
15946 matches found

ThreatPost
added 2016/03/25 11:46 a.m. | 10 views

On Apple Patches, the iMessage Bug, Apple vs. FBI, Locky, and Badlock

Mike Mimoso and Chris Brook recap the week in news, including how the FBI vacated Tuesday’s Apple hearing, a crypto iMessage bug that was patched, and the latest hospital to be hit by the ransomware Locky. The two also preview Badlock and what, if any, implications this week’s announcement may...

AI score: 1
Exploits: 0 | References: 2

ThreatPost
added 2016/03/25 9:46 a.m. | 27 views

Google Fixes Four Critical Vulnerabilities in Latest Chrome Build

Google pushed out the latest version of Chrome Thursday afternoon, fixing five issues, four of them critical. The update remedies an out-of-bounds read in Chrome’s open source JavaScript engine V8, two use-after-free vulnerabilities – one in Navigation and one in Extensions – and a buffer overflo...

CVSS: 9.3 | AI score: 1.9 | EPSS: 0.45298
Exploits: 1 | References: 9

ThreatPost
added 2016/03/25 8:15 a.m. | 27 views

Apple Mac OS X Zero Day Vulnerability SIP Bypass

System Integrity Protection (SIP) was implemented in OS X El Capitan and imposes limitations on what actions Mac computers’ root accounts can take against protected paths of the operating system. Yesterday at the SysCan360 conference in Singapore, a researcher from SentinelOne disclosed detail...

AI score: 1.1
Exploits: 0 | References: 1

ThreatPost
added 2016/03/24 3:15 p.m. | 13 views

Iranians Indicted Over DDoS Campaign on Banks, Dam Hack

The U.S. government on Thursday indicted seven hackers affiliated with the Iranian government for attacks it called “a frightening new frontier in cybercrime.” Accusing the men of carrying out a series of distributed denial of service (DDoS) attacks against 46 financial companies, the Department of...

AI score: 0.6
Exploits: 0 | References: 7

ThreatPost
added 2016/03/24 12:11 p.m. | 13 views

Microsoft Deploys Macro-Blocker in Office to Curb Malware

If it ain’t broke, don’t fix it. If there’s one thing the recent surge in threats using macros to spread malware has shown, it’s that the vector is clearly working for attackers. Developers at Microsoft hope a feature in the latest version of Microsoft Office will reduce the frequency of those...

AI score: 0.7
Exploits: 0 | References: 8

ThreatPost
added 2016/03/24 12:5 p.m. | 46 views

Emergency Java Patch Re-Issued for 2013 Vulnerability

Oracle yesterday released an emergency patch for a Java vulnerability that was improperly patched in 2013. Researchers at Security Explorations in Poland two weeks ago disclosed that a Java patch for an issue the company reported in 2013, CVE-2013-5838, was still trivially exploitable, and it...

CVSS: 9.3 | AI score: 0.6 | EPSS: 0.05765
Exploits: 0 | References: 4

ThreatPost
added 2016/03/24 10:18 a.m. | 10 views

Apple Intel HD3000 Graphics kernel driver patch

While the iMessage crypto bug got most of the attention among this week’s Apple patches, another vulnerability that was addressed represents a nasty trend of privilege escalation flaws that merit watching. Researchers at Cisco on Wednesday disclosed details on a flaw in an OS X graphics kernel...

AI score: 0.1
Exploits: 0 | References: 6

ThreatPost
added 2016/03/23 9:43 a.m. | 10 views

Locky Ransomware Causes 'Internal State of Emergency' at Kentucky Hospital

For a strain of ransomware that’s only been in the wild for a little more than a month, Locky has sure been able to make a name for itself. The malware gained notoriety last month when it confounded administrators at the Hollywood Presbyterian Medical Center in Los Angeles and apparently took...

AI score: 0.1
Exploits: 0 | References: 12

ThreatPost
added 2016/03/23 9:0 a.m. | 11 views

Bruce Schneier on the Integration of Privacy and Security

Threatpost Editor in Chief Mike Mimoso talks to crypto pioneer and security expert Bruce Schneier of Resilient Systems about the early days of the RSA Conference, the integration of privacy and security, and the current FBI-Apple debate over encryption and surveillance...

AI score: 3.1
Exploits: 0

ThreatPost
added 2016/03/23 7:0 a.m. | 52 views

Android Rooting Application Emergency Patch

A rooting application has been found in the wild targeting Nexus mobile devices using a local privilege escalation vulnerability patched two years ago in the Linux kernel that remains unpatched in Android. Researchers at Zimperium, the same company that discovered last summer’s Stagefright flaws...

CVSS: 7.2 | AI score: 7.5 | EPSS: 0.01478
Exploits: 3 | References: 3

ThreatPost
added 2016/03/23 6:0 a.m. | 15 views

Uber Bug Bounty Rewards Loyalty, Promises Transparency

Uber’s bug bounty program emerged from private beta mode yesterday, which it used as a feedback forum for participants in order to develop the public program. “This was pretty unique in its approach,” said HackerOne CTO Alex Rice. Uber’s program is built on the HackerOne platform, and Uber...

AI score: 7.3
Exploits: 0 | References: 3

ThreatPost
added 2016/03/22 2:44 p.m. | 9 views

Google Debuts New Untrusted CA Log Submariner

Google wants the internet to know that it’s keeping track of deployed certificates, whether they’re trusted or not. While the search behemoth has long maintained a list of trusted Certificate Authorities, it announced on Monday that it has created a new list of CAs that were once, or are not yet...

AI score: 0.2
Exploits: 0 | References: 6

ThreatPost
added 2016/03/22 12:42 p.m. | 8 views

Attention Turns to FBI's 'Outside Party'

The FBI’s motion for a continuance in its case against Apple has opened a new avenue in this debate as to the identity and means by which the mystery “outside party” could unlock terrorist Syed Farook’s iPhone. Late yesterday afternoon, the FBI filed a motion to vacate a hearing scheduled for tod...

AI score: 6.6
Exploits: 0 | References: 6

ThreatPost
added 2016/03/22 11:28 a.m. | 8 views

Deluge of Apple Patches Fix Vulnerabilities in OS X, iOS, Safari, and More

In addition to fixing the serious crypto vulnerabilities in iMessage that surfaced yesterday, Apple also deployed patches for nearly all of its products, including Safari, OS X, iOS, Apple TV’s tvOS, and watchOS. The iOS update, 9.3, is arguably the most pressing given the cryptographic issue dug...

AI score: 0.1
Exploits: 0 | References: 7

ThreatPost
added 2016/03/22 9:0 a.m. | 12 views

Requests for Yahoo User Data Spiked After Paris Terror Attacks

Yahoo’s latest transparency report, published today, reflects a spike in government and law enforcement requests for user data following the Paris terrorist attacks of Nov. 13. The attacks resulted in the deaths of 130 people and injuries to more than 350 others; the situation remains fluid with...

AI score: 6.8
Exploits: 0 | References: 1

ThreatPost
added 2016/03/21 8:8 p.m. | 12 views

FBI Files Motion to Vacate Case Against Apple

Update: The FBI has filed a motion to vacate today’s scheduled court hearing and showdown over its demands that Apple help unlock a terrorist’s iPhone. The government late Monday afternoon filed a motion to vacate its case, likely putting a halt to a saga that began in mid-Februar...

AI score: 0.1
Exploits: 0 | References: 2

ThreatPost
added 2016/03/21 4:56 p.m. | 15 views

BinDiff Now Free, To Delight of Security Researchers

BinDiff is a constant presence inside a security researcher’s toolbox, ideal for patch and malware analysis or reverse engineering of code. The Google-owned software allows researchers to conduct side-by-side comparisons of binary files in disassembled code looking for differences in the samples...

AI score: 0.5
Exploits: 0 | References: 2

ThreatPost
added 2016/03/21 3:56 p.m. | 16 views

Johns Hopkins Researchers: Crypto Flaws Endanger iMessage Integrity

When Apple released its iOS Security Guide for public consumption, it was an unprecedented look inside the security architecture behind its products. For cryptographer and professor Matthew Green and a team of four Johns Hopkins University graduate students, it was a road map to understanding not...

AI score: 6.5
Exploits: 0 | References: 4

ThreatPost
added 2016/03/21 2:32 p.m. | 16 views

FBI Warning Of Car Hacks A Good Start, Say Security Experts

Security researchers are applauding the FBI and the National Highway Traffic Safety Administration for warning the auto industry that cars and trucks are vulnerable to internet-based attacks. But, they argue, more needs to be done by the government and car makers to protect drivers. Last week, in...

AI score: 0.5
Exploits: 0 | References: 2

ThreatPost
added 2016/03/21 1:20 p.m. | 23 views

Yahoo Deploys Passwordless Account Key Tool

In hopes of eliminating the password, at least on the company’s mobile apps, Yahoo on Friday deployed a stable version of its Account Key mechanism. The feature, essentially two-step authentication—without the first step—allows Yahoo users to log into the company’s Finance, Fantasy, Mail,...

AI score: 7.2
Exploits: 0 | References: 6

ThreatPost
added 2016/03/18 4:57 p.m. | 5 views

Home Depot Agrees $19.5 Million To Settle 2014 Breach

Home Depot agreed this week to pay $19.5 million to compensate the 40 million cardholders it said were impacted by a massive 2014 data breach. As part of a proposed settlement by Home Depot, it admits no wrongdoing or liability in the breach, according to court filings with the US District Court...

AI score: 0.2
Exploits: 0 | References: 5

ThreatPost
added 2016/03/18 10:54 a.m. | 21 views

Pwn2Own Day Two: Safari, Microsoft Edge Go Down Winner Announced

In the end, it was a nail-biter pitting Tencent Security Team Sniper (KeenLab and PC Manager) against JungHoon Lee (lokihardt) for the title of Master of Pwn for Pwn2Own 2016. After a tense last two minutes of the competition, it was Tencent Security Team Sniper and its successful code execution of a...

AI score: 7.8
Exploits: 0 | References: 4

ThreatPost
added 2016/03/17 6:41 p.m. | 36 views

Stagefright Variant 'Metaphor' Puts Millions Of Samsung, LG and HTC Phones At Risk

Millions of Android users are at risk of a new Metaphor exploit that can take over Samsung, LG and HTC phones in under 20 seconds. The hack gives attackers access to the targeted phones including the ability to inject malware and take control over key smartphone functions. Discovered by...

CVSS: 10 | AI score: 7 | EPSS: 0.87125
Exploits: 6 | References: 4

ThreatPost
added 2016/03/17 3:7 p.m. | 8 views

Mitre Tackles Its Critics: Set To Revamp CVE Vulnerability Reporting

Mitre Corporation will introduce a new pilot program for classifying Common Vulnerabilities and Exposures (CVE) in the coming weeks. The move is in response to a backlash in the security community where some critics contend Mitre is failing to keep pace with a massive influx in the number of report...

AI score: 7.1
Exploits: 0 | References: 2

ThreatPost
added 2016/03/17 12:4 p.m. | 8 views

Scores of Serial Servers Plagued by Lack of Authentication, Encryption

Thousands of serial servers connected to the internet aren’t password protected and lack encryption, leaving data that transfers between them and devices they’re connected to open to snooping, experts warn. To make matters worse, the servers, manufactured by Taiwan-based networking device company...

AI score: 1.1
Exploits: 0 | References: 4

ThreatPost
added 2016/03/17 8:52 a.m. | 11 views

Safari, Flash Fall at Pwn2Own 2016 Day One

Apple Safari and Adobe Flash have proved to be Pwn2Own 2016’s biggest punching bags so far—hackers took down both, earning $282,500 in prizes at the first day of the annual hacking challenge in Vancouver on Wednesday. There were four successful attempts, one partial, and one failed attempt at the...

AI score: 0.7
Exploits: 0 | References: 14

ThreatPost
added 2016/03/17 6:0 a.m. | 16 views

CanSecWest 2016 Attack Attribution False Flags

With every APT report there comes the gnawing question of whodunit. Just this week, a Reuters report linked a spree of ransomware attacks against U.S. companies to state-sponsored hacker groups in China. Most reports, however, offer no tangible evidence other than technological footprints that ca...

AI score: 0.4
Exploits: 0 | References: 5

ThreatPost
added 2016/03/16 4:16 p.m. | 9 views

Trojan Exploits Apple DRM Flaw And Can Plant Malware On Non-Jailbroken iOS Devices

Apple iOS devices are in the crosshairs of another malware attack that has already infected an estimated six million non-jailbroken iOS devices in China, according to researchers. Palo Alto Networks found the new malware called AceDeceiver that infects iOS devices via Windows PCs and which...

AI score: 0.1
Exploits: 0 | References: 4

ThreatPost
added 2016/03/16 4:12 p.m. | 21 views

Apple Counters FBI's Backdoor Demand as Unconstitutional

Apple has matched the Department of Justice’s recent vitriol, by this week calling the FBI’s request for code to help it unlock Syed Farook’s iPhone unconstitutional. Furthermore, Apple in a court filing this week again challenged the validity of the government’s use of the All Writs Act of 1789 ...

AI score: 7.2
Exploits: 0 | References: 3

ThreatPost
added 2016/03/16 1:40 p.m. | 8 views

American Express Notifies of Data Breach

American Express has begun notifying cardholders that their data may have been compromised in a third-party breach. A notification letter filed on March 10 with California’s attorney general indicates that AmEx account numbers, user names and other information including expiration dates may have...

AI score: 0.8
Exploits: 0 | References: 3

ThreatPost
added 2016/03/16 12:12 p.m. | 11 views

VMware Patches XSS Vulnerabilities in vRealize Products

VMware patched two cross-site scripting vulnerabilities in its products this week that if exploited, could lead to the compromise of a user’s client workstation. The bugs, stored XSS vulnerabilities and rated important, exist in the company’s vRealize Automation and vRealize Business Advanced and...

AI score: 1.5
Exploits: 0 | References: 3

ThreatPost
added 2016/03/15 5:15 p.m. | 15 views

Malvertising Campaign Lands On Top Websites

Big-name websites were hit with a cunning malvertising campaign over the weekend that attempted to sneak TeslaCrypt ransomware on computers vulnerable to the potent Angler Exploit Kit. Top sites running the malicious ads included The New York Times owned NYTimes.com, Answers.com and AOL.com,...

AI score: 0.3
Exploits: 0 | References: 1

ThreatPost
added 2016/03/15 4:6 p.m. | 42 views

OpenSSH Implementations with X11Forwarding Enabled Should Heed Recent Security Update

Users who choose to enable X11Forwarding in OpenSSH, or those who use software products that re-enable it, should pay close attention to last Wednesday’s OpenSSH security update. The latest version of the open source implementation of the SSH protocol patches a flaw that exposes it to command...

CVSS: 5.5 | EPSS: 0.37016
Exploits: 13 | References: 2

ThreatPost
added 2016/03/15 2:50 p.m. | 8 views

Steam Stealer Malware "Booming Business" for Attackers Targeting Gaming Service

Malware that targets Steam accounts has proliferated the gaming platform and become what researchers are calling a “booming business” for cybercriminals over the last few months. The popular platform, owned by Valve, boasts 140 million users and is so ripe for attacks that according to the compan...

AI score: 0.4
Exploits: 0 | References: 9

ThreatPost
added 2016/03/15 9:55 a.m. | 19 views

Clarke: Precedent-Seeking FBI Won't Ask NSA to Unlock Phone

The National Security Agency’s silence in the Apple-FBI story is probably not so surprising. But that hasn’t stopped people from dragging the NSA’s name into the conversation. The latest to do so is Richard Clarke, former counterterrorism chair under presidents George H.W. Bush and Bill Clinton...

AI score: 6.7
Exploits: 0 | References: 6

ThreatPost
added 2016/03/14 4:14 p.m. | 9 views

WhatsApp Reportedly Next in DOJ's Battle on Crypto

If a report from this weekend’s New York Times is to be believed, the popular instant messaging platform WhatsApp may be the next technology company to find itself in the crosshairs of the Department of Justice and its war on crypto. Government officials are reportedly torn on how to proceed with...

AI score: 7
Exploits: 0 | References: 5

ThreatPost
added 2016/03/14 3:33 p.m. | 10 views

Typosquatters Target Mac Users With New .OM Domain Scam

Typosquatters are targeting Apple computer users with malware in a recent campaign that snares clumsy web surfers who mistakenly type .om instead of .com when surfing the web. According to Endgame security researchers, the top level domain for Middle Eastern country Oman (.om) is being exploited by...

AI score: 0.1
Exploits: 0 | References: 2

ThreatPost
added 2016/03/14 12:29 p.m. | 10 views

Chris Valasek Talks Car Hacking, IoT, at RSA

Threatpost editor Mike Mimoso talks to Chris Valasek, Security Lead, Uber ATC, about the talk he and Charlie Miller gave at RSA, hacking cars, the challenges around getting manufacturers to patch vulnerabilities in vehicles, IoT, and more...

AI score: 2.2
Exploits: 0

ThreatPost
added 2016/03/14 11:5 a.m. | 12 views

OpenSSH Patches Information Leak Flaw

OpenSSH last Wednesday dropped a patch for a vulnerability that could expose files to theft and manipulation. The flaw affects all versions of OpenSSH prior to 7.2p2 with X11Forwarding enabled, the OpenSSH project said in its advisory. Unpatched versions of OpenSSH don’t properly saniti...

AI score: 1.1
Exploits: 0 | References: 2

ThreatPost
added 2016/03/14 9:24 a.m. | 36 views

Broken 2013 Java Patch Leads to Sandbox Bypass

Java’s miserable 2013 just will not go away. One of the endless parade of bugs found in the platform throughout 2013—many of which were zero-day vulnerabilities exploited in targeted attacks—apparently wasn’t closed off completely by an October 2013 patch released by Oracle. Researchers at Polish...

CVSS: 9.3 | AI score: 9 | EPSS: 0.04652
Exploits: 0 | References: 5

ThreatPost
added 2016/03/11 2:5 p.m. | 11 views

Marcher Trojan Finds New Android Victims Targeting Porn Sites

In the security world where Trojans remake themselves more often than a fading Hollywood actor, the Marcher Trojan is no exception. The 3-year-old Marcher has found new relevance targeting Android users visiting porn sites, according to a report from security firm Zscaler. Over the past month,...

AI score: 0.4
Exploits: 0 | References: 1

ThreatPost
added 2016/03/11 2:0 p.m. | 14 views

Patrick Wardle on OS X Malware With a Potential Hacking Team Connection

Threatpost Editor Mike Mimoso talks to Synack director of research and well-known OS X hacker Patrick Wardle about the discovery of an OS X malware dropper that likely was developed by the Hacking Team...

AI score: 1.8
Exploits: 0

ThreatPost
added 2016/03/11 12:0 p.m. | 11 views

On How Amazon is Approaching Encryption, OS X Ransomware KeRanger, and More

Mike Mimoso and Chris Brook discuss the week in news, including how Amazon is backtracking on encryption when it comes to their devices, a new set of alleged passcode bypasses for iOS, and the new OS X ransomware KeRanger. Download: ThreatpostNewsWrapMarch112016.mp3 Music by Chris Gonsalves...

AI score: 3.2
Exploits: 0 | References: 2

ThreatPost
added 2016/03/11 8:0 a.m. | 9 views

DOJ Calls Apple's Rhetoric 'Corrosive' and 'False'

The Justice Department took off the gloves in its latest volley against Apple and its refusal to comply with a court order to unlock a terrorist’s iPhone. “Apple deliberately raised technological barriers that now stand between a lawful warrant and an iPhone containing evidence related to the...

AI score: 7
Exploits: 0 | References: 4

ThreatPost
added 2016/03/10 5:29 p.m. | 12 views

Locky Ransomware Now Part Of Massive Spam Attack

Researchers are tracking a massive spam campaign pelting inboxes with Locky ransomware downloaders in the form of JavaScript attachments. The huge spike, reported by security firm Trustwave, represents an extraordinary uptick in the attempted distribution of the Locky ransomware. Trustwave said...

AI score: 7
Exploits: 0 | References: 2

ThreatPost
added 2016/03/10 2:18 p.m. | 16 views

Samsung Windows Laptop Owners Urged To Download Fix To MitM Vulnerability

Samsung laptop owners are being urged to update their Windows PCs after the discovery of a vulnerability that can allow remote attackers to download files onto a targeted system and gain complete control over the laptop. The flaw is tied to a feature called “Samsung SW Update Tool 2.2.5.16”...

AI score: 0.4
Exploits: 0 | References: 4

ThreatPost
added 2016/03/10 12:0 p.m. | 10 views

Hackers and Developers Need to Hug it Out

The divide between developers and hackers is real. So, apparently, is the effort to bring them together and make them play nicely. “It’s not just a knowledge gap, but an empathy gap,” said I Am The Cavalry founder Josh Corman during a panel discussion at last week’s RSA Conference. “One common...

AI score: 7.4
Exploits: 0

ThreatPost
added 2016/03/10 11:19 a.m. | 27 views

March 2016 Adobe Flash Player Security Update

Adobe today released a new version of Flash Player that patches 18 vulnerabilities, all of which can result in remote code execution attacks. On Tuesday, Adobe pushed out security updates for Reader, Acrobat and Digital Editions, and gave users a heads up about an upcoming Flash update. Today’s...

CVSS: 10 | AI score: 1.3 | EPSS: 0.19785
Exploits: 1 | References: 3

ThreatPost
added 2016/03/10 10:23 a.m. | 10 views

libotr Off-the-Record Secure Messaging Security Patch

Users of secure messaging apps such as Pidgin, Adium and others built upon libotr, the Off-the-Record protocol, are being urged to update immediately to current versions after the discovery of a critical flaw that can be used in targeted attacks to expose encrypted communication. The OTR...

AI score: 0.4
Exploits: 0 | References: 2

ThreatPost
added 2016/03/09 3:56 p.m. | 13 views

DROWN Vulnerability Remains 'High' Risk, Firms Say

Despite the rush to patch systems at risk to the massive transport layer security (TLS) vulnerability, known as DROWN, hundreds of cloud services are still at risk of attack. According to two independent research firms, Netskope and Skyhigh Networks, a week after the vulnerability was identified...

AI score: 7.4
Exploits: 0

Total number of security vulnerabilities: 15946