Home Automation Protocol Z-Way Vulnerable to Remote Attacks
A researcher is warning users of the extensible Z-Way controller project that a weakness built into the software could inherently expose it to attacks. Z-Way is the controller and abstraction layer of software that handles Z-Wave, a standard for wireless communication between devices in smart...
Ed Felten Joins White House as Deputy CTO
Ed Felten, a professor at Princeton University and a well-respected voice on security and privacy issues, is joining the White House as the deputy CTO. In his new role, Felten will be working under Megan Smith, the CTO of the United States and a former Google vice president. Felten has been at...
Tor Cloud Shut Down Amid Lack of Support
The Tor Project has shuttered its cloud proxy service citing security vulnerabilities, usability bugs and a lack of resources. Tor offers its users the capacity to surf the Web anonymously, bouncing traffic through a series of relay servers so that no observer at any point can tell where that...
MacKeeper Zero Day Patched
MacKeeper, well known to Mac OS X users for its noisy pop-under ads stressing the need for a system cleanup, has patched a critical remote code execution vulnerability. The software is a utility that is marketed as capable of improving Mac performance and security. The vulnerability was disclosed...
Elasticsearch Elastichoney Honeypot Shows 8,000 RCE Attacks
Hackers have taken an interest in Elasticsearch, a popular enterprise search engine. A researcher based in Texas, whose own Elasticsearch server was hacked, today published results collated from a honeypot he built to get a sense of how widespread attacks are against the vulnerability that did in...
Court's Ruling a 'Clear Signal' About Mass Surveillance Programs, Experts Say
The ruling last week by the Second Circuit Court of Appeals that the NSA’s years-long bulk collection of phone metadata is illegal is a “clear signal” that courts are moving in the direction of striking down some mass surveillance programs, experts say. The decision, issued Thursday, is among the...
Dennis Fisher and Mike Mimoso on the End of the Patch Tuesday Era, Section 215 and More
Dennis Fisher and Mike Mimoso talk about the end of the Patch Tuesday era for most Microsoft customers, the appeals court ruling on Section 215 metadata collection and Dennis’s idea for a security industry commission. Download: digitalunderground201.mp3 Music by Chris Gonsalves...
WordPress Sites Backdoored, Leaking Credentials
WordPress site administrators just cannot come up for air. With a raft of WordPress vulnerabilities—most of them in plugins—to address, now comes word that a number of sites running the content management system have been compromised and are sending credentials via a backdoor to a criminal group...
Rockwell Automation Patches Buffer Overflow in ICS App
There is a stack buffer overflow in a Rockwell Automation application that’s used to enable communications in industrial control applications used in manufacturing, energy, water, and other environments. The vulnerability is in the RSLinx Classic product and it can be used to crash the application...
May 2015 Adobe Reader, Acrobat Security Updates
Microsoft may no longer provide its customers with free advance notification of upcoming Patch Tuesday security updates, but Adobe continues to give users of its Reader and Acrobat products a gratis heads-up of what’s coming. The company yesterday said it is planning to release security updates...
Open Smart Grid Protocol Homegrown Crypto Weaknesses
In the three years since its inception, the Open Smart Grid Protocol has found its way into more than four million smart meters and similar devices worldwide. And like its SCADA, industrial control system, and embedded system brethren, it’s rife with security issues. Two researchers, Phillip...
Cisco UCS Central Software Security Vulnerabilities Patched
Cisco has patched a serious remote code execution vulnerability in its Unified Computing System UCS Central software, a data center platform that integrates processing, networking, storage and virtualization into one system. “An attacker could exploit this vulnerability by sending a crafted HTTP...
Vulnerabilities Identified in Two WordPress Plugins
The last few months have seen a significant uptick in WordPress plugin vulnerabilities, and judging by advisories issued this week regarding another pair of insecure plugins, the trend will likely continue for the time being. The first vulnerability, discovered by security firm High Tech...
Appeals Court Rules NSA Metadata Collection Not Authorized by Section 215
The United States Court of Appeals for the Second Circuit ruled Thursday that the Patriot Act does not authorize the bulk collection of phone records by the NSA. The ruling undermines the key foundation upon which the federal government’s phone metadata surveillance program is built, Section 215 ...
Apple Fixes WebKit Vulnerabilities in Safari Browser
Apple has updated its Safari browser, fixing a handful of exploitable WebKit flaws in various versions of Safari. WebKit is the core layout engine responsible for rendering webpages in the Safari browser. The first bulletin, vulnerabilities uncovered by Apple, resolves multiple memory corruption...
Lenovo System Update Vulnerabilities Patched
While Lenovo is still reeling from the Superfish vulnerability, three more serious vulnerabilities have been patched and disclosed in its update system for its PCs. Researchers at IOActive yesterday disclosed details on a trio of security issues related to the mechanism by which Lenovo machines are sent...
NSA Whistleblowers, Civil Liberties Groups Urge Congress to Oppose USA Freedom Act
As the expiration date for the controversial Section 215 of the Patriot Act draws near, the voices opposing a renewal of the surveillance powers the measure grants the NSA are growing louder. The latest entry is a letter sent to members of Congress by a long list of privacy, civil liberties, and...
Windows Update for Business Uproots Patch Tuesday
Scheduled patch deliveries are so last decade—and thankfully, it looks like they’re over when it comes to Microsoft Patch Tuesday. Microsoft this week at its Ignite event introduced its new security update scheme called Windows Update for Business, which debuts in Windows 10 with several new...
Google Research Reveals Profitable, Pervasive Ad Injector Ecosystem
More than five percent of all unique IP addresses accessing Google sites included some kind of ad injector software, and there are more than 50,000 of those injector browser extensions in use today, according to new research from Google. The company conducted the research over the course of sever...
Vulnerability-Riddled Drug Pumps Open to Takeover
One medical device company’s line of drug pumps is so fraught with vulnerabilities that the researcher who discovered the flaws claims the pump is the least secure IP-enabled device he’s ever come across. Certain versions of Hospira’s Lifecare PCA3 Drug Infusion pumps are susceptible to multiple...
Microsoft LAPS Tool Addresses Local Admin Password Problem
Microsoft’s release last week of the Local Administrator Password Solution LAPS takes some steps to address an old question of what to do with local admin passwords, but doesn’t provide a complete answer, experts said. Windows admins have long used a common local account with the same password on...
ICU Project ICU4C Library Vulnerabilities Patched
Multitudes of software packages that make use of the ICU Project C/C++ and Java libraries may need to update after a pair of memory-based vulnerabilities were discovered and subsequently patched. Version 55.1 of the ICU Project ICU4C library, released yesterday, addresses separate heap-based buff...
Usbkill Script Can Render Computers Useless
The idea of needing to disable a computer quickly as the police, or another potential adversary, comes through the door typically has been the concern of criminals. But in today’s climate, activists, journalists, and others may find themselves wanting to make their laptops unusable in short order, a...
Angler Exploit Kit, Bedep Malware Inflating Video Views
A new sort of hacktivism emerged last week when experts from Trustwave published new research revealing that attackers are using the Angler exploit kit and the Bedep Trojan in order to drive artificial views to politically controversial videos. The motivation for the scheme, it appears, is to...
Netflix Releases FIDO Incident Response Tool
Engineers at Netflix have released another one of the company’s bespoke security tools as an open-source application, this time an incident-response system known as FIDO. The tool is designed to help automate the process of incident response, and specifically it acts as a new layer that helps tie...
Rombertik Malware Can Overwrite MBR if Audited
A new strain of spyware that logs keystrokes and steals data has a destructive side to it, unleashing wiper capabilities if it detects it’s being analyzed and audited. A limited number of samples of the malware, dubbed Rombertik by researchers at Cisco Talos, were spotted at the start of the year...
Google Updates Password Alert Extension, But Some Bypasses Still Work
For the second time in less than a week, Google has updated its Password Alert extension for Chrome to address a method for bypassing the warning screens that alert users that they’re entering data on a non-Google site. However, the researcher who discovered the most-recent bypass method said his...
Sally Beauty Investigating Second Data Breach
Sally Beauty Supply, a seller of beauty products in the U.S., says it is investigating reports of fraudulent activities involving payment cards used at some of the chain’s retail locations. In March 2014, Sally Beauty admitted that hackers compromised its payment systems, exposing the sensitive...
Google Patches Clickjacking Bug in API Explorer
Google has patched a clickjacking vulnerability that a researcher says would enable an attacker to retrieve or delete email conversations, manipulate YouTube and Google Plus accounts, and more. A Google representative said in an email to Threatpost that the bug affected developers who had...
Researchers, FBI Warn of Nepal Earthquake Scams
The earthquake that hit Nepal late last month has caused untold damage in the region and kicked off a massive relief and aid effort. Attackers are loath to let a chance like that go by, and they have concocted a number of schemes to deprive victims of their money and hope for relief funds. Aid...
Attackers Peddling Malware Through CareerBuilder
Attackers have recently taken to the job-search website CareerBuilder to spread Microsoft Word documents that appear to be job hopefuls’ resumes, but in reality, are laden with malware. Researchers at the firm Proofpoint discovered the campaign and discussed their findings in a blog post. In the...
Mozilla Moving Toward Full HTTPS Enforcement in Firefox
The Mozilla Foundation is initiating the process to phase out insecure HTTP connections in the Firefox browser. The decision is part of a broader movement to encrypt the Web, which in the case of Mozilla Firefox, means permitting only encrypted HTTPS browser connections. Mozilla is the developer ...
Researcher Finds Method to Bypass Google Password Alert
A security researcher has developed a method, actually two methods, for defeating the new Chrome Password Alert extension that Google released earlier this week. The Password Alert extension is designed to warn users when they’re about to enter their Google passwords into a fraudulent site. The...
Dennis Fisher and Mike Mimoso Discuss the MySQL bug, OpenSSL and the House Crypto Hearing
Dennis Fisher and Mike Mimoso discuss the post-RSA news, including the MySQL bug, the progress of the OpenSSL overhaul and the wildly entertaining House hearing on crypto backdoors. Download: digitalunderground200.mp3 Music by Chris Gonsalves...
Dyre Banking Trojan Avoids Sandbox Detection
A number of unidentified commercial and freely available sandboxes fail to detect a new version of the Dyre banking Trojan, which was recently blamed for more than $1 million in losses to financial institutions and enterprises. The new strain of Dyre, also known as Dyreza, uses a fairly new...
Routers Vulnerable to Critical Remote Code Execution Vulnerability
A zero day vulnerability in popular household routers from D-Link and Trendnet could be exploited by attackers to run arbitrary code on devices. The flaw, which can be exploited without authentication, is present in version 1.3 of Realtek’s SDK, which figures into some brands of routers, accordin...
New Spam Campaign Pushing CTB-Locker Ransomware
A new run of spam messages this week has been spotted dropping CTB-Locker ransomware. CTB-Locker, also known as Critroni, is a fairly new piece of crypto ransomware that encrypts hard drives and demands a ransom paid in Bitcoin to the attackers in exchange for the decryption key. Two days ago,...
New MySQL Bug Can Strip SSL Protection From Connections
Researchers have identified a serious vulnerability in some versions of Oracle’s MySQL database product that allows an attacker to strip SSL/TLS connections of their security wrapping transparently. The vulnerability is the result of the way that an option in MySQL handles requests for secure...
Congress, Crypto and Craziness
Crazy is never in short supply in Washington. Through lean times and boom times, regardless of who is in the White House or which party controls the Congress, the one resource that’s reliably renewable is nuttery. This is never more true than when that venerable and voluble body takes up a topic...
WordPress CartPress Plugin Zero Day Disclosure
Another round of WordPress vulnerability disclosures has taken place with details made public on a handful of unpatched bugs in the CartPress ecommerce plugin. These disclosures come on the heels of a separate disclosure of a zero-day in the WordPress core engine. Those vulnerabilities have since...
A Year Later, XSS Vulnerability Still Exists in eBay
A potentially dangerous cross-site scripting (XSS) vulnerability has existed in eBay for more than a year, and it doesn’t appear the company is in a rush to fix the issue. Jaanus Kääp, a researcher based in Estonia, discovered the issue more than a year ago when he was looking into the security of web...
OpenSSL Past, Present and Future
Rarely does anything have a defined turning point in its history, a single day where people can point and say that was the day everything changed. For OpenSSL, that day was April 7, 2014, the day that Heartbleed became part of the security lexicon. Heartbleed was a critical vulnerability in the...
Google Releases Password Alert Extension for Chrome
Google is rolling out a new extension for Chrome that will monitor users’ logins and warn them if they enter a Google password on a non-Google page, a move designed to help protect users against phishing attacks. The new extension, called Password Alert, works for both consumer accounts and Googl...
Macro-Enabled Malware Making a Comeback
Malware that uses macros as part of its infection method has been around for more than a decade, and was one of the first major techniques to drive changes at software vendors such as Microsoft. The tactic has been making a comeback of late, and Microsoft is seeing a major spike in the volume of...
How I Got Here: Jennifer Leggio
Dennis Fisher talks with Jennifer Leggio, a longtime player in security PR and marketing, about her start as an obituary writer in Southern California, her move into tech in the Bay Area, what she loves about working in security and what makes for successful startups. Download: 16leggio.mp3 Music...
Criminal Group Using Dynamic Gate System to Infect with Fiesta EK
A sophisticated criminal group operating for more than a year is utilizing a changing series of Internet Protocol addresses, domains and gates in order to infect its victims with the Fiesta exploit kit. Fiesta is among the handful of exploit kits to have emerged in the wake of the once prominent...
SendGrid Email Delivery Service Hack
SendGrid, which sells a cloud-based email delivery service, has admitted that the extent of a hack disclosed three weeks ago was much more serious than originally reported. The company said an employee account was compromised and used to access other systems that contained customer and employee...
WordPress Core Engine Stored XSS Vulnerability Patched
UPDATE: A critical stored cross-site scripting zero-day vulnerability affecting tens of millions of WordPress sites has been patched in version 4.2.1, which was released last night. The vulnerability allowed for malicious JavaScript to be stored in comment fields of WordPress sites and executed...
Authentication Vulnerabilities Identified in Projector Firmware
The manufacturer of a popular projector found primarily in classrooms is neglecting to address several authentication bugs that exist in the device that could open it up to hacks. It’s technically the firmware for the projector, InFocus IN3128HD, version 0.26, that’s vulnerable. The web interface...
Mozilla to Remove Turkish CA From Firefox Trust Store
Mozilla is removing a Turkish root CA from the Firefox trust store, not because of a compromise or a mistakenly issued certificate, but because the certificate authority hasn’t lived up to the audit requirements Mozilla has for trusted CAs. Like other browser vendors, Mozilla has a lengthy policy...