October 2015 Adobe Reader, Acrobat Flash Patches
Adobe today released a jumbo-sized Patch Tuesday update for Reader, Acrobat, and Flash, addressing a combined 69 critical vulnerabilities in the software, many of which can lead to information disclosure and code execution. The company warned about the bugs via a blog post at its Product Security...
Mike Mimoso and Chris Brook Discuss How a Campaign Using the Angler Exploit Kit Was Disrupted and More of the Week's News
Mike Mimoso and Chris Brook discuss the week in news–including how researchers disrupted a $30M campaign using the Angler Exploit Kit, how another researcher was forced to pull a talk from a conference, and how a practical SHA-1 collision could be months away, not years. Download:...
Apple Removes Apps That Expose Encrypted Traffic
Apple has purged its App Store of a number of apps that expose encrypted traffic via the installation of root certificates. Apple has declined to name the apps. “Apple has removed a few apps from the App Store that install root certificates that could allow monitoring of data,” Apple said today i...
Martijn Grooten on the Anti-Virus Industry, This Year's Virus Bulletin Conference, and More
Virus Bulletin’s Martijn Grooten joins Ryan Naraine on the podcast to talk about the changing face of the anti-virus industry, the emergence of APTs as a priority for anti-malware researchers and the highlights of the 25th annual VB Conference. Download: martijngrooten10915.mp3 Music by Chris...
European Aviation Agency Warns of Aircraft Hacking
The director of one of Europe’s top aviation agencies warned on Thursday that hackers could infiltrate critical systems in an airplane on the ground. Patrick Ky, director of the European Aviation Safety Agency, said a consultant hired by the agency—one who is a commercial pilot as well—exploited...
Practical SHA-1 Collision Attack Months Away
When Bruce Schneier made his oft-cited and mathematically sound projections about the life expectancy of the SHA-1 cryptographic algorithm, he didn’t think he was being conservative. “I thought I was being accurate given the information I had at the time,” Schneier said on Thursday. Schneier in...
October 2015 Adobe Acrobat Adobe Acrobat Patches
Adobe is expected next week to patch critical vulnerabilities in Acrobat and Reader. The company today gave advanced notification of the impending updates to both products. The patches will be released on Tuesday, which figures to be a busy day for system administrators given that Microsoft will...
Netgear Router Vulnerabilities Public Exploits
A vulnerability in Netgear routers, already disclosed by two sets of researchers at different security companies, has been publicly exploited. Netgear, meanwhile, has yet to release patched firmware, despite apparently having built one and confirmed with one of the companies that privately...
Amazon Web Services Inspector Application Security Scanner
Amazon answered many security and compliance prayers yesterday with the release of its Inspector tool. Inspector scans applications launched in Amazon Web Services instances, looking for issues on two fronts: compliance with certain regulations such as the Payment Card Industry Data Security...
Moker RAT Bypassing Security Measures, Evading Detection
Researchers warned Tuesday the latest APT to make the rounds features a remote access Trojan that can effectively mitigate security measures on machines and grant the attacker full access to the system. Experts with the Israeli cyber security start-up enSilo discovered the RAT – which they refer ...
Kemoge Malicious Adware Campaign
Google has been busy removing a number of apps from Google Play that are disguised as popular selections that are actually pushing what starts out as adware but eventually turns more malicious. Google has already yanked down a file-transfer app called ShareIt, developed by Zhang Long of China, wh...
Researchers Disrupt Angler Exploit Kit, $60 Million Ransomware Campaign
Researchers took a big step towards eradicating the Angler exploit kit, disrupting a large ransomware campaign connected to it that purportedly netted a hacker more than $30 million annually. According to a report published today, experts with Cisco’s Talos Security Intelligence and Research Grou...
Canceled HITB GSEC Singapore Presentation
With apologies to George R. R. Martin, the drama around legitimate security research is starting to rival anything the Starks, Lannisters and Targaryens could muster. Hardly a month goes by without some white-hat bug hunter wedged between a vendor or government threatening legal or regulatory...
Outlook Web Access Targeted Attack
Attackers aiming for lateral movement inside an enterprise network have done well in the past to target domain controller credentials. Researchers at Cybereason, however, have uncovered a targeted attack in which hackers were able to burrow onto the corporate network and steal thousands of...
Google Patches Stagefright 2.0 in Android OTA Nexus Update
Google today patched the latest round of Stagefright vulnerabilities in Android, pushing them out as part of its latest over-the-air update to Nexus devices. Stagefright 2.0, as it’s come to be known, affected the Stagefright media playback engine in Android and one billion devices dating back to...
YiSpecter Apple iOS Malware Distributes Adware
Researchers warned that the November unveiling of the WireLurker malware targeting Apple platforms could turn out to be a blueprint for Mac and iOS malware writers. While WireLurker was quickly squashed and proved to be fairly benign, its authors demonstrated how the abuse of Apple-issued...
Scottrade Breach Affects 4.6 Million Users
Discount brokerage firm Scottrade began firing off emails late last week, warning customers that as a result of a breach, their names and street addresses may have been stolen from its system. Scottrade’s statement on the incident, published on its site last Thursday doesn’t exactly rule out that...
Mike Mimoso and Chris Brook Discuss Gatekeeper, Stagefright 2.0, the Accidental Windows Update and More
Mike Mimoso and Chris Brook discuss the week in news–the latest Gatekeeper bypass in OS X, Stagefright 2.0, that accidental Windows Update, and Apple’s new privacy initiative. Download: newswrap10-2-15.mp3 Music by Chris Gonsalves...
Experian Breach Spills Personal Info of 15 Million T-Mobile Customers
A massive data breach at the credit-reporting agency Experian could wind up having major implications for 15 million T-Mobile customers. The telecom uses the agency, one of the “big three” credit reporting bureaus, to check the credit ratings of its customers. News broke last night however that a...
WordPress Jetpack Plugin Security Patch
After a few critical bugs were recently discovered and patched in the core WordPress engine—a rarity with WordPress-related security issues—order has apparently been restored with the discovery of a critical vulnerability in a popular plugin. Insecure plugins have been at the heart of numerous...
Dridex Banking Malware Infections Return
Conspicuously off the grid for close to two months, the Dridex banking Trojan made some noise Thursday morning when a large phishing campaign, primarily targeting victims in the U.K., was corralled by researchers at Palo Alto Networks. The phishing emails are laced with a Microsoft Word document...
Apple Patches 100+ Vulnerabilities in OS X, Safari, iOS
UPDATE Apple pushed out its latest operating system, El Capitan, yesterday, and while it boasts many security fixes, the update fails to address the outstanding vulnerability in Gatekeeper that came to light this week. The issue with Gatekeeper, as described yesterday by Patrick Wardle, the...
HTTPS Available as Opt-In for Blogspot
Google said on Wednesday it has made HTTPS available as an opt-in for its Blogspot publishing service. Google and other technology providers have been ramping up encryption rollouts in the two years since the publication of the Snowden documents began. To date, Google has encrypted Gmail, search,...
Android Stagefright 2.0 Vulnerabilities
When researcher Joshua Drake published details in August about critical Android vulnerabilities in the Stagefright media playback engine, he promised there would be more issues that he and others would find and report to Google’s Android security team. Today, Drake, vice president of platform...
Mystery Windows 7 Update An Accidental Test Update
A suspicious Windows 7 update today raised concern on a number of Microsoft and technology forums that the Windows Update service had been compromised. Microsoft, however, cleared the air several hours later admitting that the update was their mistake. “We incorrectly published a test update and...
Honeywell Experion PKS Security Vulnerabilities
Update – Unsupported versions of Honeywell distributed control system software are vulnerable to publicly available remote exploits. The Industrial Control System Cyber Emergency Response Team (ICS-CERT) published on Tuesday an advisory warning organizations to upgrade to supported versions of...
Apple Mac OS X Gatekeeper Bypass
Gatekeeper is Mac OS X’s guardian against rogue applications and malware sneaking into Apple’s famous walled garden. It’s also been a favorite target of researchers and advanced attackers desperate to gain control of Apple devices. Tomorrow at Virus Bulletin in Prague, researcher Patrick Wardle,...
Apple Clarifies Privacy Policy
Apple’s clarified and repackaged privacy policy is merely the storefront to a company-wide decision to make the safety and integrity of user data a differentiator among large technology companies, experts said. The new privacy policy appeared today filled with practical advice for users, describi...
Dyreza Dyre Trojan Phishing IT Supply Chain Credentials
The Dyreza Trojan long ago ceased its exclusive focus on stealing banking credentials, and has been blamed for its part in attacks against Salesforce.com customers, webhosts and registrars, online retailers and many more. Researchers at Proofpoint today published new information that indicates th...
SAP Fixes A Dozen Vulnerabilities in HANA
SAP patched a dozen holes in its in-memory management system, HANA, that could have led to SQL injection attacks, cross-site scripting (XSS) errors, and memory corruption vulnerabilities. Many of the bugs were addressed by the company months ago, but it wasn’t until Tuesday that Onapsis, the securi...
TrueCrypt Security Vulnerabilities Patched in VeraCrypt
TrueCrypt may be a fond memory for most of its users, but that hasn’t stopped researchers and hackers from poking about the open source encryption software. Recently, researchers from Google’s Project Zero team uncovered a pair of elevation of privilege vulnerabilities in TrueCrypt, both of which...
Hotel Chain Hilton Worldwide Investigating Potential POS Breach
Hilton Hotels and Resorts is reportedly looking into claims that some of its point-of-sale devices were compromised, some potentially as far back as November 2014. Security blogger Brian Krebs notes that Visa sent alerts to financial institutions warning of a breach from April 21 to July 27, but...
JavaScript-Based DDoS Peaks at 275,000 Requests Per Second
Two years ago at the Black Hat conference, WhiteHat Security researchers Jeremiah Grossman and Matt Johansen explained how hackers could in theory leverage an online ad network to distribute malicious JavaScript efficiently and quickly. Depending on how much money the attacker wanted to spend, th...
Yahoo Transparency Report Shows Requests for Data Up
Yahoo this week published its transparency report for the first six months of the year and the numbers indicate that government requests for data on its users are up slightly after a sharp dropoff for the report covering the last six months of 2014. Yahoo said that it received 5,221 government data...
Mozilla Addresses 14-Year-Old Bug in Firefox 41
Developers at Mozilla pushed out Firefox 41 this week and brought some much needed relief to Adblock Plus users by finally fixing a 14-year old bug in the browser. The update addresses a longstanding issue with how the browser handles memory usage by the add-on. Previously the browser created too...
DHS Alerts to Continuing Browser Cookie Vulnerabilities
In case you didn’t know or need a reminder, browser cookies aren’t exactly impervious to attack. The DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University this week dropped an alert that warns users about the continued prevalence of a class of cookie vulnerabilities...
Google Report Outlines Dependencies in the For-Profit Cybercrime Food Chain
Security specialists need to change the game and shift gears, researchers argue – instead of focusing on protecting their users and systems, they should narrow their sights on trying to shake up cybercrime’s seedy underbelly. At least that’s how Kurt Thomas and Elie Bursztein, researchers at...
Microsoft Revokes Leaked D-Link Certificates
Microsoft today revoked trust for the four digital certificates inadvertently leaked last week by networking gear manufacturer D-Link. Microsoft said it has modified its Certificate Trust List removing trust for the four certs, which could have been used to sign malicious code used in attacks. Th...
China PLA Unit 78020 Cyberespionage Naikon APT
Chinese president Xi Jinping is supposed to have dinner this evening with U.S. president Barack Obama. Wonder if the name Ge Xing will come up? Ge Xing is the subject of a joint report published this morning by ThreatConnect and Defense Group Inc., computer and national security service providers...
Cisco Fixes Denial of Service, Bypass Vulnerabilities in IOS
Cisco pushed out on Wednesday its usual semiannual round of patches for IOS, the software the company uses for most of its routers and switches. This month’s security advisories addressed four vulnerabilities, three of which could lead to denial of service situations, and another that could have let...
5.6 Million Fingerprints Stolen In OPM Hack
It turns out roughly 5.6 million federal employees may have had their fingerprints stolen as part of this year’s mammoth Office of Personnel Management breach – a figure five times what the agency initially announced in June. OPM press secretary Sam Schumach broke the bad news Wednesday morning,...
XcodeGhost Apple AppStore Malware
As more eyes peer into XcodeGhost, the malware that managed to sneak into Apple’s App Store, more trouble bubbles to the surface. Researchers at Palo Alto Networks said in an updated report that the malware contains a vulnerability that allows an attacker in man-in-the-middle position to control...
Control Flow Guard Mitigation Bypass
Introduced in Windows 8.1 Update 3 and Windows 10, Control Flow Guard was Microsoft’s latest antidote to memory-corruption attacks. The technology was meant to stand up to attacks that had long ago figured out how to bypass previous-generation protections such as Address Space Layout Randomizatio...
Federal CISOs Propose New Efforts to Shore Up Govt. Cybersecurity
Nearly six months removed from the OPM hack and with many government departments still reeling when it comes to security, several federal chief information security officers volunteered a handful of new ideas at last week’s Billington Cybersecurity Summit in Washington, D.C. to combat future hacks...
HackerOne Vulnerability Coordination Maturity Model
The proliferation of independent and vendor-sponsored bug bounties has not only put some money in researchers’ pockets, but has also forced enterprises—and software makers—to put processes in place to handle outside bug reports. “Saying you want one is not enough,” said Katie Moussouris, chief...
Apple watchOS2 security patches
Apple today brought a smile to the face of gadget geeks with the release of watchOS2, and for the second time in five months, a new version of the Apple Watch operating system brought with it a flurry of security patches. This round includes more than a dozen code execution vulnerabilities in a...
South Korean Child Monitoring App Beset by Vulnerabilities, Privacy Issues
A South Korean child monitoring app is so fraught with vulnerabilities that security researchers warn it could lead to the compromise of users’ accounts, disclosure of minors’ information, and a smattering of other issues. Researchers with the Canadian watchdog group Citizen Lab discovered 26...
XcodeGhost iOS App Malware Contained
Concern over the so-called XcodeGhost malware has put the security of Apple’s App Store on the front page. While the App Store was not hacked, attackers did manage to append malicious code to a number of popular apps—most of those developed in China—and find a loophole in Apple’s code-scanning to...
Adobe Patches 23 Vulnerabilities in Flash Player
Adobe has released a Flash Player update that addresses 23 critical vulnerabilities in the software, many of which can lead to code execution. Version 18.0.0.231 and earlier of Flash Player for Windows and Mac, Microsoft Edge and Internet Explorer 11 in Windows 10, and Internet Explorer 10 and 11, a...
Zerodium Hosts Million-Dollar iOS 9 Bug Bounty
Exploit vendor Zerodium, a company started by VUPEN founder Chaouki Bekrar, today announced it will host a month-long million-dollar bug bounty focused on Apple iOS 9. Bekrar said in a statement there is a $3 million pool available for the bounty, which will close on Oct. 31 or earlier if the tot...