15946 matches found

ThreatPost
added 2015/01/12 1:18 p.m., 10 views

0-Days Exposed in Several Corel Applications

UPDATE–Researchers from Core Security have disclosed DLL hijacking vulnerabilities in several applications made by Corel Software after the vendor didn’t respond to Core’s notifications about the flaws. There are no patches available for the bugs, which can allow remote code execution. Corel sell...

AI score: 0.6
Exploits: 0

ThreatPost
added 2015/01/12 12:44 p.m., 13 views

Google Won't Patch WebView Prior to Android Jelly Bean

Hackers may have a perpetual shooting gallery of unpatched Android vulnerabilities at their disposal after it was disclosed today that Google no longer will provide WebView patches for older versions of its operating system. Researchers at Rapid7 have made mincemeat of WebView in Android Jelly...

AI score: 6.9
Exploits: 0, References: 4

ThreatPost
added 2015/01/12 10:35 a.m., 8 views

Certificate Transparency Moves Forward With First Independent Log

The Certificate Transparency scheme proposed by Google engineers has taken a couple of significant steps forward recently, with the approval of the first independent certificate log and the passing of a deadline for all extended validation certificates to be CT-compliant or lose the green indicat...

Exploits: 0, References: 3

ThreatPost
added 2015/01/09 5:42 p.m., 10 views

Google Engineers Critical Aviator Browser Privacy, Security

Within hours on Thursday of WhiteHat Security releasing its Aviator browser to open source, a remote code execution vulnerability was disclosed, along with a handful of other coding issues that Google security engineers said jeopardized the security and privacy of Aviator’s users. Google’s public...

Exploits: 0, References: 12

ThreatPost
added 2015/01/09 12:55 p.m., 11 views

Zappos Settles with Nine States Following Data Breach

Online retailer Zappos this week settled with attorneys general in nine states, agreeing to pay out $106,000 stemming from a data breach in 2012 that exposed 24 million customers’ information. Massachusetts Attorney General Martha Coakley filed the settlement in Suffolk Superior Court on Wednesda...

AI score: 0.3
Exploits: 0, References: 1

ThreatPost
added 2015/01/09 9:52 a.m., 17 views

ICS-CERT Advisory Warns of Schneider, Emerson Vulnerabilities

Industrial HMI software from Schneider Electric has been updated to patch a buffer overflow vulnerability that could be exploited by a remote attacker. The buffer overflow vulnerability was found in the Wonderware InTouch Access Anywhere Server v10.6 and v11. The server is human machine interface...

AI score: 1
Exploits: 0, References: 5

ThreatPost
added 2015/01/09 7:0 a.m., 18 views

Inside North Korea's Naenara Browser

Up until a few weeks ago, the number of people outside of North Korea who gave much thought to the Internet infrastructure in that country was vanishingly small. But the speculation about the Sony hack has fixed that, and now a security researcher has taken a hard look at the national browser use...

AI score: 6.7
Exploits: 0, References: 2

ThreatPost
added 2015/01/08 4:21 p.m., 8 views

Root Command Execution Flaw Haunts ASUS Routers

There is a serious security vulnerability in the firmware of many ASUS routers that allows unauthenticated command execution. The bug may be present in all current versions of the router firmware, and there is an exploit published for it, as well. Security researcher Joshua Drake posted an...

AI score: 2
Exploits: 0, References: 1

ThreatPost
added 2015/01/08 3:36 p.m., 11 views

NAFCU Dismisses Data Encryption Rule Idea

Even after suffering a data breach, the organization in charge of overseeing the needs of credit unions has cast off the idea of implementing a rule mandating the use of encryption for data transfers. Despite the breach, the National Association of Federal Credit Unions, or NAFCU, is insisting th...

AI score: 0.7
Exploits: 0, References: 4

ThreatPost
added 2015/01/08 2:50 p.m., 98 views

Microsoft Shuts Down Patch Tuesday Advanced Notifications

Microsoft today pulled the plug on its Advanced Notification Service (ANS), offering it going forward only to paying Premier customers. ANS preceded the release of Microsoft’s monthly Patch Tuesday security bulletins; on the Thursday prior, Microsoft would provide users via its security website a...

CVSS: 9.3, AI score: 8.8, EPSS: 0.99945
Exploits: 33, References: 5

ThreatPost
added 2015/01/08 12:59 p.m., 10 views

Thunderstrike Apple Mac OS X Firmware Bootkit Unveiled

A vulnerability at the heart of Apple’s Mac OS X systems—one thus far only partially addressed by Apple—opens the door to the installation of malicious firmware bootkits that resist cleanup and give hackers persistent, stealthy control over a compromised Mac. The research is the work of a reverse...

AI score: 0.9
Exploits: 0, References: 5

ThreatPost
added 2015/01/08 11:41 a.m., 9 views

FBI Director: 'High Confidence' in North Korea Attribution

When the FBI publicly announced that the North Korean regime was responsible for an embarrassing compromise of corporate networks at Sony Pictures Entertainment, security experts remained skeptical. FBI Director James Comey doubled down on the assertion yesterday at the Fordham University...

AI score: 6.8
Exploits: 0, References: 6

ThreatPost
added 2015/01/08 11:40 a.m., 6 views

OpenSSL Fixes Eight Security Vulnerabilities

The OpenSSL Project has released several new versions of the software that fix eight security vulnerabilities, including several certificate issues and a couple of denial-of-service flaws. The patches included in OpenSSL 1.0.0p, 1.0.1k and 0.98zd are not for critical or high-risk vulnerabilities,...

AI score: 1
Exploits: 0, References: 1

ThreatPost
added 2015/01/07 3:54 p.m., 7 views

FTC Urges IoT Privacy, Security at Consumer Electronics Show

In her keynote address yesterday at the Consumer Electronics Show in Las Vegas, Federal Trade Commission Chairwoman Edith Ramirez imagined the dystopic convergence of big data conglomerates and a ceaseless information gathering machine fueled by the constant connectivity ushered in by the so-call...

AI score: 7
Exploits: 0, References: 1

ThreatPost
added 2015/01/07 1:12 p.m., 15 views

Backdoors Found Leveraging Pastebin

The cut and paste website Pastebin is perhaps best known as a conduit for attackers to share database dumps, stolen data and other code, but now hackers have begun leveraging the site for their actual attacks. Instead of relying on compromised sites to host malware, hackers are using Pastebin to...

AI score: 7.6
Exploits: 0, References: 6

ThreatPost
added 2015/01/07 12:15 p.m., 16 views

Dridex Banking Trojan Spreading Via Office Macros

The left-for-dead Office macro has apparently made a comeback with cybercriminals who have found them to be a good hiding place for banking malware. Recently, Microsoft reported a spike in the use of macros in hacking campaigns, peaking in mid-December. This has been corroborated by researchers a...

AI score: 7.4
Exploits: 0, References: 3

ThreatPost
added 2015/01/07 10:35 a.m., 13 views

New Emomet Variant Targets Banking, Email Credentials

Security researchers are tracking a new version of the Emomet malware that is targeting users’ banking credentials and also has the ability to steal email usernames and passwords, which are then used to send spam from compromised accounts. The new variant of Emomet has mostly been seen targeting...

AI score: 2.4
Exploits: 0, References: 3

ThreatPost
added 2015/01/06 4:19 p.m., 8 views

Morgan Stanley Insider Theft Wealth Management Client Data

The financial services giant Morgan Stanley announced yesterday that an employee had stolen sensitive information pertaining to more than 900 of the firm’s wealth-management clients. According to a company press release, the wealth management employee in question “has been terminated.”...

AI score: 1.9
Exploits: 0, References: 1

ThreatPost
added 2015/01/06 2:25 p.m., 44 views

Malvertising Campaign Hits AOL Ad Network, Leads to Exploit Kit

Researchers have detected a malvertising campaign running on a pair of sites owned by Huffington Post that is using ads distributed through an AOL ad network. The attack is sending victims through a series of redirects that eventually brings them to a landing page that is running an exploit kit...

CVSS: 9.3, AI score: 8.2, EPSS: 0.73918
Exploits: 9, References: 4

ThreatPost
added 2015/01/06 1:36 p.m., 11 views

Cryptowall 2.0 Ransomware Analysis

If you need more evidence that ransomware is here to stay, and could turn into cybercriminals’ weapon of choice, look no further than Cryptowall. Researchers at Cisco’s Talos group today published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this...

AI score: 0.3
Exploits: 0, References: 6

ThreatPost
added 2015/01/06 11:1 a.m., 9 views

Users Report Malicious Ads in Skype

Some Skype users have reported seeing malicious ads inside their Skype clients in recent days that lead to a site that tries to download a fake Adobe or Java update. Users in the Skype community forum on Monday said that they have been seeing a banner ad that, if clicked on, will lead to a dodgy...

AI score: 0.5
Exploits: 0, References: 1

ThreatPost
added 2015/01/06 10:32 a.m., 8 views

Moonpig API Vulnerability Exposes Payment Card Data

Moonpig, a U.K.-based company that sells personalized greeting cards, mugs, t-shirts and other novelties, has been taken to the woodshed for poor security practices by a researcher who claims it’s simple to pilfer user and payment card data through a wonky mobile app API. The company this morning...

AI score: 7.5
Exploits: 0, References: 2

ThreatPost
added 2015/01/05 4:11 p.m., 7 views

DHS Warns of UEFI Hardware Vulnerabilities

The CERT/CC at Carnegie Mellon University today released three advisories warning of vulnerabilities that affect some unified extensible firmware interface (UEFI) systems and the BIOS of some Intel chipsets. Hardware and firmware vulnerabilities, such as these reported by Corey Kallenberg of MITRE...

AI score: 0.8
Exploits: 0, References: 4

ThreatPost
added 2015/01/05 2:46 p.m., 11 views

Microsoft Reports Massive Increase in Macros Enabled Threats

The Microsoft Malware Protection Center says there has been a dramatic increase in threats using macros to spread malware via spam and social engineering over the last month. Macros are used for automating frequently used tasks in Office. Macro-related infections were constant and near zero daily...

AI score: 0.5
Exploits: 0, References: 4

ThreatPost
added 2015/01/05 1:34 p.m., 15 views

Wifiphisher Wi-Fi Hacking Tool Automates Wi-Fi Phishing

A new Wi-Fi attack tool has been made available on GitHub that automates phishing attacks over WPA networks, putting credentials and other supposedly secret data at risk. The tool, called wifiphisher, jams Wi-Fi access points with deauthentication packets and then mimics the target access point...

AI score: 0.1
Exploits: 0, References: 3

ThreatPost
added 2015/01/05 12:47 p.m., 8 views

Bitstamp Offline Following Wallet Compromise

Bitstamp, a Bitcoin exchange based in the United Kingdom, remains offline this afternoon following what appears to have been a compromise over the weekend. The company tweeted shortly after 4 a.m. Monday that it had to temporarily halt all withdrawals because it believes one of its wallets was...

AI score: 7.2
Exploits: 0, References: 9

ThreatPost
added 2015/01/05 11:42 a.m., 8 views

Openwall 3.1 Released With Fixes for Shellshock, POODLE Attack

The maintainers of the Openwall security enhanced Linux distribution have released a new stable version, which includes fixes for a number of serious vulnerabilities, such as the Shellshock Bash bug and the flaw in SSLv3 that leads to the POODLE attack. Openwall is designed to be a small, compact...

AI score: 3.8
Exploits: 0, References: 4

ThreatPost
added 2015/01/02 3:39 p.m., 16 views

North Korea Sanctions Handed Out in Sony Hack

President Obama today signed an Executive Order authorizing sanctions against North Korea for its alleged involvement in the Sony hack. The FBI on Dec. 19 formally blamed the hack on the North Korean government; the attack destroyed workstations and resulted in the loss of employee personal and...

AI score: 6.9
Exploits: 0, References: 4

ThreatPost
added 2015/01/02 11:40 a.m., 11 views

Google Project Zero Discloses Windows Zero Day

Update: Google’s Project Zero has disclosed the details of an unpatched Windows vulnerability reported to Microsoft in September. The disclosure was made on Monday upon the expiration of the 90-day waiting period imposed by Google researchers. Microsoft has yet to patch the Windows 8.1 vulnerability...

AI score: 0.4
Exploits: 0, References: 5

ThreatPost
added 2014/12/31 11:23 a.m., 13 views

WordPress Symposium Plug-In File Upload Vulnerability

Since the disclosure of a serious file-upload vulnerability in WordPress Symposium and the public availability of proof-of-concept exploit code, attacks against sites running the plug-in are starting to raise concern. Researchers at Trustwave SpiderLabs on Tuesday said they had snared a number of...

Exploits: 0, References: 4

ThreatPost
added 2014/12/31 11:18 a.m., 10 views

Payment Cards Exposed in Possible Chik-fil-A Data Breach

It’s been the year of the data breach, so it only makes sense that reports alleging a data breach at the popular fast food chain, Chik-fil-A, would emerge in the final days of 2014. Late yesterday security journalist Brian Krebs reported that an anonymous source at an unnamed financial institutio...

AI score: 0.2
Exploits: 0, References: 8

ThreatPost
added 2014/12/31 9:0 a.m., 15 views

2015 Computer Security Risks and Trends to Watch

P4ssw0rds got you down? POODLEs Bashing you over the head giving you Heartbleed? Well, bad puns aside, 2014 was a rough year and you can surely expect more of the same in 2015—with a few new twists. Hackers will still chase credit card numbers and point-of-sale systems, but they’ve got their eye ...

Exploits: 0, References: 18

ThreatPost
added 2014/12/30 3:6 p.m., 16 views

Facebook Careers Page XXE Vulnerability Patched

A vulnerability was discovered and patched in a third-party service that handles resumes on Facebook’s careers page. The discovery was worth more than $6,000 in a bounty paid out by Facebook to researcher Mohamed Ramadan of Egypt, who published some details of the vulnerability and exploit on his...

AI score: 0.4
Exploits: 0, References: 3

ThreatPost
added 2014/12/30 2:20 p.m., 12 views

Majority of 4G USB Modems, SIM Cards Exploitable

Researchers say 4G USB modems contain exploitable vulnerabilities through which attackers could, and researchers have, managed to gain full control of the machines to which the devices are connected. Researchers from Positive Technologies presented a briefing detailing how to compromise USB modem...

AI score: 8.4
Exploits: 0, References: 2

ThreatPost
added 2014/12/30 1:15 p.m., 13 views

Cellular Privacy, SS7 Security Shattered at 31C3

The recently concluded Chaos Communications Congress (31c3) in Hamburg, Germany was an all-out assault on cellular call privacy and security. Of particular interest was the SS7 protocol used to route calls between switching centers. Researchers, doing parallel research as it turns out, found gaping...

AI score: 6.9
Exploits: 0

ThreatPost
added 2014/12/29 12:52 p.m., 11 views

Internet Systems Consortium Site Redirects to Angler Exploit

UPDATE: This story has been updated with comments from the Internet Systems Consortium. The Internet Systems Consortium website is offline today after the non-profit domain name service maintainer announced its website had possibly become infected with malware. The ISC, as it is commonly known, i...

Exploits: 0, References: 3

ThreatPost
added 2014/12/24 10:0 a.m., 8 views

Missing Two-Factor Authentication Led to JPMorgan Breach

The biggest U.S. banking breach of all time came down to the smallest of details. The New York Times, citing sources close to the ongoing investigation of the JPMorgan data breach, said hackers found a server unprotected by two-factor authentication to break in using a stolen user name and passwo...

AI score: 0.5
Exploits: 0, References: 3

ThreatPost
added 2014/12/24 9:55 a.m., 12 views

HP's Zero Day Initiative Changes Bug-Buying Guidelines

HP’s Zero Day Initiative has decided to adjust its guidelines and criteria for buying some vulnerabilities in the future, eliminating some large classes of bugs from its menu. The group, which has been among the more visible and prominent of the vulnerability purchasing programs since its inceptio...

AI score: 1.6
Exploits: 0, References: 2

ThreatPost
added 2014/12/23 11:23 a.m., 10 views

Apple Patches NTP Vulnerabilities in First Automated Patch

Apple last night for the first time pushed an automated patch to Mac OS X users, taking care of critical Network Time Protocol (NTP) vulnerabilities. The fix was delivered automatically and did not require Mac users to restart their machines. The latest security issue in NTP, which is used by...

AI score: 7.6
Exploits: 0, References: 5

ThreatPost
added 2014/12/23 10:0 a.m., 5 views

Podcast: 2014 Year in Review

Mike Mimoso and Dennis Fisher look back on the crazy year that was in security, including the big Internet-wide bugs such as Heartbleed and Shellshock, the Home Depot and Sony breaches and what lessons we learned in 2014. READ: 2014: A Specious Odyssey SEE: Revisiting Threatpost’s 10 Most Popula...

AI score: 0.9
Exploits: 0, References: 4

ThreatPost
added 2014/12/23 10:0 a.m., 8 views

SoakSoak Malware Campaign Evolves

The attackers behind the SoakSoak malware campaign are continuing to modify their tactics and have infected a new group of Web sites. The Javascript code that the attackers target with the malware has also changed. Last week, Google took the step of blacklisting thousands of sites that had been...

AI score: 1.2
Exploits: 0, References: 2

ThreatPost
added 2014/12/23 9:6 a.m., 12 views

North Korea Online Amid 'Proportional Response' Speculation

Ten hours after North Korea’s fragile and limited Internet connectivity disappeared on Monday, the isolated country was back online last night. While that much is certain, it’s still unknown who was behind the outage and why. Naturally, after promising on Friday a “proportional response,” immedia...

AI score: 7
Exploits: 0, References: 7

ThreatPost
added 2014/12/23 8:0 a.m., 9 views

2014: A Specious Odyssey

The wonderful and terrifying thing about the security world is that things never stay calm for long. As soon as you think you have a chance to catch your breath, someone breaks something and it’s time to scramble again. In 2014, those small moments of downtime were hard to come by. There was a...

AI score: 7.1
Exploits: 0, References: 15

ThreatPost
added 2014/12/22 3:4 p.m., 7 views

1.2 Million Credit Cards Lost in Staples Data Breach

Retailer Staples has confirmed that point-of-sale malware had been used at 115 of its retail locations in the United States and criminals were able to access 1.16 million payment card numbers during a six-month-long intrusion. Staples said it removed the malware in September from the affected...

AI score: 0.3
Exploits: 0, References: 8

ThreatPost
added 2014/12/22 12:43 p.m., 13 views

DHS Releases Destover Wiper Malware Indicators of Compromise

US-CERT released a not-so-cryptic advisory this weekend providing enterprises with indicators of compromise and detailed descriptions of the malware used against “a major entertainment company,” the Department of Homeland Security’s description of Sony Pictures Entertainment. DHS describes in gre...

AI score: 0.1
Exploits: 0, References: 7

ThreatPost
added 2014/12/22 10:27 a.m., 6 views

Tor Project Warns of Possible Upcoming Attack on Network

The Tor Project is warning that an unnamed attacker is planning to try to cripple the network by seizing directory authorities, the servers that help Tor clients find Tor relays in the network. Tor officials said that the network right now is still safe to use, and also emphasized that they are...

Exploits: 0, References: 4

ThreatPost
added 2014/12/22 9:25 a.m., 10 views

How I Got Here: Andrew Jaquith

Dennis Fisher talks with Andrew Jaquith of SilverSky about his days running networks in the transportation industry, being there at the birth of @stake during his time at Cambridge Technology Partners, helping to kickstart the security metrics movement and what’s next for him. Download:...

AI score: 3.4
Exploits: 0, References: 2

ThreatPost
added 2014/12/19 1:44 p.m., 12 views

FBI Officially Blames North Korea in Sony Hacks

The FBI announced today that it has gathered enough evidence to say with certainty that the government of the Democratic People’s Republic of Korea is in fact responsible for recent intrusions into the networks of Sony Pictures Entertainment (SPE). This fact was all but officially stated yesterday...

AI score: 7
Exploits: 0, References: 7

ThreatPost
added 2014/12/19 1:33 p.m., 13 views

Exploits Circulating for Remote Code Execution Flaws in NTP Protocol

Researchers at Google have uncovered several serious vulnerabilities in the Network Time Protocol and experts warn that there are exploits publicly available for some of the bugs. The vulnerabilities are present in all versions of NTP prior to 4.2.8 and include several buffer overflows that are...

AI score: 2.3
Exploits: 0, References: 2

ThreatPost
added 2014/12/19 12:37 p.m., 19 views

GitHub Fixes Critical Vulnerability, Urges Users to Update Immediately

GitHub is strongly encouraging all Mac OS X and Windows users of GitHub and GitHub Enterprise to update their Git clients as soon as possible. The GMANE mailing list published the details of a critical arbitrary code execution vulnerability affecting all versions of the official Git client and al...

AI score: 0.8
Exploits: 0, References: 4

Total number of security vulnerabilities: 15946