Dennis Fisher and Mike Mimoso Discuss the Apple and Adobe Zero Days, and More
Dennis Fisher and Mike Mimoso talk about all of the zero days that were dropped this week on Adobe and Apple, the Oracle backdoor drama and the upcoming Kaspersky Security Analyst Summit in Cancun. Then, Dennis calls Brian Donohue to talk about the wonders of the Blackhat movie and Brian’s dog...
PHP 5.6.5 Released With Several Security Fixes
Several new versions of PHP have been released, fixing a number of security vulnerabilities and other bugs in the popular scripting language. PHP 5.6.5 is the newest version of the language, and it has patches for a handful of vulnerabilities, including a use-after-free flaw that could lead to...
Automated Gas Tank Gauge Hacks Possible: HD Moore
UPDATE: This story has been updated with commentary from the company that manufactures and sells the vulnerable automated tank gauges. The gauges that detect and prevent fuel leaks at more than 5,000 gas stations in the United States are utterly vulnerable to remote attacks, according to new...
Google Project Zero Discloses Three OS X Zero Day Flaws
Update: OK Apple, your turn. After raising a ruckus with the disclosure of three unpatched Windows vulnerabilities, Google’s Project Zero research team did the same this week with a trio of security issues in Apple OS X. Project Zero imposes a 90-day deadline on vulnerabilities it reports to...
Mojang Resets Users' Passwords, Microsoft Insists Not a Hack
Microsoft confirmed this week that one of its recent acquisitions, the gaming firm Mojang, has not been hacked. Nearly 2,000 credentials belonging to users of the Mojang game Minecraft – email addresses and passwords in plain-text – surfaced on Pastebin earlier this week and speculation began to...
Chrome 40 Patches 62 Security Vulnerabilities
Google on Wednesday pushed out a new version of its Chrome browser, 40.0.2214.91, and along with it paid out more than two dozen bounties, including 16 for memory corruption vulnerabilities. In all, 62 security vulnerabilities were patched, 17 of those considered high severity bugs by Google. Most ...
Regin Cyberespionage Malware Platform Modules Disclosed
The Regin malware platform used to steal secrets from government agencies, banks and GSM network operators caught the attention of security experts who called it one of the most advanced attack platforms that has been studied, surpassing Flame, Duqu, even Stuxnet. Researchers at Kaspersky Lab sai...
Adobe Patches One Zero Day in Flash, Still Investigating Separate Vulnerability
UPDATE–Adobe has released an emergency update for Flash to address a zero-day vulnerability that is being actively exploited. The company also is looking into reports of exploits for a separate Flash bug not fixed in the new release, which is being used in attacks by the Angler exploit kit. The...
Firefox Meta Referrer A Move Toward Browser Privacy
The HTTP Referer header is a marketer’s dream, and a privacy nightmare all in one. The header contains tracking information that organizations can use for statistical traffic analysis and naturally to promote services to the right audience. It started out by including just the last page the user...
Exploit for Flash Zero Day Appears in Angler Exploit Kit
The dangerous Angler exploit kit has a new piece of ammunition to use in its attacks: a fresh Adobe Flash zero-day vulnerability. The kit is exploiting the previously unknown vulnerability in several versions of Internet Explorer running on Windows 7 and Windows 8. French security researcher...
Bypass Demonstrated for Microsoft Use-After-Free Mitigation in IE
For a long time, Microsoft’s monthly Patch Tuesday security bulletins have periodically addressed use-after-free vulnerabilities, the latest class of memory corruption bugs that have already found their way into a number of targeted attacks. Microsoft has implemented mitigations to address memory...
Hard-Coded FTP Credentials Found in Schneider Electric SCADA Gateway
The parade of easily exploitable, critical vulnerabilities in ICS software shows no signs of ending anytime soon, with the latest entrant being two flaws in Schneider Electric’s ETG3000 FactoryCast HMI Gateway that allow unauthenticated remote access to the device’s FTP server and configuration...
January 2015 Oracle Critical Patch update
Oracle’s first Critical Patch Update of the year arrived Tuesday with its usual volume, and some disturbing fanfare. Oracle admins today are staring at 169 patches on their collective plates across the company’s product line. One of the more pressing fixes is for an issue in the Oracle E-Busine...
Like a Nesting Doll, Vawtrak Malware Has Many Layers
Researchers have peeled back more layers on Vawtrak, a relatively new banking Trojan so complex that those who have taken it apart have likened it to a Matryoshka, or Russian nesting doll. Virus Bulletin published a deep dive on the malware penned by Raul Alvarez, a researcher with Fortinet,...
Ubuntu Patches Several Security Flaws
Ubuntu has released a number of patches for security vulnerabilities in several versions of the OS, including some remote code execution flaws in Thunderbird, which is included with Ubuntu. Thunderbird is Mozilla’s email client, and the company recently fixed several memory corruption...
Academics Use Siri to Move Secrets Off Jailbroken iOS Device
Attackers living on any network are all about one thing: persistence. They want to get on quietly and stay on quietly. But what about moving stolen data off a network? How quiet can that be? Two researchers believe they’ve figured out a way to combine Siri, Apple iOS’ native voice-activated...
Nasty Oracle Vulnerability Leaves Researcher 'Flabbergasted'
Oracle on Tuesday will release a huge number of security fixes as part of its quarterly critical patch update, and one of them is a patch for a vulnerability that a well-known security researcher said looks a lot like a back door but was likely just a terrible mistake. The flaw is found in Oracle...
CSRF Vulnerability Patched in GoDaddy Domain Settings
Domain registrar GoDaddy yesterday patched a cross-site request forgery vulnerability that could have allowed an attacker to change domain settings on a site registered with GoDaddy. The flaw was reported on Saturday and patched within 48 hours, according to Dylan Saccomanni, a web application...
Report: Companies Still Not Patching Security Vulnerabilities
The Cisco 2015 Annual Security Report is out and the findings are troubling as always: for every positive finding in the report, it seems, there is a negative finding, neutralizing any gains in the network security struggle. Chief information security officers say their security postures are stro...
Holes in Progressive Dongle Could Lead to Car Hacks
A device that a popular car insurance company sends to customers to keep track of their driving and reduce their rate may be insecure and could be used to take control of a user’s vehicle. Progressive manufactures the device, a dongle called Snapshot that plugs into the OBD-II diagnostic port on...
Patched API Flaw Allowed Anyone Access to Verizon Email
Verizon last week rushed out a patch for an API used by its My FiOS mobile application after a security researcher disclosed a vulnerability to the telecommunications giant that allowed any user access to any Verizon email account. The report was submitted last Wednesday and within 48 hours,...
Ceragon Networks Microwave Bridges Root Password Discovered
The Department of Homeland Security warned users of Ceragon Networks microwave bridges that the devices contain an undocumented root password. The advisory said Ceragon FibeAir IP-10 Microwave Bridges can be accessed remotely. “The root account can be accessed through ssh, telnet, command line...
Potential Code Execution Flaw Haunts PolarSSL Library
There is a vulnerability in PolarSSL, an open-source SSL library used in a variety of products, that could enable an attacker to execute arbitrary code under some circumstances. The vulnerability is the result of an uninitialized pointer in the PolarSSL code and researchers said that an attacker...
Memory Corruption Bugs Found in VLC Media Player
There are two memory corruption vulnerabilities in some versions of the VLC open-source media player that can allow an attacker to run arbitrary code on vulnerable machines. Neither one of the vulnerabilities has been fixed by VideoLAN, the organization that maintains VLC. Security researcher...
Spammers Take A Liking to WhatsApp Mobile App
Spammers have settled in on the WhatsApp messaging platform with greater regularity, aided in one locale by, of all things, government regulations. Researchers at AdaptiveMobile yesterday published a report that exposed a number of spam campaigns peddling phony handbags and sunglasses, investment...
Dennis Fisher and Mike Mimoso Discuss Encryption, the Microsoft-Google Feud and More
Dennis Fisher and Mike Mimoso discuss the security news of the past week, including the proposed changes to the CFAA, David Cameron’s encryption comments, the NSA’s quasi-apology regarding Dual EC and the Microsoft-Google disclosure feud. Music by Chris Gonsalves Download: digitalunderground180.m...
Nine Vulnerabilities Fixed in Firefox 25
Mozilla released the latest version of its flagship browser this week, Firefox 35, fixing nine vulnerabilities, including three critical bugs that could have led to a crash or sandbox bypass, among other issues. One of those critical bugs was a sandbox escape discovered by security researcher Nil...
Teen Arrested in UK for Xbox, PlayStation Attacks
Police in the UK, working in cooperation with the FBI, arrested an 18-year-old man Friday in connection with recent DDoS attacks on the PlayStation Network and Xbox Live services. The authorities arrested the unnamed man in Southport, and he is being held on suspicion of computer crime and...
Google Project Zero Discloses Another Windows Zero Day
Two more unpatched Windows vulnerabilities on Thursday crossed into the public domain after the expiration of Google Project Zero’s self-imposed 90-day waiting period before disclosing bug details. Microsoft will patch only one of the vulnerabilities—in the upcoming February Patch Tuesday securit...
Proposed CFAA Amendments Bad News For Security Researchers
Legitimate security researchers, from bug hunters to pen-testers, are buckled in for a bumpy ride as vague language in President Obama’s proposed amendments to the Computer Fraud and Abuse Act (CFAA) is expected to be debated and sorted out as it makes its way through the legislature. The amendment...
Google AdWords Campaigns Hijacked by Malvertisers
A malvertising scheme has hijacked at least two distinct Google AdWords advertising campaigns, redirecting users who had browsed to the sites hosting the poisoned ads without those visitors even clicking on them. Some of the sites in question service more than a million monthly users. Last week,...
Pirelli Home Broadband Routers Exposed for Two Years
ISP-issued home broadband routers have been a shooting gallery for researchers and hackers alike looking for, and successfully exploiting, shocking vulnerabilities. One disclosed by a researcher in Spain this week is symptomatic of the problem to a disturbing degree. Researcher Eduardo Novella...
Matthew Green on the NSA and Compromising Crypto Standards
Dennis Fisher talks with Matthew Green of Johns Hopkins University about the NSA’s “regret” for continuing to support Dual EC after it had been shown to be compromised, the effects of the agency’s influence on crypto standards and the hope for more secure standards in the future. Download:...
Parking Services Confirm Payment Card Breaches
Two services that allow users to reserve offsite airport parking spots over the Internet confirmed this week that they recently suffered data breaches and customer data may be at risk. Park ‘N Fly, headquartered in Atlanta, and OneStopParking, which is based in Florence, Ky., allow travelers to...
Marriott Agrees to Stop Blocking Guest WiFi Devices
Marriott, which last year paid a $600,000 fine for blocking customers’ WiFi devices in its hotels, has said that it no longer will prevent guests from using personal hotspots or similar devices. The situation resulted from a complaint by a guest who stayed at Marriott’s Gaylord Opryland hotel in...
Government Demands for Verizon Customer Data Drop
The number of subpoenas, total orders and warrants that the United States government delivered to Verizon all dropped in the second half of 2014, according to the company’s latest transparency report. The giant telecom provider released data on Thursday that showed a decrease in subpoenas of abou...
Skeleton Key Malware Bypasses Active Directory Authentication
Enterprise Active Directory administrators need to be on the lookout for anomalous privileged user activity after the discovery of malware capable of bypassing single-factor authentication on AD that was used as part of a larger cyberespionage campaign against a global company based in London...
Fake Oracle Patches Making the Rounds
Support engineers with Oracle are warning users not to download any patches that don’t come directly from the company after learning that attackers are circulating fake fixes for Oracle error messages. Antonella Giovannetti, a member of the company’s SOA Proactive response team, wrote in a blogpo...
Crowti Cryptowall 3.0 Ransomware Moving in I2P Network
A new strain of the Crowti ransomware, also dubbed Cryptowall 3.0, was spotted by researchers early this week after a quiet period during the holiday season. The twist to these recent infections is that the malware communicates over the I2P anonymity network. French researcher Kafeine confirmed...
NSA Official: Support for Compromised Dual EC Algorithm Was 'Regrettable'
In a new article in an academic math journal, the NSA’s former director of research says that the agency’s decision not to withdraw its support of the Dual EC DRBG random number generator after security researchers found weaknesses in it and questioned its provenance was a “regrettable” choice...
GE Ethernet Switches Have Hard-Coded SSL Key
There is a hard-coded private SSL key present in a number of hardened, managed Ethernet switches made by GE and designed for use in industrial and transportation systems. Researchers discovered that an attacker could extract the key from the firmware remotely. The vulnerability exists in a number...
January 2015 Microsoft Patch Tuesday Security Bulletins
For the first time in more than a decade, the majority of Windows IT shops walked blindly into Patch Tuesday. After announcing last week that it would no longer provide its Advanced Notification Service of upcoming security bulletins to the public, Microsoft today ladled eight bulletins upon...
DHS Not Addressing Cyber Threats to Building Access Systems
Civil watchdogs at the Government Accountability Office are warning the Department of Homeland Security and the Government Services Agency about unaddressed risks posed to building access control systems at federal facilities. The systems in question are those that prevent unauthorized access to...
January 2015 Adobe Flash Player Security Update
Adobe today released the year’s first round of security updates for Flash Player, addressing nine vulnerabilities in the software including several critical bugs that could allow an attacker to take control of an affected system. According to a security bulletin posted by the company today the...
Gitrob Combs Github Repositories for Secret Company Data
Free online code repositories such as GitHub provide a valuable collaboration service for enterprise developers. But they are also a trove of potentially sensitive company and project information that’s likely to warrant attention from hackers. An application security specialist from Berlin has...
Encryption is Not the Enemy
There are few things scarier these days than a politician stepping in front of a microphone, taking a deep breath and opening his mouth to pontificate on security. A long list of American elected officials have reinforced this, and on Monday, UK Prime Minister David Cameron jumped to the head of...
How a $10 USB Charger Can Record Your Keystrokes Over the Air
Hardware hacker and security researcher Samy Kamkar has released a slick new device that masquerades as a typical USB wall charger but in fact houses a keylogger capable of recording keystrokes from nearby wireless keyboards. The device is known as KeySweeper and Kamkar has released the source co...
President Proposes National Breach Notification Standard
Lacking precious detail, President Obama today proposed a national data breach notification standard, legislation that would mandate breached companies notify affected consumers inside of 30 days. The national law would supersede the current collection of state laws that govern notification...
Microsoft Censures Google for Publishing Windows Vulnerability
Microsoft yesterday excoriated Google for disclosing information about a Windows security vulnerability just days ahead of the Patch Tuesday release slated to fix the bug. The rebuke came in the form of a Technet blogpost calling for better coordinated vulnerability disclosure. In reality, the ti...
Lizard Squad's DDoS Site Runs on Hacked Home Routers
The distributed denial of service attacks that crippled both Xbox Live and the PlayStation Network (PSN) shortly after the holidays came at the hands of a botnet largely comprised of hacked home routers. The botnet is managed by Lizard Squad, the group of hackers that took credit for knocking the...