IETF Officially Deprecates SSLv3
Attacks such as POODLE and BEAST not only caused some sleepless nights for server admins having to patch against the respective weaknesses, but they also accelerated SSLv3 deprecation. In the time since both attacks were disclosed, major browsers have removed the fallback condition that enabled t...
New Chrome Extension Blocks BeEF Attacks
An engineer has devised a new way to help combat BeEF, or browser exploit framework attacks. The tool, a Chrome extension, detects and blocks hooks from BeEF, an exploit tool similar to Metasploit that uses JavaScript to control browsers. Routinely used by researchers, pen testers, and attackers,...
NIST Drops Weak Dual_EC RNG From Official Recommendations
NIST officially has removed the controversial and compromised Dual_EC_DRBG from its list of recommended algorithms for generating random numbers. The Dual_EC random number generator was at the center of a controversy in the security community two years ago after revelations that the National Securit...
On the Cisco Default SSH Keys, OPM Hack, the Adobe Zero Day, and More
Dennis Fisher and Mike Mimoso talk about the Cisco default SSH keys, more details of the OPM data breach, the Adobe 0-day and why we never hear about bad APT groups, only the really good ones. Download: digitalunderground208.mp3 Music by Chris Gonsalves...
Cisco SSH Key Flaw Has Echoes of Earlier Vulnerabilities
When Cisco released a patch for several of its security appliances Thursday that eliminated the presence of hard-coded SSH host and private keys, the advisory had a distinct air of familiarity about it. That’s because the company released a patch for the same problem in one of its other major...
Default SSH Key Found in Many Cisco Security Appliances
Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said that all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management...
Samsung Disables Windows Update
Samsung PC owners could soon find themselves in an endless carousel of enabling Windows Update with each reboot of their machine after a computing enthusiast discovered that a Samsung feature disables Microsoft’s update mechanism by default. Windows Update is a service that delivers, among other...
Stored XSS Flaw Patched in Thycotic Secret Server
Thycotic, a maker of access-control and other security products, has patched a stored cross-site scripting vulnerability in one of its products that could enable an attacker to steal a victim’s stored passwords. The vulnerability is in the company’s Secret Server product, which is designed to...
Stolen U.S. Government Credentials Found Online
Credentials stolen in breaches and sundry hacks belonging to close to 100 unique U.S. government domains are scattered among a number of paste sites and are searchable in other locations online. Analysts at Recorded Future said on Wednesday that through open source intelligence gathering and...
Facebook Hires Ex-Yahoo CISO Alex Stamos
Facebook has hired away the top security executive at Yahoo, Alex Stamos, to become the company’s new CSO. Stamos said Wednesday that he is joining Facebook because he believes the company is in the best position to address some of the large security challenges facing users and companies right no...
Hotels.com Phishing Scam Duping Travelers
An undisclosed number of travelers who use Hotels.com may have been victims of a phishing scheme. The company said some customers were recently tricked into disclosing their names, phone numbers, email addresses and travel bookings. An individual was reportedly able to convince customers that the...
Details Available on Patched Adobe, Windows Font Vulnerabilities
A Google Project Zero researcher has publicly disclosed details on a number of patched Adobe and Microsoft vulnerabilities, including one in the Adobe Type Manager Font Driver that could enable takeover of a number of systems supporting modern font engines. Mateusz Jurczyk pointed the finger at h...
PITA Side-Channel Crypto Key Attack
It’s unlikely that anyone envisioned the evolution of cryptographic key thievery to include leavened flatbread, but that’s where we’ve arrived. Researchers from Tel Aviv University in Israel are expected in September to present a paper at the Workshop on Cryptographic Hardware and Embedded System...
Proposed Change to ICANN Domain Anonymity Rule Worries Privacy Advocates
A proposed change to the way that registrars treat the private contact details for domain owners could make it easier for anyone to get information on people who use proxy services. The potential change comes in the form of a document from a working group of the Generic Names Supporting...
Facebook Helps Combat Apple XARA Vulnerabilities With Osquery
Apple may still be in the process of patching XARA, the series of weaknesses that surfaced in its authentication infrastructure last week, but Facebook has stepped up and made it easier for organizations to detect whether their system is being exploited by the vulnerabilities. Engineers with the...
Adobe Patches Flash Zero Day Attacked by Clandestine Wolf
Adobe today released an out-of-band patch for a Flash Player zero-day vulnerability being used in targeted attacks by an APT gang known for its storehouse of exploits targeting unpatched browser-based vulnerabilities. The group, named by FireEye as APT3 and responsible for the so-called Clandesti...
FBI Says Cryptowall Cost Victims $18 Million Since 2014
In a little more than a year, consumers affected by the Cryptowall ransomware have reported to the FBI more than $18 million in losses related to infections from the malware. Cryptowall is among the group of ransomware families that encrypt the files on victims’ computers and then demand a ranso...
TCP Vulnerability Haunts Wind River VxWorks Embedded OS
There is a TCP prediction vulnerability in Wind River’s widely deployed VxWorks embedded software that can enable an attacker to disrupt or spoof the TCP connections to and from target devices. VxWorks is an embedded operating system that’s used in a large number of ICS products that are deployed...
RubyGems Patches Serious Redirection Vulnerability
RubyGems make life easier for developers to distribute software to users. A vulnerability in the Ruby package manager could make life easier for hackers to redirect victims to trouble. Disclosed today by researchers at Trustwave and OpenDNS, the vulnerability, CVE-2015-3900, enables an attacker t...
HP Releases Details, Exploit Code for Unpatched IE Flaws
Researchers at HP’s Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer. The disclosure is a rarity for ZDI. The company typically does not publish...
Polish Planes Grounded After Alleged Airline Hack
Roughly 1,400 passengers were temporarily stranded at Warsaw’s Frederic Chopin airport over the weekend after hackers were purportedly able to modify an entire airline’s flight plans via a distributed denial of service (DDoS) attack. On Sunday someone was able to infiltrate the computer system of t...
Google Fixes Handful of Bugs in Chrome
Google has fixed several vulnerabilities in Chrome, including a pair of cross-origin bypasses and a high-risk scheme validation error. The new release updates Chrome to version 43.0.2357.130 and there are patches for other security flaws as well, though Google has only published information on fo...
Ubuntu Patches Privilege-Escalation Bug
There is a privilege-escalation vulnerability in several versions of Ubuntu that results from the fact that the operating system fails to check permissions when users are creating files in some specific circumstances. Security researcher Philip Pettersson discovered the vulnerability and reported...
Trio of Vulnerabilities Patched in Magento Web App
A trio of vulnerabilities was recently patched in eBay’s Magento e-commerce web application that could have let attackers carry out a handful of exploits, including phishing, session hijacking, and data interception. Hadji Samir, a researcher at the firm Vulnerability Lab, dug up the problems...
Dennis Fisher and Mike Mimoso on the OPM Hack Hearing and More
Dennis Fisher and Mike Mimoso discuss the brutal House Oversight Committee hearing on the OPM breach, the Navy soliciting zero days, the LastPass breach, and the Cardinals-Astros hacking story. Download: digitalunderground208.mp3 Music by Chris Gonsalves...
SAP HANA Encryption Vulnerabilities
SAP’s in-memory relational database management system, HANA, contains a whopper of a security weakness: a default encryption key guarding passwords, stored data and backups. Researchers from ERPScan, which recently uncovered serious configuration vulnerabilities in Oracle PeopleSoft products, on...
Major Carriers AT&T, Comcast Continue to Lag in EFF Privacy Report
While many companies have made strides when it comes to how they handle transparency and government requests post-Snowden, major telecoms such as AT&T and Verizon continue to lag behind. Despite publishing transparency reports within the last year, the two companies scored the lowest on the...
Reddit to Move to HTTPS-Only
In the two years since the details of the NSA’s deep penetration of the Internet infrastructure began to emerge, there has been a major movement afoot among Web companies to encrypt more and more of their resources and services. The latest large property to make this move is Reddit, which by the...
Drupal Fixes Critical OpenID Bug
Drupal has patched several vulnerabilities in versions 6 and 7 of the content-management system, including a critical bug that enables an attacker to hijack administrators’ accounts and take arbitrary actions on target sites. That vulnerability lies in the OpenID module in Drupal that enables use...
Non-Nexus Devices and the Android Security Rewards Program
Google’s decision to limit its Android Security Rewards program to newer Nexus devices clearly puts the Google phones on the top tier of secure mobile devices. It also could ultimately have the effect of putting non-Nexus devices in the line of fire. For now, limiting the rewards program to Nexus...
Password Stealing Vulnerabilities Outlined in iOS, OSX
A group of researchers from Indiana University say that they’ve found a handful of vulnerabilities in both Apple’s OS X and iOS, and perhaps more worrisome, cracked the Keychain service that the company uses for apps and their sandboxes on OS X. A series of weak app-to-app authentication...
LinkedIn Private Bug Bounty Program Goes Public
Public-facing bug bounties are the shiny new bauble of computer security. And with good reason since in most cases, companies that start their own bounties or go through a third-party platform provider are able to take advantage of a pool of skilled contributors, patch products, and improve...
OPM Breach Dates Back to December
The attack on the Office of Personnel Management that was disclosed earlier this month began as early as December 2014 and likely was the end result of a social engineering attack that enabled the hackers to gain valid user credentials and move around OPM’s network. During a hearing on Capitol Hi...
Plaintext Credentials Threaten RLE Wind Turbine HMI
A week after disclosing a cross-site request forgery vulnerability in small wind turbines manufactured by a company called XZERES, a security researcher has discovered a serious bug in the human-machine interface for turbines made by German company RLE International GmbH. Researcher Maxim Rupp...
Samsung's Swift Keyboard Update Mechanism Exposes 600M Devices
The Swift keyboard, installed by default on Samsung Android mobiles, exposes devices to a host of remote attacks that could be executed by attackers ranging from criminals sitting man-in-the-middle on local Wi-Fi networks, to a state actor in an upstream position at an ISP or backbone. NowSecure...
FBI Investigating Alleged Attack on Houston Astros
In one of the more bizarre alleged hacking stories to emerge recently, federal authorities are investigating whether employees of the St. Louis Cardinals hacked into systems belonging to the Houston Astros and got access to internal team conversations about players, trades, scouting reports, and...
Stegoloader Malware Uses Steganography to Hide Itself
Malware writers aren’t hesitant to do what it takes to protect a campaign and keep it hidden from detection technologies and security researchers. The group behind the Stegoloader malware, disclosed Monday by researchers at Dell SecureWorks, has taken to digital steganography to keep its...
Google Launches Android Security Rewards For Nexus Devices
Google today announced that it has expanded the scope of its vulnerability rewards program to include the latest versions of its Nexus mobile devices, dangling thousands of dollars in front of researchers willing to hunt not only for vulnerabilities but also develop bypasses for native Android...
Amazon Transparency Report Shows Few Requests For User Data
Amazon has released its first transparency report, and for a company as large as Amazon, there is surprisingly little in the way of detail or explanation in the report. The company reported that it received 813 subpoenas, 25 search warrants, and 0-249 national security requests. Of the 813...
LastPass Network Breached; Calls for Master Password Reset
Password manager LastPass disclosed today that its network was breached and advised users to change their master passwords and enable multifactor authentication. CEO and founder Joe Siegrist said in a security notice that LastPass on Friday discovered suspicious activity on its network; encrypted...
Hill Debates Course of Action on China Cyberespionage
Lawmakers and experts on the U.S.-China Economic and Security Review Commission today debated with and quizzed security and legal experts on the best course of action against cyberespionage attributed to China. The Senate committee heard pros and cons related to a number of possible scenarios...
Duqu 2.0 Attackers Used Stolen Foxconn Certificate to Sign Driver
The attackers behind the recently disclosed Duqu 2.0 APT have used stolen digital certificates to help sneak their malware past security defenses, and one of the certificates used in the attacks was issued to Foxconn, the Chinese company that manufactures products for Apple, BlackBerry, Dell, and...
Popular WordPress SEO Plugin Fixes XSS Bug
The Yoast WordPress SEO plugin, which has been downloaded more than 14 million times, has a serious cross-site scripting vulnerability that can allow an attacker to force a vulnerable site to execute arbitrary HTML code. The bug may have been reported to the plugin’s developer as long as two year...
US Navy Soliciting Zero Days
The National Security Agency may find and purchase zero days, but that doesn’t mean it’s sharing its hoard with other government agencies such as the U.S. Navy, which apparently is in the market for some unpatched, undisclosed vulnerabilities of its own. A request for proposal posted last...
Microsoft Classifies Ask Toolbar as 'Unwanted' Software
Microsoft has reclassified the Ask Toolbar as unwanted software, which means its security tools will automatically detect and remove all versions, except for the most recent, from Windows computers. Ask Toolbar is an interface to the 20-year-old Ask.com search engine, and it’s included in among...
Cisco Patches IPv6 Vulnerability in Carrier Routers
Cisco said on Thursday it has patched a denial of service vulnerability in its IOS XR software used in carrier-grade routers. The vulnerability, Cisco said, rests in the IPv6 processing code used by IOS XR in the Cisco CRS-3 Carrier Routing System. The bug is remotely exploitable and is due to...
Dennis Fisher and Mike Mimoso on Duqu 2.0, HSTS in Windows, and More
Dennis Fisher and Mike Mimoso discuss the Duqu 2.0 attack and its ramifications, the addition of HSTS support to Windows 7 and 8.1 and the rest of the news of the week. Download: digitalunderground207.mp3 Music by Chris Gonsalves...
Snapchat Offers Users Optional Two-Factor Authentication
Snapchat’s popularity with teens doesn’t run in parallel with the opinion of security and privacy professionals wary of its practices in guarding users’ data. With the release of the latest version of the photo and video sharing app, Snapchat added an optional two-factor authentication feature th...
OpenSSL Patches Five Flaws, Adds Protection Against Logjam Attack
The OpenSSL project has patched several moderate- and low-severity security vulnerabilities and also has added protection against the Logjam attack in new releases of the software. Most of the vulnerabilities fixed in the new releases are denial-of-service bugs, but one of them can potentially...
49 Arrested in "Operation Triangle" Phishing Campaign
Authorities from six nations worked in tandem on Tuesday to apprehend 49 suspects connected with allegedly carrying out a complex phishing scheme dubbed Operation Triangle that saw cybercriminals make off with more than $6 million. Police in Italy, Spain, and Poland coordinated the arrests, while...