U.S. Air Force Aiming to Raise Cyber Awareness on Networks with MAMA
The United States Air Force is attempting to enhance what the military service branch is calling cyber situational awareness in order to contend with “increasingly sophisticated” threats to its networks and systems. The Air Force Research Laboratory’s Information Directorate announced it was...
Comcast Calls Reports it Will Terminate Tor Users Inaccurate
Comcast’s damage-control processes continue to get a workout. Weeks after an infamously exasperating exchange went public between a customer service person and a customer wishing to disconnect their service, the mega ISP spent most of the weekend defending itself from charges it was discouraging...
Flaw in Android Browser Allows Same Origin Policy Bypass
There’s a serious vulnerability in pre-4.4 versions of Android that allows an attacker to read the contents of other tabs in a browser when a user visits a page the attacker controls. The flaw is present in a huge percentage of the Android devices in use right now, and there’s now a Metasploit...
Big Batch of Bugs Fixed in Various Versions of IDA
The makers of the popular IDA disassembly and debugging tool have fixed more than a dozen security vulnerabilities in a variety of versions. Some of the vulnerabilities are a couple of years old, and patches are provided for versions from 6.1 up through 6.6. IDA is a tool used by malware analysts...
Four Vulnerabilities Patched in SCADA Server
Four different remotely exploitable vulnerabilities were recently discovered and patched in a popular SCADA server. The vulnerabilities exist in some versions of IntegraXor, a SCADA server manufactured by Ecava Sdn Bhd, a Malaysian-based software company. The Industrial Control Systems Cyber...
Hacked Political News Site Targets Router DNS Settings
The website for one of Brazil’s biggest newspapers has been compromised with malware that tries to change the victim’s router DNS settings. Web security company Sucuri published a report yesterday that Politica Estadao’s website was loading iFrames that carried out a brute-force attack against th...
Documents in Long-Running Yahoo FISC Challenge Case Published
During a long-running secret dispute between Yahoo and government officials over the constitutionality of orders from the federal government to turn over data belonging to Yahoo users, the company was facing fines of $250,000 for refusing to comply with the order. The revelation is contained in a...
Dropbox Reports 80 Percent of Subpoenas Contain Gag Request
Most U.S. government subpoenas for data on Dropbox users are accompanied with a request not to inform the user in question. Dropbox legal counsel Bart Volkmer said those gag orders are repelled unless there is a valid court order. The revelation accompanied the release of the cloud storage...
Chinese Groups Found Targeting Govt, Military Systems
Two Chinese cyber espionage campaigns are working in tandem in hopes of sniffing out trade secrets from surrounding nations. Researchers from FireEye outlined information about the two attack groups yesterday in advance of a more comprehensive report. One of the groups, Moafree, operates out of t...
Cisco Patches Denial-of-Service Vulnerability in IMC
US-CERT today released an advisory warning of a vulnerability in Cisco’s Integrated Management Controller (IMC). Cisco released an update that patches the security hole. The IMC is a baseboard management controller that oversees embedded servers inside Cisco Unified Computing System E-Series Blade...
Congress Urged to Update ECPA with Email Privacy Protection
A coalition of digital rights groups and electronic privacy advocates is urging both houses of Congress to consider updating the Electronic Communications Privacy Act of 1986 (ECPA), which they claim is an archaic law exploited by the government to obtain the contents of emails without first obtaining a probable...
Users in Dark about Permissions Granted to Mobile Apps
It’s no secret that mobile applications are a greedy bunch, often grasping for many more permissions than necessary. The UK’s Information Commissioner’s Office (ICO) this week released the results of a study conducted by the Global Privacy Enforcement Network (GPEN) that quantified just how bad the...
Key Flaw Enables Recovery of Files Encrypted by TorrentLocker
Crypto ransomware, a relatively unknown phenomenon a couple of years ago, has exploded into one of the nastier malware problems for Internet users. Variants such as CryptoLocker and CryptoWall have been siphoning money from victims for some time, and now researchers have dissected a newer variant...
Details Disclosed on Patched Webmin Vulnerability
The University of Texas information security office yesterday disclosed the details on a critical vulnerability in Webmin that was patched in May, days after it was reported. The bug in the UNIX remote management tool provided remote root access to a host server. Authenticated users would then be...
Five Million Email Passwords, Addresses Leak Russian Forum
UPDATE–Nearly five million email addresses along with a list of passwords said to correspond with those email addresses showed up on a Russian-language Bitcoin security forum last night. Most of the email addresses belong to Gmail users. While the source of the email addresses and the...
Apache Warns of Tomcat Remote Code Execution Vulnerability
Some older versions of the open source Apache Tomcat web server and servlet container are vulnerable to remote code execution. In what Mark Thomas, a longtime Apache Tomcat committer, calls “limited circumstances,” a user could upload malicious JavaServer Pages (JSP) to a server running Tomcat, an...
Information Sharing on Threats Seen as a Key for Auto Makers
A small segment of the security research community has been spending a lot of time tearing apart the innards of various vehicles and looking at ways that the computers and local networks that reside in modern cars can be hacked. There has been some remarkable success on this front, and while auto...
September 2014 Microsoft Patch Tuesday security bulletins
The Operation SnowMan espionage campaign, which targeted military intelligence earlier this year via an Internet Explorer zero day, exposed a weak spot in Microsoft’s vulnerability management efforts. What was unique about the SnowMan operation is that it included a check as to whether the...
Vulnerabilities in Android Apps That Allow Intercept of Messages, Photos Outlined
Researchers from the University of New Haven have taken to YouTube this week to publicize vulnerabilities in a dozen Android apps, including Instagram, Vine and OKCupid. Researchers at the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) have chosen to disclose the...
Adobe Flash Player security update September 2014
Adobe today released an updated Flash Player that patched a dozen vulnerabilities, and also announced that a scheduled security update for Reader and Acrobat has been postponed to the week of Sept. 15. Today’s release, which coincides with Microsoft’s monthly scheduled security updates, patches...
Research Finds No Large Scale Heartbleed Exploit Attempts Before Vulnerability Disclosure
In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations–perhaps the NSA–that had known about the bug for some time and had been using it for targeted attacks. A...
More 1024-Bit Certificates to Be Deprecated in Firefox
When Mozilla released Firefox 32 last week, the company removed several root certificates from the trust store for the browser. The move wasn’t because the certificates were fraudulent or the CAs that issued them were compromised, but because the certificates use 1024-bit keys. This is the first...
Google 'Sunsetting' Weak SHA-1 Crypto Algorithm
Google announced Friday it will begin the process of phasing out the obsolete SHA-1 cryptographic hash algorithm with the upcoming release of version 39 of the company’s Chrome browser in November. After the November release, Chrome will no longer fully trust sites whose certificate chains trust...
Home Depot Data Breach Confirmed
Home Depot today finally confirmed that its payment systems have been breached, but a number of crucial questions remain unanswered by the giant home improvement retailer. In a statement released late this afternoon, Home Depot said customers using payment cards at its U.S. and Canada locations,...
Traffic Networks Firm Patches Sensor Vulnerabilities
A year after it was notified about a security vulnerability, a company in charge of manufacturing sensors used in traffic control systems has patched a series of previously disclosed bugs that could have opened the products up to a handful of exploits. A warning from the Industrial Control System...
New Timing Attack Could De-Anonymize Google Users
A new timing attack has been disclosed that could de-anonymize Google users under particular conditions. Google acknowledged the issue to researcher Andrew Cantino, the vice president of engineering at Mavenlink, but told him it would not address the issue because the risk is low. “I agree that...
Salesforce Warns Customers of Dyreza Banker Trojan Attacks
Salesforce.com is warning its customers that the Dyreza banker Trojan is now believed to be targeting some of the company’s users. The Trojan, which has the ability to bypass SSL, typically goes after customers of major banks, but seems to be expanding its reach. Dyreza is relatively new among th...
OpenSSL Security Policy Made Public for First Time
OpenSSL has been having a rough go of it for some time thanks to Heartbleed and a handful of other critical vulnerabilities. Not only did those bugs put commerce and communication at risk, but they opened many people’s eyes as to how omnipresent the open source crypto implementation is. In an...
Israeli Think-Tank Site Serves Sweet Orange Exploit
Attackers have compromised the website of a prominent Israel-based, Middle East foreign policy-focused think tank, the Jerusalem Center for Public Affairs (JCPA). On Friday, researchers from Cyphort reported that the site was serving the Sweet Orange exploit kit via drive-by download. At the time o...
'Kyle and Stan' Malvertising Network Targets Windows and Mac Users
A malvertising network that has been operating since at least May has been able to place malicious ads on a number of high-profile sites, including Amazon and YouTube and serves a unique piece of malware to each victim. The network, dubbed Kyle and Stan by the Cisco researchers who analyzed its...
Mozilla 1024-Bit Deprecation Leaves 107,000 Sites Untrusted
When Firefox 32 shipped this week, Mozilla also officially ended its support of 1024-bit certificate authority certificates in its trusted store. While it still takes a considerable amount of resources to factor and crack a 1024-bit RSA key, important organizations such as NIST have been advising...
Dennis Fisher and Mike Mimoso Discuss the Apple iCloud Mess, Potential Home Depot Breach
Dennis Fisher and Mike Mimoso discuss the Apple iCloud mess, why the company waited until now to extend its 2FA system to the cloud, and the fallout from the possible Home Depot data breach. Download: digitalunderground165.mp3 Music by Chris Gonsalves...
Apple Plans to Extend 2FA to iCloud
In the wake of the iCloud photo theft scandal, Apple’s CEO said the company plans to extend its two-factor authentication system to logins to the iCloud service from mobile devices. The change will come when iOS 8.0 comes out later this month. The change will give users the option of enabling a...
Verizon to Pay Largest Ever Consumer Privacy Settlement
Verizon will pay the Federal Communications Commission $7.4 million as part of a settlement over the company’s failure to adequately inform and obtain consent from customers before using their personal information to develop thousands of tailored marketing campaigns. Officials say this fine...
September 2014 Microsoft Patch Tuesday advance notification
Microsoft today announced a relatively light load of patches will be delivered on Patch Tuesday next week, along with some numbers that demonstrate public vulnerability disclosures continue to rise. Four security bulletins, one rated critical, are scheduled to be released next Tuesday. In what’s...
Home Depot Data Breach Prompts Look at Backoff PoS Malware
Naturally, early speculation on the malware culprit behind the possible Home Depot data breach has leaned toward Backoff. The point-of-sale malware, one of many used against payment terminals, has recently been blamed for more than 1,000 attacks on businesses, prompting the U.S. Secret Service to...
One in Five Massachusetts Residents Breached in 2013
Roughly one in five Massachusetts residents were affected by a data breach last year, according to numbers released today by the Commonwealth’s Office of Consumer Affairs & Business Regulation (OCABR). The number, about 1.2 million residents, is nearly a 60 percent increase from 2012. “Last year wa...
Some Cable Modems Found to Leak Sensitive Data Via SNMP
Cable modems sold by two manufacturers expose a wide variety of sensitive information over SNMP, including usernames and passwords, WEP keys and SSIDs. Researchers who discovered the vulnerabilities say they’re trivially exploitable and plan to release Metasploit modules for them later this month...
Neverquest Trojan Adds New Targets, Capabilities
Researchers have found some recent modifications to the Neverquest banking Trojan that indicate the malware is no longer just targeting online banking sites, but also is going after social media, retailers and some game portals. The new changes also give the Trojan the ability to insert extra...
Android App SSL Certificate Validation Errors Enumerated
A growing compilation of close to 350 Android applications that fail to perform SSL certificate validation over HTTPS has been put together by the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University. Researcher Will Dormann created a large spreadsheet host...
CSRF, XSS Vulnerabilities Afflict WordPress Plugins
A smattering of bugs, mostly cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities, have been plaguing at least eight different WordPress plugins as of late. A security researcher going by the pseudonym Voxel@Night published on Monday information regarding the...
Twitter Launches Bug Bounty Program
Twitter is the latest major Internet company to establish a bug bounty program, and has put no upper limit on the bounty that a researcher can earn for reporting a vulnerability. The company announced on Wednesday that it will operate its bounty program through the HackerOne platform, a bug bount...
Home Depot Urges Credit Monitoring Vigilance
Home Depot told its customers today to monitor their bank and credit card accounts for fraud as it continues to investigate the “unusual activity” on its networks that could turn out to be one of the biggest data breaches in U.S. history. “We’re looking into some unusual activity that might...
Firefox 32 Debuts With Public-Key Pinning, Several Security Fixes
Mozilla has released Firefox 32, the latest version of its browser, which now supports public-key pinning and also includes fixes for several critical security vulnerabilities. The move to support public-key pinning is an important one for Firefox, as it helps protect users against...
Gary McGraw on the IEEE Center for Secure Design
Dennis Fisher talks with Gary McGraw of Cigital about the IEEE’s new Center for Secure Design program, the difficulty of defeating large classes of bugs and the collaborative effort it will take to solve the software security problem. Music by Chris Gonsalves Download: digitalunderground164.mp3...
Home Depot Investigating Massive Data Breach
Home Depot may be the latest retailer to suffer a costly data breach, and if early indications are correct, the hackers may have been on the home giant’s network longer than hackers were on Target’s systems, and a greater number of consumers may be at risk. A Home Depot representative confirmed...
Watering Hole Attack Targets Automotive, Aerospace Industries
Attackers managed to load malware onto the website of a prominent company involved in the development of simulation and systems engineering software widely used within the automotive, aerospace and manufacturing industries. These types of attacks are referred to as watering holes because, like a...
WPS Implementation Issue Exposes Wi-Fi Routers to Attack
A number of popular home and small office routers suffer from an implementation problem that could lead an experienced hacker down the road toward learning the devices’ eight-digit Wi-Fi Protected Setup (WPS) PINs in one guess. The attack, developed by Dominique Bongard, founder of 0xcite of...
Apple Fixes Glitch in Find My iPhone App Connected to Celebrity Photo Leak
UPDATE–Apple has patched the vulnerability in its Find My iPhone app that likely was used in the attack that led to the publication of private photos belonging to dozens of celebrities over the weekend. The victims of the breach included actors, models and athletes such as Jennifer Lawrence and...
Robert Hansen on Aviator and the $250,000 Security Guarantee
Dennis Fisher talks with Robert Hansen of WhiteHat Security about the company’s decision to change default search providers in their Aviator browser to Disconnect and the $250,000 guarantee for users of the Sentinel Elite product. Download: Robert Hansen on Aviator, Search Revenue and the $250,0...