Lucene search

15946 matches found

ThreatPost
added 2015/09/18 11:1 a.m., 12 views

Google Outlines Plans to Deprecate RC4, SSLv3

As expected, Google formally announced its intent to move away from the stream cipher RC4 and the SSLv3 protocol this week, citing a long history of weaknesses in both. Adam Langley, a security engineer for the company, announced the plans through a blog post on Thursday. While there isn’t a...

AI score: 7.2
Exploits: 0, References: 5

ThreatPost
added 2015/09/18 10:21 a.m., 15 views

D-Link Private Code-Signing Keys Leaked

A simple mistake by networking gear manufacturer D-Link could have opened the door for costly damage. Private keys used to sign software published by D-Link were found in the company’s open source firmware packages. While it’s unknown whether the keys were used by malicious third parties, the...

AI score: 1
Exploits: 0, References: 3

ThreatPost
added 2015/09/17 4:7 p.m., 18 views

Apple Addresses Dozens of Vulnerabilities, Embraces Two-Factor Authentication in iOS 9

Apple pushed out iOS 9 Wednesday, addressing a cornucopia of vulnerabilities, including bugs that could lead to arbitrary code execution, credential leakage, and interface spoofing, among other issues. Conspicuously absent from the update, however, is a fix for the vulnerability in AirDrop that...

AI score: 1.3
Exploits: 0, References: 4

ThreatPost
added 2015/09/17 1:12 p.m., 17 views

Bugzilla Privilege Escalation Security Patch

Developers and organizations that use the Bugzilla open source bug-tracking system should upgrade to current versions after the disclosure of details of a vulnerability in its email-based permissions process. The flaw, CVE-2015-4499, was patched last week in versions 4.2.15, 4.4.10 and 5.0.1 afte...

CVSS: 7.5, AI score: 0.9, EPSS: 0.03371
Exploits: 1, References: 5

ThreatPost
added 2015/09/17 1:0 p.m., 14 views

Dennis Fisher On Security, Journalism, and the Origins of Threatpost

Ryan Naraine hijacks the podcast to talk with Dennis Fisher about the origins of Threatpost, his time as a security reporter, the changes in the industry, and what’s next on the horizon. Download: lastdigitalundergroundever.mp3 Music by Chris Gonsalves...

AI score: 0.5
Exploits: 0, References: 2

ThreatPost
added 2015/09/17 9:13 a.m., 5 views

Dutch Police Arrest Alleged CoinVault Ransomware Authors

Ransomware has emerged as a major threat to consumers and businesses in recent years, and law enforcement agencies and security researchers have taken note. Authorities last year disrupted the Cryptolocker ransomware operation and now Dutch police have arrested two young men they believe are involv...

AI score: 0.8
Exploits: 0, References: 5

ThreatPost
added 2015/09/16 4:15 p.m., 10 views

Schneider Electric StruxureWare Building Expert Security Patch

Industrial control manufacturer Schneider Electric has published new firmware for its StruxureWare Building Expert building automation system that patches a remotely exploitable vulnerability. Researcher Artyom Kurbatov discovered that the system transmits user credentials in plaintext between th...

AI score: 0.3
Exploits: 0, References: 6

ThreatPost
added 2015/09/16 2:6 p.m., 10 views

Android Lockscreen Bypass Security Patch

Boredom led John Gordon to discover a technique that bypassed the lockscreen on his Android device. By entering a long string of random characters into the password field after opening the phone’s camera app, Gordon said he was able to get to the home screen and eventually access anything stored ...

AI score: 7.2
Exploits: 0, References: 2

ThreatPost
added 2015/09/16 1:45 p.m., 7 views

Spam Campaign Continuing to Serve Up Malicious .js Files

A malicious spam campaign that’s been doling out zipped Javascript .js files remains an issue, the SANS Internet Storm Center warns. The campaign was spotted earlier this year, but Brad Duncan, a handler for the site and researcher with Rackspace’s information security operations center, claims...

AI score: 0.1
Exploits: 0, References: 4

ThreatPost
added 2015/09/16 11:2 a.m., 11 views

Scan of Internet for Compromised Cisco Routers Finds Fewer Than 100

A day after researchers detailed a technique that attackers are using to upload malicious firmware images to Cisco routers, academic researchers say they have scanned the entire IPv4 address space and discovered a total of 79 likely compromised routers. The researchers at the University of Michig...

Exploits: 0, References: 3

ThreatPost
added 2015/09/16 7:26 a.m., 14 views

Bug in iOS and OSX Allows Writing of Arbitrary Files Via AirDrop

There is a major vulnerability in a library in iOS that allows an attacker to overwrite arbitrary files on a target device and, when used in conjunction with other techniques, install a signed app that the device will trust without prompting the user with a warning dialog. The vulnerability lies ...

AI score: 0.3
Exploits: 0, References: 3

ThreatPost
added 2015/09/15 3:17 p.m., 8 views

Let's Encrypt Issues First Cert

Let’s Encrypt, a movement to issue free and automated HTTPS certificates, today hit a major milestone when its first cert went live. The desire to encrypt web-based services has accelerated projects such as Let’s Encrypt, which was announced last November, and promised by the close of this summer...

AI score: 0.1
Exploits: 0, References: 4

ThreatPost
added 2015/09/15 3:10 p.m., 9 views

WordPress Shortcodes Security Patch

WordPress core engine security vulnerabilities aren’t rare, but they are uncommon. Most issues affecting the integrity of sites running on the content management system are introduced by third-party plugins and put those sites at risk for a host of attacks. Today WordPress upgraded to version 4.3...

AI score: 8.3
Exploits: 0, References: 5

ThreatPost
added 2015/09/15 1:20 p.m., 9 views

CoreBot Adds New Capabilities, Transitions to Banking Trojan

As researchers expected it would, CoreBot, the credential-stealing malware that surfaced last month, has added a bevy of new capabilities and reinvented itself as a robust banking Trojan. Researchers said the malware shares more similarities with Dyre, another high profile banking Trojan, than a...

AI score: 7
Exploits: 0, References: 4

ThreatPost
added 2015/09/15 9:38 a.m., 12 views

Attackers Replacing Firmware on Cisco Routers

Cisco routers are built into the fabric of the Internet and enterprise networks, a fact that makes them highly attractive targets for attackers. Researchers at FireEye have come across attacks recently in which hackers have been modifying the firmware of Cisco routers and using that foothold to...

AI score: 0.8
Exploits: 0, References: 3

ThreatPost
added 2015/09/14 1:44 p.m., 10 views

DARPA Protecting Software From Reverse Engineering Through Obfuscation

Researchers with a DARPA-led team are looking into new ways to combat reverse engineering by using obfuscation to tidy up shoddy commercial and government security. Researchers with the unit, dubbed the SafeWare program, are hoping to develop new methods, bolstered by encryption, to obscure...

AI score: 0.4
Exploits: 0, References: 5

ThreatPost
added 2015/09/14 1:35 p.m., 16 views

New Debian Releases Fix PHP, VirtualBox Bugs

The maintainers of Debian have released new packages to fix several vulnerabilities, including a number of bugs in PHP and an unspecified flaw in Oracle’s VirtualBox application. Among the patches is one for the VirtualBox bug, which is difficult to describe, because Oracle no longer publishes an...

AI score: 2.4
Exploits: 0, References: 4

ThreatPost
added 2015/09/14 9:52 a.m., 14 views

Installation of Tor Relays in Libraries Attracts DHS Attention

The Tor Project recently started a program to help libraries install Tor relays as a way to protect the privacy of patrons and other Internet users. The program didn’t get too far, however, as the first library to install a relay had to turn it off after town police officials were contacted by...

Exploits: 0, References: 3

ThreatPost
added 2015/09/11 1:7 p.m., 19 views

Researchers Outline Bugs in Yahoo, PayPal, Magento

Researchers recently discovered a smattering of vulnerabilities in web applications and mobile applications belonging to companies like Yahoo, PayPal, Magento, and Shopify that could have led to account theft, session hijacking, and phishing, among other consequences. Hadji Samir, Ebrahim Hegazy,...

AI score: 7
Exploits: 0, References: 6

ThreatPost
added 2015/09/11 9:19 a.m., 10 views

Series of Buffer Overflows Plague Many Yokogawa OCS Products

There is a series of stack buffer overflows in nearly 20 ICS products manufactured by Japanese vendor Yokogawa that can lead to remote code execution. The bugs affect a long list of the company’s products, which are used in a variety of industries around the world. The Yokogawa products are mainl...

AI score: 3.3
Exploits: 0, References: 2

ThreatPost
added 2015/09/11 9:11 a.m., 14 views

Gary McGraw on Scalable Software Security and Medical Device Security

Dennis Fisher talks to Gary McGraw about the challenges of scaling software security programs, the FTC’s security programs, and the current push for better security in medical devices. Download: digitalunderground220.mp3 Music by Chris Gonsalves...

AI score: 1.8
Exploits: 0, References: 2

ThreatPost
added 2015/09/11 8:16 a.m., 9 views

IOT Security Pits Regulators Against Market

CAMBRIDGE, Mass. – Listening to today’s privacy panel at the Security of Things Forum, you might have thought you were beamed back to the early 2000s: government people hinting that legislation might be the ultimate solution for security and privacy concerns when it comes to embedded computers an...

AI score: 7.5
Exploits: 0, References: 3

ThreatPost
added 2015/09/10 2:14 p.m., 34 views

Password Cracking Group Decodes 11 Million Ashley Madison Passwords

A San Diego-based password cracking group has taken a big step towards deciphering some of the 36 million odd passwords leaked in last month’s Ashley Madison breach, a move that could quickly lead to the widespread hacking of any users who used the same password on other services. Hackers had...

AI score: 0.7
Exploits: 0, References: 3

ThreatPost
added 2015/09/10 11:40 a.m., 9 views

Chris Valasek Security of Things Forum Keynote

CAMBRIDGE, Mass. – Chris Valasek and Charlie Miller’s car hacking research put a crunching reality on Internet of Things security, moving it beyond almost clichéd discussions of smart refrigerators leaking inconsequential data, to hackers remotely manipulating car brakes. But Furby hacking matter...

AI score: 0.4
Exploits: 0

ThreatPost
added 2015/09/10 10:36 a.m., 13 views

Pair of Drupal Modules Patch Access Bypass Flaws

A pair of modules included in the Drupal content management system have been updated to fix access bypass vulnerabilities that could allow an attacker to take actions on the behalf of some users. One of the modules fixed is the Twitter module, which allows users to take a variety of actions,...

AI score: 4.5
Exploits: 0, References: 2

ThreatPost
added 2015/09/10 9:9 a.m., 11 views

NY Health Provider Excellus Discloses Data Breach Dating to 2013

Excellus BlueCross BlueShield, a large health care provider in New York state, says it was hit by an attack that began in 2013 and wasn’t discovered until last month, resulting in the compromise of members’ personal information, including Social Security numbers, addresses, financial and account...

AI score: 2.5
Exploits: 0, References: 3

ThreatPost
added 2015/09/09 3:3 p.m., 57 views

FTC, Experts Push Startups to Think About Security From the Beginning

About a decade ago, many large software makers learned some very difficult lessons about software security and building security into their products from the start. Some are still learning. The FTC and a variety of security experts are hoping that today’s crop of start-ups will not have to go...

CVSS: 9.3, AI score: 8.5, EPSS: 0.99945
Exploits: 33, References: 4

ThreatPost
added 2015/09/09 12:24 p.m., 13 views

Musical Chairs Campaign Found Deploying New Gh0st RAT Variant

Researchers have peeled back the layers on a new campaign that spans multiple years and involves a new variant of the ubiquitous Gh0st remote access tool (RAT). The campaign, now believed to be in its sixth year, is dubbed Musical Chairs, according to new research from Palo Alto Networks published...

AI score: 0.6
Exploits: 0, References: 1

ThreatPost
added 2015/09/09 12:6 p.m., 39 views

Android Stagefright Exploit Code Released to Public

Joshua Drake, the researcher who found the so-called Stagefright vulnerability in Android, today released exploit code to the public, which he hopes will be used to test systems’ exposure to the flaw. The move comes more than a month after vulnerability details were released in August during...

CVSS: 10, AI score: 7.4, EPSS: 0.99064
Exploits: 6, References: 6

ThreatPost
added 2015/09/09 10:11 a.m., 12 views

Security of iMessage System Comes to the Fore Again

The iMessage system, like much of what Apple does, is mostly a black box. The company doesn’t talk much about how the system works, and although some security researchers found a couple years ago that Apple could read users’ encrypted messages if they so choose, law enforcement has had no luck in...

AI score: 6.6
Exploits: 0, References: 5

ThreatPost
added 2015/09/09 9:0 a.m., 16 views

Turla APT Group Abusing Satellite Internet Links

Poorly secured satellite-based Internet links are being abused by nation-state hackers, most notably by the Turla APT group, to hide command-and-control operations, researchers at Kaspersky Lab said today. Active for close to a decade, Turla’s activities were exposed last year; the Russian-speaki...

AI score: 0.7
Exploits: 0, References: 7

ThreatPost
added 2015/09/09 8:0 a.m., 10 views

Jessy Irwin on Password Security, Opsec and User Education

Dennis Fisher talks with Jessy Irwin of 1Password about her path into the security world, the many security challenges in the education sector, the password-security problem, and security jewelry. Download: digitalunderground219.mp3 Music by Chris Gonsalves...

AI score: 1.4
Exploits: 0, References: 3

ThreatPost
added 2015/09/08 3:19 p.m., 77 views

September 2015 Microsoft Patch Tuesday Security Bulletins

Microsoft today patched a vulnerability in its graphics component present in Windows, Office and Lync that has been publicly attacked, and is one of five vulnerabilities patched this month that have been publicly disclosed. Microsoft released a dozen bulletins today, five of them it rates critica...

CVSS: 9.3, AI score: 0.8, EPSS: 0.99945
Exploits: 35, References: 12

ThreatPost
added 2015/09/08 3:9 p.m., 53 views

Flawed TLS Implementations Leak RSA Keys

A number of TLS software implementations contain vulnerabilities that allow hackers with minimal computational expense to learn RSA keys. Florian Weimer, a researcher with Red Hat, last week published a paper called “Factoring RSA Keys With TLS Perfect Forward Secrecy” that demonstrated...

CVSS: 4.3, AI score: 0.2, EPSS: 0.03307
Exploits: 0, References: 1

ThreatPost
added 2015/09/08 3:1 p.m., 9 views

Gozi Co-Author Pleads Guilty As Authors Behind Citadel, Dridex Arrested

The author behind one strain of banking malware, Gozi, has pleaded guilty and is awaiting sentencing while two other men, who allegedly had a hand in developing the banking malware Citadel and Dridex, were recently apprehended. Latvian Deniss Calovskis, 30, acknowledged in a federal court in New Yo...

AI score: 0.7
Exploits: 0, References: 12

ThreatPost
added 2015/09/08 12:43 p.m., 17 views

September 2015 Adobe Shockwave Security Patch

Adobe today released a new version of its Shockwave Player that patches two critical vulnerabilities that could be remotely exploited. Adobe said that it is not aware of public exploits for either security flaw. The vulnerability affects Shockwave for Windows, versions 12.1.9.160 and earlier and...

CVSS: 10, AI score: 1.1, EPSS: 0.05603
Exploits: 0, References: 5

ThreatPost
added 2015/09/08 11:41 a.m., 12 views

eBay Fixes XSS Flaw in Subdomain

There was a cross-site scripting vulnerability in an eBay domain that could have allowed an attacker to steal users’ session cookies and take over their accounts. The company has removed the vulnerable page, according to the researcher who discovered the bug and disclosed it to eBay, Aditya Sood...

AI score: 0.5
Exploits: 0, References: 1

ThreatPost
added 2015/09/08 9:38 a.m., 10 views

Government Releases Policy on Vulnerability Discovery and Disclosure

After more than a year of legal wrangling, the federal government has agreed to hand over its policy on vulnerability use and disclosure. The government had said that the policy was classified and too sensitive to release, but relented late last week and sent the document to the EFF, albeit a...

AI score: 0.9
Exploits: 0, References: 2

ThreatPost
added 2015/09/04 3:45 p.m., 10 views

Attacker Compromised Mozilla Bug System, Stole Private Vulnerability Data

Security experts constantly tell users not to reuse passwords on multiple accounts, but the message often falls on deaf ears. Now, officials at Mozilla are finding that advanced users don’t always follow that advice either after discovering that an attacker was able to compromise a Bugzilla user’...

AI score: 1.5
Exploits: 0, References: 5

ThreatPost
added 2015/09/04 9:50 a.m., 11 views

Feds Change Policy to Require Warrant for Use of Stingrays

The Department of Justice has established a new policy that requires federal law enforcement agents–and state and local agencies working with the department–to obtain search warrants in order to use Stingray devices. The change is a major one, as agents will now need to show probable cause before...

AI score: 6.8
Exploits: 0, References: 5

ThreatPost
added 2015/09/04 9:0 a.m., 17 views

Dennis Fisher and Mike Mimoso Discuss the Week in News: Chinese Sanctions, Doing Away with RC4, and Mobile Pwn2Own

Dennis Fisher and Mike Mimoso talk about the potential US sanctions against China over cyberespionage, the browser vendors dumping RC4, the trouble at Mobile Pwn2Own and more security news of the week. Download: digitalunderground218.mp3 Music by Chris Gonsalves...

AI score: 3.6
Exploits: 0, References: 2

ThreatPost
added 2015/09/04 8:30 a.m., 12 views

Citing Wassenaar, HP Pulls out of Mobile Pwn2Own

More evidence of the potential chilling effect the Wassenaar Arrangement could have on security research surfaced this week when it was revealed HP has decided not to take part in November’s Mobile Pwn2Own hacking contest in Japan. Dragos Ruiu, who organizes the CanSecWest and PacSecWest...

AI score: 7.2
Exploits: 0, References: 3

ThreatPost
added 2015/09/03 1:40 p.m., 8 views

Cisco Patches File Overwrite Bug in IMC Supervisor and UCS Director

Cisco has patched a remote file-overwrite vulnerability in a couple of its products that could allow an attacker to replace arbitrary files and cause target systems to become unstable. The vulnerability affects the Cisco Integrated Management Controller Supervisor and UCS Director software. The...

AI score: 1.9
Exploits: 0, References: 1

ThreatPost
added 2015/09/03 10:50 a.m., 14 views

New Android Ransomware Communicates over XMPP

A new strain of Android ransomware disguised as a video player app uses a means of communication unseen in other similar malware. Most of the victims are in the United States and the mobile crypto-ransomware scam seems to be profitable according to researchers at Check Point Software Technologies...

AI score: 0.3
Exploits: 0, References: 4

ThreatPost
added 2015/09/03 10:15 a.m., 17 views

How I Got Here: Window Snyder

Dennis Fisher talks with Window Snyder of Fastly about her early interest in technology, what it was like meeting the L0pht crew at the MIT Flea as a teenager, her time at @stake, working on XP SP2 at Microsoft, Apple’s security evolution and much more. Download: 18snyder.mp3 Music by Chris...

AI score: 1.5
Exploits: 0, References: 3

ThreatPost
added 2015/09/03 8:57 a.m., 14 views

New Versions of Carbanak Banking Malware Seen Hitting Targets in U.S. and Europe

New variants of the notorious Carbanak Trojan have surfaced in Europe and the United States, and researchers say that the malware now has its own proprietary communications protocol and the samples seen so far have been digitally signed. Carbanak has been in use for several years, and researchers...

AI score: 1.1
Exploits: 0, References: 2

ThreatPost
added 2015/09/02 2:21 p.m., 10 views

Netflix Sleepy Puppy Cross-Site Scripting Payload Framework

Most automated scanning and security tools that ferret out cross-site scripting vulnerabilities don’t do much analysis beyond the target application. Netflix this week, however, released to open source a tool developed in-house that persists beyond the target app and can flag potential XSS troubl...

AI score: 0.3
Exploits: 0, References: 4

ThreatPost
added 2015/09/02 12:49 p.m., 12 views

OPM Hack Victims Still Haven't Been Notified

Millions of government workers whose information was implicated in this year’s expansive Office of Personnel Management hack still haven’t been notified, the agency revealed this week. The agency announced Tuesday that it would contact 21.5 million federal employees and contractors “later this...

AI score: 1.2
Exploits: 0, References: 6

ThreatPost
added 2015/09/02 8:48 a.m., 37 views

Google Chrome 45 Security Patches, Bug Bounty Awards

Tuesday turned out to be a busy day for browser makers. The three major vendors in the space (Google, Mozilla, and Microsoft) joined arms and announced their intent to stop support for the weakened RC4 encryption algorithm starting early next year. Google, having already announced it would pause...

CVSS: 7.5, AI score: 9.3, EPSS: 0.0224
Exploits: 2, References: 17

ThreatPost
added 2015/09/01 2:36 p.m., 11 views

Encryption, Lock Mechanism Vulnerabilities Plague Lock App AppLock

Multiple weaknesses exist in AppLock, a popular lock application for Android devices that boasts more than 100 million users. A researcher is claiming that the app, which is supposed to securely store photos, videos and other apps, doesn’t really use encryption to do so, it simply hides the files...

AI score: 7.5
Exploits: 0, References: 2

Total number of security vulnerabilities: 15946