Cryptowall 3.0 Infections Spike from Angler EK, Malicious Spam
Since the Angler Exploit Kit began in late May spreading Cryptowall 3.0 ransomware, traffic containing the malware has continued to grow, putting more potential victims in harm’s way. Today, the SANS Internet Storm Center reported that Cryptowall 3.0 infections are emanating from not only the...
Apple Moving to 2FA, Six-Digit Passcodes in iOS 9
With each new release of iOS, Apple has been improving the security of the mobile operating system, adding new features, inserting exploit mitigations, and taking away avenues for attack. In the forthcoming iOS 9.0 release, the company is continuing this movement with the addition of two-factor...
Mozilla Bug Bounty Payouts Going Up
After admittedly letting its bug bounty rewards get a little stagnant, Mozilla on Tuesday announced it was ready to sweeten the pot for researchers contributing vulnerabilities to the program. Raymond Forbes, an engineer at Mozilla, announced on the company’s website that payoffs were...
Microsoft Brings HSTS to Windows 7 and 8.1
In the midst of a relatively light Patch Tuesday, Microsoft yesterday introduced an extra measure of security for users running Internet Explorer 11 on Windows 7 and Windows 8.1 machines: HSTS. Short for HTTP Strict Transport Security, HSTS is a browser header that forces any sessions sent over...
Congress Looking Into Restricting Power of Government-Owned CAs
UPDATE–As the debate over potential government interference with encryption technologies rages in countries around the world, Congress is now going down a different path, asking technology companies whether it’s feasible and potentially effective for certificate authorities to restrict the way...
Mail Bug on iOS, OSX, Opens Door to Phishing Attacks
A bug in the standalone mail client for both iOS and OSX could enable an attacker to load external HTML and easily carry out convincing phishing attacks on unsuspecting users. In fact, with a little HTML and CSS, an attacker could trick users into giving up their usernames and passwords, accordin...
Duqu Resurfaces With New Round of Victims, Including Kaspersky Lab
The Duqu attackers, who are considered by researchers to be at the top of the food chain of APT groups and are responsible for attacking certificate authorities and perhaps spying on Iran’s nuclear program, have resurfaced with a new platform that was used to compromise high-profile victims,...
Apple Pushing Developers Toward HTTPS Connections in Apps
Apple is encouraging developers who create apps for iOS to begin moving their apps to an HTTPS-only model as soon as possible in an effort to thwart eavesdropping on insecure, plaintext HTTP connections. The move is yet one more sign that major Internet and technology companies are becoming ever...
June 2015 Microsoft Patch Tuesday Security Bulletins
IT administrators today were granted a relatively light month of security bulletins from Microsoft, which is likely to be welcomed given that Windows Server 2003 security support ends in little more than a month. Microsoft today released eight bulletins, two of them rated critical, including a...
Banking Malware Vawtrak Seen Using Tor2Web
Developers behind the banking Trojan Vawtrak have begun obscuring some of their servers with Tor2Web, a move that’s added another degree of difficulty when it comes to uncovering their activity. To this point the malware’s techniques – its evolution beyond banking websites, ability to break...
June 2015 Adobe Flash Player Security Update
Adobe today released another sizeable security update for Flash Player, patching 13 vulnerabilities. None of the security issues are being publicly exploited, Adobe said. All of them, however, expose Flash Player to remote attacks that would give a hacker access to the underlying system. Adobe sa...
Federal Agencies to Move to HTTPS-Only Connections
Following the lead of many major Web services, the White House on Monday announced that it would move all of the federal government’s public sites and services to HTTPS-only. Tony Scott, the federal CIO, has issued a memorandum to all federal agencies and departments instructing them to move all ...
Toshiba Commerce Solutions Retail Software Security Vulnerabilities
Toshiba last week patched a potentially serious vulnerability in its CHEC self-checkout software prevalent in retail locations, while it is still wrangling with another security issue in its point-of-sale offering. The vulnerabilities were reported in August 2014 by David Odell of FishNet Securit...
OPM Warned About Vulnerabilities, Governance Weaknesses
It’s hardly a surprise that the U.S. Office of Personnel Management (OPM) was targeted by nation-state hackers, given the sensitivity of the personal information the office stored. It’s also no shocker that OPM has been successfully infiltrated more than once given the state of its information...
Wassenaar, Bug Bounties and Vulnerability Rewards Programs
Bug bounties have gone from novelty to necessity, not only for enterprises looking to take advantage of the skills of an organized pool of vulnerability hunters, but also for a slew of independent researchers who make a living contributing to various vendor and independent bounty and reward...
Many Drug Pumps Open to Variety of Security Flaws
In April, a security researcher disclosed a litany of severe vulnerabilities in the PCA3 drug-infusion pump manufactured by a company named Hospira. He went so far as to call the pump “the least secure IP enabled device I’ve ever touched in my life.” As it turns out, those same vulnerabilities...
Researcher Finds CSRF Bug in Wind Turbine Software
UPDATE–Wind turbines have been popping up across the United States in great numbers of late, and many of them are connected to the Internet. That, of course, means that these turbines are going to be natural targets for attackers and researchers. A security researcher named Maxim Rupp has...
OPM Hack May Have Exposed Security Clearance Data
Twenty-four hours after unnamed White House officials said the Office of Personnel Management (OPM) data breach was linked to China, one security company has connected the intrusion to the massive break-ins earlier this year at insurance companies Anthem and Premera Blue Cross, while a D.C. think...
New Snowden Documents Outline Govt. Memos on Expanded Spying
A new set of memos uncovered by Edward Snowden and shared with the New York Times and ProPublica this week reveal how the Obama administration narrowed its search for hackers and expanded its warrantless surveillance program. The two memos, which date back to May and July 2012, enabled the Nation...
Dennis Fisher and Mike Mimoso on Facebook's Security Moves, GitHub's Audit and More
Dennis Fisher and Mike Mimoso discuss Facebook’s moves toward encrypted notifications and SHA-2 usage, the audit of GitHub SSH keys and the awesome OpenSesame garage door hack from Samy Kamkar. Download: digitalunderground206.mp3 Music by Chris Gonsalves...
Rights Groups Call for More Change Two Years After Snowden Revelations Began
It’s been two years now since the first stories about NSA surveillance capabilities began to appear, and the environment has shifted dramatically in that time. Awareness of and resistance to mass surveillance has increased greatly, but the changes to policy and laws that many observers had hoped...
Phishers Going the Long Way Round to Avoid Filtering Systems
Any human with an email address likely has gotten thousands of spam messages that look like delivery notifications, invoices, or other alleged communications from shipping companies such as UPS or DHL. They typically contain malicious attachments with exploits for a browser or plug-in...
Adware-Laden Skype Botnet Disrupted
Skype, Microsoft’s now ubiquitous video/messenger program, has long been a go-to destination for attackers looking to peddle their malware. The latest campaign to leverage the software – a botnet circulating adware, composed entirely of Skype users – was recently disrupted by researchers. Ronnie...
Tesla Motors Starts Bug Bounty--But Not For Its Cars
Tesla Motors has started a bug bounty program that will pay researchers up to $1,000 for disclosing vulnerabilities. However, the rewards don’t apply to bugs found in the company’s vehicles. The program’s scope is quite narrow, with only the main teslamotors.com domain and other domains owned by...
Author Behind Ransomware Tox Calls it Quits, Sells Platform
Earlier this week, when the author behind the crypto-ransomware Locker apologized and released decryption keys for his victims, it seemed like a change of heart, uncharacteristic for an attacker. Now another ransomware creator has also decided to cut his losses and get out of the game – but not...
Using Toys to Open a Fixed-Code Garage Door in 10 Seconds
It may be time to upgrade your garage door opener. Security researcher Samy Kamkar has developed a new technique that enables him to open almost any garage door that uses a fixed code–and he implemented it on a $12 child’s toy. The attack Kamkar devised, known as OpenSesame, reduces the amount of...
Privacy Proponents In Favor of Tracking Protection for Firefox
Privacy advocates are calling on Mozilla to better deploy Tracking Protection, a technology that offers more stringent privacy and speeds up page loads by blocking requests to tracking domains, in its Firefox browser. The functionality has existed in the browser for months but the idea of making ...
Facebook Requires SHA-2 Support as of Oct. 1, 2015
Facebook has put developers on notice that as of Oct. 1, apps that do not support SHA-2 will no longer connect to its network. With Tuesday’s announcement, the tech giant has fallen in line alongside Google, Mozilla and Microsoft in deprecating the SHA-1 and older hash algorithms. “These changes...
Unity Web Player Zero-Day Vulnerability Disclosed
Some detail has been disclosed about a zero-day vulnerability in the Unity Web Player browser plugin that can allow an attacker to use a victim’s credentials to read messages or otherwise abuse their access to online services. The partial disclosure was made after nearly six months of bug-report...
Microsoft to Support SSH in Windows
After several false starts, Microsoft finally is planning to support SSH in Windows and the company’s engineers also will contribute to the OpenSSH project. While SSH has been a popular tool for remote login and command execution on many Unix and Linux systems for years, Windows has not supported...
Audit of GitHub SSH Keys Finds Many Still Vulnerable to Old Debian Bug
An audit of the SSH keys associated with more than a million GitHub accounts shows that some users have weak, easily factorable keys and many more are using keys that are still vulnerable to the Debian OpenSSL bug disclosed seven years ago. The public SSH keys that users associate with their GitH...
Machines Infected by Locker Ransomware Decrypted
Update: Computers infected by the Locker crypto-ransomware were today decrypted as promised by the malware’s author, who last week posted the decryption keys to an upload site and apologized for releasing the malware. Lawrence Abrams of Bleeping Computer said the infected computers were decrypted...
U.S. and Japan to Cooperate on Cybersecurity, Information Sharing
The United States and Japan have agreed to cooperate more closely on cybersecurity and information sharing initiatives as a way to help both countries defend against future threats and attacks. The new initiative will include a variety of components, most notably cooperation during serious...
Google My Account Privacy and Security Settings
Less than a week after announcing some welcome changes that keep Android mobile app permissions in check, Google on Monday announced a new privacy and security settings tool. My Account walks users through their Google account’s privacy and security settings, points out potential shortcomings and...
Sunset of Section 215 Means All Eyes on USA FREEDOM Act
The sun may have set at midnight on Section 215 of the PATRIOT Act, putting a temporary halt to the NSA’s bulk collection of phone call metadata, but privacy champions and legal experts point to May 7 as the day the lights dimmed on that facet of the government’s surveillance efforts. On that...
Slew of Vulnerabilities Found in D-Link Storage Devices
Researchers have identified dozens of vulnerabilities in several D-Link products, some of which allow attackers to bypass authentication requirements or upload arbitrary files to target devices. The vulnerabilities lie in a variety of D-Link network storage devices and the company has produced...
Facebook Adds PGP Encryption Feature to Email
Facebook announced early Monday that the social network is in the process of adopting OpenPGP encryption and that it will give privacy conscious users the ability to post their public keys on their profile. The feature, which is gradually rolling out to users today, should better lock down messag...
Researchers: Patch Incomplete for Hola VPN Vulnerabilities
Hola, a popular, free, peer-to-peer service that enables anonymous surfing and access to blocked online resources, said today it has patched vulnerabilities discovered last week that expose its millions of users to possible code execution, remote monitoring and other threats to privacy and...
Firmware Bug in OSX Could Allow Installation of Low-Level Rootkits
There is a vulnerability buried deep in the firmware of many Apple laptops that could allow an attacker to overwrite the machine’s BIOS and install a rootkit, gaining complete control of the Mac. The vulnerability lies in the UEFI system on some older MacBooks, and researcher Pedro Vilaca...
Poor Crypto Dooms Blockchain Android App
Shoddy crypto is being blamed for the loss of Bitcoin for an unnamed number of Blockchain users. Blockchain, one of the busiest Bitcoin wallets, on Thursday released a security update for its Android app correcting the situation. “In rare circumstances, certain versions of the Android operating...
Apple Publishes Workaround for Unicode iMessage Bug
Apple has quickly given iPhone users a workaround for a pesky iMessage bug that’s been making the rounds this week. The bug, which some users have dubbed a “text message attack,” has been frustrating many iPhone users since surfacing on Wednesday. It occurs when a user receives a text message tha...
Oracle PeopleSoft Security Vulnerabilities Elevate ERP Security
Enterprise resource planning systems are the unexplored continent of vulnerability research, in spite of the fact that these massive, critical business systems support the inner workings of many large corporations and IT organizations. A recent run of bugs in SAP, and a presentation at this week’...
Brian Donohue on Security and Journalism
Dennis Fisher talks with Brian Donohue about his time at Threatpost, learning about security and the joy and pain of being a journalist. Download: digitalunderground205.mp3 Music by Chris Gonsalves...
Google Locks Down Excessive Android App Permissions
Excessive mobile application permissions have long been a security and privacy concern, in particular for Android users who download apps for the platform from a number of sources, and not just from Google. The most notorious case is likely Goldenshores Technologies LLC, which agreed to settle...
Angler Exploit Kit Exploiting New Adobe Vulnerability, Dropping Cryptowall 3.0
While the Angler Exploit Kit may have already established itself as one of the more sophisticated kits on the underground market, it appears it’s still finding ways to evolve. Angler, this week, was spotted dropping the latest iteration of CryptoWall ransomware and leveraging yet another previous...
Apple Blocks Older Versions of Flash Player
On the heels of a major Adobe Flash Player update two weeks ago, Apple last night updated its blacklist to include older versions of the software. In its advisory, Apple said it will begin blocking out-of-date versions of Flash in its Safari browser. “If you’re using an out-of-date version of the...
Rockwell RSView32 Security Vulnerability Patched
Human machine interface software from Rockwell Automation has been patched, protecting users from a vulnerability in the way stored passwords are protected. The vulnerability was discovered in RSView32, versions 7.60.00 and earlier, according to an alert from the Industrial Control System Cyber...
Microsoft to Detect Search Protection Code as Malware
The Microsoft Malware Protection Center announced yesterday that its security products would begin detecting all software containing search protection functions and classifying it as malicious, regardless of whether the search-censoring features are enabled or latent. Search protection is a schem...
Security Researchers Publish Comments on Wassenaar Rules
With the two-month comment period for the proposed U.S. Wassenaar Arrangement rules barely under way, a cast of influential security researchers has wasted no time preparing and submitting their thoughts on the controversial proposal. Researchers who seek out vulnerabilities in software—developin...
IRS Hack Exposes 100,000 Taxpayer Records
Users of the Internal Revenue Service’s Get Transcript service are at risk for identity theft after the agency reported today that personal records belonging to more than 100,000 taxpayers had been accessed by hackers. Get Transcript is unavailable currently on the IRS.gov website; the service...