Millions of PCs Affected by Mysterious Computrace Backdoor
UPDATE: A previous version of this story incorrectly stated that Anibal Sacco works for Core Security. Sacco left Core Security last year to start Cubica Labs. LAS VEGAS – Nearly every PC has an anti-theft product called Computrace embedded in its BIOS PCI Optional ROM or its unified extensible...
Embedded Device Security, BadUSB, Car Hacking at Black Hat
LAS VEGAS — At the risk of diving headfirst into the Internet of Things fray, embedded device security emerged as a shiny new penny during last week’s Black Hat and DEF CON festivities. Firmware is the new hacker black, and everything from USB sticks, to home routers, to automobiles is in play fo...
Square Launches Bug Bounty, Hires Top Security Researcher
The bug bounty phenomenon began mainly with major software vendors and security companies, which were the main targets for security researchers and attackers. But it is now moving to virtually every corner of the Web and software ecosystem, and the latest company to join the party is Square, the...
Google Moves to Boost Search Ranking For HTTPS Sites
In the last couple of years, Google has been making a series of changes to its Web infrastructure to employ encryption more widely and help defeat active attackers. Much of this has gone on in the background, with the company securing the links between its data centers and making other...
Podcast: Black Hat News Wrap, Day Two
Dennis Fisher, Mike Mimoso and Brian Donohue discuss the news from day two of Black Hat, including a CryptoLocker working group, a medical device security and privacy roundtable and overview of the various security and privacy improvements at Yahoo over the last year. Image via Black Hat USA 2014...
IE to Block Older ActiveX Controls, Starting with Java
Next week’s Microsoft Patch Tuesday security bulletins will not only bring nine new security bulletins but also an update to Internet Explorer that blocks outdated ActiveX controls, starting with Java. Notifications will flag the older ActiveX controls and users will have the option to update the...
Black Hat News Wrap Podcast
Dennis Fisher, Mike Mimoso and Brian Donohue discuss the news from day one of Black Hat, including the Dan Geer keynote, attacks on mobile broadband modems and carriers’ control of mobile phones. Download: Black-Hat-Day-One-Podcast.mp3 Music by Chris Gonsalves...
Connected Medical Devices Increase Risk and Safety
LAS VEGAS – A few years ago the media was inundated with reports that former Vice President Dick Cheney had his pacemaker removed and replaced with a custom, presumably less connected one. The assumed reason for that procedure was to minimize the risk Cheney is exposed to in a world where it is...
Expert Warns of Chip-and-PIN Pitfalls
LAS VEGAS – The inevitable changeover from magnetic strip-based payment cards to EMV, or chip-and-PIN, is coming for consumers and merchants in the United States. And coming along with it are a raft of weaknesses and real-world attacks that shoot holes in the presumption that EMV will remedy cred...
Yahoo to Release End-to-End Encryption for Email Users
LAS VEGAS–Yahoo plans to enable end-to-end encryption for all of its Mail users next year. The company is working with Google on the project and the encryption will be mostly transparent for users, making it as simple as possible to use. Alex Stamos, CISO at Yahoo, said that the project has been ...
Behind the CryptoLocker Disruption
LAS VEGAS–The takedown of the GameOver Zeus malware operation in June got more than its share of attention, but it was the concurrent demolition of the CryptoLocker ransomware infrastructure that may prove to have been the most important part of the operation. That outcome was the culmination of...
Wendy Nather on the Black Hat Buzz
Dennis Fisher talks with Wendy Nather of 451 Research about the happenings on day one of Black Hat, the possibility of the US government disrupting the vulnerability market and software liability. Download: Wendy-Nather-on-the-Black-Hat-Buzz.mp3...
Epic Operation Kicks Off Multistage Turla APT Campaign
The Turla APT campaign has baffled researchers for months as to how its victims are compromised. Peaking during the first two months of the year, Turla has targeted municipal governments, embassies, militaries and other high-value targets worldwide, with particular concentrations in the Middle Ea...
Legal Line Between Security Research, Cybercrime Murky
LAS VEGAS — In his keynote address at Black Hat Wednesday, Dan Geer, the CISO of In-Q-Tel and a respected security luminary noted that the industry has never been closer to the forefront of corporate and government policy decision making. Despite this, security research remains a dangerous busine...
Oracle Database Redaction 'Trivial to Bypass'
LAS VEGAS–David Litchfield for many years was one of the top bug hunters in the game and specialized in causing large-scale headaches for Oracle. When he decided to retire and go scuba diving, there likely were few tears shed in Redwood City. Litchfield recently decided to resurface, which is goo...
Car Hacking Enters Remote Exploitation Phase at Black Hat
LAS VEGAS – Charlie Miller and Chris Valasek have proven to be adept backseat drivers. Noted for their car-hacking exploits, Miller and Valasek have gained fame at hacking conferences and on Fox News for forcing automobiles to do their bidding. However, until today’s talk at the Black Hat 2014...
Mobile Carrier Controls Exploitable on a Massive Scale
LAS VEGAS – Device manufacturers and service providers quietly maintain a pervasive level of remote control over the devices they sell to consumers so they can push over-the-air (OTA) updates for a variety of reasons, but problematically one popular product that enables this type of control is poor...
Mobile Broadband Modems Seen as Easy Targets for Attackers
LAS VEGAS–Mobile broadband modems can be a great alternative if you can’t find a WiFi network or don’t trust the ones you can find. But many of the models sold by the major manufacturers contain bugs and functionality that a remote attacker can exploit without much difficulty. Much of the market...
Dan Geer: Security at the Forefront of Policy Decisions
LAS VEGAS – Dan Geer carried his version of computer security’s Ten Commandments to a rapt Black Hat 2014 audience today, offering up 10 personal recommendations and observations related to the current state of security in the context of government surveillance and eroding privacy. Adorned in...
Another Bypass Identified in PayPal 2FA
A security researcher has uncovered a simple method for bypassing the two-factor authentication mechanism that PayPal uses to protect accounts that are tied to eBay accounts. The vulnerability is related to the way that the login flow works when a user is prompted to connect her eBay account to h...
Call Center Phone Fraud for Fun at Profit at Black Hat
Reconnaissance in the context of targeted attacks usually involves scouring freely available online resources such as social media and developer forums. Personal information willfully posted to these sites are clues a hacker can use to build a profile on a target, map systems and network...
Podcast: Threatpost Previews Black Hat 2014
In this special edition of the Digital Underground Podcast, Dennis Fisher interviews fellow Threatpost editor Mike Mimoso and also Threatpost reporter Brian Donohue about the Black Hat security conference, which begins this week in Las Vegas. Topics of discussion include Chris Valasek and Charlie...
In the Wake of the Snowden Revelations, A Wave of Innovation
It was an absurd scene. Keith Alexander, the director of the NSA and a four-star general in the Army, stood alone on the stage, squinting through the floodlights as members of the standing-room-only crowd shouted insults and accusations. Armed men in dark suits roamed the area in front of the...
Samba Patches Heap Overflow Bug in Current Versions
The keepers of Samba, an open source software package that provides Windows operability for Linux and UNIX systems, have patched a serious heap overflow vulnerability in all 4.x.x versions of the software. The bug was in the nmbd NetBIOS name services daemon, and a hacker exploiting the flaw coul...
IcoScript RAT Malware Communicates Via Yahoo! Mail
A new remote administration Trojan (RAT) receives command and control instructions through Yahoo Mail, and could be easily modified to communicate with its authors through Gmail or other popular webmail providers. This new RAT’s significance stems primarily from its ability to elude the notice of...
Twitter 'Weighing Legal Options' On Publishing National Security Requests Data
Twitter officials are pushing the United States government for more freedom to publish specific numbers about national security information requests, and said the company is considering its legal options if the government doesn’t allow more data to be made public. In its latest transparency repor...
Mozilla MDN Password Disclosure Affects 76,000 Developers
Some members of the Mozilla Developer Network are being advised to change their passwords after email addresses and encrypted credentials were disclosed on a public server. Mozilla director of developer relations Stormy Peters said the organization has been investigating the disclosure for 10 day...
Vulnerability Fixed in Subnet Solutions SCADA Server
A hole has been fixed in a popular industrial control system data management server that if left unpatched, could result in a remotely exploitable denial of service condition. Subnet Solutions, Inc., a Canadian manufacturer of electric utility products, fixed the vulnerability – along with anothe...
Citadel Variant Opens Backdoor After Malware is Removed
When hackers have compromised a valuable computer, maintaining persistence on that machine is the key to maintaining access to its resources and stored assets. A new variant of the Citadel banking malware has been discovered that comes with a feature that allows the attacker to leverage remote...
Twitter Gains Team From Mitro Password Management Company
Twitter has announced that a cloud-based password management company called Mitro has joined the Twitter team, and all of Mitro’s code is now free and open source. Mitro’s offering a secure password manager that’s meant to help distributed teams share passwords for accounts and services. The...
New Backoff PoS Malware Identified in Several Attacks
A new breed of point-of-sale malware has been found in several recent attacks, and experts say that the tool, known as Backoff, has extensive data stealing and exfiltration capabilities, including keylogging, memory scraping and injection into running processes. The Backoff malware doesn’t...
Microsoft Releases EMET 5.0 Exploit Mitigation Tool
The latest version of Microsoft’s freely available stopgap against zero-day exploits was released today with two new exploit mitigations and a batch of new configuration options. The update to Microsoft’s Enhanced Mitigation Experience Tool kit, or EMET, comes six months after a technical preview...
New GameOver Zeus Botnet Malware Variant Surfaces
The GameOver Zeus takedown was trumpeted as a victory against cybercrime, and for all its success, even those involved understood it was likely a temporary win. Researchers at Seculert have spotted a new variant of GameOver Zeus that has spurned previous versions’ peer-to-peer communication...
Crouching Yeti APT Campaign Stretches Back Four Years
A new analysis of a long-term APT campaign targeting manufacturers, industrial, pharmaceutical, construction and IT companies in several countries has uncovered fresh details of the attack, including identification of nearly 3,000 victims and the unmasking of the command-and-control infrastructur...
Black Hat 2014: Multipath TCP Introduces Security Blind Spot
If multipath TCP is the next big thing to bring resilience and efficiency to networking, then there are some serious security issues to address before it goes mainstream. MPTCP is an extension to the Internet’s primary communication protocol. It allows a TCP session to move over multiple...
ICS-CERT Warns of Flaw in Innominate mGuard Secure Cloud Product
The ICS-CERT is warning users about a vulnerability in a secure public cloud product from Innominate that enables an attacker to gain valuable configuration data about a target system, information that could be used in future attacks. The vulnerability is an information disclosure bug in the...
Poor Crypto on Instagram Mobile Apps Allow Man-in-the-Middle
Two unrelated researchers this week disclosed a similar session hijack bug in the Instagram mobile applications for Android and iOS. Facebook has reportedly acknowledged the problem, which arose from a failure to fully encrypt all data traffic on the service, but the world’s largest social networ...
Canada NRC Hit by Apparent Chinese Cyber Attack
One of Canada’s premier research and technology organizations was hit with a cyber-attack recently that forced the cooperative offline; the attack – which appears to be Chinese in origin – was so serious the organization is being forced to rebuild its entire system. The National Research Council ...
Tor hidden services attacks deanonymize users
UPDATE: For a little more than six months, attackers were on the Tor network trying to deanonymize users who operate or use Tor hidden services. Tor issued a security advisory this morning warning users who operated or accessed hidden services between Jan. 30 and July 4 that they were likely...
Trio of Flaws Fixed in Facebook Android App
Facebook has fixed a vulnerability in its Android app that could allow an attacker to cause a denial-of-service condition on a device or run up the victim’s mobile bill by transferring large amounts of data to and from the device. The flaw lies in the way that the Facebook app handles HTTP requests. T...
seL4 Secure Microkernel Made Open Source
General Dynamics C4 Systems and Australia’s Information and Communications Technology Research Centre (NICTA) today open sourced the code-base of a secure microkernel project known as seL4. Touted as “the most trustworthy general purpose microkernel in the world,” seL4 has previously been adapted b...
NOAA, Satellite Data, Riddled with Vulnerabilities
The informational systems that the National Oceanic and Atmospheric Administration (NOAA) runs are fraught with vulnerabilities and what the U.S. Department of Commerce deems “significant security deficiencies” that could leave it vulnerable to cyber attacks. That’s according to the findings of an...
New Signal App Brings Encrypted Calling to iPhone
iPhone users concerned about government surveillance efforts putting unencrypted calls at risk now have a free app at their disposal that brings secure communication to the Apple phone. Open WhisperSystems, developers of RedPhone for Android, have developed a similar app for iPhone called Signal,...
Leahy Introduces Bill to End Bulk Call Record Collection
Sen. Patrick Leahy has introduced an updated, tougher version of the USA FREEDOM Act that would end the bulk collection of data under Section 215 of FISA and also would require the appointment of a panel of special legal advocates who would represent the interests of individual privacy and civil...
Georgia Tech Releases BlackForest Threat Intelligence Tool
Enterprises longing for an automated system that sends up a smoke signal that attackers may be planning a move against a particular organization or are promoting a new tool that targets companies in a specific industry may have had their wish come true. Georgia Tech Research Institute has release...
Consumer Groups Urge FTC to Halt Facebook Data Collection Program
A collection of privacy and consumer groups from the United States and Europe has asked the Federal Trade Commission to force Facebook to suspend a recently installed program that mines information on sites that users’ visit around the Web in order to serve them interest-based ads. The groups say...
Critical Android FakeID Bug Allows Attackers to Impersonate Trusted Apps
There is a critical vulnerability in millions of Android devices that allows a malicious app to impersonate a trusted application in a transparent way, enabling an attacker to take a number of actions, including inserting malicious code into a legitimate app or even take complete control of an...
Israeli Defense Firms Hacked For 10-Month Span
Detailed schematics for a particular type of anti-ballistic missile, information about rockets, and pages upon pages of other mechanical documents were allegedly stolen from a trio of Israeli defense contractors between 2011 and 2012, it was revealed today. A Maryland-based threat intelligence fi...
DEF CON SOHOpelessly Broken Wireless Router Hacking Contest
Home and small office wireless routers are feature-rich networking devices, providing consumers and mom-and-pop shops with much more than an Internet gateway. Some, for example, have a print server function, while others store personal files—and very few are secure out of the box. Hackers and...
Harnessing the Power of an Android Cluster for Security Research
When the topic of mobile security comes up, users and researchers often discuss Android as if it’s one monolithic operating system like iOS is. But the fact is that there are nearly as many versions of Android as there are Android devices, which has led to plenty of confusion when it’s time to fi...