
15946 matches found

ThreatPost
added 2015/07/29 9:9 a.m., 29 views

Critical Remotely Exploitable Bug Haunts BIND

The maintainers of BIND have patched a critical remotely exploitable vulnerability in the DNS software that can be used in a denial-of-service attack. The vulnerability affects all versions of BIND from 9.1.0 through 9.9.7. The vulnerability is in the way that BIND handles certain queries related...

7.8 CVSS, 1 AI score, 0.90945 EPSS
Exploits: 12, References: 3

ThreatPost
added 2015/07/29 8:0 a.m., 9 views

New Hammertoss Espionage Tool Tied to MiniDuke Gang

The espionage gang behind the MiniDuke backdoor uncovered by Kaspersky Lab and CrySys Lab in 2013 has surfaced again with a new backdoor and attack platform that is used sparingly against only high-value targets. The new data theft tool, called Hammertoss, is a study not only in espionage...

0.2 AI score
Exploits: 0, References: 7

ThreatPost
added 2015/07/28 3:11 p.m., 12 views

White House Says No Thanks to Snowden Pardon Petition

It’s been more than two years since Edward Snowden became a name as familiar to the millions of people who have no idea what the NSA actually does as it is to the power players in Washington. In that time support for Snowden has waxed and waned, but the position of the White House on Snowden’s actio...

0.2 AI score
Exploits: 0, References: 2

ThreatPost
added 2015/07/28 11:48 a.m., 7 views

Apple Patches Remote 'Invoice Vulnerability' in iTunes, App Store

Apple recently patched a serious issue in its App Store and iTunes Store web app that could have let a remote attacker inject malicious script into invoices that come from Apple and subsequently lead to session hijacking, phishing, and redirect. The vulnerability was unearthed in June by Benjamin...

1.1 AI score
Exploits: 0, References: 1

ThreatPost
added 2015/07/28 10:49 a.m., 10 views

New Google Drive Phishing Scam Uncovered

Phishers have again leveraged users’ trust in Google with a newly discovered campaign designed to steal credentials that grant access to the multitude of Google’s online services. New phishing pages hosted on Google Drive were discovered by researcher Aditya K. Sood of Elastica Cloud Threat Labs...

7.3 AI score
Exploits: 0, References: 2

ThreatPost
added 2015/07/28 9:25 a.m., 27 views

NSA Says It Will End Access to 215 Records When Authority Ends in November

The National Security Agency says that once its legal authority to conduct Section 215 bulk telephone surveillance ends on Nov. 29, its analysts no longer will be allowed to access the database that holds all of the collected Section 215 records. In May, an appeals court ruled that bulk telephone...

0.8 AI score
Exploits: 0, References: 5

ThreatPost
added 2015/07/27 2:6 p.m., 13 views

Valve Patches Password Reset Vulnerability in Steam

Valve Software has reportedly patched a vulnerability in the popular online Steam gaming platform that enabled account hijacking through its password reset mechanism. Kotaku, a popular blog among gamers, said that a number of prominent Steam accounts and Twitch streamers were stolen or accessed...

0.8 AI score
Exploits: 0, References: 3

ThreatPost
added 2015/07/27 12:39 p.m., 15 views

PHP File Manager Riddled With Vulnerabilities, Including Backdoor

Multiple critical vulnerabilities have existed, some for nearly five years, in PHP File Manager, a web-based file manager used by several high profile corporations. According to Sijmen Ruwhof, a security consultant and penetration tester based in the Netherlands, some of the issues have been...

7.7 AI score
Exploits: 0, References: 5

ThreatPost
added 2015/07/27 10:50 a.m., 13 views

Pair of Bugs Open Honeywell Home Controllers Up to Easy Hacks

The accumulation of automation and Internet-connected devices in many homes these days has led observers to coin the term smart homes. But as researchers take a closer look at the security of these devices, they’re finding that what these homes really are is naive. The latest batch vulnerabilitie...

0.9 AI score
Exploits: 0, References: 3

ThreatPost
added 2015/07/27 9:58 a.m., 8 views

Android Stagefright Flaws Put 950 Million Devices at Risk

Vulnerabilities discovered in the Stagefright media playback engine that is native to Android devices could be the mobile world’s equivalent to Heartbleed. Almost all Android devices contain the security and implementation issues in question; unpatched devices are at risk to straightforward attac...

0.6 AI score
Exploits: 0, References: 2

ThreatPost
added 2015/07/27 9:22 a.m., 21 views

Census Bureau Says Breach Didn't Compromise Sensitive Data

Officials at the United States Census Bureau say that the attackers who compromised one of the bureau’s databases last week did not get access to any confidential information, but only data such as names and phone numbers of organizations that submit information to the Federal Audit Clearinghouse...

1.2 AI score
Exploits: 0, References: 3

ThreatPost
added 2015/07/24 1:29 p.m., 84 views

Stakeholders Argue Against Restrictive Wassenaar Proposal

The commenting period regarding the Wassenaar Arrangement expired on Monday but the echo chamber around the largely maligned proposal continues to reverberate. Several stakeholders implicated in the proposal added their voices to that chamber on Friday morning, urging the government to revise...

9.3 CVSS, 8.5 AI score, 0.99945 EPSS
Exploits: 33, References: 11

ThreatPost
added 2015/07/24 11:45 a.m., 11 views

Fiat Chrysler Recalls 1.4 million Cars After Software Bug is Revealed

A few days after issuing a patch and reassuring owners that the attack that shut down the transmission and other systems remotely on a Jeep was not a huge risk, Fiat Chrysler has decided to recall nearly 1.5 million vehicles as a result of the bug exposed in the research. The recall is the result...

0.8 AI score
Exploits: 0, References: 5

ThreatPost
added 2015/07/24 9:46 a.m., 43 views

VUPEN Launches New Zero-Day Acquisition Firm Zerodium

UPDATE–In the weeks since the Hacking Team breach, the spotlight has shone squarely on the small and often shadowy companies that are in the business of buying and selling exploits and vulnerabilities. One such company, Netragard, this week decided to get out of that business after its dealings...

7.5 AI score
Exploits: 0, References: 5

ThreatPost
added 2015/07/23 1:27 p.m., 8 views

Several Critical Flaws Patched in Drupal Module

There are several critical vulnerabilities in a middleware layer used in Drupal, including both cross-site scripting and cross-site request forgery bugs, that can be exploited remotely. The vulnerabilities are in the Open Semantic Framework, which is a third-party project and not part of the Drup...

1.2 AI score
Exploits: 0, References: 2

ThreatPost
added 2015/07/23 1:8 p.m., 13 views

WordPress Patches Critical XSS Vulnerability in All Builds

WordPress rolled out a new version of its content management system this morning that addresses a nasty cross-site scripting (XSS) vulnerability that could ultimately lead to site compromise. According to Gary Pendergast, an engineer at Automattic, WordPress’ parent company, the XSS vulnerability...

0.8 AI score
Exploits: 0, References: 5

ThreatPost
added 2015/07/23 1:5 p.m., 9 views

Chris Valasek on Car Hacking

Dennis Fisher talks with Chris Valasek of IOActive about the new research he did with Charlie Miller on remotely hacking a Jeep, how the disclosure process worked, what auto makers can do to secure their vehicles’ on-board systems, and how much of a threat these attacks pose to drivers. Download:...

3.1 AI score
Exploits: 0, References: 2

ThreatPost
added 2015/07/23 9:14 a.m., 99 views

Four Zero Days Disclosed in Internet Explorer

UPDATE–As if all of the vulnerabilities in Flash and Windows discovered in the Hacking Team document cache and the 193 bugs Oracle fixed last week weren’t enough for organizations to deal with, HP’s Zero Day Initiative has released four new zero days in Internet Explorer Mobile that can lead to...

9.3 CVSS, 0.4 AI score, 0.99945 EPSS
Exploits: 33, References: 3

ThreatPost
added 2015/07/22 2:54 p.m., 8 views

Bartalex Variants Spotted Dropping Pony, Dyre Malware

Some strains of Bartalex malware, a macro-based malware that first surfaced earlier this year, have recently been spotted dropping Pony loader malware and the Dyre banking Trojan. Primarily spread through spam, the first iterations of Bartalex were observed in late March embedded in Microsoft Wor...

2.1 AI score
Exploits: 0, References: 4

ThreatPost
added 2015/07/22 2:3 p.m., 13 views

EFF Hopeful Car Hacking Demo Could Help Yield DMCA Exemption

The latest car hacking research from Charlie Miller and Chris Valasek has elicited a broad spectrum of reactions: admiration for the skill; outrage at the danger the demo may have put drivers in; and even a patch from an automaker. And the EFF is hoping it might also help produce a new exemption to...

0.9 AI score
Exploits: 0, References: 2

ThreatPost
added 2015/07/22 10:39 a.m., 12 views

Hacking Team Says It Always Sold 'Strictly Within the Law'

Hacking Team officials are disputing reports that the company sold its surveillance and intrusion software to oppressive regimes in countries that were under sanction. The company said it sold its products “strictly within the law and regulation as it applied at the time any sale was made.” The n...

0.1 AI score
Exploits: 0, References: 4

ThreatPost
added 2015/07/22 9:23 a.m., 37 views

Google Patches 43 Bugs in Chrome

A new version of Google Chrome is available, and it contains patches for 43 security vulnerabilities, many of them in the high-risk category. Two of the more serious vulnerabilities fixed in Chrome 44 are a pair of universal cross-site scripting bugs. One of the flaws is in blink, the Web layout...

7.5 CVSS, 9.1 AI score, 0.19069 EPSS
Exploits: 2, References: 34

ThreatPost
added 2015/07/21 4:5 p.m., 9 views

Class Action Suit Against Neiman Marcus Data Breach Revived

It turns out that Neiman Marcus, one of many retailers that announced it suffered a data breach last year, will indeed face a class action lawsuit that claims the upscale department store failed to protect its system from hackers. A decision on the case, which was initially argued in the Northern...

7 AI score
Exploits: 0, References: 3

ThreatPost
added 2015/07/21 2:10 p.m., 13 views

Google Helps Lead Effort Against Automated Traffic From Data Centers

Google is helping to lead a new effort to reduce the amount of fraudulent traffic that emanates from data centers and produces artificial clicks on ads. The collaborative initiative will rely on blacklists of known-bad IP addresses that Google and others maintain to help identify bots that are us...

0.4 AI score
Exploits: 0, References: 1

ThreatPost
added 2015/07/21 12:39 p.m., 9 views

Car Hacking Gets the Attention of Detroit and Washington

Car hacking is a relatively new phenomenon, but it is evolving at a frighteningly quick pace. While just a year or two ago security researchers were still trying to work out exactly how the internal electronics and communications gear in vehicles works, now a pair of researchers has discovered a...

0.3 AI score
Exploits: 0, References: 4

ThreatPost
added 2015/07/21 9:26 a.m., 13 views

Possible Breach Results in Shutdown of Many Retail Photo Services

A potential data breach at a third-party provider has resulted in the shutdown of retail photo-printing services at a number of chains, including CVS, Costco, Rite Aid, and several others. The breach reportedly hit PNI Digital Media, a Canadian company that provides the online photo platform for...

1.9 AI score
Exploits: 0

ThreatPost
added 2015/07/20 3:4 p.m., 33 views

Microsoft Issues Critical, Out-of-Band Patch for All Versions of Windows

Microsoft released an out-of-band patch Monday that addresses a critical remotely exploitable flaw in all versions of Windows. The vulnerability stems from how Windows’ Adobe Type Manager Library handles OpenType fonts. If a user was tricked into either opening a rigged document or visiting an...

9.3 CVSS, 0.6 AI score, 0.99945 EPSS
Exploits: 34, References: 2

ThreatPost
added 2015/07/20 2:38 p.m., 11 views

Google Calls Proposed U.S. Wassenaar Rules 'Not Feasible'

As the clock winds down on the comment period for the United States government’s proposed implementation of the Wassenaar Arrangement export controls for intrusion software, Google officials say that the rules would have a “significant negative impact” on security research. The Department of...

0.7 AI score
Exploits: 0, References: 2

ThreatPost
added 2015/07/20 11:27 a.m., 51 views

New Campaign Targeting Japanese with Hacking Team Zero Day

Yet another group of attackers has quickly cashed in on one of the Adobe Flash zero days uncovered in the HackingTeam leak and is leveraging it to target Japanese organizations. Last week researchers determined that attackers were able to compromise two Japanese websites, the country’s...

10 CVSS, 10 AI score, 0.99344 EPSS
Exploits: 11, References: 5

ThreatPost
added 2015/07/20 11:22 a.m., 6 views

Free Tool Looks for HackingTeam Malware

UPDATE–Researchers at Rook Security have released a new tool that looks for HackingTeam malware on target systems, and also have published a set of indicators of compromise to help organizations look for signs of an infection from the intrusion software. The HackingTeam Remote Control System is t...

Exploits: 0, References: 3

ThreatPost
added 2015/07/20 10:0 a.m., 8 views

OpenDNS BGP Stream Twitter Feed

Enterprises in the throes of a denial-of-service attack, or suspicious about the integrity of their Internet traffic, will soon have a free data feed available that cuts through the noise produced by normal Internet routing over BGP, the Border Gateway Protocol. During next month’s Black Hat...

7.4 AI score
Exploits: 0, References: 5

ThreatPost
added 2015/07/20 9:23 a.m., 30 views

Netragard Shutters Controversial Exploit Acquisition Program

Netragard, one of the small number of companies that buys and sells exploits, has shut down its exploit acquisition program in the wake of the HackingTeam breach. Among the revelations in the cache of documents leaked after the attack on HackingTeam was information about Netragard selling an...

0.7 AI score
Exploits: 0, References: 2

ThreatPost
added 2015/07/17 10:51 a.m., 10 views

Dennis Fisher and Mike Mimoso on the Microsoft, Adobe and Oracle Patches, and More

Dennis Fisher and Mike Mimoso talk about all of the patches from Microsoft, Adobe and Oracle, the Flash security saga and the Darkode forum takedown. Download: digitalunderground213.mp3 Music by Chris Gonsalves...

2.4 AI score
Exploits: 0, References: 2

ThreatPost
added 2015/07/17 8:29 a.m., 43 views

Samy Kamkar's ProxyGambit Picks Up for Defunct ProxyHam

Without fail in the weeks leading up to Black Hat and DEF CON, there are inevitably talks that are either pulled by organizers, cancelled by presenters, or strong suggestions are made that the talks don’t happen. This year’s first casualty, Ben Caudill’s scheduled DEF CON demonstration of ProxyHa...

6.6 AI score
Exploits: 0, References: 10

ThreatPost
added 2015/07/16 1:46 p.m., 53 views

Office, Java Patches Erase Latest APT 28 Zero Days

An APT group thought to be tied to Russia is flying against conventional wisdom, having as recently as the last three weeks dropped its sixth zero-day in the past four months. Given the underground value of unpatched and unreported vulnerabilities, this is highly unusual behavior, even for a...

10 CVSS, 0.6 AI score, 0.99344 EPSS
Exploits: 6, References: 5

ThreatPost
added 2015/07/16 1:40 p.m., 16 views

Google to Expand Use of Safe Browsing to Stop Unwanted Software

Google is expanding the use of its Safe Browsing mechanism to warn users about a broader variety of unwanted software, in addition to the warnings they see regarding phishing pages, malware, and other threats. Safe Browsing is the service that Google uses to help protect Chrome users from malicio...

1.5 AI score
Exploits: 0, References: 5

ThreatPost
added 2015/07/16 12:53 p.m., 20 views

TotoLink Routers Plagued By Serious RCE, XSS, CSRF Vulnerabilities

A slew of routers manufactured in China are fraught with vulnerabilities, some of which have existed in products for as long as six years. Nearly 20 different routers made by the electronics company TotoLink contain multiple remote code execution bugs, suffer from XSS and CSRF vulnerabilities, and...

0.2 AI score
Exploits: 0, References: 4

ThreatPost
added 2015/07/16 9:26 a.m., 7 views

Authentication Bypass Bug Hits Siemens Energy Automation Device

An authentication bypass vulnerability in a Siemens device that’s used in energy automation systems could allow an attacker to gain control of the device. The vulnerability is in the Siemens SICAM MIC, a small telecontrol system that performs a number of functions and includes an integrated Web...

1.5 AI score
Exploits: 0, References: 1

ThreatPost
added 2015/07/15 2:27 p.m., 17 views

New RC4 Attack Dramatically Reduces Plaintext Recovery Time

Two Belgian security researchers from the University of Leuven have driven new nails into the coffin of the RC4 encryption algorithm. A published paper, expected to be delivered at the upcoming USENIX Security Symposium next month in Washington, D.C., describes new attacks against RC4 that allow ...

7.4 AI score
Exploits: 0, References: 2

ThreatPost
added 2015/07/15 12:36 p.m., 23 views

Feds Detail Shutdown of Cybercrime Forum Darkode

Officials worldwide this week culminated an 18-month effort to take down Darkode, a cybercrime forum where hackers fraternized, shared malware, credit card information and more. The campaign, dubbed Operation Shrouded Horizon, resulted in the arrest of 28 hackers and 27 house searches across 18...

1.3 AI score
Exploits: 0, References: 2

ThreatPost
added 2015/07/15 11:19 a.m., 25 views

Windows XP Security Support Ends

Yes, there are still some rather large organizations maintaining their investments in Windows XP, as we recently learned when an unclassified U.S. Navy document showed that it had extended a support contract with Microsoft for two more years meaning that its systems will continue to receive XP...

9.3 CVSS, 1.2 AI score, 0.99945 EPSS
Exploits: 33, References: 9

ThreatPost
added 2015/07/15 11:6 a.m., 10 views

Coalition of Security Companies Forms to Oppose Wassenaar Rules

A large group of security companies have formed a coalition to oppose the proposed rules from the Department of Commerce that would regulate the export of so-called intrusion software, a broad term that researchers and legal experts are concerned would limit security research and development. The...

0.1 AI score
Exploits: 0, References: 1

ThreatPost
added 2015/07/15 9:44 a.m., 46 views

Oracle Patches Java Zero Day

Oracle has released its quarterly patch update, which includes fixes for nearly 200 vulnerabilities. The most notable bug fixed in this release is the Java zero day that’s been used in an ongoing attack campaign. The massive release from Oracle has patches for a long list of products, but the Jav...

10 CVSS, 0.9 AI score, 0.25714 EPSS
Exploits: 1, References: 4

ThreatPost
added 2015/07/14 2:39 p.m., 46 views

July 2015 Microsoft Patch Tuesday Security Bulletins

Microsoft has patched a zero-day vulnerability in the Windows kernel uncovered and exploited by Hacking Team. The zero day was found among the 400 GB of data stolen from the Italian surveillance software maker and posted online July 5. A trio of Adobe Flash Player zero days were also uncovered...

9.3 CVSS, 0.5 AI score, 0.99945 EPSS
Exploits: 34, References: 7

ThreatPost
added 2015/07/14 2:26 p.m., 17 views

New Version of TeslaCrypt Changes Encryption Scheme

A new version of the nasty TeslaCrypt ransomware is making the rounds, and the creators have added several new features, including an improved encryption scheme and some details designed to mimic CryptoWall. TeslaCrypt is among the more recent variants of ransomware to emerge and the malware, whi...

1.7 AI score
Exploits: 0, References: 3

ThreatPost
added 2015/07/14 12:57 p.m., 12 views

New Bill Would Grant Lifetime Credit Monitoring to OPM Victims

A group of lawmakers are proposing victims of last month’s expansive Office of Personnel Management hack receive lifetime fraud protection and credit monitoring. Democratic lawmakers on Monday presented the Reducing the Effects of the Cyberattack on OPM Victims Emergency Response, or RECOVER Act...

0.9 AI score
Exploits: 0, References: 7

ThreatPost
added 2015/07/14 12:12 p.m., 17 views

CloudFlare Transparency Report Shows Spike in Court Orders

In its latest transparency report, CloudFlare says that the number of subpoenas it has received has remained steady since last year, but the volume of court orders has more than doubled since the second half of last year. While much of the data from CloudFlare’s report for the first half of 2015...

6.9 AI score
Exploits: 0, References: 1

ThreatPost
added 2015/07/14 11:47 a.m., 36 views

Adobe Patches Hacking Team Zero Days in Flash

Adobe has put the two outstanding Hacking Team Flash Player zero-day vulnerabilities in check. Today, Adobe released an updated Flash Player that patches CVE-2015-5122 and CVE-2015-5123, two use-after-free bugs uncovered and exploited by the controversial Italian surveillance software vendor. The...

10 CVSS, 0.9 AI score, 0.99344 EPSS
Exploits: 11, References: 11

ThreatPost
added 2015/07/14 11:19 a.m., 12 views

United Airlines Hands Out Million-Mile Bug Bounty

Poking about a United Airlines online property might not seem to be the wisest course of action for a professional hacker given the fallout over the Chris Roberts saga, but Jordan Wiens insists he wasn’t deterred. Wiens, who founded a security company in Florida called Vector 35 and not too long...

7.8 AI score
Exploits: 0, References: 5

ThreatPost
added 2015/07/14 9:20 a.m., 12 views

Mozilla Disables Flash in Firefox

As the zero days in Adobe Flash continue to pile up, Mozilla has taken the unusual step of disabling by default all versions of Flash in Firefox. The move is a temporary one as Adobe prepares to patch two vulnerabilities in Flash that were discovered as a result of the HackingTeam document dump...

0.5 AI score
Exploits: 0, References: 5

Total number of security vulnerabilities: 15946