Visa, MasterCard Remove Passwords from 3D Secure
Payment giants Visa and MasterCard announced plans to eliminate the need for password authentication in the companies’ respective “Verified by Visa” and “SecureCode” payment platforms which are designed to add an additional layer of security to online transactions. In a press release, MasterCard...
AT&T Drops Controversial Tracking Header
When information came out earlier this month that some mobile carriers were injecting unique identifying “supercookies” into their users’ Web traffic, privacy groups and users were angered. The practice, used by Verizon and AT&T, enables advertisers to track users’ behavior and assemble informati...
How I Got Here: Kelly Jackson Higgins
Dennis Fisher talks with Kelly Jackson Higgins of DarkReading about her childhood days creating her own newspapers, her ambitions to be a sportswriter, getting into technology journalism and the fun and craziness of covering the security industry. Download: 14jacksonhiggins.mp3 Music by Chris...
Issues Arise With MS14-066 Schannel Patch
Some users who have installed the MS14-066 patch that fixes a vulnerability in the Schannel technology in Windows are having issues with the fix causing TLS negotiations to fail in some circumstances. The problem arises when users have TLS 1.2 enabled in certain configurations and it will sometim...
CoinVault Ransomware Betting on Hope with Free File Decrypt
UPDATE: A prior version of this story incorrectly defined VSS as vulnerability scanning systems when in fact it refers to volume shadow copy service, which is a Windows automatic data backup and recovery mechanism. Thanks to commenter Rudy for pointing this out. The courteous CoinVault ransomware...
Apple Offers Lukewarm Response to Masque Vulnerability
Apple said it is not aware of any customers affected by the Masque vulnerability disclosed earlier this week, and made no mention of a timeline when it might release an update patching the security hole. Masque is a vulnerability in iOS 7.1.1 and up that puts Apple mobile devices at risk to malwa...
Edward Snowden Effect on Privacy Attitudes
Serious concessions have been made about privacy post-Snowden, in particular about how personal information is processed and consumed online. Results from a survey conducted by the Pew Research Center of Washington, D.C., show that the Snowden leaks have raised consumers’ consciousness about not...
Dennis Fisher and Mike Mimoso Discuss the Windows Schannel Vulnerability and Wirelurker
Mike Mimoso and Dennis Fisher talk about the Windows Schannel vulnerability and whether it’s ripe for mass exploitation, as well as the WireLurker attack and why Apple hasn’t addressed it. Download: digitalunderground171.mp3 Music by Chris Gonsalves...
Microsoft Considering Public-Key Pinning for Internet Explorer
Microsoft is considering adding public-key pinning–an important defense against man-in-the-middle attacks–to Internet Explorer. The feature is designed to help protect users against the types of MITM attacks that rely on forged certificates, which comprise a large portion of those attacks...
Lame Duck Senate to Vote on NSA Reforming USA FREEDOM Act
The United States Senate will move to vote on the USA FREEDOM Act before the current congressional session closes at the end of the year, a move that pleases digital rights groups. In its current form, the bill would ban the bulk collection of Americans’ private records while granting the...
Windows Phone Sandbox Holds Up at Mobile Pwn2Own
The Mobile Pwn2Own hacking contest ended today as did the PacSec Applied Security Conference in Tokyo with hackers unable to gain complete control over a Windows Phone and the latest version of the Android mobile OS. Contest sponsors HP said two competitors, Nico Joly and Juri Aedla, were able to...
Chinese Attackers Hack NOAA's Systems
Systems belonging to the National Oceanic and Atmospheric Administration (NOAA) were recently compromised, purportedly by Chinese hackers. The NOAA confirmed that four of the scientific agency’s websites were targeted and compromised in an “internet-sourced attack” earlier this fall, in a statement...
Internet Voting Hack Alters PDF Ballots in Transmission
Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to...
Automakers Move to Address Privacy Concerns
Several automakers have agreed on a set of privacy principles that they say will govern the way that they handle personal information generated by vehicles, geolocation data and other sensitive information that is being produced by in-car computers and networks. The principles are the result of...
EFF Calls Out ISPs Modifying STARTTLS Encryption Commands
As Net Neutrality debates swirl, privacy advocates at the Electronic Frontier Foundation and VPN provider Golden Frog have gone public with a Federal Communications Commission filing that got more attention for accusations that Verizon FIOS customers were having their Netflix streaming service...
Microsoft Schannel Bug Latest in Long Line of Serious Crypto Flaws
The critical vulnerability in the Schannel technology in Windows that Microsoft patched Tuesday is ripe for exploitation, experts say, and continues the long line of severe vulnerabilities in major SSL/TLS implementations in recent months. Secure Channel, also known as Schannel, is a technology...
Retail Trade Groups Want Fair Data Breach Reporting Rules
The National Retail Federation and dozens of other related groups cosigned a letter (PDF) to top congressional leaders last week pleading that they consider the passage of a federal law imposing uniform data breach notification rules that are equally applicable to every organization that handles...
Adobe Patches 18 Vulnerabilities in Flash
Adobe pushed out security updates for Flash Player this afternoon, addressing 18 different vulnerabilities, all critical, that could allow an attacker to take control of an affected system running the multimedia platform according to a security bulletin posted today. The Patch Tuesday updates,...
November 2014 Microsoft Patch Tuesday Security Bulletins
A busy Microsoft Patch Tuesday arrived today with an extra sense of urgency and a complication. Among 14 bulletins, four of which are rated critical by Microsoft, is a patch for the OLE zero-day vulnerability being used in a number of targeted attacks. The zero-day is being spread via email...
USPS Breach Hits Customers, Employees
The United States Postal Service is continuing its investigation around a cyber attack at the agency that managed to compromise the information of both employees and customers earlier this year. The USPS announced in a statement on Monday that it recently fell victim to a “cyber intrusion inciden...
Stuxnet's First Five Victims Provided Path to Natanz
Stuxnet’s first five victims were a carefully crafted list of targets that ultimately provided the attackers with the road map they needed to get inside a uranium enrichment plant in Natanz, Iran and disrupt the country’s nuclear program. Cobbled together from clues left behind by the infamous...
Tor Project Looking for Answers Following Operation Onymous
Officials at the Tor Project are continuing to look for answers following the takedown late last week of hundreds of Tor hidden services, including the popular black market website Silk Road 2.0. In a blog entry yesterday Tor made it clear that it wasn’t entirely sure how or why the services that...
Masque iOS Vulnerability Disclosed
The vulnerability used in the WireLurker attacks has been uncovered and was reported to Apple in July but has yet to be patched, a researcher at FireEye said. Today’s disclosure of the Masque attack, which affects iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta, revealed that Apple mobile devices are...
New Mozilla Privacy Initiative to Include High-Capacity Tor Relays
Mozilla is starting a new initiative that the company says is designed to incorporate more privacy enhancing features into Firefox and the other Mozilla products. The project, known as Polaris, involves collaboration with The Tor Project and the Center for Democracy and Technology and will involv...
Pidgin 2.10.10 Patches SSL MiTM, DoS Vulnerabilities
A handful of security vulnerabilities were patched in the most recent release of the Pidgin open source instant messaging client, Pidgin 2.10.10, including an SSL/TLS certificate validation issue that could be exploited in man-in-the-middle attacks. Reported by Jacob Appelbaum of the Tor Project,...
Darkhotel APT Group Targeting Top Executives in Long-Term Campaign
APT groups tend to be grouped together in a large amorphous blob of sinister intentions and similar targets, but not all APT crews are created equal. Researchers have identified a group that’s been operating in Asia for at least seven years and has been using hotel networks as key infection point...
Avoiding the Dark Security Future
LAS VEGAS—Nick Percoco has been thinking a lot about the future of technology, and some of the things he’s dreamed up aren’t very pretty: farms of people renting out their spare brain cycles, autonomous cars that freak out and careen into oncoming traffic and hacking groups hijacking users’...
Expanding Use of PKI in Variety of Devices Holds Challenges
LAS VEGAS – One of the longest running jokes in the security industry is that each coming year finally will be The Year of PKI. While that one huge year never materialized, the use of PKI and digital certificates has become an integral part of how the Internet works today. But there are some...
Jeremy Rowley on the Facebook Tor Cert & the Future of PKI
Dennis Fisher talks with Jeremy Rowley of DigiCert about the company’s decision to issue a certificate for Facebook’s .onion site, the challenge of key protection in today’s environment and what the near future holds for PKI. Download: digitalunderground170.mp3 Music by Chris Gonsalves...
Serious Remote Root Access Bug in Belkin N750 Router
A serious vulnerability in a popular Belkin router could be exploited by a local, unauthenticated attacker to gain full control over affected devices. The good news is that the bug has already been patched by Belkin. The bad news is that approximately nobody installs router firmware updates. The...
Securing an Internet Made From 'Duck Tape and Baling Wire'
LAS VEGAS – The Internet that we use today was not designed as a cohesive network. It was put together from found bits and pieces over the course of the last few decades, and, as major bugs such as Heartbleed and others have shown, it’s a frighteningly fragile construction. Attackers know this as...
Windows Version of WireLurker Out of Commission Too
Given that most iPhone users update their Apple devices on Windows machines, it wasn’t really a shock to learn about the discovery of a Windows version of the WireLurker Trojan. Last night, researcher Jaime Blasco of AlienVault tweeted he had discovered the malware, which as it turns out, pre-dat...
Home Depot Data Breach: 53 Million Email Addresses Stolen
Home Depot said Thursday that its network was breached by hackers using stolen credentials from a third-party vendor to not only make off with 56 million payment card numbers, but also 53 million email addresses. The giant retailer warned affected customers to be on the lookout for phishing scams...
DigiCert Considering Certs for Hidden Services
News broke last week that Facebook had built a hidden services version of its social network available to users browsing anonymously via the Tor Project’s proxy service. Unlike any .onion domain before it, Facebook’s would be verified by a legitimate digital signature, signed and issued by...
November 2014 Microsoft Patch Tuesday Security Bulletins
Microsoft today provided its Patch Tuesday advance notification, giving IT managers a heads-up about 16 bulletins that are scheduled to be delivered next week, including five rated critical for remote code execution and privilege escalation issues. The heavy patch load is an anomaly for 2014,...
WireLurker Mac OS X Malware Shut Down
WireLurker is no more. After causing an overnight sensation, the newly disclosed family of Apple Mac OS X malware capable of also infecting iOS devices has been put to rest. Researchers at Palo Alto Networks confirmed this morning that the command and control infrastructure supporting WireLurker...
Michael Chertoff Risk Management ACSC Keynote
BOSTON – Former Homeland Security secretary Michael Chertoff gave enterprises a pep talk Wednesday during his keynote address at the Advanced Cyber Security Center’s annual conference. In a climate where massive financial services organizations such as JP Morgan Chase have been breached, the Whit...
ACSC Left of Boom Panel Tackles Resilience to Next Heartbleed
BOSTON – Heartbleed, and the rash of Internet-wide bugs that will ultimately define security in 2014, tested the resilience of enterprises worldwide. In turn, resilience has been elevated as a major talking point for companies evaluating their preparedness for the inevitable next Heartbleed-type...
Samsung Insists Find My Mobile Service Safe
Samsung this week tried to quell recent reports that its Find My Mobile service is vulnerable to hacking, firing back at NIST (National Institute of Standards and Technology), which warned last month that the feature could be exploited. In a blog post on the company’s global blog Tuesday, Samsung...
Government Requests for Facebook User Data Increasing
Facebook’s latest transparency report shows that U.S. law enforcement agencies issued a greater number of total requests for user data related to criminal investigations in the first six months of 2014 than they have over any previous such period. This report, per Justice Department reporting...
NSA Director Says Agency Shares Vast Majority of Bugs it Finds
When the National Security Agency discovers a new vulnerability that looks like it might be of use in penetrating target networks, the agency considers a number of factors, including how popular the affected software is and where it’s typically deployed, before deciding whether to share the new...
New Backoff Variant ROM Tougher to Detect, Analyze
A new and more fine-tuned version of the Backoff point of sale malware known as ROM has been spotted in the wild, according to researchers. While the latest iteration is similar to the preceding version, ROM has tweaks that help the malware better evade detection and hinder the analysis process,...
AirHopper Steals Data From Air-Gapped Computers
Air-gapped computers are generally the home of sacrosanct data. The lack of a connection between these machines and others on a network, or the Internet, means in theory that data stored on those devices is kept away from the harm of web-based threats and hackers moving laterally on a network...
Hacking Team Defends Spyware, Attacks Researchers' Methods
Privacy advocates and anti-surveillance activists have been taking a close look at the way that some vendors of so-called lawful intercept and surveillance software and hardware systems conduct their business and which customers and governments they sell their wares to. Now, some of those...
Linksys SMART Wi-Fi Firmware Patches Released
Two versions of popular consumer and small office Linksys routers remain vulnerable to a pair of vulnerabilities recently patched in other models of the Belkin-owned networking gear. Linksys EA2700 and EA3500 routers running Linksys SMART Wi-Fi firmware have yet to be patched against...
Google Releases Nogotofail Tool to Test Network Security
The last year has produced a rogues’ gallery of vulnerabilities in transport layer security implementations and new attacks on the key protocols, from Heartbleed to the Apple gotofail flaw to the recent POODLE attack. To help developers and security researchers identify applications that are...
Smartphone Owners Lack Motivation to Adequately Lock Devices
A quarter of smartphone owners don’t lock their devices because they don’t believe they have any data worth protecting. Even more refrain from doing it because they feel like it’s too much of a hassle. That’s at least according to a new study carried out by six researchers, four from the Universi...
American Express Brings Tokenization to Payment Cards
American Express has taken steps toward relieving retailers of the burden of storing payment-card data with the announcement of its American Express Token Service. The service will replace traditional 16-digit credit card numbers with a digital token. Consumers carrying a card supporting the...
Destructive BlackEnergy Malware Plug-Ins Target Cisco Routers
BlackEnergy, a converted crimeware tool, operates behind a laundry list of plug-ins for Linux and Windows systems that allows it to be used to attack Cisco networking devices, steal digital certificates, brick systems it infects, and skillfully hide from security analysts. Researchers from...
Facebook Creates .Onion Site; Now Accessible Via Tor Network
UPDATE – This story has been updated with commentary from the Tor Project. Facebook announced today that the social network will now be directly available to users as a Tor hidden service. The Tor Project is an Internet-traffic anonymization service that relays user traffic through a number of...