Caution Urged over Patched Windows USB Driver Flaw
USB-related vulnerabilities make people nervous; you need look no further than Stuxnet and BadUSB to see the dangers associated with infected portable storage devices and peripherals. Yesterday, Microsoft patched a flaw in the Windows USB Mass Storage Class Driver that could put some people on...
Firefox 45 Fixes 40 Vulnerabilities, 22 Critical
Much like Google, which updated Chrome yesterday, Mozilla released a new version of Firefox on Tuesday, fixing 40 vulnerabilities in the browser. The update, Firefox 45, included eight bulletins rated critical and patched a handful of serious use-after-free vulnerabilities and a pair of buffer...
Google Updates Chrome, Fixes Three High Severity Issues
Google pushed out the latest version of its flagship browser Chrome on Tuesday, fixing three high severity bugs in the process. The update graduates the browser to version number 49.0.2623.87 for Windows, Mac, and Linux, according to a post on Google’s Chrome Releases blog this week. Two of the...
Cancer Clinic Warns 2.2 Million Of Records Breach
Florida-based cancer treatment center 21st Century Oncology Holdings is warning 2.2 million patients that health data and Social Security numbers were stolen from its computer network. The breach, which was revealed on March 4, occurred last November and included the theft of patient names, Socia...
March 2016 Microsoft Patch Tuesday Security Bulletins
Microsoft released a baker’s dozen worth of security bulletins on Tuesday, including five rated critical and two rated important that could result in remote code execution attacks against compromised machines. Two of the bulletins rated critical address flaws in Internet Explorer and Microsoft...
March 2016 Adobe Acrobat, Reader, Digital Editions Patches
Adobe today released security updates for its PDF editing and viewing products, Acrobat and Reader, and its ereader for books called Adobe Digital Editions. And while the customary Flash update is missing from today’s monthly rollout, Adobe said a new version of the software will be available “in...
Facebook Password Reset Bug Gave Hacker Access To Any Account
Anand Prakash could have hacked your Facebook account or anyone else’s. The India-based security researcher found a glaring password-reset vulnerability last month that has since been patched. The bug allowed him to crack open any of Facebook’s 1.1 billion accounts using a rudimentary brute force...
ISC Warning Some Versions of DHCP Vulnerable to DoS
The Internet Systems Consortium (ISC) this week announced that it plans to patch versions of its Dynamic Host Configuration Protocol (DHCP) to mitigate a vulnerability that could’ve let a remote attacker cause a denial of service condition. The group acknowledged on Monday that it plans to release DH...
Amazon Backtracks On Encryption Removal
Amazon reversed course on its unpopular decision to remove encryption from its Fire OS 5 tablets. Over the weekend, Amazon said, customers’ device-level encryption support will return this spring. The move comes after Amazon customers and privacy activists expressed outrage over the company’s...
Apple: Court Order Turns Back Clock on iPhone Security
Apple’s head of software engineering told law enforcement and the government via a Washington Post op-ed on Sunday that a precedent-setting backdoor into the iPhone threatens to turn back the clock on mobile security to less safe times. The column, written by Craig Federighi and posted last night...
Google Fixes Critical Mediaserver Bug, Again
Google today patched two critical holes in its problematic Android Mediaserver component which would allow an attacker to use email, web browsing, and MMS processing of media files to remotely execute code. With this latest vulnerability, Google has patched its Mediaserver more than two dozen tim...
Passcode Bypass Bugs Plague iOS 9.1 and On
Apple has yet to patch a series of bypass vulnerabilities in iOS that could enable an attacker to sidestep the passcode authorization screen on iPhones and iPads running iOS 9.0, 9.1, and the most recent build of the mobile operating system, 9.2.1. Like all passcode bypass bugs, an attacker would...
KeRanger OS X Ransomware Impact Likely Mitigated
It’s likely that the first functional ransomware for OS X is a dud. Discovered on Friday by researchers at Palo Alto Networks, the KeRanger ransomware sits dormant for three days before encrypting files from a comprehensive list of 300 file extensions; today would be Day 3. The malware was includ...
Proofpoint Warns Of New MSIL/Crimson Tied To Cyber Espionage
Diplomats and military personnel in India have been victimized in targeted espionage attacks that use a number of means of infection including phishing and watering hole sites. Researchers at Proofpoint this week published a report on Operation Transparent Tribe, which was ongoing as of Feb. 11...
Amazon Faces Backlash Over Removal Of Device Encryption
Amazon’s decision to remove encryption from its tablets running the latest Fire OS 5 release of its software has many privacy-minded tablet owners crying foul. They are blasting Amazon for making their tablets less secure and no longer safe to store personal data from email credentials, credi...
Recapping RSA 2016, FBI vs. Apple, and More
Mike Mimoso and Chris Brook recap RSA 2016, including how pervasive the FBI vs. Apple debate has been around the conference, OpenSSL two years after Heartbleed, and why hacking back is always a bad idea. Download: ThreatpostNewsWrapMarch42016.mp3 Music by Chris Gonsalves...
Cisco Fixes Another Default, Static Password Flaw
Cisco Systems issued a “critical” patch on Wednesday for its Nexus 3000 and 3500 series switches that allowed remote attackers to access default account and static password information on affected hardware. The vulnerability could allow an unauthenticated user to log in to the affected system with...
Apple Hackers Ask Court to Vacate Order
SAN FRANCISCO—A laundry list of past and present iPhone experts and cryptography experts today filed an amicus brief asking the courts to vacate their order mandating Apple assist the FBI in unlocking a phone belonging to San Bernardino shooter Syed Farook. Filed by Jennifer Granick and Riana...
Weak Bank Password Policies Leave 350 Million Vulnerable, Say Researchers
Should passwords that protect your financial data be less secure than the ones used to lock up selfies, cat videos and tweets swapped on social networks? In a study that looked at the password strength required to access website accounts for Wells Fargo, Capital One and 15 other banks, researchers...
Nearly Two Years After Heartbleed OpenSSL Operating With Renewed Vision
SAN FRANCISCO—Experts have stressed this week that DROWN is no Heartbleed, but at some point in the not too distant future, there’s going to be another major Internet vulnerability and developers at OpenSSL claim they’re battle tested. Rich Salz and Tim Hudson, members of OpenSSL’s development...
Gentle Reminder at RSA: Hacking Back is a Bad Idea
SAN FRANCISCO—Surely all breached organizations consider hacking back as some means of response to being attacked and losing intellectual property. Thankfully there was a room full of lawyers at RSA Conference on Wednesday to remind IT pros of what a colossally bad idea that is. Putting aside the...
DROWN Flaw Illustrates Dangers of Intentionally Weak Crypto
Calls for encryption backdoors that date back to the 1990s are coming back to haunt the industry 20 years later with DROWN, security experts say. The flaw that researchers found with DROWN centers around the fact that during the so-called Crypto Wars of the 1990s President Bill Clinton’s...
NSA's Rogers Quiet on Apple-FBI Debate at RSA
SAN FRANCISCO—National Security Agency and U.S. Cyber Command director Admiral Michael S. Rogers stood before tens of thousands of RSA Conference attendees on Tuesday and asked for help. In what has almost become a speaking slot reserved for the government to use as a recruiting pitch of some sor...
Crypto Panel Experts Clash on FBI-Apple Debate
SAN FRANCISCO—One would think that six of the smartest security people on the planet could come to some sort of collective conclusion on the FBI-Apple debate. But that wasn’t the case today during the annual Cryptographers’ Panel at RSA Conference. The debate over whether Apple should assist the...
DROWN Flaw Opens 33 Percent Of HTTPS Connections To Attack
Researchers revealed a massive transport layer security (TLS) vulnerability today that leaves millions of Internet users vulnerable to an attack that could expose passwords, credit card numbers and financial data. OpenSSL and others are urging companies to patch their web servers or risk exposure t...
White House Wants Wassenaar Renegotiation
The White House, lawmakers said yesterday, wants to renegotiate the divisive U.S. implementation of the Wassenaar Arrangement rules as they relate to intrusion software. A draft of the rules was pulled off the table in July by the Commerce Department’s Bureau of Industry and Security (BIS) followin...
Connected Cars' Cybersecurity Falls Short
As automakers rush to market connected cars to feed drivers hungry for collision avoidance systems and self-parking features, security experts are urging the industry to pump its brakes and prioritize their cars’ cyber defenses. In a report released Tuesday by IDC and the security firm...
Hospital Security Fail: Report Outlines Dangerous Shortcomings
Hospitals are risking patient lives by failing to protect critical computer systems that can be manipulated by attackers. In a scathing report that looks at the current state of hospital security, researchers say everything from bedside patient monitoring systems, automated drug dispensing machin...
Angler Exploit Learns New Tricks, Finds Home On Popular Website
Researchers report Angler Exploit Kit attacks have become more brazen and are now targeting top websites with new tricks that can evade browser-based antimalware protection. Karl Sigler, a SpiderLabs researcher at Trustwave, told Threatpost his lab found the Angler Exploit Kit on a popular websit...
On FBiOS, Tor, Operation Blockbuster, and RSA 2016
Mike Mimoso and Chris Brook discuss the news of the week including the ongoing FBiOS battle, a judge’s confirmation that the DoD funded research to uncloak Tor users, and news surrounding Operation Blockbuster. They also preview next week’s RSA Conference in San Francisco, Calif. Download: Music ...
Troy Hunt Explains Nissan Leaf Car Hack
Last month, when researcher Troy Hunt argued the dangers of insecure APIs at a security workshop, little did he know hours later he would discover an API vulnerability that allowed remote access to onboard computers of 200,000 Nissan Leaf and eNV200 electric automobiles. “After talking about the...
Drone Application Privacy, Security Shortcomings
This Threatpost op-ed is part of a series of guest contributions from computer security research and policy experts. Today, we feature Kaspersky Lab’s Kurt Baumgartner. Boulder, Colorado’s Open Space and Mountain Parks winter photo gallery displays parts of the beautiful and productive 45,000-plu...
Apple Files Motion to Vacate Court Order to Unlock iPhone
It took Apple nine words to make its point: “This is not a case about one isolated iPhone.” Apple on Thursday filed a motion to vacate a court order mandating it assist the FBI in unlocking an iPhone belonging to the San Bernardino shooter. Apple said the order violates its First Amendment...
Nissan Car Hack Allowed Remote Access To Car
Automaker Nissan deactivated a remote access feature that let owners of its Leaf electric car remotely adjust climate controls and check battery status via a smartphone app. The move comes after a security researcher posted his finding regarding a simple hack that allowed anyone with the right Le...
Apple Must Threat Model Against Itself
Apple, like most advanced tech companies, understands threats and how to close them off. But one salient point that’s emerged from its ongoing dispute with the FBI over unlocking the San Bernardino shooter’s phone is that Apple is a threat to itself. Therefore, it should be no surprise that Apple...
Drupal Update Fixes 10 Vulnerabilities, One Critical
Developers at Drupal addressed 10 vulnerabilities in the content management system this week, including a critical access bypass issue that could have let users access certain elements thought to be blocked, and another issue that could lead to remote code execution. Through the critical access...
Judge Confirms CMU Paid to Break Tor
A U.S. district court judge has confirmed what has probably been the worst-kept secret in security, that Carnegie Mellon University’s Software Engineering Institute was indeed contracted by the Department of Defense to study how to break Tor anonymity. A motion to compel discovery filed by Brian...
CTB-Locker/Critroni Finds New Legs Targeting Websites
After months of relative dormancy, ransomware CTB-Locker or Critroni is back and this time finding new life targeting websites. Researchers are calling this variant “CTB-Locker for Websites” because it targets websites, encrypts their content, and demands a 0.4 bitcoin ($425) ransom for access to t...
FTC And Asus Settle Over Router Security
The U.S. Federal Trade Commission announced a settlement with ASUSTeK Computer over sloppy security settings tied to its routers that left the personal data of 12,900 consumers publicly available. On Tuesday, the Taiwanese electronics company agreed to 20 years of periodic security audits along...
Five-Year 'Dust Storm' APT Campaign Seen Targeting Japanese Critical Infrastructure
A five-year campaign primarily focused on extracting sensitive information from Japanese oil, gas, and electric utilities was outlined by researchers on Tuesday. Referred to as Operation Dust Storm (.PDF) by researchers at Cylance, the campaign has managed to stay persistent over the years, and...
Apple Attorney Reveals Dozen Other iPhone Requests from FBI
Apple CEO Tim Cook’s major argument in objecting to the FBI’s request to assist in unlocking San Bernardino shooter Syed Farook’s iPhone 5c is the precedent it would set in doing so. As it turns out, Cook had a leg to stand on when he defiantly objected to a federal magistrate’s order last week...
uKnowKids Attacks Researcher Over Insecure Database
Child safety firm uKnowKids is blasting a security researcher who discovered the company exposed 1,700 identities of the children it was supposed to be protecting. On Monday, security researcher Chris Vickery alerted uKnowKids, a company that helps parents keep tabs on their kids’ online...
Operation Blockbuster Ties Destructive Attacks to Lazarus Group
The nation-state sponsored hacker group allegedly behind the 2014 attack against Sony Pictures Entertainment has been linked to similar intrusions against a number of companies in South Korea including the Dark Seoul and Operation Troy attacks. A coalition of security companies called Operation...
Rogue Chinese iOS App Removed from App Store
Apple removed an iOS application from its Chinese iTunes App Store that allowed users of non-jailbroken iOS devices to install pirated and jailbroken apps. Researchers at Palo Alto Networks, who discovered the rogue application, said the app was not malicious, but presented a serious security ris...
Santiago Pontiroli and Roberto Martinez on ATM Jackpotting
Threatpost editor Mike Mimoso talks with Roberto Martinez and Santiago Pontiroli, researchers with Kaspersky Lab’s Global Research and Analysis Team (GReAT), about ATM malware, jackpotting, and why it works so well in Latin America...
Mousejack Attacks Abuse Vulnerable Wireless Keyboard, Mouse Dongles
Wireless keyboards and mice are the latest peripherals to put enterprise networks and user data at risk. Researchers at Bastille Networks today said that non-Bluetooth devices from seven manufacturers including Logitech, Dell and Lenovo are vulnerable to so-called Mousejack attacks that would all...
Angler Exploit Kit Attacks Silverlight Vulnerability
Exploits for a vulnerability in Microsoft Silverlight have found their way into the dangerous Angler Exploit Kit a little more than a month after it was patched. French security researcher Kafeine said he was able to get independent confirmation from researchers at Kaspersky Lab that the exploit...
IRS Email Tax Scams Up 400 Percent
A 400 percent surge in tax-related phishing and malware incidents is making this tax season the most treacherous yet for taxpayers. According to an Internal Revenue Service bulletin, this year’s attacks include the tried-and-true email phishing, but also newer forms of attacks that include bogus...
Delicate Hardware Hacks Could Unlock Shooter's iPhone
A researcher at IOActive believes the U.S. intelligence community has the capability to carry out a delicate hardware hack that could unlock the iPhone 5c at the center of the current FBiOS debate. The attack requires considerable financial resources and acumen with an intrusive attack against th...
Dewan Chowdhury on Hacking Power Grids
Threatpost editor Mike Mimoso talks with Dewan Chowdhury, the founder and CEO of MalCrawler, about hacking power grids and a honeypot they built to mimic an energy management system...