begins with Windows 10 Anniversary Update
The home stretch of Microsoft’s planned SHA-1 deprecation schedule has arrived. This summer, with the planned release of the Windows 10 Anniversary Update, users should see signs that the weak cryptographic hash function is being phased out. Microsoft said that once the anniversary update is roll...
Microsoft Expands Bug Bounty Program, Preps Windows Server 2016 for Final Release
Microsoft is accelerating the fumigation of bugs on its soon-to-be released Windows Server 2016 operating system. Last week, Microsoft announced a new bug bounty program running from April 29, through July 29, 2016 – with up to $15,000 in rewards for each qualifying bug. Microsoft’s expansion of...
FBI Issues Ransomware Warning
The FBI has issued a warning to businesses about the relentless wave of ransomware. The bulletin includes preventative tips, and an affirmation of the bureau’s stance that companies affected by cryptoransomware attacks in particular should not succumb to temptation and pay their attackers off. Th...
Privacy Watchdogs Vow to Fight 'Dystopian' Rule 41
The Supreme Court is moving to expand the FBI’s hacking authority with Criminal Rule 41, an amendment to federal criminal procedures that makes it easier for the FBI to access computers remotely when their locations are unknown. Privacy watchdogs are blasting the proposed change saying it would...
Google Patches More Trouble in Mediaserver
Google has re-branded its monthly patch release, bringing a new name and new scope to the newly renamed Android Security Bulletin. While that may be new, the content is definitely familiar. Once again, critical remote code execution Mediaserver vulnerabilities dominate this month’s patches...
Slack Plugs Token Security Hole
Popular collaboration and communication firm Slack rushed to plug a security hole in its platform Thursday that was leaking some of its users’ private chats and files for anyone to access. Slack, a leading tool used by companies to communicate internally, was alerted by security firm Detectify...
Google Patches 9 Security Flaws in New Chrome Browser Build
Google updated its browser Thursday patching nine security bugs, labeling four as “high” and two as a “medium” risk to computer users. The update was tied to a new Chrome browser build 50.0.2661.94 that fixes the flaws. Google also shelled out $14,000 tied to bug bounty payouts addressed in this...
Phony Google Update Spreads Android Malware
Android users are being warned of a phony Google update that is pushing malware onto devices. The attackers behind this scheme are domain squatting URLs that are similar to ones used by Google for legitimate updates, hoping to snare less-than-vigilant users. Researchers at Zscaler said yesterday ...
CryptXXX Ransomware Spreading Via Angler Exploit Kit
In the ransomware world, it doesn’t take long for today’s darling to become yesterday’s news. Case in point: Locky. Not long ago, Locky was at the core of debilitating infections at major hospitals in California and the Washington, D.C., area, affecting not only access to patient data but also...
Privacy Activists Cheer Passage of Email Privacy Act, Brace for Senate Battle
In a vote of 419-0 on Wednesday, the U.S. House of Representatives passed the Email Privacy Act that would require the government to obtain a warrant in order to access digital communications stored in the cloud. Privacy advocates cheered the victory and said it was a win for U.S. citizens and...
Unskilled Pro-ISIS Hackers A Growing Threat
Hackers sympathetic to ISIS may lack the funding and talent of government-sponsored hackers, but they merit attention because of their promotion of physical violence and ability to incite others via social media to target individuals or groups. A report today by security company Flashpoint points...
Scourge of Android Overlay Malware on Rise
The black market for malicious Android software is heating up thanks to a rise in popularity of overlay malware, which can siphon credentials off Android devices and give crooks a tool to defeat two-factor identification schemes, according to security researchers at IBM’s X-Force. Overlay malware...
Office 365 Vulnerability Exposed Any Federated Account
A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in position to have access to any account and data, including email messages and files stored in the cloud-based service. Microsoft pushed through a mitigation to the service on Jan. 5,...
Tuto4PC Utilities Silently Install 12M Backdoors, Cisco
Security experts are warning PC users of scareware computer utilities published by the French firm Tuto4PC that secretly bundle adware and spyware. Cisco’s Talos security research team said several of the company’s utilities, including OneSoftPerDay and System Healer, contain Trojans that exhibit...
Firefox 46 Patches Critical Memory Vulnerabilities
Mozilla yesterday updated Firefox and patched 10 vulnerabilities, one of which was rated critical. Firefox 46 also included patches for four vulnerabilities that Mozilla rated as high severity. Critical bugs enabled remote code execution without user interaction, while bugs rated high can be exploit...