Bash Vulnerability Exploits Dropping DDoS Bots
A honeypot run by researchers at AlienVault Labs has snared two separate pieces of malware attempting to exploit the Bash vulnerability. One sample is a repurposed IRC bot written in Perl that is trying to build a botnet to be used in distributed denial of service (DDoS) attacks, said Jaime Blasco,...
Patching Bash Vulnerability a Challenge for ICS, SCADA
While the most urgent focus where the Bash vulnerability is concerned is around Internet-facing web servers, embedded systems and industrial control systems are not exempt from worry. Experts are concerned about Linux-based industrial control systems and SCADA equipment, in particular, that may b...
Mozilla Patches RSA Signature Forgery in NSS, Firefox
The Mozilla Foundation has issued a security alert informing users that they have updated a number of their products in order to fix a vulnerability that could allow an attacker to forge RSA certificate signatures and perform man-in-the-middle attacks. The vulnerability has been known for some...
Bash Botnet Exploit Found, Bash Patches Incomplete
The urgency to patch systems against the Bash zero-day vulnerability has been cranked to 10 after reports of an exploit in the wild have been made public by AusCERT, the Computer Emergency Response Team of Australia. This seems to reflect a similar finding posted by a researcher who goes by the...
Home Hacking Made Simple
SEATTLE–Like most security researchers, David Jacoby is naturally curious about how things work, and whether they can be made to do things they weren’t meant to do. Sitting at home in Sweden a few months ago, he looked at all of the Web-enabled devices in his house–TV, game console, network stora...
Small Signs of Progress on DNSSEC
SEATTLE–DNS doesn’t have a lot of friends. It’s old, it’s kind of creaky and it has some insecurity issues. The few friends it has have tried to help it out in the last few years with the addition of DNSSEC, but that hasn’t gone so well, either. The Internet hasn’t been quick to adopt DNSSEC, for...
Researchers Work to Predict Malicious Domains
SEATTLE–A typical phishing or Web-based malware attack usually isn’t terribly complex. But they need a few things in order to work, and one of the key components often is a malicious domain. Researchers spend a lot of time identifying and taking these domains down, but some researchers now are...
As Bug Bounties Become the Norm, Challenges Remain
SEATTLE–For many years, Microsoft and other large software vendors resisted the idea of providing bug bounties or other financial incentives for researchers to report vulnerabilities. That changed when the landscape began to shift and more researchers began reporting vulnerabilities through broke...
Major Bash Shell Vulnerability Affects Linux, UNIX, Mac OS X
A critical vulnerability in the Bourne again shell, simply known as Bash and which is present in most Linux and UNIX distributions and Apple’s Mac OS X, has been discovered and administrators are being urged to patch immediately. The flaw allows an attacker to remotely attach a malicious executab...
David Jacoby on Hacking His Home
Dennis Fisher talks with David Jacoby of Kaspersky Lab about the research he did on the security of electronics gear in his home, including his smart TV, game console and storage devices, and what the vendors need to do to respond. Download: digitalunderground168.mp3 Music by Chris Gonsalves...
Second jQuery Hack of Week Reported
Update: A day after a compromise of the jQuery website was disclosed, the open source JavaScript library is dealing with a second attack. JQuery Foundation board member Ralph Whitbeck confirmed via email to Threatpost that a new compromise was under way and the organization was taking steps to...
Travel Site Viator Claims 1.4 M Implicated in Breach
Travel website Viator.com is in the middle of notifying approximately 1.4 million of its customers that their personal information – payment card data included – may have been compromised. The San Francisco-based company, which specializes in expert curated travel suggestions, announced the breac...
Obamacare Marketplaces Could Improve Information Security
The health insurance marketplaces instituted by the Affordable Care Act, through which tens of millions of Americans have signed up for medical coverage, aren’t doing a bad job of securing sensitive personal information but they could certainly be doing a better job, according to a new analysis. ...
Mozilla Begins Phasing Out Support for SHA-1 Hash Algorithm
Mozilla has joined the chorus of browser makers and technology companies no longer throwing their support behind the shaky SHA-1 hash algorithm. Long considered vulnerable to attack, SHA-1 is already on hackers’ collective to-do list with experts predicting collision attacks practical within four...
Microsoft Online Services Bug Bounty Program Launches
Microsoft had always rejected the possibility of a full-scale bug bounty, relying instead on solid relationships it spent the better part of a decade fostering with researchers worldwide who submit vulnerabilities to the Microsoft Security Research Center (MSRC). Yet in the past couple of years, th...
High-Volume, High-Rate DDoS Attacks Persist
As expected, the numbers back up the continued proliferation of both high-volume and high-rate distributed denial of service attacks – like the ones executed via NTP amplification – over the last few months. NSFOCUS, a security firm that measures DDoS traffic, released its Mid-Year Threat Report...
jQuery.com Hacked, Redirecting to RIG Exploit Kit
Owners of websites built using the jQuery library are being warned of an attack against the toolkit’s website which is redirecting visitors to a third-party site hosting the RIG exploit kit. JQuery is a free and open source JavaScript library used for a number of things, including building AJAX...
Blackphone Bug Bounty Program Launches on Bugcrowd
During DEF CON in August, Twitter became the preferred medium for submitting bugs found in secure smartphone Blackphone, including one high-profile claim on the social network that the phone had been rooted. That wasn’t the final straw that led to today’s announcement of a bug bounty, rather it w...
Malware-Laced Emails Appear to Come From LogMeIn
The SANS Internet Storm Center yesterday warned users and administrators to be on the lookout for malicious emails purporting to come from the security and authentication firm LogMeIn. For its part, LogMeIn is aware of the attacks, and has issued a number of warnings to its customers on its blog...
Charney on Trustworthy Computing: 'I Was the Architect of These Changes'
Scott Charney, the head of Microsoft’s Trustworthy Computing efforts, said that he was the one who decided it was time to move the TwC group in a new direction and integrate the security functions more deeply into the company as a whole. “I was the architect of these changes. This is not about th...
Researcher Discloses Wi-Fi Thermostat Vulnerabilities
Heatmiser, a U.K.-based manufacturer of digital thermostats, is contacting its customers today about a series of security issues that could expose a Wi-Fi-connected version of its product to takeover. Andrew Tierney, a “reverse-engineer by night,” whose specialty is digging up bugs in embedded...
Kyle and Stan Malvertising Network Nine Times Bigger
The Kyle and Stan malvertising network has a much bigger reach than first reported—about nine times bigger. In the two weeks since Cisco’s first report on the malicious ad distribution campaign, researchers had a chance to look closer at telemetry data, connect more dots and learn that nearly 6,5...
MyFitnessPal App Patches Privacy Vulnerability
The details of a patched vulnerability in a popular mobile fitness application have been disclosed three months after a fix was released. The flaw could have allowed a user to fetch the personal profile of another registered app user. MyFitnessPal deployed a fix on June 26 for a privacy flaw in...
Productivity Trumping Security as BYOD Grows
More than half of organizations say that employees regularly sacrifice security in exchange for the efficiency enabled by using personal mobile devices to get work done in the office and at home. That problem seems to be compounded by survey results showing that one-third of those organizations’...
New Research Refines Security Vulnerability Metrics
Adequate security metrics have seemingly been an unattainable goal, especially when it comes to software security. Too often, organizations simply rely on vulnerability counts for flaws disclosed in an operating system or popular application as a measure of its security. But too often, variables...
Dennis Fisher and Mike Mimoso Discuss All Things Apple Security, Home Depot and Microsoft
Dennis Fisher and Mike Mimoso talk about the crazy news of the last couple of weeks, the Apple privacy and Apple Pay announcements, the details of the Home Depot breach and the end of the Microsoft Trustworthy Computing unit. Download: digitalunderground167.mp3 Music by Chris Gonsalves...
Era Ends With Break Up of Trustworthy Computing Group at Microsoft
In a move that has surprised many in the security community, Microsoft has disbanded its Trustworthy Computing unit, the group that was responsible for the pioneering work that helped reverse the company’s security reputation and make Windows a much more secure and reliable computing platform. Th...
Home Depot Data Breach Put 56 Million Cards at Risk
Home Depot confirmed this afternoon that the breach of its systems put approximately 56 million unique payment cards at risk, considerably more than the Target data breach. The giant home retailer disclosed on Sept. 2 that hackers had been on its network since April; by comparison, the Target...
OWASP Releases Latest App Sec Testing Guide
Advocates with the web application security consortium OWASP published the latest iteration of its Testing Guide this week. The guide, celebrating its 10th anniversary this year, is an informational manual designed to teach developers how to build and maintain secure applications in the face of...
CVE Syntax Change Deadline Approaching
There was a time when 9,999 vulnerabilities in a calendar year was an exaggeration of the problem. There was no way—folks at MITRE said in 1999—that they would have to produce that many CVE identifiers. The syntax for CVE identifiers supporting four digits was an unnecessary cushion. Yet here we...
Chinese Penetrate TRANSCOM Amid Lack of Data Sharing
Hackers allegedly affiliated with the Chinese government compromised the computer networks of the United States Transportation Command, the group tasked with providing air, land and sea transportation services to the Department of Defense, according to the findings of a Senate Armed Services...
New Initiative Simply Secure Aims to Make Security Tools Easier to Use
The dramatic revelations of large-scale government surveillance and deep penetration of the Internet by intelligence services and other adversaries have increased the interest of the general public in tools such as encryption software, anonymity services and others that previously were mainly of...
Dyre Trojan Targeting More than Salesforce.com Credentials
The criminals who unleashed a variant of the Dyre banking Trojan recently may have more up their sleeve than harvesting Salesforce.com credentials. Analysis of a sample conducted by SaaS security company Adallom determined that the new strain of Dyre is targeting large enterprises in addition to...
Apple CEO Tim Cook Says Company Dedicated to Protecting Users' Privacy
While much of the tech community is still swooning over the iPhone 6, Apple Pay and Apple Watch, the company’s top executive is spending a lot of time and energy trying to reassure customers that Apple is doing everything it can to protect their privacy and the security of their data. Apple CEO T...
Rich Mogull on Apple Pay
Dennis Fisher talks with Rich Mogull about the new iPhone 6, the security and privacy of Apple Pay and whether there’s another company that could put together a similar payment system. Download: digitalunderground166.mp3 Music by Chris Gonsalves...
Drupal Mollom Module Cross-Site Scripting Patch
Drupal today released an update that patches a cross-site scripting vulnerability in a popular spam and content moderation module used by websites built on the open source CMS. The vulnerability was in a feature of the Mollom module that is installed on at least 60,000 sites, said Drupal security...
Apple Launches iOS 8, Fixes Dozens of Security Flaws
Apple has released iOS 8, a massive update to its mobile operating system, that includes fixes for more than 40 security vulnerabilities. Apple is touting iOS 8 as the biggest update to the software since it launched the App Store, and, aside from the security fixes, there are hundreds of new...
Series of Vulnerabilities Found in Schneider Electric SCADA Products
UPDATE–There are several unpatched, remotely exploitable vulnerabilities in a number of Schneider Electric’s SCADA products, one of which could be used to perform a shutdown of the SCADA server. Another of the vulnerabilities is an authentication bypass that could give an attacker access to...
POS Service Confirms Goodwill Breach Lasted 18 Months
Third-party payment vendor C&K Systems released further details this week regarding a breach that affected its systems for 18 months and went on to affect customers who shopped at Goodwill, in addition to two unnamed retailers. The company provided an update on the breach via a press release Mond...
FreeBSD Patches TCP Processing DoS Vulnerability
FreeBSD has patched a denial-of-service vulnerability that could affect a host of third-party packages built atop the UNIX-like operating system. The vulnerability—found in the way FreeBSD processes TCP packets—was discovered by a member of Juniper Networks’ incident response team. FreeBSD’s...
White House: Internet Not Borderless, but Lacking Interior
WASHINGTON D.C. – In an afternoon keynote address at the Billington Cybersecurity Summit yesterday, Michael Daniel, a special assistant to the president and White House Cybersecurity Coordinator, refuted the common sentiment that the Internet is difficult to defend because it is borderless. To th...
2014 Google Transparency Report Requests for Data Up Again
Against a backdrop of new surveillance programs being uncovered in New Zealand and allegations of the NSA and GCHQ’s penetration of Deutsche Telekom in Germany, Google yesterday published its biannual Transparency Report for the first half of 2014. Google’s numbers reflect not only a continually...
Apple Extends Two-Factor Authentication to iCloud
Apple finally has enabled two-factor authentication for its iCloud storage service, more than a year and a half after the company first turned the protective measure on for iTunes purchases and Apple ID. The extension of 2FA–which Apple calls two-step verification–to iCloud comes two weeks after...
Archie Exploit Kit Spotted Leveraging Adobe, Silverlight Vulnerabilities
A relatively new exploit kit that borrows modules copied from the Metasploit Framework and exploits any older versions of Adobe Flash, Reader, and Silverlight the user may be using has begun to make the rounds. Jaime Blasco, the director of AlienVault Labs, dug deeper into the kit, known as Archie, on...
September 2014 Adobe Reader Acrobat Patches
Adobe has straightened out issues it spotted during regression testing that caused a Reader and Acrobat update to be postponed last week. New versions of the PDF reader were made available today for Windows and Macintosh computers and they include patches for a number of critical vulnerabilities...
Back-and-Forth With Google Led to Disclosure of Android Browser Flaw
The researcher who originally discovered the same-origin policy bypass in the Android browser said he reported the vulnerability to Google some time ago, but that the company’s Android security team said it was unable to reproduce the issue. Rafay Baloch said he first reported the vulnerability t...
NSA Director Urges Cyber-Resilience at Billington Summit
WASHINGTON, D.C. – In his keynote address at the Billington Cybersecurity Summit, NSA Director and Commander of U.S. Cyber Command, Admiral Mike Rogers, explained that the Defense Department and corporate information security teams must focus on cyber-resiliency rather than total network...
Citadel Used in Attacks Against Petrochemical Companies
Cybercrime tools continue to cross over into the realm of nation-state targeted attacks, with the latest example being a variant of the Citadel banking Trojan used in attacks against petrochemical companies in the Middle East. The attacks took place within the past few months, said researchers at...
Apple CEO Defends iMessage Security
Despite research published last year that demonstrated that Apple has the ability to decrypt users’ iMessages if it so chooses, Apple CEO Tim Cook said that the company does not hold the encryption key for those messages and couldn’t even produce the plaintext in response to a government order. In...
SNMP DDoS Attack Spoofs Google DNS Server
Update: The SANS Internet Storm Center this afternoon reported SNMP scans spoofed from Google’s public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic. “The traffic is spoofed, and claims to come from Google’s DNS server...