
15946 matches found

ThreatPost
added 2015/08/13 1:53 p.m. | 11 views

Android Zero Day in Admin App Can Bypass Sandbox

The Android security team at Google is having a busy month. First the Stagefright vulnerabilities surfaced last month just before Black Hat and now researchers at MWR Labs have released information on an unpatched vulnerability that allows an attacker to bypass the Android sandbox. The...

AI score: 0.3
Exploits: 0 | References: 2

ThreatPost
added 2015/08/13 1:0 p.m. | 34 views

Stagefright Patch Incomplete Leaving Android Devices Still Exposed

Google today released to open source a new patch for the infamous Stagefright vulnerability found in 950 million Android devices after researchers at Exodus Intelligence discovered the original patch was incomplete and Android devices remain exposed to attack. “We’ve already sent the fix to our...

CVSS: 10 | AI score: 7.3 | EPSS: 0.90483
Exploits: 6 | References: 5

ThreatPost
added 2015/08/13 11:23 a.m. | 16 views

OpenSSH 7.0 Fixes Four Flaws

A new version of OpenSSH has been released, fixing four security vulnerabilities and a number of non-security related bugs. OpenSSH 7.0 includes patches for a use-after-free vulnerability and three other flaws, two of which only affect Portable OpenSSH. The maintainers of the software also gave...

AI score: 2.4
Exploits: 0 | References: 1

ThreatPost
added 2015/08/13 10:5 a.m. | 11 views

Lenovo Hit With Criticism Over Second Rootkit-Like Utility

Lenovo is under fire again for installing a covert utility on laptops and desktops that some users have compared to a rootkit. The issue stems from a utility called the Lenovo Service Engine, that is designed to collect some system information and send it to Lenovo at the time the machine connect...

Exploits: 0 | References: 3

ThreatPost
added 2015/08/12 7:0 p.m. | 18 views

Facebook Internet Defense Prize Doubles Payout

Facebook tonight awarded a $100,000 prize to a team of Georgia Tech researchers who found a new class of browser-based memory-corruption vulnerabilities and built a corresponding detection technique. The award brings the social media giant on par with Microsoft and its six-figure payouts for...

AI score: 7.6
Exploits: 0 | References: 5

ThreatPost
added 2015/08/12 3:59 p.m. | 14 views

Vulnerabilities Identified in Several WordPress Plugins

Researchers have identified a handful of vulnerabilities present in three different plugins used by the content management system WordPress. The issues, most of which are cross-site scripting (XSS) vulnerabilities, could give some users administrative privileges, warns dxw Security, a British firm...

AI score: 6
Exploits: 0 | References: 6

ThreatPost
added 2015/08/12 2:1 p.m. | 8 views

Cisco Warns Customers About Attacks Installing Malicious IOS Bootstrap Images

Cisco is warning enterprise customers about a spike in attacks in which hackers use valid credentials on IOS devices to log in as administrators and then upload malicious ROMMON images to take control of the devices. The ROM Monitor is the program that initializes the hardware and software on IOS...

AI score: 3.2
Exploits: 0 | References: 1

ThreatPost
added 2015/08/12 10:49 a.m. | 77 views

Microsoft Patches USB-Related Flaw Used in Targeted Attacks

It used to be that dropping a USB stick in a parking lot in the hope that someone plugs the malicious peripheral into an important computer was the realm of penetration testers and ambitious nation-state actors. That’s just not so anymore. The practice has gone mainstream, even infiltrating popul...

CVSS: 9.3 | EPSS: 0.99945
Exploits: 47 | References: 9

ThreatPost
added 2015/08/12 10:22 a.m. | 16 views

Firefox 40 Begins Warning Users About Unsigned Add-Ons

With Tuesday’s release of Firefox 40, Mozilla has begun the process of requiring all add-ons for the browser to be signed. The company announced the forthcoming change in February, and Firefox 40 is the first version to warn users about unsigned add-ons. The goal for the change in policy is to...

AI score: 0.9
Exploits: 0 | References: 3

ThreatPost
added 2015/08/12 9:23 a.m. | 13 views

Twitter Adds Email Privacy Data to Transparency Report

The number of information requests Twitter is receiving from the United States government is increasing steadily, having risen roughly 50 percent in the first six months of this year compared to the last six months of 2014. In its latest transparency report, Twitter said that it received 2,436...

AI score: 6.8
Exploits: 0 | References: 5

ThreatPost
added 2015/08/11 2:56 p.m. | 34 views

August 2015 Microsoft Patch Tuesday Security Bulletins

Microsoft Edge wasted no time making its presence felt on Patch Tuesday today when Microsoft released the first security bulletin for the company’s new browser. Released two weeks ago along with the public debut of Windows 10, Edge, like its big brother Internet Explorer, got its own critical...

CVSS: 9.3 | AI score: 9.1 | EPSS: 0.99945
Exploits: 33 | References: 17

ThreatPost
added 2015/08/11 2:52 p.m. | 9 views

Hack That Fueled Insider Trading Ring Netted $100M

Hackers based in Ukraine and Russia allegedly broke into servers belonging to several newswires and passed sensitive information onto an underground trading ring as part of what’s being referred to as an unprecedented new level of insider trading. Prosecutors claimed Tuesday that corporate...

AI score: 0.4
Exploits: 0 | References: 2

ThreatPost
added 2015/08/11 2:43 p.m. | 10 views

Oracle CSO: You 'Must Not Reverse Engineer Our Code'

UPDATE–Oracle, never the most researcher-friendly software vendor, has taken its antagonism to another level after publishing a blog post by CSO Mary Ann Davidson that rails against reverse engineering and saying that the company has no need for researchers to look at Oracle’s code for...

AI score: 7.2
Exploits: 0 | References: 1

ThreatPost
added 2015/08/11 1:15 p.m. | 9 views

Huge Flash Update Patches More Than 30 Vulnerabilities

Adobe has released a massive update for Flash, the application that has become the Internet’s problem child. The update contains patches for more than 30 vulnerabilities in Flash on Windows, OS X, and Linux. Adobe pushed out the fixes on Tuesday afternoon, the latest in a long series of fixes for...

AI score: 1.3
Exploits: 0 | References: 4

ThreatPost
added 2015/08/11 12:33 p.m. | 23 views

Android 'Serialization' Vulnerability Affects 55 Percent of Devices

Google has patched a severe Android vulnerability that researchers at IBM said impacts more than 55 percent of devices. As with most Android vulnerabilities, users are reliant on handset makers and carriers to push patches downstream to devices, something they’ve not always been diligent about. I...

Exploits: 1 | References: 5

ThreatPost
added 2015/08/11 10:23 a.m. | 9 views

Sen. Warren Worried About Banks' New Encrypted Messaging Platform

UPDATE–The list of politicians in Washington wringing their hands over the increasing use of encryption by consumers and businesses is growing longer by the day. Sen. Elizabeth Warren added her name to that list on Monday. Warren (D-Mass.) sent a letter to Attorney General Loretta Lynch expressing...

AI score: 1.2
Exploits: 0 | References: 1

ThreatPost
added 2015/08/10 1:19 p.m. | 10 views

Researchers Unveil Square Reader Mobile POS Hacks

It wasn’t long ago when hacking a point-of-sale system meant deploying a RAM scraper at a retailer, sitting back and watching the credit card numbers roll in. Now that POS has gone mobile with vendors such as Square, Intuit, Revel and others using hardware fobs connected to smartphones and tablet...

AI score: 0.5
Exploits: 0 | References: 2

ThreatPost
added 2015/08/10 11:19 a.m. | 13 views

Darkhotel APT Latest to Use Hacking Team Zero Day

The fallout from the HackingTeam data dump shows no signs of abating. Since the controversial surveillance software maker was hacked and 400 Gb of its data posted online in early July, a handful of zero-day vulnerabilities and exploits were publicly leaked and continue to find their way into the...

Exploits: 0 | References: 5

ThreatPost
added 2015/08/10 11:13 a.m. | 12 views

Privacy Badger 1.0 Released With Support For EFF Do Not Track Policy

The EFF has released the 1.0 version of Privacy Badger, its browser extension that blocks the hidden trackers used on many sites to follow users around the Web. The extension has been out in beta form for several months and has drawn praise from privacy advocates for its ability to block trackers...

AI score: 0.8
Exploits: 0 | References: 3

ThreatPost
added 2015/08/10 9:46 a.m. | 7 views

Mozilla Patches Bug Used in Active Attacks

UPDATE–Mozilla has released a patch for a vulnerability in Firefox that was discovered when a user found it being actively exploited in the wild. The bug affects Firefox’s PDF viewer and Mozilla officials said that the exploit being used by attackers right now looked for specific files on a...

AI score: 0.5
Exploits: 0 | References: 1

ThreatPost
added 2015/08/07 9:0 a.m. | 411 views

Manipulating Microsoft WSUS to Own Enterprises

LAS VEGAS – Windows Server Update Services (WSUS) is your friend, if you run an enterprise IT shop, because it facilitates the download and distribution of security patches, service pack installations and hardware driver updates among others. Two researchers this week at the Black Hat conference,...

CVSS: 9.3 | AI score: 0.8 | EPSS: 0.99945
Exploits: 33 | References: 2

ThreatPost
added 2015/08/06 5:26 p.m. | 13 views

'Prohibition Era' Of Security Research May Be Ahead

LAS VEGAS–Export controls have become a dirty phrase in the security community, especially among researchers, pen testers, and others who rely on vulnerability information and exploits to do their jobs. And if the Wassenaar Arrangement rules proposed by the United States aren’t modified...

AI score: 0.7
Exploits: 0 | References: 2

ThreatPost
added 2015/08/06 4:42 p.m. | 15 views

Black Hat BLEKey RFID Access Control Hack

LAS VEGAS – A device the size of a quarter that can be installed in 60 seconds on a proximity card reader could potentially be used to break physical access controls in 80 percent of deployments. The device, dubbed BLEKey, is used to read cleartext data sent from card readers to door controllers ...

AI score: 0.5
Exploits: 0 | References: 1

ThreatPost
added 2015/08/06 1:46 p.m. | 10 views

Updated DGA Changer Malware Generates Fake Domain Stream

LAS VEGAS — The group behind the DGA Changer downloader has been pretty adept in modifying the malware to elude sandbox detection in particular. Researchers at Seculert today published a report on the latest twist to DGA Changer, which now is able to generate a fake stream of domains if it detect...

AI score: 0.8
Exploits: 0 | References: 4

ThreatPost
added 2015/08/06 12:9 p.m. | 16 views

Gone in Less Than a Second

LAS VEGAS–Do not let Samy Kamkar near your car. Kamkar has built a new device that is about the size of a wallet and can intercept the codes used to unlock most cars and many garage doors. The device can be hidden underneath a vehicle and when the owner approaches and hits the unlock button on he...

AI score: 2.1
Exploits: 0 | References: 3

ThreatPost
added 2015/08/05 8:36 p.m. | 12 views

Black Hat 2015 Going Dark Cryptography Presentation

LAS VEGAS – Try as they might, technologists are struggling to find a feasible way to solve the government’s and law enforcement’s “Going Dark” crypto issue. Cryptographer Matthew Green and D.C. intellectual property attorney James Denaro today during a talk at the Black Hat conference made no...

AI score: 7.2
Exploits: 0 | References: 3

ThreatPost
added 2015/08/05 7:23 p.m. | 14 views

Google Plans Monthly Security Updates for Nexus Phones

LAS VEGAS–Google is changing the way that it updates its Nexus Android phones and will now send out monthly over-the-air updates to users. The first update is being pushed out today, and the company said that other Android handset manufacturers are planning to follow suit and provide monthly...

Exploits: 0 | References: 2

ThreatPost
added 2015/08/05 3:0 p.m. | 11 views

Emissary Panda APT Group Gets Selective About Data it Steals

LAS VEGAS – The Emissary Panda APT group has a long history of invading Western organizations—be they enterprises, government or political outfits—hungry for reams of intellectual property. Lately the group, however, has become a little more selective about what it steals. Researchers at Dell...

Exploits: 0

ThreatPost
added 2015/08/05 2:59 p.m. | 6 views

Government Asks for Security Community's Help on Technical Issues

LAS VEGAS–Washington is looking for a few good hackers. Politicians and policymakers in the United States generally are not thought of as being the most technically savvy lot. It’s a reputation that’s well-earned in some cases, with some politicians boasting about their inability to use email and...

AI score: 0.1
Exploits: 0 | References: 4

ThreatPost
added 2015/08/05 2:31 p.m. | 16 views

Black Hat 2015 Keynote Jennifer Granick

LAS VEGAS – The Internet is barreling down the same road of regulation and not-so-subtle censorship that has turned every other means of mass communication into a centralized and vanilla fountain of useless information. Kinda like television. That’s the fear that today Black Hat keynoter Jennifer...

AI score: 7.3
Exploits: 0

ThreatPost
added 2015/08/05 2:19 p.m. | 9 views

'Software Liability Is Inevitable'

LAS VEGAS–The push for some form of liability for vendors who sell faulty or insecure software is nearly as old as software itself. Software makers have pushed back hard against it for decades, but the day may soon come when software liability is a reality. Bugs, defects, and security...

AI score: 0.7
Exploits: 0 | References: 3

ThreatPost
added 2015/08/04 9:0 a.m. | 36 views

Rig Exploit Kit 3.0 Claims 1 Million Malvertising Victims

LAS VEGAS – A rampant malvertising campaign fueled by a new version of the Rig Exploit Kit has claimed at least 950,000 victims worldwide and is doing so with an unprecedented success rate. Researchers at Trustwave said in advance of this week’s Black Hat conference that they have been watching...

CVSS: 10 | EPSS: 0.93688
Exploits: 5 | References: 4

ThreatPost
added 2015/08/04 8:0 a.m. | 17 views

Researchers Uncover Chinese VPN Service Used by APT Crews for Cover

Building a business can be expensive and time-consuming, and owners will look for ways to save money wherever they can. Researchers from RSA Security have found a VPN provider in China that is taking this to an unusual extreme: hacking Windows servers around the world for use as VPN nodes on a...

AI score: 1.9
Exploits: 0 | References: 2

ThreatPost
added 2015/08/03 3:3 p.m. | 12 views

DHS Raises Privacy Concerns With Senate Cyber Threat Sharing Bill

A major information-sharing bill that’s in the Senate right now would allow private organizations to share threat data with any government agency, something that the Department of Homeland Security says could have severe privacy implications and cause confusion and inefficiencies inside the feder...

AI score: 6.7
Exploits: 0 | References: 2

ThreatPost
added 2015/08/03 1:51 p.m. | 11 views

Thunderstrike 2 Mac OS X Firmware Worm

A new attack against Intel firmware running in Apple computers is expected to be unveiled at this week’s Black Hat conference. The research is an extension of the Thunderstrike Mac OS X firmware bootkit disclosed this spring that enables the undetectable installation of malicious firmware that...

AI score: 1
Exploits: 0 | References: 4

ThreatPost
added 2015/08/03 11:14 a.m. | 18 views

EFF, AdBlock and Others Launch New Do Not Track Standard

After years of discussions, disagreements, and digressions, the Do Not Track header is supported by all of the major browsers. But because there’s no real requirement for sites or advertisers to respect it, DNT is not as effective as it could be. Now, the EFF, Disconnect, and several other...

AI score: 6.7
Exploits: 0 | References: 2

ThreatPost
added 2015/08/03 10:24 a.m. | 20 views

Windows 10 Upgrade Spam Carries CTB-Locker Ransomware

In the week since a free upgrade to Windows 10 was made available, users have learned about a host of built-in privacy and security issues, the most troubling being a native feature called Wi-Fi Sense that grants access to your Wi-Fi network to contacts stored in a host of online services. N...

AI score: 0.1
Exploits: 0 | References: 9

ThreatPost
added 2015/07/31 12:56 p.m. | 11 views

Government Takes Second Look at US Wassenaar Rules

In spite of self-congratulatory pats on the back from several corners of the security world, this week’s decision from the Commerce Department’s Bureau of Industry and Security (BIS) to rewrite the proposed U.S. implementation of the Wassenaar Arrangement rules was an expected outcome—albeit an...

AI score: 7.3
Exploits: 0 | References: 5

ThreatPost
added 2015/07/31 11:51 a.m. | 9 views

Dennis Fisher and Mike Mimoso Discuss the Rifle Hack, Stagefright, OwnStar, and Black Hat 2015

Dennis Fisher and Mike Mimoso discuss the hacked sniper rifle, the huge Android bug in Stagefright, Samy Kamkar’s OwnStar device, and the joy and pain of next week’s Black Hat conference. Download: digitalunderground215.mp3 Music by Chris Gonsalves...

AI score: 1.3
Exploits: 0 | References: 2

ThreatPost
added 2015/07/31 11:26 a.m. | 10 views

FBI Warns of Increase in DDoS Extortion Scams

Online scammers constantly are looking for new ways to reach into the pockets of potential victims, and the FBI says it is seeing an increase in the number of companies being targeted by scammers threatening to launch DDoS attacks if they don’t pay a ransom. The scam is a variation on a theme, th...

AI score: 0.7
Exploits: 0 | References: 3

ThreatPost
added 2015/07/31 9:21 a.m. | 33 views

Xen Patches VM Escape Flaw

The Xen Project has patched a serious vulnerability that could allow an attacker in a guest virtual machine to escape and gain the ability to run arbitrary code on the host machine. The vulnerability is in the QEMU open source machine emulator that ships as part of the Xen hypervisor. The problem...

CVSS: 7.2 | AI score: 2.3 | EPSS: 0.0063
Exploits: 0 | References: 2

ThreatPost
added 2015/07/30 2:55 p.m. | 10 views

Cisco Fixes DoS Vulnerability in ASR 1000 Routers

Cisco has patched a denial-of-service vulnerability in its ASR 1000 line of routers, a bug that’s caused by an issue with the way the routers handle some fragmented packets. The company said the DoS vulnerability affects all of the ASR 1000 Series Aggregation Services Routers that are running a...

AI score: 2.8
Exploits: 0 | References: 1

ThreatPost
added 2015/07/30 1:56 p.m. | 28 views

Writing OS X Malware at Black Hat 2015

Patrick Wardle has one word for today’s generation of Mac OS X malware: lame. Sure there are advanced samples out there developed by nation-state sponsored groups or exploit vendors such as Hacking Team, but for the most part, Wardle says, we’re still talking about malware that are standalone...

AI score: 1.7
Exploits: 0 | References: 2

ThreatPost
added 2015/07/30 11:33 a.m. | 16 views

Moonpig Warns Customers of 'Security Issue'

Moonpig has warned customers that some of their email addresses, passwords, and account balances have been published after what it calls a “security issue”. The company, which sells custom greeting cards, said in a message to users that attackers were not able to get any credit card information, ...

Exploits: 0 | References: 2

ThreatPost
added 2015/07/30 9:38 a.m. | 11 views

OwnStar Device Can Remotely Locate, Unlock, and Start GM Cars

Car hacking just jumped up a few levels. A security researcher has built a small device that can intercept the traffic from the OnStar RemoteLink mobile app and give him persistent access to a user’s vehicle to locate, unlock, and start it. The device is called OwnStar and it’s the creation of Sa...

AI score: 2.7
Exploits: 0 | References: 4

ThreatPost
added 2015/07/30 9:0 a.m. | 16 views

Facebook Security Checkup Tool Keeps Tabs on Security Settings

Large technology companies have long led their users to security and privacy features. Some security technologies are transparent and are on by default, while others require a little prodding of users to turn them on. Even in an age of enhanced scrutiny of exactly what privacy is and means, and...

AI score: 7.1
Exploits: 0 | References: 3

ThreatPost
added 2015/07/29 2:41 p.m. | 15 views

Researchers Hack TrackingPoint Rifle's Precision Targeting System

TrackingPoint rifles are state-of-the-art precision hunting and sniper rifles that come equipped with a networked tracking scope that’s accessible via Wi-Fi, and comes complete with USB ports and a mobile app. It’s almost foolproof shooting, albeit at a $13,000 price tag. And the security of all ...

AI score: 0.2
Exploits: 0

ThreatPost
added 2015/07/29 2:7 p.m. | 12 views

New Chrome Extension Helps Combat Keyboard Biometrics

Two security researchers released a new Chrome extension this week that thwarts attempts to profile users based on a biometric. Researchers Per Thorsheim and Paul Moore collaborated on KeyboardPrivacy, an add-on that injects random delays between presses on a keyboard, Moore said. Those delays, t...

AI score: 7.3
Exploits: 0 | References: 1

ThreatPost
added 2015/07/29 1:33 p.m. | 20 views

Yahoo Touts Success of Bug Bounty Program

Yahoo established its formal bug bounty program nearly two years ago, and the company has paid out more than $1 million in rewards to researchers in that time. But security officials say the value the program has provided to the company has been just as great. Although Yahoo was among the latter...

AI score: 7.5
Exploits: 0 | References: 3

ThreatPost
added 2015/07/29 11:27 a.m. | 14 views

Click-Fraud Malware Spreading via JavaScript Attachments

A new malware campaign has been spotted that has begun seeding spam messages with a downloader heavily obfuscated with JavaScript. The SANS Internet Storm Center said today that two days ago, a flood of spam messages were observed laced with .js attachments. The JavaScript obfuscates a downloader...

AI score: 6.9
Exploits: 0 | References: 5

Total number of security vulnerabilities: 15946