U.S. Government Requests for Yahoo User Data Drop
Yahoo received nearly 5,000 requests for user data from the United States government in the last six months of 2014 and disclosed some content in nearly 25 percent of those cases. The company said in its new transparency report that it received between 0 and 999 National Security Letters from the U.S...
March 2015 Cisco IOS Security Advisories and Patches
Cisco on Wednesday pushed out its semiannual batch of security patches for Cisco IOS, the operating system on the bulk of its routers and network switches. Yesterday’s release—the next will be the fourth Wednesday of September—included seven advisories patching 16 vulnerabilities that could enabl...
GE Fixes Buffer Overflow in DTM Library
GE has released a fix for a vulnerability in a library that’s used in several of its products deployed in critical infrastructure areas. The flaw in the HART Device Type Manager library could allow an attacker to crash affected applications or run arbitrary code. The vulnerability in the DTM...
Default Setting in Windows 7, 8.1 Could Allow Privilege Escalation
A default setting in both Windows 7 and 8.1 could allow local users to elevate privileges and in some situations, escape application sandboxes. The issue, something that leaves all current Windows client installations vulnerable, lies in the way the operating system handles authentication. In som...
Tech Companies, Privacy Advocates Call for NSA Reform
A group of technology companies, non-profits and privacy and human rights organizations have sent a letter to President Barack Obama, the director of national intelligence and a wide range of Congressional leaders, calling for an end to the bulk collection of phone metadata under Section 215 of t...
Google Adds Deceptive Software to Safe Browsing API
Google is continuing to refine its Safe Browsing API and now is giving users warnings about not just malicious software on sites they’re attempting to visit, but also about unwanted software. Google’s Safe Browsing API is designed to help protect users from a variety of threats on pages across th...
Using Heat to Jump Air-Gapped Computers
When heat from one computer is emitted and detected by an adjacent computer, a channel can be opened that researchers are claiming can facilitate the spread of keys, passwords and even malware. According to researchers from the Cyber Security Research Center at Ben Gurion University in Israel, th...
Half of Android Users Exposed to Malware via Installation Vulnerability
Nearly half of all Android systems, 49.5 percent to be exact, contain a vulnerability through which an attacker could hijack the application installation process in order to install malware on impacted mobile devices. The security firm Palo Alto Networks says it discovered a Time-of-Check to...
Instagram API Bug Could Allow Malware Downloads
A security researcher says there is a bug in the Instagram API that could enable an attacker to post a message with a link to a page he controls that hosts a malicious file, but when the user downloads the file it will appear to come from a legitimate Instagram domain, leading the victim to trust...
CA Tied to Chinese Registrar Issued Unauthorized Google Certificates
Google security engineers, investigating fraudulent certificates issued for several of the company’s domains, discovered that a Chinese certificate authority was using an intermediate CA, MCS Holdings, that issued the unauthorized Google certificates, and could have issued certificates for...
Hilton Hotels Fix CSRF Vulnerability That Exposed All Accounts
A cross-site request forgery (CSRF) vulnerability in the website of hotel chain Hilton Worldwide could have inadvertently compromised much of its users’ personal information. Ironically the since-fixed issue stemmed from a promotion the chain was offering to users if they changed their passwords on...
Adobe CVE-2011-2461 Remains Exploitable Via Flex Four Years After Patch
UPDATE: This article has been updated to add commentary and clarification from Adobe. A four year old Adobe Flash patch did not properly resolve a vulnerable Flex application, and attackers can exploit the bug, which is said to affect some 30 percent of Alexa’s top 10 most popular sites in the...
Cisco Small Business IP Phones Open to Remote Eavesdropping
Cisco is warning customers about several vulnerabilities in some of its IP phones that can allow an attacker to listen in on users’ conversations. The bug affects the Cisco SPA 300 and 500 Series IP phones. Cisco had confirmed the vulnerabilities, which were discovered by Chris Watts, a researche...
Dridex Campaign Evades Detection with AutoClose Function
Pushers of the Dridex banking malware have gone old-school for some time now, moving the malware through phishing messages executed by macros in Microsoft Office documents. While macros are disabled by default since the release of Office 2007, the malware includes somewhat convincing social...
All Major Browsers Fall At Pwn2Own Day Two
Two researchers on Thursday took down the four major browsers, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, as Pwn2Own, the annual hacking contest that runs in tandem at CanSecWest, wound down in Vancouver. The story of the day was Korean researcher Jung Hoon Lee...
Yoast WordPress Google Analytics Plugin Patched
Update: Yoast on Thursday patched a cross-site scripting vulnerability in its Google Analytics WordPress plugin that was ripe for remote code execution. The plugin has been downloaded 6.8 million times according to statistics on the Yoast website; Yoast said there have been no public exploits. Th...
Flash, Reader, Firefox and IE All Fall On First Day of Pwn2Own
Four different research teams on Wednesday cracked four products—Adobe Flash, Reader, Mozilla Firefox, and Microsoft Internet Explorer—and collectively earned a payout of $317,000 on the first day of Pwn2Own 2015. The annual hacking contest, which kicked off Wednesday in Vancouver, runs...
OpenSSL Patches High Severity DOS Vulnerability
Hold the logo and the dedicated website; the anticipated high-severity OpenSSL vulnerability is serious, but it’s no Heartbleed or POODLE. As it turns out, the bug is a denial-of-service condition that affects only version 1.0.2 of the ubiquitous crypto library. A dozen other vulnerabilities nine...
BIOS Rootkit Implant Debuts at CanSecWest
When the National Security Agency’s ANT division catalog of surveillance tools was disclosed among the myriad of Snowden revelations, its desire to implant malware into the BIOS of targeted machines was unquestionable. While there’s little evidence of BIOS bootkits in the wild, the ANT catalog an...
Breach at Premera Blue Cross Affects 11 Million
Hackers wriggled their way into the servers of health insurance provider Premera Blue Cross 10 months ago, and potentially exposed the information of 11 million members, employees and other associates. The provider announced yesterday that customer information, including names, dates of birth,...
Apple Safari WebKit Vulnerabilities Patched
Apple on Tuesday pushed out new versions of its Safari browser that address 17 security vulnerabilities in the WebKit engine. Safari 8.04, 7.14 and 6.24 patch multiple memory corruption issues in WebKit, Apple said. “These issues were addressed through improved memory handling,” Apple said in its...
Mobile Android, iOS Apps Still Vulnerable to FREAK Attacks
In the shadow of a major OpenSSL vulnerability scheduled to be announced tomorrow, lingering issues remain with mobile platforms and applications that still run versions of the crypto library vulnerable to FREAK attacks. A report published Tuesday by FireEye paints a bleak picture of vulnerable...
HTTPS Opens Door to Paid Pinterest Bug Bounty
Pinterest’s journey toward becoming a fully HTTPS website opened a lot of doors, including a potentially profitable one for hackers. The social networking site this week announced that it would begin paying cash rewards through its bug bounty program, upping the stakes from the T-shirt it...
Shared Keys Simplify, Cheapen FREAK Attacks
UPDATE: First the good news: it would seem that large providers and individual server admins have for the most part found and spiked export-grade cipher suites vulnerable to the FREAK attack. The bad news: It would seem it’s even less expensive than first believed to exploit the remaining servers...
Microsoft Warns Fraudulent Certificate Could Lead to MiTM Attacks
Microsoft has blacklisted a phony SSL certificate that’s been making the rounds and is in the process of warning the general public that the certificate could be leveraged to stage man-in-the-middle attacks. In a security advisory published yesterday the company stressed that an improper...
Stealthy, Persistent DLL Hijacking Works Against OS X
DLL hijacking has plagued Windows machines back as far as 2000 and provides hackers with a quiet way to gain persistence on a vulnerable machine, or remotely exploit a vulnerable application. And now it’s come to Apple’s Mac OS X. This week at the CanSecWest conference in Vancouver, Synack direct...
D-Link Patches Two Vulnerabilities in Router Firmware
Router company D-Link has patched two separate vulnerabilities in its firmware that could be exploited remotely and lead to takeover and arbitrary code execution. Devices under the DCS-93xl umbrella, including the following IP camera models running a custom Linux distribution: DCS-930L, DCS-931L,...
Google Fix for Android Memory Leakage Issue In The Works
Google is prepping a fix for Android users that addresses a meddlesome memory leakage issue that’s plagued some device users since the end of last year. The issue, present in versions 5.0.1 and 5.1 of the mobile operating system code-named Lollipop, has been causing irregular application activity...
Facebook Transparency Report: Government Requests Down
Facebook today reported a slight drop in government requests for user data, bucking a trend that peaked during the first half of 2014 with the highest numbers the company had seen. Its latest transparency report covers the second half of last year, and shows slight dips in requests for user data,...
Yahoo Previews End To End Email Encryption
Following up on a promise it made during last summer’s Black Hat, Yahoo on Sunday said it’s on track to deliver end-to-end encryption for its email users this year. And to that end, it released the early source code for the Yahoo encryption browser extension to GitHub. Chief information security...
Podcast Discussing the Windows LNK Patch
Dennis Fisher and Mike Mimoso discuss the new patch for the five-year-old LNK vulnerability used by Stuxnet, the new iOS patches and the other news of the week. Download: digitalunderground191.mp3 Music by Chris Gonsalves...
Mozilla Releases Open Source Masche Forensics Tool
Mozilla has released an open source memory forensics tool that some college students designed and built during the company’s recent Winter of Security event. The new tool, known as Masche, is designed specifically for investigating server memory and has the advantage of being able to scan running...
Google Apps 'Defect' Leaks Private WHOIS Data Of 280,000
Google has notified hundreds of thousands of domain registrants that their private WHOIS information has been exposed in the clear, opening them up to identity theft, phishing scams and more. Researchers from Cisco Talos last night said the problem likely lies with one of Google’s registrar...
March 2015 Adobe Flash Player Security Update APSB15-05
Adobe this afternoon pushed out a Flash Player update patching 11 critical security vulnerabilities, most of which lead to remote code execution. None are being publicly exploited, Adobe said. Versions 16.0.0.305 and earlier of the Flash Player Desktop and Flash Player for Google Chrome are...
Samsung Patches Social Media Vulnerability in Millions of Devices
Samsung patched a vulnerability last month in SNS Provider, a popular application that manages other social media apps present in millions of its devices. If exploited, the bug could have given attackers the ability to access any personal information users stored on Facebook, LinkedIn and...
CryptoLocker Variant Coming After Gamers
Gamers may soon be feeling the pain of crypto-ransomware. A variant of CryptoLocker is in the wild that goes after data files associated with 20 different online games, locking downloadable content in an attempt to target younger computer users. Researchers at Bromium today said an unnamed...
BlackBerry Warns Many Products Vulnerable to FREAK Attack
BlackBerry is warning customers that a large portion of the company’s product portfolio is vulnerable to the FREAK SSL attack. Many versions of the BlackBerry OS and BlackBerry Enterprise Server are vulnerable to FREAK, as are a number of versions of BlackBerry Messenger. The advisory from...
SQL Injection Bug Fixed in Popular WordPress SEO Plug-In
SEO by Yoast, a popular search engine optimization plug-in for WordPress, has fixed a pair of blind SQL injection vulnerabilities that could have allowed an attacker to take complete control of affected sites. It’s not clear how many WordPress sites have SEO by Yoast installed, but the maker of t...
Obama Administration Seeks More Legal Power to Disrupt Botnets
The federal government is seeking more legal power to step in and shut down botnets through an amendment to the existing criminal law, which would allow the Department of Justice to obtain injunctions to disrupt these malicious networks. The Obama administration has proposed an amendment to...
Microsoft SHA-2 Advisory Causing 'Infinite Loop' Issues
Problems with a security update issued this week by Microsoft have surfaced on a number of technology forums. Windows users say Microsoft Security Advisory 303929, which adds SHA-2 code-signing and verification support for Windows 7 client machines and Windows Server 2008 R2 boxes, is causing...
Dropbox Patches Remotely Exploitable Vulnerability in SDK
Developers at Dropbox recently fixed a remotely exploitable vulnerability in the Android SDK version of the storage app that enabled attackers to connect applications to a Dropbox account without the user’s consent. This could have opened users up to the theft of information from any app that use...
Details Surface on Stuxnet Patch Bypass
It took 10 hours to find what had eluded others for close to five years. German computer science student Michael Heerklotz spent the Christmas holiday reading Countdown to Zero Day, a narrative on the discovery and impact of Stuxnet, the computer worm considered one of the first cyberweapons, and...
Facebook Users Open to Attack Via Several Security Bugs
UPDATE–A security researcher has identified a pair of security issues in Facebook, one of which can be used to upload an arbitrary file to the site, and the other of which can allow an attacker to gain control of a victim’s machine under some limited circumstances with user interaction. The mo...
Equation APT Group Attack Platform A Study in Stealth
Spies thrive only when they’re able to quietly infiltrate targets and slither away unnoticed; this principle is the same whether we’re talking about the physical world or the digital one. The recently uncovered Equation APT group is a prime example of the investment nation-state sponsored attackers make i...
March 2015 Microsoft Patch Tuesday Security Bulletins
Windows IT shops figure to be in for some scrambling today. Not only was it revealed that a five-year-old patch for a vulnerability exploited by Stuxnet was incomplete and machines have been exposed since 2010, but today is also Patch Tuesday and the updated Stuxnet patch is one of 14 bulletins...
Patched Windows Machines Exposed to Stuxnet LNK Flaw All Along
A five-year-old Microsoft patch for the .LNK vulnerability exploited by Stuxnet failed to properly protect Windows machines, leaving them exposed to exploits since 2010. Microsoft today is expected to release a security bulletin, MS15-020, patching the vulnerability CVE-2015-0096. It is unknown...
CloudFlare Aims to Defeat Massive DDoS Attacks with Virtual DNS
DDoS attacks have been a persistent problem for the better part of 20 years, and as ISPs and enterprises have adjusted their defenses, attackers have adapted their tactics. One of the more effective tools in the attackers’ arsenal now is the use of botnets to generate massive numbers of DNS...
Apple Fixes FREAK Bug, iCloud Flaw in iOS 8.2
Apple has patched the FREAK SSL vulnerability, along with a nasty bug that could’ve allowed a remote attacker to restart a user’s iPhone via SMS, with the release of iOS 8.2. The new version of Apple’s mobile operating system contains a number of vulnerability fixes, with the FREAK patch being th...
OpenSSL Security Audit Ready to Start
Funding from the Core Infrastructure Initiative has helped the maintainers of OpenSSL, one of the Internet’s most-deployed pieces of open source software, begin to get the crypto implementation on its feet. Despite its ubiquity, OpenSSL has historically been under-funded and under-resourced, thou...
Yahoo Patches Critical Small Business, eCommerce Bugs
Yahoo has fixed a handful of vulnerabilities that could have given an attacker free rein over all of its user-run eCommerce websites and caused multiple headaches for small business owners. One bug could have allowed a hacker to change item prices on a whim and given them access to sensitive...