Lucene search

15946 matches found

ThreatPost
added 2014/12/04 10:36 a.m., 24 views

GPG 32-Bit Short Key ID Collision Attacks

Attack and vulnerability details are often disclosed in order to prompt vendors and project maintainers into action. It happened recently with publication of attack code that mimicked the work of Karsten Nohl on BadUSB and tried to nudge Phison Electronics of Taiwan into looking at its USB...

AI score: 6.9
Exploits: 0, References: 5

ThreatPost
added 2014/12/03 1:21 p.m., 10 views

Google Retools reCAPTCHA with No CAPTCHA

Google is getting right to the point with the latest update to its reCAPTCHA authentication system. Rather than have users signing in to an online service try to decipher blurred text, Google has simplified the process by simply asking users whether they’re a bot. One click later, they’re...

AI score: 7.2
Exploits: 0, References: 4

ThreatPost
added 2014/12/03 12:55 p.m., 14 views

Sony Employee Payroll, Healthcare Information, Leaked

As expected, the Sony Pictures breach has unearthed more than just unreleased, pirated movies. A slew of sensitive employee information is also making the rounds online, and at one point it appears servers belonging to Sony were helping pass the information around. It had been widely speculated...

AI score: 7
Exploits: 0, References: 12

ThreatPost
added 2014/12/03 10:56 a.m., 22 views

Elipse SCADA Denial of Service Patch

Brazilian process management software developer Elipse has patched a serious denial-of-service vulnerability in its web-based Elipse SCADA application. The software is used in a number of critical industries worldwide, including manufacturing, energy, water and wastewater plants. The vulnerabilit...

AI score: 8.3
Exploits: 0, References: 11

ThreatPost
added 2014/12/03 10:18 a.m., 20 views

Mozilla Critical Security Update for Firefox Thunderbird ESR

The Mozilla Foundation yesterday released nine security updates fixing as many vulnerabilities in its popular Firefox browser. The fixes address three critical vulnerabilities, and others rated high and moderate. Mozilla issues critical ratings for bugs an attacker can exploit in order to run cod...

AI score: 1.1
Exploits: 0, References: 2

ThreatPost
added 2014/12/03 8:22 a.m., 8 views

Avoiding Data Breaches: Context Aware Behavioral Analytics

RESTON, VA – Security, it turns out, is all about layers, where if one layer fails, there are secondary and tertiary and a long line of backup defenses. This is neither new nor revolutionary. It’s why castles had moats, drawbridges and parapets; it’s also why prisons have cells, walls and gates...

AI score: 7.1
Exploits: 0, References: 3

ThreatPost
added 2014/12/02 1:58 p.m., 14 views

OpenVPN Patches Denial of Service Vulnerability

An update for OpenVPN released on Monday patches a serious denial of service vulnerability present in the open source VPN software since 2005. “It is also possible that even older versions are affected,” OpenVPN said in its advisory, clarifying that the flaw affects primarily OpenVPN 2.x versions...

AI score: 1
Exploits: 0, References: 1

ThreatPost
added 2014/12/02 1:49 p.m., 15 views

IBM Fixes Serious Code Execution Bug in Endpoint Manager Product

IBM has fixed a serious vulnerability in its Endpoint Manager product that could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The vulnerability lies in the Endpoint Manager for Mobile Devices component of the product and the researchers who discovered...

AI score: 2.1
Exploits: 0, References: 2

ThreatPost
added 2014/12/02 10:08 a.m., 12 views

Operation Cleaver Critical Infrastructure Hacking Attacks

Iranian state-sponsored hackers have been singled out for attacks on critical infrastructure worldwide, including 10 targets in the United States. Security firm Cylance today released an 86-page report on Operation Cleaver that lays out Iran’s hacking capabilities and motivations to attack global...

AI score: 0.7
Exploits: 0, References: 2

ThreatPost
added 2014/12/02 8:01 a.m., 12 views

FBI Flash Warning Alerts Businesses to Wiper Malware Attacks

The FBI issued a five-page flash warning yesterday urging American enterprises to be on the lookout for wiper malware. The alert, a Reuters report said, described some details about the malware but kept the victim anonymous. It’s general practice for the FBI not to name victims in such alerts. Th...

AI score: 7.3
Exploits: 0, References: 5

ThreatPost
added 2014/12/01 5:05 p.m., 11 views

Payment Card Data Accessed in Parking Provider Data Breach

SP+, a parking management services provider, late last week announced that 17 of its facilities in the United States had been breached and hackers may have made off with an unspecified number of payment card numbers. In a statement, the company said it was notified on Nov. 3 by a payment processo...

AI score: 0.4
Exploits: 0, References: 3

ThreatPost
added 2014/12/01 2:20 p.m., 10 views

Researcher Releases Database of Known-Good ICS and SCADA Files

A prominent security researcher has put together a new database of hundreds of thousands of known-good files from ICS and SCADA software vendors in an effort to help users and other researchers identify legitimate files and home in on potentially malicious ones. The database, known as WhiteScope,...

AI score: 7.6
Exploits: 0, References: 3

ThreatPost
added 2014/12/01 1:07 p.m., 10 views

F.B.I., Mandiant Investigating Sony Pictures Breach

Sony Pictures Entertainment (SPE) is continuing to investigate a potentially massive breach that last week compromised most of the company’s systems and leaked several films online, some of which haven’t even been released in theaters yet. Officials from the FBI and experts with Mandiant, FireEye’s...

AI score: 7.1
Exploits: 0, References: 6

ThreatPost
added 2014/12/01 10:41 a.m., 10 views

Cybercrime Group Preys on Wall Street Insider Information

A criminal hacking group with an innate understanding of how Wall Street moves and what influences stock prices has found a soft spot in more than 100 publicly traded companies and is stealing, among other data, mergers and acquisitions intelligence. The group is homed in on healthcare and...

AI score: 7.1
Exploits: 0, References: 1

ThreatPost
added 2014/12/01 10:26 a.m., 21 views

Sandbox Escape Bug in Adobe Reader Disclosed

Details and exploit code for a vulnerability in Adobe Reader have surfaced and the bug can be used to break out of the Reader sandbox and execute arbitrary code. The bug was discovered earlier this year by a member of Google’s Project Zero and reported to Adobe, which made a change to Reader that...

AI score: 7.8
Exploits: 0, References: 4

ThreatPost
added 2014/11/26 2:04 p.m., 8 views

New Google Security Dashboard Manages Device Activity

Google this week made available to Google Apps users a dashboard that displays recent account activity for each of a user’s devices, and allows them to take action if anything suspicious is afoot. Eran Feigenbaum, Google for Work director of security, said the new Devices and Activity dashboard...

AI score: 1.1
Exploits: 0, References: 2

ThreatPost
added 2014/11/26 10:04 a.m., 22 views

Siemens Patches WinCC Vulnerabilities Likely Being Exploited

Global industrial supplier Siemens has patched two critical vulnerabilities that it believes are likely being exploited. Organizations running products using the Siemens WinCC application are urged to apply available patches immediately; the company said it is working on updates for any remaining...

CVSS: 10, AI score: 2.4, EPSS: 0.05271
Exploits: 0, References: 2

ThreatPost
added 2014/11/26 8:18 a.m., 7 views

Home Depot Breach Cost Company $43 Million in Third Quarter

The massive Home Depot data breach disclosed earlier this fall involved the theft of 56 million credit and debit card numbers, and now the company has revealed that the incident so far has cost it $43 million. The costs are the result of both the investigation into the data breach as well as the...

AI score: 0.5
Exploits: 0, References: 2

ThreatPost
added 2014/11/25 2:40 p.m., 7 views

Sony Pictures Dealing With Apparent Network Compromise

Sony Pictures Entertainment is still in the process of trying to recover from an apparent compromise of some of the company’s computer systems. The attack first came to light on Monday, and the extent of the incident is still emerging. The compromise appears to affect just the networks at SPE, a...

AI score: 1.3
Exploits: 0, References: 3

ThreatPost
added 2014/11/25 1:22 p.m., 40 views

Adobe Releases Emergency Flash Player Patch

Adobe today revised a security bulletin it released more than a month ago, adding a patch for a code-execution vulnerability in Flash Player already included in some exploit kits. French researcher Kafeine found the exploits in the Angler and Nuclear kits less than a week after Adobe released an...

CVSS: 10, AI score: 0.3, EPSS: 0.90103
Exploits: 10, References: 8

ThreatPost
added 2014/11/25 12:22 p.m., 8 views

Brain Science and Browser Warnings

Browser and other types of security warnings generally don’t stop computer users in their tracks, especially when they’re in the middle of some task. Clicking through them seems to be the accepted response, rather than to halt and evaluate the situation. Researchers at Brigham Young University...

AI score: 0.3
Exploits: 0, References: 4

ThreatPost
added 2014/11/25 10:51 a.m., 9 views

Experts Question Legality of Use of Regin Malware by Intel Agencies

The disclosure of the Regin APT malware campaign this week has spurred much speculation about the source of the attack, with many experts pointing the finger at either the NSA or GCHQ, the British spy agency. Though security researchers involved in uncovering the attack have remained mum on the...

AI score: 1
Exploits: 0, References: 5

ThreatPost
added 2014/11/24 5:11 p.m., 9 views

Craigslist Back Online Following DNS Hijack

The popular classifieds website Craigslist is back online today following a DNS attack that forced it offline for several hours Sunday evening. According to a blogpost Sunday night by Craigslist’s CEO Jim Buckmaster, DNS records maintained at one of Craigslist’s domain registrars were compromised...

AI score: 1.4
Exploits: 0, References: 1

ThreatPost
added 2014/11/24 12:48 p.m., 113 views

Remote Code Execution in Popular Hikvision Surveillance DVR

A number of Hikvision digital video recorders contain vulnerabilities that an attacker could remotely exploit in order to gain full control of those devices. According to a report written by the security firm Rapid7, Hikvision’s DVRs contain three fairly typical buffer overflows in the request...

CVSS: 7.5, AI score: 0.7, EPSS: 0.72084
Exploits: 6, References: 5

ThreatPost
added 2014/11/24 11:05 a.m., 15 views

Costin Raiu on the Regin APT Malware

Dennis Fisher talks with Costin Raiu of the Kaspersky Lab GReAT Team about the discovery of the Regin APT malware, the threat’s targets and tactics, its ability to compromise GSM base stations and its other capabilities. Download: digitalunderground173.mp3 Music by Chris Gonsalves...

AI score: 3
Exploits: 0, References: 2

ThreatPost
added 2014/11/24 10:09 a.m., 15 views

Regin Cyberespionage Malware Platform Targets GSM Networks

Researchers have uncovered a complex espionage platform reminiscent of Duqu that has been used since at least 2008 not only to spy on and extract email and documents from government agencies, research institutions and banks, but also one that targets GSM network operators in order to launch...

AI score: 0.2
Exploits: 0, References: 5

ThreatPost
added 2014/11/24 9:24 a.m., 16 views

EFF, Privacy Groups Say NIST Crypto Standards Must be Free From Backdoors

The EFF and a long list of civil and privacy groups have sent a letter to NIST, emphasizing the need for the agency to create “a process for establishing secure and resilient encryption standards, free from back doors or other known vulnerabilities.” The letter comes at a time when the agency is ...

AI score: 7.4
Exploits: 0, References: 3

ThreatPost
added 2014/11/21 4:09 p.m., 9 views

FTC Shutters $120 Million Tech Support, Bogus Software Scam

Earlier this week a federal court in Florida issued a temporary restraining order shutting down a series of organizations in the business of peddling fake software and nonexistent tech support services, temporarily freezing the assets of those companies and placing them under the control of a...

AI score: 7.5
Exploits: 0

ThreatPost
added 2014/11/21 1:20 p.m., 12 views

Podcast Discussing WordPress Security, Anti-Surveillance

Dennis Fisher and Mike Mimoso talk about the news from the past week, including the out-of-band Microsoft patch, the compromised Joomla and WordPress plug-in attack campaign and the Detekt anti-surveillance tool. Download: digitalunderground172.mp3 Music by Chris Gonsalves...

AI score: 2.2
Exploits: 0, References: 2

ThreatPost
added 2014/11/21 11:00 a.m., 14 views

Buffer Overflow Haunts Advantech WebAccess SCADA Product

The ICS-CERT is warning users about a stack buffer overflow in the Advantech WebAccess SCADA product that could lead to arbitrary code execution. Advantech WebAccess is a SCADA and human-machine interface product that’s accessible over the Web. It’s used in a variety of industries, including...

AI score: 1.9
Exploits: 0, References: 2

ThreatPost
added 2014/11/21 9:52 a.m., 10 views

WordPress 4.0.1 Cross-Site Scripting Vulnerability Patch

WordPress’s latest update, 4.0.1, patches a critical cross-site scripting vulnerability affecting comment boxes on websites running the content management system software. An attacker would need only to inject malicious JavaScript into a comment that would infect a reader viewing it on the webpag...

AI score: 5.8
Exploits: 0, References: 3

ThreatPost
added 2014/11/20 4:51 p.m., 11 views

Most Targeted Attacks Exploit Privileged Accounts

We all like to write and talk about flashy zero-day vulnerabilities. However, a new threat report cautions enterprises not to flatter themselves, because the majority of criminals are not using valuable zero-day exploits to penetrate corporate networks: they’re phishing privileged account...

AI score: 0.7
Exploits: 0

ThreatPost
added 2014/11/20 2:08 p.m., 14 views

Detekt Open Source Surveillance Detection Tool

Hours spent on long-distance phone calls to political activists in the Middle East, journalists in Africa or human rights organizations in Asia are stressful for Claudio Guarnieri, an independent security researcher, white-hat hacker and civil rights activist. Often he has to convince that party,...

AI score: 0.3
Exploits: 0, References: 2

ThreatPost
added 2014/11/20 10:54 a.m., 14 views

Attackers Using Compromised Web Plug-Ins in CryptoPHP Blackhat SEO Campaign

Researchers have discovered a group of attackers who have published a variety of compromised WordPress themes and plug-ins on legitimate-looking sites, tricking developers into downloading and installing them on their own sites. The components then give the attackers remote control of the...

AI score: 7.4
Exploits: 0, References: 2

ThreatPost
added 2014/11/20 10:03 a.m., 29 views

Drupal Denial of Service Session Hijacking Patch

Details on a patched denial of service vulnerability in the open source Drupal content management system have been disclosed. The vulnerability, patched yesterday, could be abused to crash a website running on the CMS. Researchers Michael Cullum, Javier Nieto and Andres Rojas Guerrero reported th...

CVSS: 10, AI score: 0.2, EPSS: 0.82413
Exploits: 5, References: 4

ThreatPost
added 2014/11/20 8:02 a.m., 36 views

Angler Exploit Kit Adds New Flash Exploit

Exploit kit authors are nothing if not opportunistic, and they know a prime opportunity when they see one. Adobe Flash bugs fit that description nicely, and the people behind the Angler exploit kit already are exploiting one of the Flash bugs patched last week in the kit’s arsenal. This is a comm...

CVSS: 10, AI score: 1.1, EPSS: 0.82413
Exploits: 5, References: 2

ThreatPost
added 2014/11/19 2:54 p.m., 33 views

Citadel Variant Targets Password Managers

The Citadel Trojan has once again branched out beyond its roots as banking malware and is now targeting the master passwords guarding major password management products. Researchers from IBM Trusteer today said they’ve notified makers of the nexus Personal Security Client, Password Safe and KeePa...

CVSS: 10, AI score: 0.1, EPSS: 0.82413
Exploits: 5

ThreatPost
added 2014/11/19 1:11 p.m., 11 views

Encrypt Everything Cannot Be Swayed by FREEDOM Act Rejection

Barring another vote before the end of the calendar year and the current Congressional session, the USA FREEDOM Act is dead in the water until 2015—and maybe even beyond. The Senate last night came up two votes shy of passing the bill, which would have overhauled the NSA’s current dragnet...

AI score: 6.9
Exploits: 0, References: 8

ThreatPost
added 2014/11/19 10:54 a.m., 7 views

Nasty Security Bug Fixed in Android Lollipop 5.0

There is a vulnerability in Android versions below 5.0 that could allow an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances. The bug was fixed in Lollipop, the newest version of the mobile OS, released earlier this week. The vulnerability lies in...

AI score: 0.7
Exploits: 0, References: 2

ThreatPost
added 2014/11/18 2:33 p.m., 12 views

Paper: NetFlow Data De-Anonymizes Tor Users

Tor Project leaders are trying to rein in concerns about an academic paper describing an end-to-end traffic correlation attack that could be used by a well-funded attacker such as a nation state to de-anonymize traffic on Tor. Executive director Roger Dingledine points out that the researchers...

AI score: 0.8
Exploits: 0, References: 2

ThreatPost
added 2014/11/18 1:42 p.m., 26 views

Google Removes SSLv3 Fallback Support From Chrome

Google has released Chrome 39, fixing 42 security vulnerabilities and removing support for the fallback to SSLv3, the component that was the target of the POODLE attack revealed last month. When the POODLE attack was disclosed by several Google researchers in October, the company said that it had...

CVSS: 10, AI score: 2.9, EPSS: 0.0826
Exploits: 0, References: 16

ThreatPost
added 2014/11/18 1:40 p.m., 12 views

EFF, Others Plan to Make Encrypting the Web Easier in 2015

By all accounts, switching web servers over to HTTPS from HTTP has long been viewed as a fickle affair; HTTPS/SSL certificates are expensive and on top of that notoriously cumbersome to install and maintain. A new coalition comprised of The Electronic Frontier Foundation (EFF) and a handful of othe...

AI score: 0.1
Exploits: 0, References: 1

ThreatPost
added 2014/11/18 12:17 p.m., 12 views

Google Releases Open Source XSS Web App Scanner

UPDATE: A previous version of this story incorrectly reported that Firing Range is a scanner when in reality Firing Range is a tool that tests Web application security scanners. Google today released to open source a tool called Firing Range, which is designed as a test bed for Web application...

AI score: 5.8
Exploits: 0, References: 3

ThreatPost
added 2014/11/18 11:44 a.m., 7 views

WhatsApp Adds Encryption by Default to Android App

WhatsApp, a massively popular messaging app, recently added end-to-end encryption for some mobile clients, a move that brings a high level of security to millions of users. The change is the result of a partnership with Open Whisper Systems, the secure text and mobile OS company started by securi...

AI score: 0.1
Exploits: 0, References: 5

ThreatPost
added 2014/11/18 10:33 a.m., 12 views

Matsnu Botnet DGA Builds Domains From List of Nouns, Verbs

Domain generation algorithms have been botmasters’ favorite tool for keeping malware up and running—and for frustrating security researchers and detection technologies. Like malware, DGAs evolve, thus complicating an already tricky cat-and-mouse game between criminals and white hats. The latest i...

AI score: 0.6
Exploits: 0, References: 3

ThreatPost
added 2014/11/18 10:25 a.m., 31 views

Microsoft to Release Critical Out-of-Band Windows Patch

UPDATE–Microsoft on Tuesday released a rare out-of-band patch for a critical vulnerability in several versions of Windows and Windows Server, including Windows 8 and 8.1. The MS14-068 vulnerability is a flaw in the Kerberos implementation in Windows that could enable an attacker to elevate his...

CVSS: 9, AI score: 2.1, EPSS: 0.87448
Exploits: 8, References: 3

ThreatPost
added 2014/11/18 7:27 a.m., 6 views

Apple iOS 8.1.1 Fixes Several Code-Execution Flaws

Apple has patched 10 vulnerabilities in iOS, including a pair of bugs that allowed arbitrary code execution and one that enables an attacker to run random binaries on a target device. The patches come in iOS 8.1.1, a small update to the company’s mobile operating system. There are several serious...

AI score: 1.3
Exploits: 0, References: 2

ThreatPost
added 2014/11/17 4:03 p.m., 11 views

Open Source OpenSOC Security Analytics Framework Released

Cisco announced today that it has made available through open source a framework that integrates data analytics tools into security operations. “The OpenSOC framework helps organizations make big data part of their technical security strategy by providing a platform for the application of anomaly...

AI score: 0.3
Exploits: 0, References: 1

ThreatPost
added 2014/11/17 3:08 p.m., 14 views

IAB Urges Designers to Make Encryption the Default

The Internet Architecture Board, the body in charge of overseeing the structure of many of the Internet’s key standards, has recommended that encryption be the default traffic option for protocols. The recommendation comes after more than 18 months of revelations about the pervasive surveillance...

AI score: 2.1
Exploits: 0, References: 2

ThreatPost
added 2014/11/17 2:16 p.m., 9 views

Half of Leading USB Controller Chips Vulnerable to BadUSB

BadUSB hasn’t gone from bad to worse necessarily, but it sure has reached a new state of confusion for security experts and consumers in the crosshairs. Researcher Karsten Nohl, who warned the world during Black Hat last summer that the controller chips in most USB devices could be reprogrammed t...

AI score: 7.5
Exploits: 0, References: 5

Total number of security vulnerabilities: 15946