Crowdsourcing a Tool for Application Vulnerability Research
Pulling in security help on a project has traditionally meant either hiring more full-time help, or bringing in an outside consultant. Enterprises and vendors alike, however, are starting to really go outside the perimeter these days and are taking advantage of crowdsourcing. Given the paranoia i...
Luuuk Bank Fraud Campaign Nets €500K in One Week
A fraud campaign siphoned more than half a million dollars from a European bank over the course of a week earlier this year, researchers with Kaspersky Lab announced this week. The campaign, dubbed Luuuk, extracted €500,000 (roughly $679,700 USD) from 190 victims, mostly in Italy and Turkey, from...
Dramatic Drop in Vulnerable NTP Servers Used in DDoS Attacks
While patching of webservers vulnerable to the Heartbleed OpenSSL bug may have stalled, the same cannot be said about repairs to NTP servers that could be leveraged in devastating amplification attacks. A spate of distributed denial-of-service attacks (DDoS) tore through companies in January and...
AskMen Purportedly Compromised by Nuclear Pack Kit
Users who visit AskMen.com, a men’s entertainment and lifestyle portal, are being hit with malicious code, potentially stemming from the Nuclear Pack exploit kit, researchers announced today. When a user stumbles across the site – or a localized version (aus.askmen.com, etc.) of it – malicious code...
Kaspersky, Citizen Lab Uncover HackingTeam Mobile Malware
Controversial spyware commercially developed by Italy’s HackingTeam and sold to governments and law enforcement for the purpose of surveillance, has a global command and control infrastructure and for the first time, security experts have insight into how its mobile malware components work...
OpenSSL Heartbleed Patch Progress Slowing Two Months Later
It’s been more than two months since news broke of the Heartbleed vulnerability in OpenSSL, one of the Internet’s most widely deployed cryptographic libraries. In the days and weeks that followed the emergence of the bug, which affected an unknown but arguably vast swath of the Web, vendors were...
Threatpost News Wrap, June 23, 2014
Dennis Fisher and Mike Mimoso discuss the latest security news, including the possible fork of TrueCrypt, Microsoft’s new information sharing platform, the FBI’s cybercrime task force and the US team’s crushing tie with Portugal. Download: digitalunderground156.mp3 Music by Chris Gonsalves...
Google Announces its BoringSSL OpenSSL Fork
In the year-plus since surveillance, privacy and Snowden became part of the daily security conversation, technologies that safeguard online communication and commerce have become Job 1 for experts anxious to plug gaping flaws and shore up other usability deficiencies. OpenSSL is probably at the t...
Cisco Releases Open Source FNR Cipher
Cisco has released a new open-source block cipher called FNR that is designed for encrypting small chunks of data, such as MAC addresses or IP addresses. The cipher is still in the experimental stage, but Cisco has released the source code and a demo application. The company suggests that the new...
Microsoft Interflow Information-Sharing Platform Preview Open
Much like the Year of PKI that has never come to be, information sharing has been one of security’s more infamous non-starters. While successful in heavily siloed environments such as financial services, enterprises industry-wide are hesitant to share threat and security data for fear of losing a...
House Amendment Limits Funding for NSA Surveillance
The House of Representatives last night overwhelmingly passed an amendment to the Department of Defense Appropriations Act that would cut funding for two programs that grant intelligence agencies access to the private data and communications of U.S. citizens. The amendment shows that Congress is...
FBI, NYPD Form Financial Cybercrime Task Force
The FBI has formed a new cybercrime task force with the New York Police Department and the Metropolitan Transit Authority whose job will be to go after high-level financial cyber crimes, employing a model of interagency cooperation that the bureau and other federal law enforcement agencies have...
Supermicro IPMI BMCs plaintext passwords exposed
Much has been written about the insecurity of the IPMI protocol present inside embedded baseboard management controllers (BMCs). Serious vulnerabilities can be exploited to gain remote control over big servers running BMCs, in particular in hosting environments where the controllers help admins wit...
Google, Microsoft to Implement Mobile 'Kill Switch'
Google and Microsoft will incorporate remote kill switch features into the default builds of their respective mobile operating systems for the first time. Oddly enough, the announcement comes in a joint press release issued by New York Attorney General, Eric Schneiderman, and San Francisco Distri...
Research Project Pays People to Infect their Machines
It’s been well documented that people will give up their computer passwords for a piece of chocolate. But what would they be willing to give up for a dollar—or even a penny? Plenty as it turns out. Incentivized by a minimal amount of cash, computer users who took part in a study conducted by...
Possible TrueCrypt Fork in the Works
Although the developers behind the TrueCrypt encryption software have given up the ghost and decided to no longer maintain the application, interest in the project has never been higher. But, one of the developers says that a nascent effort to fork TrueCrypt is unlikely to succeed. Matthew Green,...
Hacker Puts Hosting Service Code Spaces Out of Business
Code Spaces, a code-hosting and software collaboration platform, has been put out of business by an attacker who deleted the company’s data and backups. Officials wrote a lengthy explanation and apology on the company’s website, promising to spend its current resources helping customers recover...
Hacker Exploits NAS Vulns to Mine $620K in Dogecoin
A hacker, well-versed in malware and exploit development, took advantage of vulnerabilities in Synology network attached storage boxes popular with home users to mine more than $600,000 worth of the digital currency Dogecoin. Researchers Pat Litke and David Shear of Dell SecureWorks’ Counter Thre...
FTC Asking DEF CON to Help Catch Robocallers
The United States Federal Trade Commission is sick and tired of illegal robocalling, and it’s hosting a contest this year at the DEF CON hacker conference in Las Vegas in an attempt to do something about it. The consumer protection agency’s weariness likely stems from the more than 150,000...
Researchers Dissect Spammers' Economic Ecosystem
A profitable spam campaign has three key elements—a reliable email list, filter-busting content, and a botnet for distribution—and each has been individually dissected and understood. But in order to adequately protect users from spam, which thrives in an established economic ecosystem, researche...
Flaws Found in USCIS RFID Card Production System
The system that’s used to produce RFID-enabled identification cards–including permanent resident IDs–by the United States Citizenship and Immigration Service has a number of serious security issues, according to a new report from the Office of the Inspector General at DHS. Among the issues the OI...
Belkin Patches Directory Traversal Bug in Wireless Router
There’s a serious security vulnerability in the Belkin N150 wireless router that can enable a remote, unauthenticated attacker to read any system file on a vulnerable router. The bug is a directory traversal vulnerability and the CERT/CC advisory says that all versions of the router that are...
Microsoft Malware Protection Engine Denial of Service Bug
Microsoft today released a security advisory alerting users of a serious vulnerability in the antimalware engine present in a number of security products, including Windows Defender, Forefront and others. The update will be automatically pushed down to the Microsoft Malware Protection Engine in t...
Asprox Malware Borrowing Stealth from APT Campaigns
Cybercriminals and advanced attackers are freely borrowing from one another’s repertoires to great success. The latest example involves spammers firing off up to a half-million email messages during limited campaign segments without triggering any detection alarms. Security company FireEye said t...
Android Root Access Vulnerability Affecting Most Devices
A recently disclosed vulnerability in version 3.14.5 of the Linux kernel is also present in most versions of Android and could give attackers the ability to acquire root access on affected devices. Researchers at Lacoon Mobile Security are calling the bug “TowelRoot,” because it is the very same...
AT&T Warns Customers of Data Breach
AT&T has notified some of its mobile customers that employees of one of its contractors accessed some customer information, including birth dates and Social Security numbers, in an effort to generate codes that could be used to unlock devices. The company did not specify how many customers were...
Ten Years Later, Cabir Worm's Place in History is Unique
It’s difficult to remember now–and seems quaint even if you can recall it–but there was a time in the not-so-distant past when industry analysts and security experts were worried about the coming mobile malware apocalypse. Self-replicating malware would soon be flooding our phones, deleting our...
Hackers Breach Dominos France, Demand Ransom Payment
A group of hackers calling itself ‘Rex Mundi’ claims it has breached vulnerable servers belonging to Domino’s France and Belgium, stealing the sensitive information of nearly 600,000 customers. The group is demanding a payment of €30,000 from Domino’s in exchange for information about the...
Dyreza Banker Trojan Seen Bypassing SSL
Banker Trojans have proven to be reliable and effective tools for attackers interested in quietly stealing large amounts of money from unwitting victims. Zeus, Carberp and many others have made piles of money for their creators and the attackers who use them, and researchers have been looking at ...
SSL Pulse Scans Quantify Vulnerable OpenSSL Servers
Certain mitigating factors made the recent OpenSSL man-in-the-middle vulnerability a notch or two below Heartbleed in terms of criticality. With that in consideration, it’s probably no surprise that patching levels for CVE-2014-0224 aren’t as high out of the gate as they were for Heartbleed. Ivan...
Microsoft Privacy Policy Promises No Targeted Advertisements
In a series of revisions to its services agreement, Microsoft says it will not scan the contents of its users’ files nor will it monitor their communications in order to target advertising based on perceived customer interests. The move is a dramatic one when contrasted with many of the Redmond,...
ISC Patches Critical DoS Vulnerability in BIND
A critical, remotely exploitable bug in some BIND domain name system (DNS) servers could cause a denial of service situation and trigger them to crash. The defect lies in the extension mechanisms for DNS (EDNS) specification, the Internet Systems Consortium, which performs upkeep on the system,...
U.S. Marshals Auctioning Off Seized Silk Road Bitcoins
If any further evidence was required that up is down and black is white, the United States government is now in the business of selling Bitcoins. At least for one day. The U.S. Marshals Service is planning to hold a one-day auction on June 27 to sell nearly 30,000 Bitcoins the government seized i...
Google Play App Permissions Privacy, Security Concerns
Google’s revamped app permissions for Google Play are not being well received by Android users. Reddit threads are rife with adjectives such as “stupid” and “dangerous,” primarily because Google’s attempt to simplify permissions granted to automatically updated applications may in fact expose use...
Versatility of Zeus Framework Encourages Criminal Innovation
A new report on the Zeus trojan’s evolution shows that the malware was moved from harvesting online banking credentials to controlling botnets and launching distributed denial of service attacks, and attributes the evolution to the highly customized and incredibly versatile framework Zeus is today...
Facebook Set to Let Users Edit Own Advertising Info
Facebook announced today it will soon be rolling out a new feature to give users more control when it comes to the types of advertisements they see on the site. If users are tired of getting barraged with ads for shoes, video games or discount plane tickets, they’ll not only be able to stop the...
Austrian Teen Ground Zero Of TweetDeck Hack
The last 24 hours have been a sad, scary and frustrating time for a 19-year-old aspiring programmer in Austria who found himself smack in the middle of Wednesday’s TweetDeck mess—all because of a Unicode heart. Twitter’s real-time account dashboard was taken down for a brief time yesterday befor...
VMware Patches ESXi Against OpenSSL Flaw, But Many Other Products Still Vulnerable
While the group of vulnerabilities that the OpenSSL Project patched last week hasn’t grown into the kind of mess that the Heartbleed flaw did, the vulnerabilities still affect a huge range of products. Vendors are still making their way through the patching process, and VMware has released an...
TweetDeck Taken Down in Wake of XSS Attacks
TweetDeck services have been disabled for the time being as Twitter tries to get a handle on a cross-site scripting vulnerability that caused mountains of consternation on the social networking platform this morning. We've temporarily taken TweetDeck services down to assess today's earlier securi...
Google Patches Gmail Token Vulnerability
Google has patched a vulnerability that exposes an indefinite number of Gmail addresses, a potential gold mine for phishing and advanced attacks. Researcher Oren Hafif of Israel disclosed details on how he was able to abuse a token exposed in a URL in order to reveal every Gmail address. His work...
DDoS Attacks Take Down Evernote, Feedly
UPDATED — News aggregator Feedly is still offline Thursday as it continues to battle a series of distributed denial of service attacks that’s kept the service down for two consecutive days. The site was able to get back online shortly after 3 p.m. Wednesday after it neutralized the first DDoS attack...
Mozilla Patches Seven Flaws in Firefox 30
Mozilla has fixed seven security vulnerabilities in Firefox 30, including five critical flaws that could enable remote code execution. Firefox 30 is a relatively minor release of the popular browser, with the most notable change being the addition of a sidebar button that allows users to quickly...
Alleged Oleg Pliss iPhone Hackers Arrested in Russia
The hackers behind last month’s iPhone ransomware campaign – in which many users were asked to pay $100 to unlock their devices – may be behind bars now. A press release on the Russian Interior Ministry’s website yesterday claims two men were recently arrested for the “blocking of Apple devices t...
June 2014 Microsoft Patch Tuesday security updates
As expected, Microsoft delivered a patch today for a zero-day vulnerability in Internet Explorer 8 that was disclosed by HP’s Zero Day Initiative three weeks ago, six months after it was reported to the ZDI. The IE8 patch, MS14-035, is included in a cumulative Internet Explorer rollup that patche...
Audit Project Released Verified Repositories of TrueCrypt 7.1a
As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software a...
China Putter Panda APT Attacks Linked to PLA Unit 61486
With indictments still fresh against a handful of Chinese nationals accused of hacking American companies and stealing intellectual property, another branch of the People’s Liberation Army and allegedly one of its officers have been outed for cyberespionage against U.S. and European aerospace and...
Cisco Patches XSS Flaw in Security Appliances
There’s a reflected cross-site scripting vulnerability in a variety of Cisco security appliances that enables a remote, unauthenticated attacker to execute arbitrary code in the context of the user. The vulnerability affects the Cisco Email Security Appliance, the Cisco Web Security Appliance and...
New Pandemiya Banking Trojan Written From Scratch
Brand new, written-from-scratch malware is a relatively rare undertaking on the underground. Aside from some private endeavors, source code is available for a number of popular Trojans, including Zeus, Citadel and Carberp, making it easy for attackers to simply grab one off the shelf and get...
Red Button Attack Could Compromise Smart TVs
A vulnerability in an emerging interactive television standard could expose smart TVs to untraceable drive-by hacking attacks that could steal personal information and wreak havoc on televisions and anything connected to them. The feature, HbbTV (Hybrid Broadcast Broadband Television), was introduc...
RIG Exploit Kit Pushing Cryptowall Ransomware
With Cryptolocker quite possibly on its way to becoming yesterday’s ransomware news after the successful takedown of part of its distribution infrastructure, alternatives are already available. Cryptowall is the latest to grab some attention and traction on victimized computers. Cisco reported on...