Oracle to Kill Java Plugin
It’s the end of an era. Oracle has announced its intent to nail the coffin shut on the Java browser plugin. The company confirmed Wednesday that it expects to deprecate the plugin in JDK 9, slated for release in September, and JRE, in a future Java SE release. Dalibor Topic, a member of Oracle’s...
January 2016 OpenSSL Patch Diffie Hellman Safe Primes
The OpenSSL project team today patched two vulnerabilities in the crypto library, one of which is rated high severity. The patches are in new releases of OpenSSL, 1.0.1r and 1.0.2f, and were made along with an enhancement to the strength of the cryptography in a previous mitigation for last year’...
Jon Callas on Securing Our Private Data
Mike Mimoso talks to privacy and security veteran Jon Callas of Silent Circle about the digital footprint businesses and consumers leave, how to secure our private data, and how a new documentary sponsored by Silent Circle called “Power of Privacy” helps visualize how personal information is...
PayPal Java Serialization Vulnerability
A Java serialization vulnerability disclosed more than a year ago figured to have a long shelf life. It lived in popular Java application development frameworks such as Apache Commons Collections—where it’s been patched—and not to mention widely deployed application servers such as Oracle WebLogi...
BlackEnergy APT Group Spreading Malware via Tainted Word Docs
Attackers have begun using rigged Microsoft Word documents propagated via spearphishing emails to spread the BlackEnergy Trojan. Researchers with Kaspersky Lab’s Global Research and Analysis Team discovered a malicious Word document last week that appears to stem from a campaign against one of th...
Israeli Electric Authority Attacked, Potential Ransomware
Earlier this week Israel’s Electric Authority mitigated what officials there are calling a “severe cyber attack.” The Electric Authority is in charge of regulating and overseeing the distribution of electricity in Israel. The State of Israel’s National Infrastructure, Energy and Water Resources...
Cisco MiniUPnP Stack Smashing Protection Attack
The Internet of Things security challenge is twofold: finding bugs, and more urgent—fixing them. Cisco’s Talos security intelligence and research group found and privately disclosed a serious and trivially exploitable client-side bug in MiniUPnP that was patched in September of last year. The...
Mozilla Firefox 44 Security Patches
Mozilla has patched a number of critical vulnerabilities in Firefox 44 and Firefox Extended Release 38.6, which were released this week. The most serious flaws were memory vulnerabilities that lived in both the public and extended support versions of the browser. A buffer overflow write in WebGL,...
Amazon Certificate Manager Brings Free SSL Certs to AWS Users
Amazon is getting into the certificate game. The company announced late last week that it launched a certificate manager to expedite the process of securing SSL/TLS certificates for customers looking to add HTTPS to their sites or apps. The move comes less than a year after Amazon applied to...
Government Agencies Audit For Juniper Backdoor
Most U.S. government agencies have until Feb. 4 to audit their IT infrastructure for the use of backdoored Juniper Networks’ Netscreen firewalls. Letters went out late last week from the House Oversight & Government Reform Committee to the leaders of the various agencies asking them to provide th...
Magento Update Addresses XSS, CSRF Vulnerabilities
Magento patched 20 vulnerabilities last week, including a stored cross-site scripting (XSS) flaw in the e-commerce platform that could have let an attacker take over a site and create new admin accounts. Researchers at Sucuri dug up the XSS vulnerability while combing through research audits last...
Scarlet Mimic Behind Espionage Campaign Against Tibetan, Uyghur Activists
Researchers believe a single group is responsible for a series of attacks over the years to spy on Tibetan and Uyghur activists. For four years the group has used a cornucopia of spearphishing emails, a watering hole attack, and a backdoor Trojan to carry out espionage. Dubbed Scarlet Mimic, the...
OpenSSL to Patch Two Vulnerabilities This Week
OpenSSL is scheduled to update two versions of the software this week, patching a pair of vulnerabilities in the process. The OpenSSL project this morning said the updates will move users to versions 1.0.2f and 1.0.1r and should be available Thursday between 8 a.m. and noon Eastern time. “They wi...
FreeBSD Patches Kernel Panic Vulnerability
FreeBSD has patched a denial-of-service vulnerability affecting versions configured to support SCTP and IPv6, the default configurations on later versions of the open source OS. Researchers at Positive Technologies in the U.K. said versions 9.3, 10.1 and 10.2 are affected and can be exploited by a...
Lenovo SHAREit App Hard-Coded Password
Lenovo today has patched a number of vulnerabilities that jeopardize private data, which are largely enabled by a simple hard-coded password in a freely available file-sharing application. The flaws were found in the Lenovo ShareIT application for Android and Windows by researchers at Core...
HARMAN AMX Deliberate Backdoor SEC Consult
AMX, a provider of audio-visual conferencing gear used in sensitive government and military locations, has removed a “deliberate” backdoor in one of its central controller system products. New firmware for the AMX NX-1200 was made available Thursday, removing an administrative account that was...
On the Linux Zero Day, Twitter Users Looking for Answers, and Bot Fraud
Mike Mimoso and Chris Brook discuss the week in news, including the Linux zero day–how it was patched in Android, Twitter users sent nation state messages that are still looking for answers, and bot fraud. Download: ThreatpostNewsWrapJanuary222016.mp3 Music by Chris Gonsalves...
Apple Fixed Cookie Theft Bug in iOS 9.2.1
When Apple pushed out iOS 9.2.1 earlier this week, it fixed a nasty bug that lingered in the wild for nearly three years and could have let an attacker steal cookies and impersonate victims. The problem stems from the little windows that pop up when you connect to a public WiFi network according ...
Android Devices Linux Zero Day Kernel Vulnerability
Google is downplaying the scope of the critical Linux vulnerability patched this week, suggesting that the number of affected Android devices has been exaggerated. The Android OS is built upon the Linux kernel, but minus many of the libraries that are included in standard Linux builds. Initially,...
HD Moore Leaves Rapid7 for Venture Capital Opportunity
HD Moore, creator of the Metasploit Framework and a security innovator behind a number of Internet-wide security research projects, is moving into venture capital. Moore announced yesterday that he is leaving his current post as chief research officer at Rapid7 on Jan. 29 for a new opportunity in...
Spyware Asacub Evolves to Mobile Banking Malware
Asacub, once thought of as spyware, appears to have completed its transition into mobile banking malware, according to research published this week. When the Android malware surfaced in June 2015, researchers with Kaspersky Lab assumed it was spyware. It more or less fit the part; Asacub siphoned...
January 2016 Oracle Critical Patch Update 248 Patches
Oracle’s quarterly Critical Patch Updates (CPU) are known for their daunting volume, usually a disproportionately big number of fixes that database and system administrators have to deal with every three months. Yesterday’s CPU, however, takes the cake. Oracle pushed out the door a record 248 patch...
Dridex Adopting Dyre Tactics, Targeting U.K. Banks
Attackers behind the Dridex Trojan have narrowed their sights on banks based in the United Kingdom frequented by high-value business accounts, researchers claim. When a new version of the Trojan was released two weeks ago, it was promptly followed by a series of infection campaigns that focused o...
January 2016 Apple Security Patches iOS, OS X, Safari
Apple on Tuesday released security patches for iOS, OS X and an update for the Safari browser. The patches come less than a week after a ShmooCon presentation by Synack director of research Patrick Wardle revealed that Apple’s Gatekeeper security feature in OS X can be bypassed by an attacker wit...
Bot Fraud to Cost Advertisers $7 Billion in 2016
Mitigating fraud has long been an uphill battle for the online advertising world and numbers released Tuesday indicate it’s been a pricey one. The industry is poised to lose a combined $7.2 billion worldwide this year thanks to bogus ad fraud bots, according to a study carried out this past summe...
Twitter State-Sponsored Attack Notification
Twitter’s decision to notify users when their accounts are targeted in state-sponsored attacks earned its share of praise. But Twitter’s silence in terms of specifics about the attacks—whether by choice or gagged by a National Security Letter—has foisted some anxiety upon those who were notified....
Critical Yahoo Mail Flaw Patched, $10K Bounty Paid
A critical vulnerability in Yahoo Mail that could give attackers complete control of an account was patched two weeks ago. The flaw was privately disclosed Dec. 26 by Finnish researcher Jouko Pynnonen and patched Jan. 6. Pynnonen earned himself a $10,000 bounty, one of the highest paid out by Yah...
Linux Kernel Privilege Escalation Flaw Patched
A patch for a critical Linux kernel flaw, present in the code since 2012, is expected to be pushed out today. The vulnerability affects versions 3.8 and higher, said researchers at startup Perception Point who discovered the vulnerability. The flaw also extends to two-thirds of Android devices, t...
FDA Issues Guidelines on Medical Device Cybersecurity
The Food and Drug Administration (FDA) issued a new set of draft guidelines on Friday in hopes that medical device manufacturers not only address cybersecurity risks before they design products, but also during the maintenance of those products. FDA outlines cybersecurity recommendations for medica...
LastPass Mitigates LostPass Phishing Attack
LastPass has taken measures to mitigate a phishing attack described this weekend at ShmooCon that put at risk users’ credentials and information stored by the password manager. Researcher Sean Cassidy, chief technology officer of cloud security company Praesidio, demonstrated an attack where he w...
Mike Mimoso and Chris Brook Discuss the OpenSSH Patch, the Silverlight Zero Day, and More
Mike Mimoso and Chris Brook discuss the week in news, including a critical flaw patched by OpenSSH, the curious tale behind a Silverlight zero day, and how to turn a hacked webcam into a backdoor. Download: newswrap01-08-16.mp3 Music by Chris Gonsalves...
Advantech EKI Vulnerable to Bypass, Possible Backdoor
Researchers have uncovered yet another issue–and potential backdoor–in Advantech’s beleaguered EKI-1322 serial device server. The Dropbear SSH daemon associated with the server, because of heavy modifications, fails to enforce authentication. This makes it so any user who wants to bypass...
Apple Issues Incomplete Patches for Gatekeeper Bypass
Apple has had two cracks at patching a vulnerability that allows malicious apps to bypass its OS X Gatekeeper security feature, and twice has taken a shortcut approach to the fix, said the researcher who reported the flaw. The latest measure to address this was released on Thursday and it appears...
Many Health and Fitness Apps Remain Vulnerable
It seems little has changed over the last several years when it comes to how health and fitness apps go about securing user information. According to a survey carried out by the firm Arxan last fall, 86 percent of health apps it reviewed had at least two critical vulnerabilities and 55 percent...
OpenSSH Private Crypto Key Leak Patch
OpenSSH today released a patch for a critical vulnerability that could be exploited by an attacker to force a client to leak private cryptographic keys. The attacker would have to control a malicious server in order to force the client to give up the key, OpenSSH and researchers at Qualys said in...
Cisco Patches Hardcoded Password, DoS Vulnerabilities in Software
Cisco patched a handful of issues across its software line this week, including two critical vulnerabilities that could lead to the complete compromise of any devices running the software, and a hardcoded password that exists in some access points made by the company. According to security...
DHCP Denial of Service Vulnerability Patched
The Internet Systems Consortium (ISC) on Tuesday patched a denial-of-service vulnerability in numerous versions of DHCP. The flaw affects nearly all IPv4 DHCP clients and relays and most servers, ISC said in its advisory. “A badly formed packet with an invalid IPv4 UDP length field can cause a DHCP...
Microsoft Silverlight Zero Day Vulnerability Patched
Microsoft Silverlight vulnerabilities certainly don’t have the same hacker cred as bugs in Adobe Flash, for example, but nonetheless, that does not diminish their value, nor does that mean they should be ignored. Microsoft patched a critical flaw in the application framework on Tuesday, and...
Microsoft Patches Six Critical Flaws with January 2016 Updates
Microsoft released a scant nine bulletins today for Patch Tuesday, but six of them are marked critical and seven can lead to remote code execution. The updates, which address 25 vulnerabilities, will be the last many who run Internet Explorer 8, 9, and 10 will receive unless they elect to update t...
January 2016 Adobe Reader, Acrobat Security Patches
Adobe today patched 17 vulnerabilities in Acrobat and Reader, all of which the vendor rated as critical and warns could allow an attacker to commandeer the underlying system. Adobe said desktop versions of Acrobat and Reader XI 11.0.13, for Windows and Macintosh, are affected, as are Acrobat and...
New RAT Trochilus Skilled at Espionage, Evading Detection
Researchers have uncovered a new remote access Trojan (RAT) that can evade sandbox analysis, is adept at carrying out espionage, and is being used in targeted threat operations. Named Trochilus, the malware is part of a multi-pronged malware operation that researchers at Arbor Networks are calling...
D-Link Webcam Hack Turns IoT Device into Backdoor
Connecting a webcam to your home or office network might seem like a harmless thing, but researchers have figured out how to turn that connected device into a backdoor. Researchers at Vectra Networks today released a report demonstrating how a $30 D-Link webcam can be abused by attackers and turn...
Juniper Removes Dual_EC, ANSI X9.31 Algorithms
Juniper Networks announced late Friday it was removing the suspicious Dual_EC_DRBG random number generator from its ScreenOS operating system. And while that’s heralded as a positive move considering Dual_EC’s dubious origins, there remain important and unanswered questions about Juniper’s decision ...
Eight Arrested in Tyupkin ATM Hacking Takedown
European authorities dismantled a cybercrime ring last week responsible for a series of ATM attacks that ultimately led to substantial financial losses across Europe. Authorities apprehended eight Romanian and Moldovan nationals in connection with the ring following a series of house searches in...
General Motors (GM) Vulnerability Disclosure Program
General Motors’ new vulnerability disclosure program puts it alongside Tesla as the only major automakers with a mechanism for security researchers to report flaws. Unlike Tesla’s program, however, GM’s does not offer a monetary reward. GM launched its program last week via the HackerOne platform...
End of Life Internet Explorer 8, 9, 10 Security Support
Anxiety was high around April 8, 2014 when Microsoft officially closed the door on security support for Windows XP. Many envisioned black hats worldwide stockpiling exploits waiting for the day when XP machines would be left permanently exposed. The anticipated malware apocalypse, however, never...
On Dutch Encryption, the End of IE 8, 9, and 10 Support, and Zerodium's Latest Bounty
Mike Mimoso and Chris Brook discuss the week in news: How the Dutch are opening encryption with open arms, the end of support for IE 8, 9, and 10, and the latest bounty offered up by Zerodium. Download: newswrap01-08-16.mp3 Music by Chris Gonsalves...
Mozilla Warns of SHA-1 Deprecation Side Effects
As promised, Mozilla officially began rejecting new SHA-1 certificates as of the first of the year. And as promised, there have been some usability issues. Mozilla yesterday said that some security scanners and antivirus products are keeping some from reaching HTTPS websites. “When a user tries t...
Time Warner Cable Urges 320,000 Customers to Change Passwords
Roughly 320,000 Time Warner Cable customers are being told to change their email passwords this week after the company announced Wednesday that hackers may have gained access to them. The move comes after the F.B.I. notified the telecommunications giant that someone may have gained access to TWC...
Latest WordPress Update Resolves XSS Vulnerability
Developers at WordPress are encouraging users of the content management system to download and apply the most recent update, pushed yesterday, to address a cross-site scripting (XSS) vulnerability. According to WordPress the bug exists in all versions before 4.4 and if exploited, could allow a hack...