Microsoft Extends SHA-2, TLS Support for Windows
One by one, tech companies have been tossing aside the SHA-1 cryptographic algorithm like the unreliable collision-prone mess that it is. Microsoft was among the first to steer its customers away from SHA-1 and established an internal edict that its developers would no longer use it for...
Browser Vendors Move to Disable SSLv3 in Wake of POODLE Attack
With details of the new POODLE attack on SSLv3 now public, browser vendors are in the process of planning how they’re going to address the issue in their products in a way that doesn’t break the Internet for millions of users but still provides protection. The attack, which was disclosed by a tri...
October 2014 Oracle Java Security Patches
Problems with the maligned Java Reflection API, the molten core of far too many exploited Java vulnerabilities in 2013, have surfaced again. Researchers with Security Explorations yesterday published details of a number of critical vulnerabilities in Java; the disclosures were made on the same da...
New POODLE SSL 3.0 Attack Exploits Protocol Fallback Issue
A new attack on the SSLv3 protocol, disclosed Tuesday, takes advantage of an issue with the protocol that enables a network attacker to recover the plaintext communications of a victim. The attack is considered easier to exploit than similar previous attacks against SSL/TLS, such as BEAST and...
Fixes for IE, Flash Player in October Patch Tuesday Release
Microsoft and Adobe issued their monthly patch Tuesday releases today, and Microsoft posted eight bulletins, three of which are considered critical including the now-monthly cumulative Internet Explorer update, addressing 24 vulnerabilities in various products. Adobe has fixes for three...
Kmart Latest Retail Chain to Disclose Payment Card Breach
Kmart is the latest domino to fall in the seemingly endless streak of major retail chain breaches. The discount department store acknowledged on Friday that it fell victim to a “payment security incident” for most of September and some of October. The store, which is operated by Sears Holdings...
BlackBerry 10 Open to Bug That Allows Malicious App Installation
BlackBerry has patched a vulnerability in its BlackBerry 10 devices that could allow an attacker to intercept users’ traffic to and from the BlackBerry World app store and potentially install malware on a targeted device. The vulnerability is a weakness in the integrity checking system that...
Dropbox Denies Hack, Says 'Your Stuff is Safe'
Dropbox officials on Monday said that a large cache of usernames and passwords posted online and alleged to have come from the company’s users are not related to Dropbox customer accounts. A spate of media reports reported yesterday that attackers had stolen several million sets of credentials fr...
Sandworm APT Team Found Using Windows Zero Day Vulnerability
UPDATE–A cyberespionage team, possibly based in Russia, has been using a Windows zero day vulnerability to target a variety of organizations in several countries, including the United States, Poland, Ukraine and western Europe. The vulnerability, which will be patched today by Microsoft, is...
Backoff Malware Identified as Culprit in Dairy Queen Breach
Backoff apparently has a sweet tooth. International Dairy Queen on Thursday confirmed that 395 of its Dairy Queen locations nationwide were breached by hackers using the dangerous point-of-sale malware. One Orange Julius location was also involved in the breach. The hackers were able to access...
EFF Launches New Anti-Surveillance Site
The EFF has launched a new site dedicated to educating users about how to resist pervasive surveillance online, through the promotion of encryption and other tools and the publication of first-person stories from people around the world who have fought surveillance in various ways. The new site, ...
October 2014 Microsoft Patch Tuesday security bulletins
Microsoft on Tuesday will push out its first set of patches since it announced the dissolution of the Trustworthy Computing group that gave birth to Patch Tuesday. The monthly patch cycle was just one output from TwC, which was formed in the ashes of Code Red, Nimda and hundreds of other network...
Rovnix Variant Surfaces With New DGA
Researchers have unearthed a new version of the Rovnix malware that has a couple of additional features, including a new domain generation algorithm and a secure transmission channel for communicating with the command-and-control servers. Rovnix is a malware variant that often has been distribute...
SAP Patches Seven Vulnerabilities in Three Products
SAP pushed out patches to address seven vulnerabilities in three different lines of software it produces. If exploited, the bugs – which weren’t disclosed until yesterday – could expose those running the systems to specialized attacks, information disclosure and in some cases, complete compromise...
Shellshock Exploits Spreading Mayhem Botnet Malware
The Mayhem malware piqued researchers’ interest earlier this summer after a published report from researchers at Russian search engine Yandex shed light on its ability to target Linux and UNIX machines and run under restricted privileges. Generally, web servers are well guarded against remote...
Wyden: Surveillance is a 'Clear and Present Danger' to the Digital Economy
The pervasive dragnet surveillance of Americans revealed by the Edward Snowden documents has caused serious damage to the trust that enterprises and citizens had in the United States government and unless that trust is repaired, it could have serious effects on the Internet economy, a panel of...
National Security Letters Challenged in Ninth Circuit Court
In the Ninth Circuit Court in San Francisco Wednesday morning, the Electronic Frontier Foundation’s (EFF) Kurt Opsahl urged the federal appeals court to uphold a lower court’s ruling that national security letters (NSLs) are unconstitutional. Regardless whether the ruling is upheld, the matter of NSL...
Karsten Nohl BadUSB Patch Falls Short of a Fix
Two researchers who released code that can be used to exploit a critical weakness in most USB drives followed that up Sunday with their version of a patch for the problem. The attack code and subsequent patch are a response to the BadUSB research released during Black Hat this summer, yet, the fix...
Google Fixes 159 Flaws in Chrome
Google updates its Chrome browser on a very aggressive timeline, often a couple of times a month. Usually, each update includes a handful of security fixes, maybe 12 or 15. On Tuesday, the company released Chrome 38, which patched a staggering 159 vulnerabilities. The huge majority of those...
Siemens Patches Five Vulnerabilities in SIMATIC WinCC for PCS 7
Siemens has patched five vulnerabilities in its SIMATIC PCS 7 system that could result in privilege escalation and give an attacker unauthenticated access to sensitive data. The flaws technically exist in WinCC, a SCADA (supervisory control and data acquisition) and HMI (human-machine interface) syst...
Arbor: DDoS Attacks Getting Bigger as Reflection Increases
Reflected distributed denial of service (DDoS) attacks continue to increase, particularly among large scale DDoS events, but it’s a relatively new type of amplification attack which exploits the Simple Service Directory Protocol (SSDP) that has emerged in a new Arbor Networks report. Data from the...
Twitter Files Suit Over Government Restrictions on National Security Letter Data
Twitter has filed a lawsuit in federal court asking that the United States Department of Justice’s prohibitions on publishing the number and kind of government requests for data the company receives be declared unconstitutional. The suit claims that the rules infringe on Twitter’s right to free...
Tyupkin ATM Malware Discovered by Kaspersky Lab
Criminals in Eastern Europe have evolved their attacks against automated teller machines, moving beyond solely targeting consumers with card skimmers that steal debit card numbers, to attacks against banks using malware that allows someone to remove money directly from an ATM without the need for...
Yahoo Confirms Infected Servers Unrelated to Shellshock
Yahoo CISO Alex Stamos refuted claims made by a Louisiana security company that a number of Yahoo servers had been compromised by Romanian hackers using Shellshock exploits against the vulnerability in Bash. Stamos said three Yahoo Sports API servers were infected with malware by hackers looking...
Bugzilla Vulnerability Exposes Bug Collections
Hundreds of open source software projects that make use of Bugzilla, Mozilla’s bug-tracking software, anxiously await a patch for a vulnerability that exposes private bugs collected by the system. Mozilla is today expected to make available a patch for the vulnerability in its account creation...
Experts Laud Changes to iPhone, Android Encryption
The changes that both Google and Apple have made to their mobile operating systems to encrypt the data on users’ devices have generated praise from the security and privacy communities and vitriol and criticism from the law enforcement and political worlds in equal measure. The changes to iOS and...
AT&T Hit By Insider Breach
AT&T is warning consumers about a data breach involving an insider who illegally accessed the personal information of an unspecified number of users. The compromised data includes Social Security numbers and driver’s license numbers. In a letter sent to the Vermont attorney general, AT&T official...
Shellshock-like Vulnerability May Affect Windows
In the early hours of the Shellshock vulnerability in Bash, the running joke was that Windows administrators could sit back with a box of popcorn and a beverage and watch the Linux and UNIX admins scramble about for once. Looks like those same Windows admins may soon be dragged into the fray. As...
76M Households, 7M Businesses Impacted in JPMorgan Chase Breach
A securities filing on Thursday revealed that up to 76 million households and seven million small businesses, far more than initially thought, were implicated in the cyber attack that hit JPMorgan Chase over the summer, making it one of the largest data breaches in U.S. history. The New York-base...
Dennis Fisher and Mike Mimoso Discuss Bash, Shellshock and BadUSB
Dennis Fisher and Mike Mimoso talk about the Bash Shellshock bug nightmare and the BadUSB code release. Download: digitalunderground169.mp3 Music by Chris Gonsalves...
Google Changes SafeSearch Option for Administrators
Google is removing a feature that allowed administrators to require their users to employ a search option that removes explicit content from search results. The decision is tied to the fact that the option required the use of an unsecured connection to Google, something that the company said allow...
Researcher Takes Wraps off Undisclosed Bash Vulnerabilities
The Bash bug has kept Linux and UNIX administrators busy deploying a half-dozen patches, worrying about numerous Shellshock exploits in the wild, and laboring over a general uncertainty that the next supposed fix will break even more stuff. Researcher Michal Zalewski, a longtime bug-hunter, has...
Xen Bug Could Cause Crashes, Expose Cloud Data
The Xen Project published a security advisory yesterday about a critical vulnerability in its virtual machine and hypervisor systems that could expose public cloud servers to attacks capable of crashing host machines and even stealing small amounts of random data. The fix was made available under...
BadUSB Attack Code Publicly Disclosed
Rarely in security is anything an absolute, but in the case of the BadUSB research that emerged during this year’s Black Hat conference, phrases such as “completely compromised” and “undetectable” paint a grim picture for the security of devices that communicate over USB. Over the weekend, the...
Second Same-Origin Policy Bypass Flaw Haunts Android Browser
There is another same-origin policy bypass vulnerability in the Android browser in versions prior to 4.4 that allows an attacker to steal data from a user’s browser. Google has fixed the vulnerability in some versions of Android, but millions of users of older versions are still affected. The...
Joomla Re-Issues Security Update After Patches Glitch
Users of the Joomla content management system have been on a patching roller coaster the past 24 hours with one set of patches for critical vulnerabilities being pulled last night before being re-issued today. The Joomla update, bringing the CMS up to version 3.3.6, is a security update addressin...
VMware Begins to Patch Bash Issues Across Product Line
Much like Heartbleed triggered vendors to issue out-of-band patches to remedy vulnerabilities that popped up earlier this year, Shellshock, the Bash vulnerability, has forced vendors’ hands in a similar fashion. Virtualization firm VMware issued a progress report on fixes for four different types...
Xsser Trojan Spies on Jailbroken iOS Devices in Hong Kong
An iOS version of an Android espionage Trojan targeting activists and protestors in Hong Kong has been discovered on the command and control server hosting the Android malware. The iOS version, a mobile remote access Trojan dubbed Xsser by Lacoon Mobile Security, affects only jailbroken iOS...
Schneider Electric Fixes Remotely Exploitable Flaw in 22 Different PLCs
There’s a remotely exploitable directory traversal vulnerability in more than 20 individual products from Schneider Electric that can enable an attacker to gain control of an affected machine. The flaw allows attackers to bypass the authentication mechanism on the server and get access to resourc...
DARPA Working on Provably Secure Embedded Software
DARPA is the birthplace of the network that eventually became today’s Internet, and the agency has spent the decades since it released that baby out into the world trying to find new ways defend it. That task has grown ever more complex and difficult, and now DARPA is working on a new kind of...
Google Ups Chrome Rewards, Offers More Money For Exploits
Google is again increasing the amount of money it offers to researchers who report vulnerabilities in Chrome as part of the company’s bug bounty program. Now, researchers will be able to earn $15,000 at the high end of the scale, and Google also is offering more cash for researchers who can submi...
OpenVPN vulnerable to Shellshock Bash vulnerability
OpenVPN wasn’t immune to the Heartbleed vulnerability in OpenSSL, and it’s not going to sidestep Shellshock either. Fredrick Stromberg, cofounder of Mullvad, a Swedish VPN company, reported that OpenVPN servers are vulnerable to Shellshock, the vulnerability in Bash plaguing Linux, UNIX and Mac ...
New Signed Version of CryptoWall Ransomware On the Loose
UPDATE–Researchers have discovered a variant of the CryptoWall ransomware that has a valid digital signature and is being distributed through malicious ads on several top-ranked Alexa Web sites. CryptoWall is one of the more successful ransomware strains in recent memory, with researchers...
Apple Patches Shellshock Vulnerability in Bash
Apple tonight released its patch for the Bash vulnerability, updating OS X Lion, Mountain Lion and Mavericks. Late Friday, Apple reassured Mac OS X users that most were protected by default, but nonetheless that it was working on a patch. The vulnerability in Bash, which stands for Bourne Again...
WPScan Vulnerability Database WordPress Security Resource
WordPress’ popularity as a content management system (44 percent of CMS market share) is matched in parallel by the number of security vulnerabilities afflicting the open source platform, as well as its versatile plug-ins and themes. It’s not unlikely that a developer may be at a loss as to the...
Web Editor Vulnerable To XSS Attacks
All versions of an HTML editor used in several Microsoft technologies, including ASP.NET, suffer from a high-risk cross-site scripting (XSS) vulnerability that could allow an attacker to inject malicious script and glean private information. The problem exists in all versions of RadEditor, a WYSIWY...
CloudFlare Rolls Out Free SSL
In a move that will essentially double the number of SSL-protected sites on the Web in the space of 24 hours, CloudFlare on Monday said that it was enabling SSL for all of its more than two million customers for free. The new service is called Universal SSL, and the company is making it available...
FBI to Open Up Malware Investigator Portal to External Researchers
SEATTLE–The FBI has developed an internal malware-analysis tool, somewhat akin to the systems used by antimalware companies, and plans to open the system up to external security researchers, academics and others. The system is known as Malware Investigator and is designed to allow FBI agents and...
Apple Says OS X Safe By Default Against Bash Vulnerability
Apple is trying to soothe users who are anxious about Mac OS X’s exposure to the Bash vulnerability. The company said in a statement to Threatpost that most Apple users are not at risk, and reports have it that Apple is preparing to release a patch. “With OS X, systems are safe by default and not...
September 2014 Yahoo Transparency Report
There was less clamor from governments and law enforcement around the world for data collected and stored by Yahoo, but nonetheless, the technology giant still fielded more than 18,000 data requests over the first six months of the year. Yahoo yesterday released its third Transparency Report, and...