Samsung Galaxy S6 Edge Security Vulnerabilities
Google’s Nexus Android devices are considered the most secure by default since they’re guaranteed to receive all security patches for vulnerabilities found internally and those disclosed by third parties. Google’s Project Zero research team, however, decided to expand its reach and test the water...
XcodeGhost Malware Supports iOS9
New samples of XcodeGhost, malware targeting iOS devices, have surfaced beyond the borders of China with new support for iOS9 and obfuscation techniques making it that much harder to detect. iOS9 is only a few weeks old and included new security measures that allowed for only secure HTTPS...
PageFair Hack Serves Up Fake Flash Update to 500 Sites
More than 500 users of a free analytics service may have had their websites compromised over the weekend after a hacker was able to execute malicious JavaScript through the service. On Halloween night, an attacker was able to hijack a “key email account” at PageFair, an ad blocking analytics...
Vulnerability Identified in Genomic Data Sharing Network
A vulnerability in a network that processes genomic data could pave the way to some global genetic databases being hacked, and open the door to some serious privacy issues. Experts claim the problem lies in The Beacon Project, a network run by a coalition, Global Alliance for Genomics and Health,...
Latest EMET Bypass Targets WoW64 Windows Subsystem
Backwards compatibility, a necessary evil for Microsoft in its need to support so many legacy applications on Windows, may be its undoing as researchers have found a way to exploit this layer in the operating system to bypass existing mitigations against memory-based exploits. Specifically in thi...
November 2015 Android Security Bulletin
The Stagefright vulnerabilities are the gifts that keep on giving. Months after the potentially devastating security flaws in the mobile OS were publicly disclosed, Google continues to send out patches addressing vulnerabilities related to the initial reports. Today’s monthly Android security...
Data-Stealing Android App Impersonates Word Doc
A new strain of Android malware has taken a decidedly old-school approach to infecting mobile devices. Researchers at security company Zscaler said they spotted several hundred new infections since Oct. 10, primarily targeting Android users in China. The malware arrives impersonating a Microsoft...
Mike Mimoso and Chris Brook Discuss the Latest Xen Vulnerability, CISA Passing the Senate, and More
Mike Mimoso and Chris Brook discuss the news of the week: The latest Xen vulnerability, CISA passing the Senate, a researcher challenging that Weak DH paper, and more. Download: newswrap10-30-15.mp3 Music by Chris Gonsalves...
Xen Patches VM Escape Vulnerability
The Xen Project, which oversees the open source Xen hypervisor, yesterday patched a seven-year-old vulnerability that allows an attacker to escape a guest virtual machine and attack the host operating system. The flaw is so bad that the developers of the Qubes OS Project, a security-heavy operati...
Web Hosting Service 000webhost Hacked, Information of 13 Million Leaked
Information on nearly 14 million users of 000webhost, a Lithuanian web hosting service, was spilled earlier this year when a hacker exploited an old version of the company’s website and gained access to the backend. 13.5 million customer usernames, plaintext passwords, email addresses, IP...
Rockwell Automation FrostyURL Security Vulnerability
Rockwell Automation has patched a handful of vulnerabilities in its Allen-Bradley MicroLogix programmable logic controllers, including one that researchers say can be exploited with a single malicious URL. Members of CyberX’s research team disclosed details on the vulnerability Wednesday at the...
Fewer IPsec VPN Connections at Risk to Weak Diffie-Hellman
A challenge has been made against one of the conclusions in a potentially blockbuster academic paper on cryptographic weaknesses that may be the open door through which intelligence agencies are breaking encrypted connections. The paper, “Imperfect Forward Secrecy: How Diffie-Hellman Fails in...
CISA Passes Senate Without Addressing Privacy Concerns
To the consternation of many — tech companies, privacy advocates, and civil liberties groups included — members of the Senate voted overwhelmingly Tuesday to pass a version of the Cybersecurity Information Sharing Act, a bill that many opponents argue will lead to continued pervasive government...
Gary McGraw on Software Security and BSIMM6
Mike Mimoso talks to Cigital’s Gary McGraw about software security and analysis from the sixth version of the Building Security in Maturity Model report. Download: garymcgraw102715.mp3 Music by Chris Gonsalves...
Car Hacking, Mobile Jailbreaking Among DMCA Exemptions Granted
Car hackers and jailbreakers today apparently got a green light from the Librarian of Congress David Mao to tinker away. The Library of Congress’ triennial exemptions to the anti-circumvention rules within the Digital Millennium Copyright Act (DMCA) were released today, and among the exemptions to...
Attackers Targeting Unpatched Joomla Sites Through SQL Injection Vulnerability
Following the disclosure of a critical SQL injection vulnerability in the software last week, as expected, attacks are being carried out against sites running old, unpatched versions of the content management system Joomla. Experts warned that it’d be easy for an attacker to gain full control of ...
October 2015 Adobe Shockwave Security Patch
Adobe today updated Shockwave player, patching one privately disclosed memory corruption vulnerability in the software. Adobe gave the vulnerability, CVE-2015-7649, its highest criticality rating, though there are no known public exploits for this flaw. The vulnerability, Adobe said, could allow ...
New Campaign Shows Dridex Active, Targeting the French
Two weeks after authorities announced they had taken down the botnet behind the banking malware Dridex, new research suggests the threat is alive and well. Researchers with security company Invincea announced today that they’ve noticed 60 instances of attackers dropping Dridex on users in France,...
Yahoo Hires Bob Lord as CISO
Yahoo has filled the vacancy in its CISO office, today announcing the hiring of former Twitter and Rapid7 security executive Bob Lord. Lord starts in his new role Nov. 9. He was most recently Rapid7’s CISO-in-residence; he has spent much of the last two decades in high-profile security positions...
TalkTalk Hackers Demand Ransom of CEO Dido Harding
Update: The U.K.’s Metropolitan Police Cyber Crime Unit this afternoon arrested a 15-year-old Northern Ireland boy in connection with the TalkTalk hack. The teen is alleged to have violated the Computer Misuse Act, a police statement said. He is being questioned at the County Antrim police station...
Cryptographers Concerned Over NSA's Deprecation of ECC
The National Security Agency has long cuddled up to Elliptic Curve Cryptography, swaying standards bodies away from RSA crypto and toward ECC in the late 1990s, as well as recommending it as a strong enough solution for sensitive government agencies to use in guarding their biggest secrets. In...
Mike Mimoso and Chris Brook Discuss the Apple and Oracle Patches, Facebook Detecting Nation-State Attacks and More
Mike Mimoso and Chris Brook discuss the news of the week: How Facebook will begin warning users of nation-state attacks, all the Apple and Oracle patches, and the latest attacks against the Network Time Protocol (NTP). Download: newswrap10-23-15.mp3 Music by Chris Gonsalves...
Joomla Update Patches Critical SQL Injection
Joomla on Thursday released a new version of its content management system, 3.4.5, that addresses a critical SQL injection vulnerability that could have let attackers gain access to data in the backend of any site running on the platform. The bug existed in versions 3.2 to 3.4.4 of the CMS, and...
Novel NTP Attacks Roll Back Time
Sharon Goldberg remembers the cold February day when her Boston University PhD candidate Aanchal Malhotra was studying routing security, in particular attacks against the Resource Public Key Infrastructure (RPKI), and kept hitting a dead end because of a cache-flushing issue. The resourceful Malhot...
Google App Engine for Java Security Vulnerabilities
A tweak carried out by Google in the Google App Engine for Java continues to stir up security concerns. Oracle this week patched the latest vulnerability in Java SE (the flaw also lives in Google’s platform-as-a-service entry) after it was privately disclosed by Java bug-hunters from Security...
Apple Patches Vulnerabilities in OS X, iOS, Including Pangu Jailbreak
It was only three weeks ago that Apple patched its core line of products and pushed its latest version of OS X, El Capitan. Yet another wave of patches arrived Thursday however to address scores of vulnerabilities in OS X, iOS, Safari, iTunes, and even the company’s smart watch operating system,...
Google Moving Gmail to Strict DMARC Implementation
By next summer, most of the major Web-based email providers will have implemented a policy of strictly adopting the DMARC protocol. Google, in a statement published Tuesday by DMARC.org, said it will move gmail.com to a policy of rejecting any messages that don’t pass the authentication checks...
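What “rejecting any messages that don’t pass the authentication checks” means in practice is the receiver-side DMARC evaluation of RFC 7489: look up the sender’s `_dmarc` TXT record, require that a passing SPF or DKIM result be aligned with the From: domain, and otherwise apply the published policy. The block below is an added illustration of that procedure, not Google’s or DMARC.org’s code; the domains and TXT records are constructed, the organizational-domain rule is simplified to the last two labels (real receivers use the Public Suffix List), and the hypothetical `lax.test` record shows the monitor-only `p=none` setting beside an enforcing `p=reject` record.

```python
"""Receiver-side DMARC evaluation (RFC 7489).

Added example, not Google's or DMARC.org's code. The domains and DNS records
below are constructed for the illustration.
"""
import random
from dataclasses import dataclass

# Constructed TXT records standing in for DNS lookups of _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.example.test": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; "
        "rua=mailto:dmarc-reports@example.test"
    ),
    # Monitor-only: failures are reported but still delivered.
    "_dmarc.lax.test": "v=DMARC1; p=none; rua=mailto:dmarc-reports@lax.test",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and apply RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment
    tags.setdefault("aspf", "r")   # relaxed SPF alignment
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment is an exact match; relaxed compares organizational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def lookup_policy(from_domain: str):
    """Return (tags, is_subdomain): the From: domain's own record if present,
    else the organizational domain's record (RFC 7489 section 6.6.3)."""
    for candidate in (from_domain, org_domain(from_domain)):
        record = DNS_TXT.get("_dmarc." + candidate.lower())
        if record:
            return parse_dmarc(record), candidate.lower() != from_domain.lower()
    return None, False


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header
    spf_result: str    # "pass"/"fail"/... for the MAIL FROM identity
    spf_domain: str    # the domain SPF was evaluated for
    dkim_result: str   # result for one verified DKIM signature
    dkim_domain: str   # its d= tag


def dmarc_disposition(r: AuthResults, sample=random.random) -> str:
    """Return 'pass', 'no-policy', 'none', 'quarantine' or 'reject'."""
    tags, is_subdomain = lookup_policy(r.from_domain)
    if tags is None:
        return "no-policy"  # nothing published: deliver as usual
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"  # one aligned, authenticated identifier is enough
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    # pct=N applies the policy to N% of failing mail and the next-weaker one to the rest.
    if policy != "none" and sample() * 100 >= int(tags["pct"]):
        policy = "quarantine" if policy == "reject" else "none"
    return policy


if __name__ == "__main__":
    spoof = AuthResults("example.test", "fail", "attacker.test", "none", "")
    print(dmarc_disposition(spoof))  # reject
```

Note the two ways a forgery fails here: SPF passing for an unrelated bounce domain is not aligned, and a valid DKIM signature from a subdomain does not satisfy `adkim=s`. A domain that publishes only `p=none` learns about both through aggregate reports but blocks neither, which is the gap Google’s move to `p=reject` closes for gmail.com.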
October 2015 Oracle Critical Patch Update
Oracle on Tuesday patched 154 vulnerabilities in 54 different products as part of its regularly scheduled Critical Patch Update. More than half of the patches, 84 to be exact, address vulnerabilities that Oracle claims may be remotely exploitable without authentication. Java SE is responsible for...
Microsoft .NET Core, ASP.NET Beta Bug Bounty
Microsoft today opened a bounty for the .NET Core and ASP.NET Beta, both of which are part of the Visual Studio development suite. The bounty will remain open through Jan. 20 and payouts will fall between $500 and $15,000 USD. Microsoft said only bugs in the .NET Core runtime (CoreCLR) and beta...
Let's Encrypt Free HTTPS Secures Cross-Signatures To Be A CA
The continued march toward encrypting every online connection hit a noteworthy milestone last night when Let’s Encrypt announced that it was officially a Certificate Authority. Let’s Encrypt is an open source movement to make HTTPS implementations simple and free of cost for domain owners. A mont...
Juan Andres Guerrero-Saade on the Dangers of APT Security Research
Juan Andres Guerrero-Saade from Kaspersky Lab’s Global Research & Analysis Team (GReAT) joins Ryan Naraine on the podcast to discuss the “identity crisis” in the anti-malware industry and the ethics and perils of investigating state-sponsored or geopolitically significant threats. READ The Ethics a...
Western Digital Self-Encrypting Drives Vulnerable
Some consumer-grade, self-encrypting external hard drives are littered with security vulnerabilities that render their encryption an afterthought. An academic paper published in late September took apart a number of drives manufactured by Western Digital that suffer from flaws that are trivial to...
Apple to Remove Apps Using Private APIs
Apple said it will remove 256 misbehaving apps from its App Store that were using private APIs to pull personal and device information that would allow a user to be tracked. SourceDNA, an analytics company that specializes in studying the iOS and Android mobile app stores, privately disclosed to...
Facebook to Notify Users of Targeted Attacks
Facebook will inform users when it believes their account is either being targeted by an attacker or has been compromised by a nation-state campaign. Alex Stamos, Facebook’s Chief Security Officer, announced the initiative in a post on Facebook’s Security page late Friday afternoon. Users...
BSIMM6 Data Shows Poor Health Care Software Security
The folks behind the Building Security in Maturity Model (BSIMM), its sixth iteration available today, tout the project as an intersection between science and computer security. “It’s more like a science experiment that escaped the test tube,” said Gary McGraw, chief technology officer of Cigital,...
Apple Patches Keynote, Mozilla Patches Firefox
Apple on Thursday patched a handful of vulnerabilities in several iterations of its Keynote, Pages, Numbers and iWork productivity software. The most serious of the security flaws allow an attacker to execute code on a compromised OS X computer running Yosemite 10.10.4 or later, or iOS 8.4 or lat...
Mike Mimoso and Chris Brook Discuss the Diffie-Hellman News, the Security of Android Devices, and More
Mike Mimoso and Chris Brook discuss the news of the week – how a weakness in the Diffie-Hellman protocol could be the key to breaking crypto, a paper that claims 85 percent of Android devices contain at least one critical vulnerability, and the Netgear debacle. Download: newswrap10-16-15.mp3 Musi...
Emergency Adobe Flash Zero Day Patch Arrives Ahead of Schedule
Adobe has decided to patch today the zero day vulnerability in Flash Player that was disclosed earlier this week, instead of next week as originally scheduled. According to a security bulletin Adobe posted this morning, the update actually fixes three vulnerabilities in the software, but the most...
NSA Exploiting Weak Diffie-Hellman Primes to Break Crypto
The great mystery since the NSA and other intelligence agencies’ cyber-spying capabilities became watercooler fodder has not been the why of their actions, but the how? For example, how are they breaking crypto to decode secure Internet communication? A team of cryptographers and computer...
Latest Microsoft Transparency Report Details Content Removal Requests
Microsoft launched a new transparency website this week that bundles reports detailing requests for data the company has received, including those from law enforcement, the government, and elsewhere. The page, which Microsoft is calling its Transparency Hub, is somewhat similar to what Apple did...
WordPress Fixes Stored XSS Vulnerability in Akismet
Developers at Automattic, the parent company behind the blogging platform WordPress, fixed a nasty stored cross-site scripting error this week in Akismet, an anti-spam plugin that figures into millions of websites. The bug was fixed Tuesday in an update, 3.1.5, according to Christopher Finke, an...
Emergency Adobe Flash Player Security Update
The latest version of Adobe Flash Player, which was made available on Tuesday, will have a short shelf life. Adobe will release an emergency Flash update next week after public attacks were carried out against a zero day vulnerability in the latest version of the software, 19.0.0.207, for Windows...
Dridex Banking Malware Takedown
Once word circulated of the arrest of a Moldovan man allegedly connected with the development and distribution of the Dridex banking malware, it was a matter of time before the operation was put out of business for good. The FBI, Department of Justice, the U.K.’s National Crime Agency and a numbe...
Researchers Find 85 Percent of Android Devices Insecure
Roughly 85 percent of Android devices have been exposed to one of 13 critical vulnerabilities that plague the operating system – and because of a chronic failure by carriers to issue patches, many linger without getting fixed for far too long, researchers said. Especially in the wake of...
Chrome 46 Patches, Mixed Content Warning Changes
Google has made some changes to the way it presents browser warnings in Chrome. Starting with Chrome 46, don’t expect to see the yellow warning icon on HTTPS pages with minor errors. Google announced on Tuesday that it would start marking those pages with the neutral icon it uses on unencrypted...
Magmi Magento Zero Day Under Attack
A zero-day in a popular plugin for the Magento ecommerce platform is under attack. Attackers are using a few IP addresses to scan for vulnerable versions of Magmi, which is an open source database client that imports data into Magento. “We’ve seen a couple hundred requests for this specific attac...
Cesar Cerrudo on Securing Smart Cities
IOActive Labs CTO Cesar Cerrudo talks to Ryan Naraine about major realistic security problems affecting technology implementations of smart cities — from traffic control systems to surveillance cameras and power grids — and warns that the damages from live attacks could be catastrophic. Download:...
October 2015 Microsoft Patch Tuesday Security Bulletins
Microsoft’s monthly release of security bulletins today is a relatively light load of patches to be tested and deployed. The real news, however, could be in a separate advisory in which it continues to deprecate the outdated RC4 encryption algorithm. Following its initial advisory in May that...
Dow Jones & Company Latest Financial Firm to Report Breach
The financial information firm Dow Jones & Company announced late last week that it’s the latest in an exhaustive list of companies this year to report a data breach. The News Corp.-owned company informed customers Friday that hackers managed to infiltrate their system in an apparent attempt to...
Netgear Patches Routers Under Attack
After a pair of very public disclosures in the last two weeks, Netgear published new firmware for vulnerabilities in its routers that have been publicly exploited. Researchers discovered as many as 10,000 routers had been taken over, according to data lifted from one of the command and control...