
15946 matches found

ThreatPost
added 2016/01/07 10:50 a.m. | 14 views

SLOTH Collisions Attacks Against SHA-1, MD5 in TLS, IKE, SSH

If you’re hanging on to the theory that collision attacks against SHA-1 and MD5 aren’t yet practical, two researchers from INRIA, the French Institute for Research in Computer Science and Automation, have demonstrated new attacks that raise the urgency to move away from these broken cryptographic...

AI score: 0.5
Exploits: 0 | References: 4
ThreatPost
added 2016/01/06 4:34 p.m. | 15 views

All Drupal Versions Open to Code Execution, Credential Theft Vulnerabilities

A number of issues exist in the content management system Drupal that could lead to code execution and the theft of database credentials via a man-in-the-middle attack, a researcher warns. The vulnerabilities lie in the way Drupal processes updates, according to Fernando Arnaboldi, senior securit...

AI score: 8.3
Exploits: 0 | References: 3
ThreatPost
added 2016/01/06 4:1 p.m. | 11 views

BrainTest Malicious Android Apps Removed From Google Play

Update The Brain Test mobile malware family has once again been evicted from Google Play. Known for piggy-backing on fully functioning mobile applications, the malware’s various iterations try to root Android devices, download malicious APKs and inflate the Google Play ratings of other apps writt...

AI score: 0.7
Exploits: 0 | References: 2
ThreatPost
added 2016/01/06 9:34 a.m. | 17 views

Silent Circle Blackphone Icera Modem Security Patch

Silent Circle, makers of the security and privacy focused Blackphone, have patched a vulnerability that could allow a malicious mobile application or remote attacker to access the device’s modem and perform any number of actions. The update was released Dec. 7 in version 1.1.13 RC3; details of th...

AI score: 7.5
Exploits: 0 | References: 2
ThreatPost
added 2016/01/06 8:51 a.m. | 10 views

Linode Customer Password Reset, DDoS Attack

Cloud-based webhost Linode absorbed another body blow on Tuesday when it said it was resetting customer passwords after a suspected breach. The development compounded the company’s existing woes as it continues to battle a distributed denial-of-service attack that began on Christmas. A Linode...

AI score: 0.3
Exploits: 0 | References: 2
ThreatPost
added 2016/01/05 3:56 p.m. | 10 views

Dutch Government Embraces Encryption, Denounces Backdoors

While the “Going Dark” debate over encryption standards rages on here in the United States, government officials in the Netherlands this week released a statement that actually calls for stronger encryption and rejects backdoors entirely. On Monday officials said, citing respect for privacy and...

AI score: 0.5
Exploits: 0 | References: 6
ThreatPost
added 2016/01/05 1:55 p.m. | 8 views

Zerodium Offers $100K for Adobe Flash Heap Isolation Bypasses

Despite calls to eliminate Adobe Flash Player, researchers inside and outside the vendor continue to invest in and build mitigations against modern attacks. As recently as three weeks ago, Adobe announced it had rewritten its memory manager, laying the groundwork for widespread heap isolation,...

AI score: 0.4
Exploits: 0 | References: 9
ThreatPost
added 2016/01/05 10:18 a.m. | 8 views

Comcast's Xfinity Home Security System Vulnerability

Update Comcast’s Xfinity Home Security System is vulnerable to attacks that interfere with its ability to detect and alert to home intrusions. Researchers at Rapid7 today disclosed the issue after fruitless attempts to contact and report the problem to Comcast dating back to Nov. 2; Rapid7 did...

AI score: 7.2
Exploits: 0 | References: 1
ThreatPost
added 2016/01/05 7:54 a.m. | 9 views

Cisco Jabber for Windows STARTTLS Downgrade Attack

An attacker in a man-in-the-middle position could abuse a STARTTLS downgrade vulnerability in the Cisco Jabber client-server negotiation in order to intercept communication. Cisco warned its customers yesterday, but has yet to patch the vulnerability, which affects the Cisco Jabber clients for...

AI score: 0.9
Exploits: 0 | References: 3
ThreatPost
added 2016/01/04 2:1 p.m. | 23 views

January 2016 Android Nexus Security Bulletin

Since last summer’s Stagefright vulnerabilities toppled the Android world for a few weeks, researchers inside and out of Google have been taking a close look at not only the maligned media playback engine, but also at Mediaserver where it lives. Today’s release of the monthly Android Nexus Securi...

CVSS: 10 | AI score: 0.9 | EPSS: 0.0206
Exploits: 0 | References: 4
ThreatPost
added 2016/01/04 11:45 a.m. | 16 views

Tor to Launch Bug Bounty Program in 2016

The Tor Project announced last week that it will launch a bug bounty program later this year to encourage security researchers to responsibly report issues they find in the software. Tor Browser and Tor Performance Developer Mike Perry announced the news during the “State of the Onion” address la...

AI score: 7.6
Exploits: 0 | References: 7
ThreatPost
added 2016/01/04 11:4 a.m. | 8 views

Ransom32 Ransomware-As-A-Service Written in JavaScript

Crimeware services are nothing new. Criminals for years have advertised on the underground not only malware, but management services and support for banking Trojans, exploit kits and more. Researchers this week turned up a new ransomware-as-a-service operation that pushes the first ransomware cod...

Exploits: 0 | References: 5
ThreatPost
added 2015/12/31 9:0 a.m. | 12 views

2016 Computer Security Predictions

Well, if you thought you had it rough in 2014 because of big, bad Poodles and an irritating case of Heartbleed, things only got worse this year. Rather than intrusions permeating our IT systems and stealing our data, attacks got a bit more personal in 2015. Not only were privacy and civil liberti...

AI score: 7.2
Exploits: 0 | References: 16
ThreatPost
added 2015/12/24 9:0 a.m. | 14 views

Mike Mimoso and Chris Brook Discuss the Threats of 2015

With 2015 more or less in the rear view mirror Mike Mimoso and Chris Brook discuss the year in security: Wassenaar, ransomware, Carbanak and Equation Group, how big of a deal Stagefright was, that Juniper backdoor, and more. Download: tp2015inreview.mp3 Music by Chris Gonsalves...

AI score: 1.5
Exploits: 0 | References: 2
ThreatPost
added 2015/12/23 9:1 a.m. | 74 views

Microsoft Bans Superfish SSL Interception Adware

Microsoft has taken steps to impede the next Superfish from impacting users. Superfish was pre-installed adware found on new Lenovo laptops earlier this year. The software exposes users to man-in-the-middle attacks because of the way it injects advertisements into the browser. It comes with a...

CVSS: 9.3 | AI score: 1.3 | EPSS: 0.99945
Exploits: 33 | References: 3
ThreatPost
added 2015/12/22 2:29 p.m. | 11 views

Juniper Backdoor Picture Getting Clearer

The NSA’s subversion of encryption standards may have come home to roost. As more eyes examine the Juniper backdoor in ScreenOS, the operating system standing up its NetScreen VPNs, it’s becoming clear that someone backdoored the NSA backdoor in Dual_EC_DRBG, opening the door to passive decryption ...

AI score: 7.3
Exploits: 0 | References: 9
ThreatPost
added 2015/12/22 10:43 a.m. | 8 views

Yahoo to Warn Users of State-Sponsored Attacks

Yahoo has announced it will follow in the footsteps of Twitter and Facebook and begin warning users when it believes their accounts have been targeted by a state-sponsored actor. Bob Lord, who was hired as the company’s new CISO in October, discussed the initiative in a blog post Monday. Lord sai...

Exploits: 0 | References: 4
ThreatPost
added 2015/12/22 8:39 a.m. | 10 views

Oracle Java FTC Settlement

Oracle’s stewardship of Java has been scrutinized by the security community, which in 2013 languished through nearly a full year of targeted attacks exploiting zero days and other vulnerabilities in the platform. Since then, Oracle has improved the Java user experience by denying unsigned applets...

AI score: 1.5
Exploits: 0 | References: 4
ThreatPost
added 2015/12/21 4:12 p.m. | 39 views

Juniper ScreenOS Backdoor Password

Researchers from two security firms have uncovered the password guarding one of the backdoors discovered in Juniper Networks’ ScreenOS, the operating system behind its NetScreen enterprise-grade firewalls. Fox-IT and Rapid7 found the secret code, which was disguised to look like debug code, said...

CVSS: 10 | AI score: 8.5 | EPSS: 0.614
Exploits: 7 | References: 7
ThreatPost
added 2015/12/21 12:2 p.m. | 11 views

Google SHA-1 Deprecation

Google has announced its timeline for deprecating SHA-1 certificates, despite concerns expressed recently that sunsetting the broken encryption hashing algorithm will disconnect millions from the Internet. SHA-1’s demise has been accelerated in recent months since researchers published a paper...

AI score: 7
Exploits: 0 | References: 6
ThreatPost
added 2015/12/18 12:9 p.m. | 11 views

Schneider Electric Patches Buffer Overflow in PLC Line

Automation and energy management company Schneider Electric patched a vulnerability in a product line this week that was leaving a handful of programmable automation controllers at risk of being hacked. Thirteen different builds of the Modicon M340 PLC are affected by the vulnerability, a buffer...

AI score: 1.7
Exploits: 0 | References: 2
ThreatPost
added 2015/12/18 9:9 a.m. | 13 views

Google Search Engine Rank Prefers HTTPS

Nothing in Google’s arsenal carries more weight than its search engine rankings. Pair that weapon with a desire to inspire encrypted connections on the web, and you have a pretty powerful combination. More than a year ago, Google said it was testing a method where a site’s search ranking would be...

AI score: 6.9
Exploits: 0 | References: 3
ThreatPost
added 2015/12/17 6:30 p.m. | 11 views

Juniper Patches ScreenOS Backdoor

Juniper Networks today has released an emergency patch that removes what it’s calling “unauthorized code” from ScreenOS that could allow attackers to decrypt VPN traffic from NetScreen devices. Juniper has not commented on the origin of the code it found. However, Juniper’s products were singled...

AI score: 1.1
Exploits: 0 | References: 2
ThreatPost
added 2015/12/17 5:19 p.m. | 10 views

Facebook, Researcher Spar Over Instagram Vulnerabilities

A security researcher is in a bit of a scrum with Facebook over vulnerability disclosures that not only tested the boundaries of the social network’s bug bounty program, but he said, also prompted hints of legal and criminal action. Wesley Wineberg, a contract employee of security company Synack,...

AI score: 7.5
Exploits: 0 | References: 2
ThreatPost
added 2015/12/17 3:56 p.m. | 13 views

Pro PoS Malware Simple, But Less Sophisticated Than Initially Thought

A strain of point-of-sale malware that began making the rounds on underground markets late last month is easy to use, but less sophisticated than initial reports suggested. According to researchers at Talos, Cisco’s research division, Pro PoS is mostly built on Alina, another type of POS malware...

AI score: 0.1
Exploits: 0 | References: 1
ThreatPost
added 2015/12/17 2:5 p.m. | 8 views

Critical Flaws Found in Network Management Systems

Update Four leading network management system providers are busy patching and preparing fixes for a half-dozen critical cross-site scripting and SQL injection vulnerabilities disclosed Wednesday by Rapid7. Three of the affected vendors, Spiceworks, Ipswitch and Opsview, have already patche...

AI score: 1.1
Exploits: 0 | References: 1
ThreatPost
added 2015/12/15 8:43 a.m. | 20 views

13 Million MacKeeper Records Found in Public Database

A trove of MacKeeper user data—some 13 million records—has been locked down after a researcher found an exposed and accessible database using a simple Shodan query. Chris Vickery revealed his discovery on Monday on Reddit in more of an appeal to reach officials at Kromtech, the parent company tha...

AI score: 7.7
Exploits: 0 | References: 3
ThreatPost
added 2015/12/15 4:55 a.m. | 13 views

Attacks Accelerate Against Joomla Zero Day

Update Attacks are accelerating against a now-patched Joomla zero-day vulnerability, putting pressure on site administrators to update quickly. The patch was published on Monday, but not before attacks were spotted in the wild and carried out for at least two days, said researchers at security...

Exploits: 0 | References: 5
ThreatPost
added 2015/12/14 9:26 a.m. | 15 views

Twitter State-Sponsored Attack Notification

Update A relatively small number of Twitter users, including a few connected to security and privacy advocacy, have been informed that their accounts have been targeted by state-sponsored hackers. Notifications began appearing in the inboxes of affected users two days ago, with very little concre...

AI score: 0.6
Exploits: 0 | References: 7
ThreatPost
added 2015/12/10 12:0 p.m. | 11 views

Spy Banker Banking Malware Hosted on Google Cloud Server

A new run of Spy Banker banking malware infections has been targeting Portuguese-speaking victims in Brazil. While Spy Banker is an old threat, dating back to 2009 according to some security companies, the latest wrinkle attackers are taking is a new one. The campaign, spotted by researchers at...

AI score: 0.9
Exploits: 0
ThreatPost
added 2015/12/10 7:58 a.m. | 14 views

FBI on Encryption: 'It's A Business Model Question'

Now that encryption has been elevated to a default technology on mobile devices, the government has heightened its “Going Dark” rhetoric, again on Wednesday insisting during a Senate Judicial Committee hearing that Silicon Valley figure out how to deliver plain-text communication between criminal...

AI score: 7
Exploits: 0 | References: 3
ThreatPost
added 2015/12/09 1:50 p.m. | 8 views

Internet Root Name Servers DDoS Attack

An unusual DDoS amplification attack was carried out 10 days ago against many of the Internet’s 13 root name servers, the authoritative servers used to resolve IP addresses. The attacks happened on Nov. 30 and again on Dec. 1, and each time, massive volumes of traffic, peaking at five million...

AI score: 1.5
Exploits: 0 | References: 1
ThreatPost
added 2015/12/09 1:34 p.m. | 10 views

Cisco Warning of CSRF, XSS Vulnerabilities

UPDATE Cisco is warning users this week that several of its products — routers, gateways, and data center platforms — suffer from vulnerabilities, including one critical one. Cisco warned about the most pressing issue, a critical vulnerability in its Prime Collaboration Assurance software, shortl...

AI score: 1.1
Exploits: 0 | References: 9
ThreatPost
added 2015/12/09 9:22 a.m. | 28 views

Google Updates Chrome, Extends Safe Browsing to Chrome for Android

Google yesterday released an update for the Chrome browser that patches seven vulnerabilities and also updates Adobe Flash Player. It also announced that Google Safe Browsing has been extended to Chrome for Android. The Chrome browser update is the second in less than a week; on Dec 1, Chrome 47...

CVSS: 10 | AI score: 0.1 | EPSS: 0.03199
Exploits: 0 | References: 10
ThreatPost
added 2015/12/08 4:52 p.m. | 11 views

Apple Patches 50+ Vulnerabilities in iOS, OS X, Safari

Apple has piled on the patches already released by Adobe and Microsoft today, and pushed out updates for iOS, OS X, Apple TV, Safari, and its watch-based operating system watchOS this afternoon. Fifty-four vulnerabilities across OS X were patched Tuesday, including fixes for Mavericks v10.9.5, O...

AI score: 0.1
Exploits: 0 | References: 7
ThreatPost
added 2015/12/08 2:57 p.m. | 35 views

December 2015 Microsoft Patch Tuesday Security Bulletins

Forgive your local Windows admin if they’re a little shy on holiday cheer in the coming days. Blame instead Microsoft for foisting upon them on Tuesday 71 security patches, including two for vulnerabilities in Office and the Windows kernel currently under attack. Microsoft also issued a separate...

CVSS: 9.3 | AI score: 1.3 | EPSS: 0.99945
Exploits: 33 | References: 13
ThreatPost
added 2015/12/08 1:14 p.m. | 8 views

December 2015 Adobe Flash Player Security Update

Adobe may indeed be thinking about phasing out Flash Player, and updates like today’s monster security bulletin will only serve to fuel that movement going forward. Released just an hour before Microsoft’s scheduled Patch Tuesday release, Adobe pushed out a new version of the maligned Flash Playe...

AI score: 0.5
Exploits: 0 | References: 3
ThreatPost
added 2015/12/08 11:56 a.m. | 15 views

Microsoft, Law Enforcement Collaborate in Dorkbot Takedown

A coalition of law enforcement agencies worked together recently to disrupt Dorkbot, a botnet that’s managed to infect more than one million machines in 190 countries during the last year. Researchers with Microsoft’s Malware Protection Center announced the news via a post on the MMPC blog. Two...

AI score: 1.8
Exploits: 0 | References: 3
ThreatPost
added 2015/12/08 11:21 a.m. | 43 views

December 2015 Android Over-the-Air Nexus Security Update

Google has patched another critical Android vulnerability in Mediaserver, which has been maligned since this summer’s barrage of patches for the Stagefright vulnerability, along with a critical rooting vulnerability in the mobile operating system’s kernel. In all, 19 vulnerabilities were patched ...

CVSS: 9.3 | AI score: 0.9 | EPSS: 0.0227
Exploits: 0 | References: 3
ThreatPost
added 2015/12/08 7:0 a.m. | 11 views

Experts Say Bitcoin Extortionist Copycats on the Rise

Experts believe that the success tied to a recent spate of DDoS-for-hire groups may be because many are copycat collectives operating with a shorter lifespan. Researchers with Recorded Future, a Massachusetts-based firm that tracks real time threat intelligence, said Monday that they’ve noticed a...

AI score: 0.2
Exploits: 0 | References: 4
ThreatPost
added 2015/12/07 12:8 p.m. | 16 views

Persistent Financial Malware 'Nemesis' Targets Boot Record

A group of attackers are behind a strain of payment card malware that has bootkit functionality, something that makes it very difficult to detect, much less remove. “FIN1,” the group behind the malware, appears to be based in Russia, according to researchers at both FireEye and Mandiant who...

AI score: 1.7
Exploits: 0 | References: 3
ThreatPost
added 2015/12/04 4:30 p.m. | 11 views

Let's Encrypt Initiative Enters Public Beta

The Let’s Encrypt initiative reached yet another milestone this week when it entered public beta, something it claims should help make it easier for website owners to embrace HTTPS encryption. The latest step comes on the heels of the movement issuing its first certificate back in September and...

AI score: 7.1
Exploits: 0 | References: 5
ThreatPost
added 2015/12/04 12:25 p.m. | 9 views

OpenSSL Patches Bring Last Update for Two Versions

The OpenSSL Software Foundation patched four vulnerabilities in the cryptographic software library on Thursday, likely marking the last time that two older versions of the library will receive updates. The group announced back in December 2014 that it would cease support for two of OpenSSL...

AI score: 7.4
Exploits: 0 | References: 6
ThreatPost
added 2015/12/04 7:5 a.m. | 186 views

Sofacy APT28 Gang Using New Backdoors, Zero Days

A new analysis of the Sofacy APT gang, a Russian-speaking group carrying out targeted attacks against military and government offices for close to a decade, shows a relentless wave of intrusions peaking this summer against victims in a number of NATO countries and the Ukraine. Researchers at...

CVSS: 10 | AI score: 8.3 | EPSS: 0.9999
Exploits: 58 | References: 3
ThreatPost
added 2015/12/03 10:15 a.m. | 10 views

Signal Desktop Released by Moxie Marlinspike

In March when Moxie Marlinspike and Open Whisper Systems released the iOS version of the Signal encrypted messaging app, the noted security researcher promised to expand its reach and among other things, eventually release a desktop version of Signal. That vision was realized on Wednesday with th...

AI score: 6.8
Exploits: 0 | References: 6
ThreatPost
added 2015/12/03 8:0 a.m. | 12 views

Adobe Flash Player Days Numbered

If there’s unanimity among security professionals in anything, it’s in their loathing of Adobe’s Flash Player. There’s yet to be an APT or exploit kit that hasn’t welcomed vulnerabilities in the development platform with open arms. And for all that misery tallied up in lost intellectual property...

AI score: 7.2
Exploits: 0 | References: 7
ThreatPost
added 2015/12/02 3:28 p.m. | 8 views

Cisco WebEx for Android Security Patch

Cisco has been busy the last two days pushing out a patch and security advisories for a number of its products, including a fix for a remotely exploitable vulnerability in its WebEx Meetings mobile application for Android. Cisco said the vulnerability affects versions prior to 8.5.1 of the app, a...

AI score: 0.8
Exploits: 0 | References: 6
ThreatPost
added 2015/12/02 3:18 p.m. | 12 views

Angler Exploit Kit Spreading Cryptowall 4.0

As expected, it didn’t take long for one of the most popular exploit kits, Angler, to start spreading the latest iteration of Cryptowall ransomware. A drive-by campaign that uses a one-two punch to drop Cryptowall 4.0 has been observed in the wild this week, according to researchers at Heimdal...

AI score: 1.3
Exploits: 0 | References: 2
ThreatPost
added 2015/12/02 12:29 p.m. | 11 views

Advantech EKI Vulnerable to Shellshock, Heartbleed

Twice in the past year, security researchers have found and reported critical vulnerabilities in Modbus gateways built by Advantech that are used to connect serial devices in industrial control environments to IP networks. Most recently, independent security researcher Neil Smith found hard-coded...

AI score: 8.2
Exploits: 0 | References: 9
ThreatPost
added 2015/12/02 11:18 a.m. | 31 views

Google Plans to End Chrome for 32-bit Linux, Releases Chrome 47

Google announced this week it will end Chrome support for older, 32-bit Linux distributions early next year and will maintain the browser on more popular distributions of the software. Specifically Google plans to stop pushing updates and security fixes to those running Chrome on 32-bit Linux,...

CVSS: 10 | AI score: 0.6 | EPSS: 0.04692
Exploits: 4 | References: 2

Total number of security vulnerabilities: 15946