Kaseya Patches Two Flaws in VSA IT Management Platform
A researcher has uncovered a pair of vulnerabilities in the Kaseya VSA IT management platform, including an open redirect that could be used to force users to visit attacker-controlled sites. Kaseya VSA is a platform designed to handle a wide variety of IT management tasks, including audit,...
Cloudminr Bitcoin Hack Exposes Data on 80,000
Attackers were able to break into servers belonging to Bitcoin cloud-mining platform Cloudminr.io last week and harvest the site’s entire database. Now hackers are attempting to sell the information, which includes thousands of unencrypted usernames, email addresses, and passwords. Cloudminr, a...
Hacking Team Promises to Rebuild RCS
The aftermath of the Hacking Team attack raised legitimate questions about the controversial Italian surveillance software vendor’s long-term viability. With reams of sensitive internal data and intellectual property posted online, how could the company survive? For now, however, the company seem...
New PHP Releases Fix BACKRONYM MySQL Flaw
Several new versions of PHP have been released, all of which contain a number of bug fixes, most notably a patch for the so-called BACKRONYM vulnerability in MySQL. That bug in MySQL is caused by a problem with the way that the database software handles requests for secure connections. Researcher...
Two Dozen Zoos Potentially Hit by Data Breach
Anyone who’s visited one of two dozen zoos across America over the last several months may want to check their credit and debit card statements. A third party operator of concessions and retail services at zoos from Hawaii to Florida acknowledged this week that it was hit by a data breach earlier...
Census Project Identifies Open Source Projects at Risk
Heartbleed may have brought on a major case of heartburn last April for system admins worldwide, but a positive offshoot of the biggest of the Internet-wide bugs was that it opened a lot of eyes to the lack of support afforded even ubiquitous open source software projects. Shortly after Heartblee...
Dennis Fisher and Mike Mimoso Discuss the Hacking Team Hack and the OPM Breach
Dennis Fisher and Mike Mimoso discuss the Hacking Team hack and the continued fallout from the OPM breach. Download: digitalunderground212.mp3 Music by Chris Gonsalves...
U.S. Government Wades Into Vulnerability Disclosure
Security researchers and software vendors have spent decades trying to work out the process of vulnerability disclosure, with limited success. Now the federal government is joining the fray in hopes of getting the two sides to play nice. The National Telecommunications and Information...
OPM Hack Expands to Include Data of 21.5M People
UPDATE–The ever-expanding data breach at the Office of Personnel Management has now spread to include the Social Security numbers and other personal data of a total of 21.5 million people, and the toll also now includes the agency’s director, Katherine Archuleta, who resigned Friday morning...
Wekby APT 18 Exploiting Hacking Team Flash Zero Day
The Wekby APT group, implicated in a number of targeted attacks against health care organizations such as Community Health Systems and major pharmaceutical companies, is reportedly making use of the Adobe Flash Player zero-day found in the Hacking Team data dump. According to Virginia-based...
OpenSSL Patches Critical Certificate Validation Vulnerability
Organizations that installed the June 11 OpenSSL update need to pull it back immediately after a serious certificate validation error was discovered and patched today in a new update. The bug was reported two weeks ago to the OpenSSL project by Google researcher Adam Langley and BoringSSL’s David...
Bug in Android ADB Backup System Can Allow Injection of Malicious Apps
There’s a severe vulnerability in the way that all versions of Android handle the restoration of backups that can allow an attacker to inject a malicious APK file into the backup archive. The bug is the result of an issue with the ADB command-line tool for Android and the researchers who discover...
Ransomware Campaign Alters Variants to Evade Detection
A recently uncovered operation has been mutating versions of ransomware to better avoid getting detected. As part of the campaign, which researchers from Cambridge-based Cybereason have dubbed Kofer, attackers are tweaking certain variables of ransomware like CryptoWall 3.0 and Crypt0L0cker to...
Firefox 39 Out With Patches for Four Critical Vulnerabilities
Mozilla has rolled out a new version of its Firefox browser, an update that includes patches for four critical security vulnerabilities and several less-severe bugs. In all, Firefox 39 patches 13 vulnerabilities, including two high-risk bugs and six moderate-level ones. The most dangerous...
FBI Director to Silicon Valley: 'Try Harder' to Find 'Going Dark' Solution
The United States government has eased off its demands for “exceptional access” to encrypted communication, and instead volleyed the problem back to technology companies and asked them to try harder to come up with a solution. The government’s concern is that recent enhancements to encryption...
Wendy Nather on the Retail Cyber Intelligence Sharing Center
Dennis Fisher talks with Wendy Nather about her new role as the research director at R-CISC, the challenges of getting companies to share threat intelligence, how smaller retailers can deal with breaches and threats, and how the government can play a role in information sharing. Download:...
Hacking Team Flash Zero Day Weaponized in Exploit Kits
Handlers for three major exploit kits have managed to utilize in short order a zero-day vulnerability in Adobe Flash Player uncovered among the 400 Gb of data stolen from Hacking Team. Experts, including French researcher Kafeine and a number of others from security companies, revealed last night...
Hacking Team Plans to Continue Operations
UPDATE–It has been an absolutely brutal week for Hacking Team. All of the company’s documents, internal communications, emails with customers, and invoices have been published, including its dealings with oppressive regimes and customers in sanctioned countries. But even with all that, company...
Adobe to Patch Hacking Team Flash Zero Day
Adobe tomorrow is expected to release an updated version of Flash Player that will patch a zero-day vulnerability uncovered among the 400 GB of data stolen from Hacking Team. The controversial Italian intrusion and surveillance software vendor was breached and on Sunday, private documents,...
Gunpoder Android Malware Hides Malicious Behaviors in Adware
A stream of new Android malware infections is sounding a harsh tone on two fronts: hackers are making free and open source applications their own; and legacy security software needs to step up detection of adware behaving maliciously. The Gunpoder malware is spreading via third-party Android app...
EU Lawmaker Wants Answers on Hacking Team Sales to Sanctioned Countries
A prominent member of the EU parliament, who has been outspoken on security and privacy issues, on Tuesday submitted a written list of questions to the European Commission about the actions of Hacking Team and whether the company had violated EU sanctions regarding sales to specific countries...
Critical DoS Bug in Node.js, io.js Patched
Developers at Node.js over the weekend released a critical update to the open source runtime environment that addresses a bug that could be used to cause denial of service attacks. The JavaScript framework is used in one way or another by a handful of companies, including Netflix, PayPal, the New...
Crypto Leaders: 'Exceptional Access' Will Undo Security
A powerhouse baker’s dozen of cryptography experts and pioneers have released a paper explaining the potential legal and ethical issues relative to the government’s continued insistence on access to cryptographic keys that secure communication over the Internet. The paper, called “Keys Under...
Hacking Team Couldn't Hack Your iPhone
More than 36 hours after the huge cache of data from Hacking Team’s corporate network was dumped online, researchers are continuing to find surprising bits and pieces in the documents. Among them is evidence that the company had an enterprise developer certificate from Apple, allowing it to devel...
Google Pulls ClickFraud App from Google Play
A malicious Android app spoofing the popular BatteryBot Pro app has been pulled from Google Play. Researchers at Zscaler reported the app, which had a package name of com.polaris.BatteryIndicatorPro. The app requested excessive permissions from the user in an attempt to get full control of an...
UK Student's Research a Wassenaar Casualty
U.S.-based security researchers may soon be championing the case of Grant Wilcox, a young U.K. university student whose work is one of the few publicly reported casualties of the Wassenaar Arrangement. Wilcox last week published his university dissertation, presented earlier this spring for an...
Ad Fraud Malware Updating Flash on Infected PCs
Ad fraud malware is one of the more profitable specialties in the cybercrime world, and the attackers who use it often have to adapt their tactics in order to keep the money rolling in. One of the tactics that they have adopted in recent months is that of updating the version of Flash that’s...
Command Vulnerabilities Plague IP Enabled AirLive Cameras
A handful of IP-enabled cameras are susceptible to command injection vulnerabilities that could let attackers decode user credentials and gain complete access to the devices. At least five different types of AirLive cameras, manufactured by OvisLink Corp., an IP surveillance networking solutions...
Hackers Release Hacking Team Internal Documents After Breach
Attackers have compromised the network of Italian intrusion software vendor Hacking Team and released a large cache of the company’s private documents, including customer invoices that show sales to oppressive governments. The incident came to light Sunday evening when unnamed attackers released ...
Harvard Breach in June Hit Multiple Schools
Officials from Harvard University are warning some of its students that the school fell victim to a data breach last month and that it’s in the process of determining the scope of the attack. Anne Margulies, Harvard’s vice president and chief information officer, sent a memo to students and facul...
Dennis Fisher and Mike Mimoso on the Latest Apple Patches, Mudge and the Cyber UL, and the OPM Hack
Dennis Fisher and Mike Mimoso discuss the OS X and iOS patches, the potential for the new cyber UL project run by Mudge, and the lawsuit against OPM after its data breach. Download: digitalunderground210.mp3 Music by Chris Gonsalves...
Angler Exploit Kit Evasion Techniques Cryptowall 3.0
The Angler Exploit Kit is turning into a model for malware rapidly integrating new evasion techniques. Starting in early June, URL patterns used by the notorious exploit kit have been changing almost daily, coinciding with it pushing Cryptowall 3.0 ransomware. SANS Internet Storm Center handler...
Senator Demands Answers on FBI's Use of Zero Days, Phishing
The chairman of the powerful Senate Judiciary Committee is asking some pointed questions of the FBI director about the bureau’s use of zero-day vulnerabilities, phishing attacks, spyware, and other controversial tools. Sen. Charles Grassley R-Iowa has sent a letter to FBI Director James Comey...
Cisco UCDM Platform Ships With Default, Static Password for Root Account
A week after admitting that several of its security appliances ship with static SSH keys, Cisco warned customers on Wednesday that its Unified Communications Domain Manager platform has a default, static password for an account that carries root privileges. The vulnerability affects versions of t...
RIPv1 Reflection Amplification DDoS Attacks
A long-deprecated—and aptly named—routing protocol, RIPv1, still has some life to it. Hackers, since the middle of May, have been carrying out reflection- and amplification-style distributed denial of service attacks using home office and small business routers still running on the old protocol...
Pinterest Fixes Validation Vulnerability in API
Pinterest recently fixed an issue in the API of its web app that could have allowed remote attackers to compromise emails and carry out session hijacking and phishing attacks. Vulnerability Lab researcher Benjamin Kunz Mejri discovered the issue, which is a persistent mail encoding and validation...
LifeLock Patches XSS That Could've Led to Phishing
Researchers identified a cross-site scripting vulnerability in a page on the LifeLock website that could allow an attacker to create an authentic-looking login page for the service and harvest usernames and passwords from customers. LifeLock patched the vulnerability quickly after researchers Bla...
Patched Apple QuickTime Vulnerability Details Disclosed
Use-after-free vulnerabilities have nudged buffer overflows off their exclusive perch of serious bugs that hackers covet. They’ve been used in a number of targeted attacks, including some high-profile nation-state attacks, and also were a motivation for Microsoft to implement UAF-specific...
Class-Action Suit Alleges OPM Officials Failed to Protect Employees' Data
A class-action lawsuit filed by a government employees’ union against the Office of Personnel Management as a result of the massive data breach at OPM that affects more than 18 million people alleges that not only did the agency know about vulnerabilities in its network long before the attack, bu...
Cisco Acquires OpenDNS for $635 Million
Cisco continues to spend on security, today announcing its intent to acquire San Francisco-based OpenDNS for $635 million. OpenDNS’ domain name system and cloud-based security services bring threat data collected from those platforms to Cisco’s security offerings. “To build on Cisco’s advanced...
In Wake of New Vulnerability OPM Temporarily Halts Background Checks
The Office of Personnel Management — already deep in the throes of a breach that may implicate upwards of 18 million government employees — announced yesterday that it is temporarily suspending the system it uses to conduct government background checks. According to the OPM, the shuttering of the...
Apple Patches Dozens of Flaws in iOS 8.4, OS X 10.10.4
Apple has released new versions of iOS and OS X, both of which include a significant number of security patches, several for bugs that can lead to remote code execution and other serious issues. Version 8.4 of iOS contains fixes for more than 30 security vulnerabilities, including bugs in the iOS...
Amazon Releases S2N TLS Crypto Implementation to Open Source
Amazon today released to open source its own TLS implementation called s2n, which stands for signal to noise. While admittedly not meant to be a replacement for OpenSSL, for example, s2n is a slimmed-down crypto implementation analogous to libssl, the OpenSSL library that supports TLS. Amazon chi...
Cyber UL Could Become Reality Under Leadership of Hacker Mudge
UPDATE–One of the longstanding problems in security–and the software industry in general–is the lack of any universally acknowledged authority on quality and reliability. But the industry moved one step closer to making such a clearinghouse a reality this week when Peiter Zatko, a longtime...
Five Arrested in Zeus, SpyEye Takedown
Authorities in six different countries worked together to take down a cybercrime ring which ultimately infected tens of thousands of computers with Zeus and SpyEye malware and made off with roughly $2.25 million from banks in the process. Europol and Eurojust joined forces to take down the group,...
LG Handsets' App Update Doesn't Verify SSL Cert, Could Lead to Hijacking
Many smartphones manufactured by LG contain a vulnerability that can allow an attacker to replace an APK file with a malicious file of his choice. The problem is the result of several conditions on LG phones. Like other manufacturers, LG includes custom apps on its handsets, which are not availab...
Amazon Patches Certificate Vulnerabilities in Fire Phones
Amazon last week patched three vulnerabilities in its Fire smartphones, including two in its Certinstaller package that put devices at risk. An attacker could take advantage of the vulnerability in the package, which allows mobile apps to install certificates on Amazon Fire devices without user...
Searches for Pirated Content Lead to Pain and Little Gain
People love to try and get something for nothing, especially on the Internet where there are all kinds of things available for nothing. But a lot of those free things are illegal and attackers have become very adept at taking advantage of users’ desire for free episodes of Gilmore Girls or bonus...
Magnitude Exploit Kit Adobe Flash Zero Day 0Day
The urgency to patch Adobe Flash Player installations ramped up over the weekend when exploits for a recently patched zero-day vulnerability were found in the Magnitude Exploit Kit. French researcher Kafeine said on Sunday that a sample he encountered was dropping two instances of Cryptowall...
Samsung to Patch Windows Update Issue Within Days
Samsung said today it will no longer automatically disable Windows updates on PCs and laptops it manufactures and will release a patch “within a few days.” The practice was outed this week by a 22-year-old Microsoft MVP named Patrick Barker who posted a report to his personal website the explaine...