15946 matches found

ThreatPost
added 2014/08/29 2:25 p.m. | 7 views

Backoff Sinkhole Reveals Sorry Point-of-Sale Security

Kaspersky Lab researchers say that a recent analysis of two Backoff malware command and control servers paints “a very bleak picture of the state of point-of-sale security.” Kaspersky Lab sinkholed two of the malware’s command and control servers. In just two days, nearly 100 infected systems,...

AI score: 7.1
Exploits: 0 | References: 12

ThreatPost
added 2014/08/29 12:41 p.m. | 8 views

CryptoWall Ransomware Earns $1.1M, Encrypts 5 Billion Files

CryptoWall is a million-dollar business. The file-encrypting ransomware has netted the criminal gang responsible for its development and dispersal more than $1.1 million in the six months it’s been in the wild, researchers at Dell SecureWorks’ Counter Threat Unit said in a report this week. The...

AI score: 1.3
Exploits: 0 | References: 4

ThreatPost
added 2014/08/29 11:12 a.m. | 12 views

Mozilla to Support Key Pinning in Firefox 32

Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla’s own sites, all of the sites pinned in...

AI score: 6.7
Exploits: 0 | References: 7

ThreatPost
added 2014/08/29 9:31 a.m. | 21 views

Nearly 100k Bugzilla Users Affected by Data Disclosure

The email addresses and encrypted passwords of nearly 100,000 users of Mozilla’s Bugzilla system were left on a publicly accessible server for several months earlier this year, the company said. The disclosure comes just a few weeks after Mozilla advised members of its Mozilla Developer Network t...

AI score: 1.7
Exploits: 0 | References: 3

ThreatPost
added 2014/08/28 2:18 p.m. | 15 views

IEEE Guides Software Architects To Secure Software Design

Participation in the IEEE Center for Secure Design initiative came with a price. “Everyone had to bring along a bag of flaws from their real SDL software development lifecycle,” said Gary McGraw, CTO of Cigital and one of 13 authors of a new guidance document released this week for software...

AI score: 7.1
Exploits: 0 | References: 1

ThreatPost
added 2014/08/28 8:50 a.m. | 10 views

XP-Heavy Turkey Overrun with GameOver Zeus Infections

Like a predator, criminals who profit online will seek out weak prey. In the context of cybercrime, emerging countries such as Brazil, South Korea and Turkey among many others are in the crosshairs because of a number of factors, including a prevalence of outdated and unpatched computers and lowe...

AI score: 0.9
Exploits: 0 | References: 6

ThreatPost
added 2014/08/27 2:08 p.m. | 117 views

Microsoft Re-Releases Broken Security Patch MS14-045

Microsoft today re-released security bulletin MS14-045, which was pulled shortly after the August Patch Tuesday updates because a number of users reported crashes and blue screens. The patch was removed from Windows Update on Aug. 15, three days after it was released as part of Microsoft’s monthl...

CVSS: 9.3 | AI score: 0.9 | EPSS: 0.99945
Exploits: 33 | References: 4

ThreatPost
added 2014/08/27 2:04 p.m. | 19 views

Verizon to Bolster Authentication with QR Codes

If you want to know what the future holds for authentication on the web, it all depends whom you ask. Some say it’ll come in the form of biometrics – iris and fingerprint scans, etc. Others say the answer lies in a tangle of constantly changing two-factor verification codes users need to punch in...

Exploits: 0 | References: 3

ThreatPost
added 2014/08/27 11:48 a.m. | 11 views

Java.com, TMZ Serving Malvertising Redirects to Angler Kit

Online ad network AppNexus has again been identified at the core of another malvertising campaign using the Angler Exploit Kit to redirect visitors to sites hosting the Asprox malware. Busy, popular websites including TMZ, Photobucket and Java.com in recent days have been serving malicious...

AI score: 0.2
Exploits: 0 | References: 2

ThreatPost
added 2014/08/27 10:23 a.m. | 14 views

OpenSSL Heartbleed Impact, Vulnerabilities Down in 2014

On the one hand, the total number of vendor-reported vulnerabilities is down so far this year. On the other, 2014 was the year of the Heartbleed, the common name for a vulnerability in the nearly ubiquitous OpenSSL’s encryption implementation library, which IBM Security Systems characterized as...

AI score: 0.4
Exploits: 0

ThreatPost
added 2014/08/26 3:10 p.m. | 9 views

Netflix Open Source Security Tools Solve Range of Challenges

Few organizations experience the scale of Web-based application security challenges that Netflix engineers deal with on a regular basis. Sometimes the response to a threat requires a homespun tool that, more often than not, ends up being released to open source. “Our assumption is that we...

Exploits: 0 | References: 2

ThreatPost
added 2014/08/26 12:55 p.m. | 64 views

South Korean Data Breach Compromises 27 Million

A data breach in South Korea appears to have impacted as many as 27 million citizens, roughly 70 percent of the nation’s population. Authorities with the South Jeolla Provincial Police Agency announced late last week that it had apprehended a 24-year-old, known simply as Kim, in addition to 15...

AI score: 1.2
Exploits: 0 | References: 2

ThreatPost
added 2014/08/26 10:40 a.m. | 25 views

50 Security Flaws Fixed in Google Chrome

Google has fixed 50 security vulnerabilities in its Chrome browser, including a critical string of bugs that can allow an attacker to execute arbitrary code outside of the browser’s sandbox. This is one of the larger batches of fixes that Google has produced for Chrome recently. The company...

CVSS: 10 | AI score: 3.2 | EPSS: 0.09758
Exploits: 0 | References: 10

ThreatPost
added 2014/08/25 2:30 p.m. | 8 views

Secret Service Backoff point of sale malware advisory

Point-of-sale malware is a problem that apparently isn’t going away any time soon. No doubt spurred on by the massive data loss absorbed in the Target data breach and most recently Supervalu grocery chains, and UPS, which disclosed last week that 51 of its stores were victimized by credit card...

Exploits: 0 | References: 7

ThreatPost
added 2014/08/25 1:21 p.m. | 8 views

AdThief iOS Malware Affecting 75K Jailbroken Devices

A relatively new form of malware on iOS is estimated to have stolen revenue from 22 million ads and infected upwards of 75,000 devices so far. The malware, iOS/AdThief, was first identified back in March but wasn’t fully articulated until Axelle Apvrille, a researcher with Fortinet, looked into t...

AI score: 1.7
Exploits: 0 | References: 3

ThreatPost
added 2014/08/25 12:32 p.m. | 5 views

Android Side-Channel Hack Leads to Data Loss at USENIX

A weakness in Android, one that’s likely also found in other leading operating systems, allows an attacker to infer what’s happening on a victim’s user interface and launch an appropriate secondary attack resulting in data loss. Researchers from the University of Michigan and the University of...

AI score: 1.6
Exploits: 0 | References: 1

ThreatPost
added 2014/08/25 11:06 a.m. | 10 views

Mozilla Adding Granular App Permissions to Firefox OS

Mozilla is set to add a feature to its mobile Firefox OS that will give users the ability to revoke any application’s permissions on a granular basis. Firefox OS is the open source operating system that Mozilla built for smartphones. The software runs on a variety of devices from manufacturers su...

AI score: 0.7
Exploits: 0 | References: 3

ThreatPost
added 2014/08/25 10:25 a.m. | 7 views

Sony PlayStation Network Back Online Following DDoS

Sony Corporation took its online gaming platform, the PlayStation Network (PSN), offline over the weekend in the face of a distributed denial of service (DDoS) attack. As of Sunday, the company said the PSN is back online and that game play can resume. Sony is saying that it has seen no evidence of a...

AI score: 7.3
Exploits: 0 | References: 5

ThreatPost
added 2014/08/22 2:08 p.m. | 10 views

NIST Releases Secure Shell Guidance Document

NIST released a report yesterday urging enterprises, government agencies and other IT shops that rely on Secure Shell implementations to re-assess their deployments and be wary of a number of weaknesses plaguing those systems. Interagency Report 7966 is a guidance document that falls in line with...

AI score: 0.2
Exploits: 0 | References: 1

ThreatPost
added 2014/08/22 1:10 p.m. | 15 views

Akeeba Patches Bypass Vulnerability in Joomla

The developers behind Akeeba, an extension for content management systems that lets users backup their work, fixed an outstanding issue this week that could’ve let anyone download site backups, passwords and user lists. Because of the sheer difficulty it takes to exploit the bug, the vulnerabilit...

Exploits: 0 | References: 2

ThreatPost
added 2014/08/22 1:03 p.m. | 12 views

Intelligence Insiders Disclose Bug Information With Tor

The executive director of the Tor Project told the BBC that U.S. and U.K. intelligence agencies are in an internal cat and mouse game, with one faction trying to break the anonymity network, and another one sharing bugs anonymously with Tor developers. Andrew Lewman, in an extensive...

AI score: 7
Exploits: 0 | References: 3

ThreatPost
added 2014/08/21 2:04 p.m. | 16 views

UPS Admits 51 Stores Hit With Malware For Five Months

The list of corporations that have been victimized by credit card stealing malware in 2014 grew a little longer this week as UPS announced that 51 of its stores suffered a “broad-based malware intrusion” earlier this spring. The company disclosed the breach – which affected franchised locations o...

AI score: 0.4
Exploits: 0 | References: 5

ThreatPost
added 2014/08/21 1:46 p.m. | 15 views

Amazon CloudFront Turns On Perfect Forward Secrecy

Add Amazon to the growing list of technology providers ensuring that its encryption capabilities exceed a minimum standard. Yesterday, the company announced that its web content delivery platform Amazon CloudFront had turned on Perfect Forward Secrecy, in addition to a number of changes designed ...

AI score: 7.3
Exploits: 0 | References: 4

ThreatPost
added 2014/08/21 12:15 p.m. | 9 views

New Facebook Internet Defense Prize Pays Out $50,000 Award

Large technology companies may already have bug bounty programs in place that reward researchers who attack and find holes in software or web platforms. Slowly, some are also starting to institute programs that pay for defensive measures. Facebook is the latest to do so with the implementation of...

AI score: 7.5
Exploits: 0 | References: 7

ThreatPost
added 2014/08/20 2:56 p.m. | 16 views

Bitcoin Phishing Scam Takes Aim at 400 Organizations

More than 400 organizations were recently targeted by a Bitcoin phishing campaign that intended to con users into disclosing their wallet passwords. According to Proofpoint, a California-based email security firm that recapped the campaign Wednesday, 12,000 messages were recently sent in two wave...

AI score: 7
Exploits: 0 | References: 6

ThreatPost
added 2014/08/20 1:59 p.m. | 46 views

Fake AV Defru Puts New Spin on Rogue AV

Rogue antivirus was once the scourge of the Internet, and while this sort of malware is not entirely extinct, it’s fallen out of favor among criminals as users have become more aware and security products have gotten better at blocking the threat. However, Daniel Chipiristeanu, ...

CVSS: 9.3 | AI score: 2.1 | EPSS: 0.99945
Exploits: 33 | References: 5

ThreatPost
added 2014/08/20 1:37 p.m. | 12 views

Heartbleed Exploit Linked to Community Health Data Breach

Update: The Heartbleed OpenSSL vulnerability is now the centerpiece of the Community Health Systems data breach. Dave Kennedy, CEO of security consultancy TrustedSec, said yesterday that three sources close to the CHS investigation told him that a Heartbleed exploit was the hackers’ initial way i...

AI score: 0.4
Exploits: 0 | References: 7

ThreatPost
added 2014/08/20 12:38 p.m. | 16 views

Tor Browser Hardening Features Under Scrutiny

Tor is a target like never before. The NSA has made no bones about its disdain for the anonymity network, and someone, allegedly researchers from Carnegie Mellon University, were recently on the network trying to de-anonymize users of its hidden services. All of this has prompted the keepers of T...

AI score: 0.6
Exploits: 0 | References: 6

ThreatPost
added 2014/08/19 3:01 p.m. | 13 views

U.S. Nuclear Regulator Hacked Three Times in Three Years

Hackers hit the U.S. Nuclear Regulatory Commission (NRC) three separate times during the past three years, duping employees of the agency into spreading malware and clicking through phishing links intended to harvest log-in credentials. A NextGov report on Monday said hackers in an unnamed foreign...

AI score: 6.9
Exploits: 0 | References: 4

ThreatPost
added 2014/08/19 1:00 p.m. | 14 views

Facebook Says 95 Percent of Notification Email Encrypted

All that’s missing from the organic encrypt the web movement seems to be a hashtag. Otherwise, no one can accuse major web providers of slacking as leading players such as Microsoft and Yahoo, prompted by the Snowden leaks, have made noteworthy leaps in the last 15 months to encrypt everything fr...

AI score: 0.2
Exploits: 0 | References: 8

ThreatPost
added 2014/08/19 10:29 a.m. | 20 views

Community Health Systems APT Data Breach Medical Espionage

At first blush, the Community Health Systems data breach by Chinese hackers seems to be an anomaly. State-sponsored attackers generally target intellectual property for the purposes of military or economic gain; stealing healthcare credentials and personal patient records seems incongruous. But...

AI score: 1.2
Exploits: 0 | References: 5

ThreatPost
added 2014/08/18 3:48 p.m. | 13 views

Pro-Syrian Malware Increasing in Number, Complexity

As the civil war in Syria continues, malware targeting those who oppose the embattled regime of Bashar al Assad is increasing in number, organization and sophistication according to a new report from Kaspersky Lab’s Global Research and Analysis Team. Most of the malware samples related to the...

AI score: 0.9
Exploits: 0 | References: 2

ThreatPost
added 2014/08/18 3:07 p.m. | 104 views

Microsoft to Fix Broken Patch Tuesday Security Update

Microsoft is still hammering away at a fix for a security update released last week that caused a small number of computers to crash and blue screen. “We are aware of some issues related to the recent updates and we are working on a fix,” a Microsoft representative today told Threatpost. MS14-045...

CVSS: 9.3 | AI score: 0.7 | EPSS: 0.99945
Exploits: 33 | References: 5

ThreatPost
added 2014/08/18 2:15 p.m. | 9 views

Siemens Patches DoS Vulnerability in SIMATIC S7

Siemens released an update for one of its automation systems late last week, patching a denial of service vulnerability in all versions of its SIMATIC S7-1500 CPU prior to V1.6. An advisory on the Industrial Control Systems Cyber Emergency Response Team’s (ICS-CERT) website warned about the...

AI score: 0.6
Exploits: 0 | References: 4

ThreatPost
added 2014/08/18 12:21 p.m. | 9 views

New Attack Binds Malware in Parallel to Software Downloads

In order to solve problems—problems such as intelligence agencies or hackers infecting open source software distribution systems with malware—one must first understand how problems may be exploited. Researchers from Ruhr University in Bochum, Germany, have developed a proof-of-concept attack in...

AI score: 7.6
Exploits: 0 | References: 1

ThreatPost
added 2014/08/15 1:27 p.m. | 15 views

Data Breach Exposes Customer Payment Card Information

Grocery giants Albertsons and SUPERVALU announced yesterday that a data breach may have exposed the credit and debit card information of an unknown number of its customers at various grocery store locations in more than 18 states. Behind Kroger’s, Albertsons is the second largest grocery store...

AI score: 0.9
Exploits: 0 | References: 10

ThreatPost
added 2014/08/15 10:05 a.m. | 7 views

Cridex Malware Takes Lesson From GameOver Zeus

The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of t...

Exploits: 0 | References: 5

ThreatPost
added 2014/08/15 9:23 a.m. | 26 views

Google Pushes Chrome 36, Fixes 12 Issues

Google patched its Chrome browser this week, fixing 12 vulnerabilities, including both a serious information disclosure bug and a use-after-free vulnerability that could let users obtain potentially sensitive information and execute arbitrary code. French security researcher Antoine Delignat-Lava...

CVSS: 5 | AI score: 0.8 | EPSS: 0.01484
Exploits: 0 | References: 5

ThreatPost
added 2014/08/14 4:58 p.m. | 8 views

NewGOZ Gameover Zeus Botnet Rebuilds

It didn’t take long for an updated version of GameOver Zeus to make some headway in rebuilding itself. Research published today from Arbor Networks demonstrates that cybercriminals behind GameOver Zeus, which was taken down by law enforcement in early June, have renewed the botnet with at least...

AI score: 0.9
Exploits: 0 | References: 3

ThreatPost
added 2014/08/14 2:10 p.m. | 23 views

DEF CON SOHOpelessly Broken Router Hacking Contest

It’s becoming cliché to say it’s trivial to pop a small office or home router. Vendors are making it easy, since most are interested in cramming features such as print, file and media servers into these boxes and less so on basic security measures. Therefore, it sometimes helps to illustrate the...

AI score: 8.3
Exploits: 0 | References: 2

ThreatPost
added 2014/08/14 1:18 p.m. | 18 views

Google Adds Warnings About Deceptive Software to Safe Browsing Service

The Google Safe Browsing service has become an integral part of most of the major browsers, integrating malware alerts, warnings about malicious Web sites and suspicious content. The company has been expanding the capabilities of the service steadily over the last few years, and now Google is...

AI score: 1.5
Exploits: 0 | References: 3

ThreatPost
added 2014/08/14 10:02 a.m. | 19 views

Apple Patches Series of WebKit Flaws in Safari

Apple has released a new version of Safari that fixes seven security vulnerabilities, all of which are related to the WebKit framework in the browser. The advisory from Apple is typically bare-bones, with almost no information about the vulnerabilities fixed in Safari 6.1.6 and 7.0.6. Apple said...

AI score: 1.3
Exploits: 0 | References: 2

ThreatPost
added 2014/08/13 3:18 p.m. | 18 views

Study: Uyghur Remain in Crosshairs of Targeted Attacks

It’s no secret that activist groups supporting the Uyghur and other ethnic minorities living either in exile or in oppressed nations have been in the crosshairs of targeted attacks for years. Regimes use phishing emails, other social engineering tactics, and drive-by downloads to infect computer...

AI score: 7
Exploits: 0 | References: 4

ThreatPost
added 2014/08/13 1:35 p.m. | 12 views

Disqus Patches CSRF, Other Flaws in Plugin

Disqus, the maker of the popular community commenting plugin, has patched a handful of security flaws, including a CSRF bug. The vulnerabilities are present in all versions of the plugin up to 2.75. The most serious of the three vulnerabilities fixed in version 2.76 of the Disqus plugin is the CS...

AI score: 0.1
Exploits: 0 | References: 2

ThreatPost
added 2014/08/13 10:23 a.m. | 11 views

Google Tweaks Gmail to Help Limit Spam

Google is making a small, but potentially important, change to the way that Gmail handles some special characters in messages as a way to defeat a common tactic used by spammers to confuse recipients and trick them into opening emails. In the early days of email, getting junk messages into the...

AI score: 0.1
Exploits: 0 | References: 2

ThreatPost
added 2014/08/12 3:09 p.m. | 53 views

August 2014 Microsoft Patch Tuesday Security Bulletins

Microsoft today released its monthly Patch Tuesday Security Bulletins, and the top priority is another cumulative update for Internet Explorer; this one patches 26 vulnerabilities, including one that’s been publicly reported, Microsoft said, and is likely being exploited. All of them are rated...

CVSS: 9.3 | AI score: 1.7 | EPSS: 0.99945
Exploits: 33 | References: 15

ThreatPost
added 2014/08/12 2:01 p.m. | 14 views

Dennis Fisher and Mike Mimoso Wrap Up Black Hat and DEF CON 2014

Dennis Fisher and Mike Mimoso look back on the news from the last week in Las Vegas at Black Hat and DEF CON, including the Blackphone rooting, the Computrace research and the more upbeat mood at the conferences this year. Download: digitalunderground162.mp3 Music by Chris Gonsalves Image via Bla...

AI score: 1.9
Exploits: 0 | References: 3

ThreatPost
added 2014/08/12 12:44 p.m. | 28 views

August 2014 Adobe Patch Tuesday security updates

Adobe today released an out-of-band patch for a zero-day vulnerability in Adobe Reader and Acrobat that has been leveraged in targeted attacks. Kaspersky Lab Global Research and Analysis Team director Costin Raiu is credited with reporting the vulnerability. Details were not announced, but Raiu...

CVSS: 10 | AI score: 3 | EPSS: 0.22113
Exploits: 0 | References: 4

ThreatPost
added 2014/08/12 11:15 a.m. | 17 views

Authentication Bypass Bug Fixed in BlackBerry Z10

There’s a remotely exploitable authentication bypass vulnerability in the BlackBerry Z10 phone that affects the service that lets users share files with machines on a wireless network. The bug could allow an attacker to steal users’ personal data or hit them with targeted malware. The Z10 is one ...

AI score: 2.5
Exploits: 0 | References: 1

ThreatPost
added 2014/08/12 9:40 a.m. | 10 views

Blackphone DEF CON Vulnerabilities Difficult to Exploit

If ever there was a hacking story screaming for clarity, it’s the Blackphone saga that unfolded during DEF CON. First off, yes, the device was rooted by a researcher who goes by the handle Justin Case (@TeamandIRC on Twitter)—but not in five minutes as has been previously reported. Yes, it requires...

AI score: 7.5
Exploits: 0 | References: 6

Total number of security vulnerabilities: 15946