Executive Agencies Pass on New Cybersecurity Regulations
Three Executive Branch federal agencies crucial to critical infrastructure protection will be allowed to continue to voluntarily assess cyber risk, rather than force the development and implementation of additional regulations. The White House yesterday released its conclusions as they relate to...
Threatpost News Wrap, May 23, 2014
Dennis Fisher and Mike Mimoso discuss the US indictments of Chinese army officers for hacking, the Blackshades malware arrests, the new IE 8 zero day and the US prospects in the World Cup. Download: digitalunderground154.mp3 Music by Chris Gonsalves...
May 2014 Apple Safari Browser Security Patches
Apple released an update to Safari yesterday patching 22 vulnerabilities in the WebKit browser engine that allow code execution or a browser crash. Safari 7.0.4 is available for OS X Mavericks 10.9 and Safari 6.1.4 for OS X Mountain Lion 10.8. The vulnerabilities could be exploited if the user wa...
Android Outlook App Could Expose Emails, Attachments
There are two issues with the way Microsoft’s Outlook application encrypts content on older versions of Android that could expose users’ emails and email attachments. Paolo Soto, a researcher with the security firm Include Security, said his team initially dug up the vulnerabilities in November...
eBay Password Database Hack Raises Questions
As is the case with most high-profile data breaches, despite an initial disclosure of information, more questions are inevitable. The eBay password database hack is a prime example. Inquiring minds still want to know more about how the stolen passwords are secured and why the online auction house...
Microsoft Working on Patch for IE 8 Zero Day
UPDATE–Microsoft officials say they’re well aware of the Internet Explorer 8 zero day disclosed Wednesday by the Zero Day Initiative and have been working on a fix for it. However, there’s no stated timeline for releasing that patch. The vulnerability in IE 8 is a use-after-free bug in the way th...
Adobe to Patch Vulnerable Flash Player in Shockwave
It’s bad enough that the Flash runtime bundled with Adobe’s Shockwave player is deficient in security patches going back to January 2013, but what’s worse is that the increased attack surface provided by Shockwave might make it easier to exploit. And, in the bargain, Adobe has known about the iss...
Better Security, 'Progressive Encryption' in Silent Text 2.0
Silent Circle has released a new version of its private text messaging and secure file transfer service for Android and iOS mobile devices. Silent Text 2.0 includes a number of security and user-interface upgrades. The company claims this version eliminates a keying delay issue that existed in...
Chip and PIN EMV Protocol security vulnerabilities found
Chip-and-PIN payment cards are coming to the United States after a long head start as a standard card-present payment method in Europe and Asia. Already, retailer Target accelerated its plan to move its branded debit and credit cards to chip-and-PIN, also known as EMV Europay, MasterCard and Visa...
Samsung Eyeing Iris Recognition for New Phones
Samsung announced this week that in order to bolster security, it plans to incorporate biometric sensors such as eye scanners into more of its products – even its low-end devices – in the near future. The move would bring an added layer of security to its devices and could wind up tying into in t...
Another Internet Explorer Zero Day Surfaces
Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. The vulnerability was discovered and disclosed to Microsoft in October, but...
VUPEN Discloses Details of Patched Firefox Pwn2Own Zero-Days
Contestants at this year’s Pwn2Own contest made no bones about it: they were going after browsers and as it turned out, Firefox had the biggest target on its back. Mozilla’s popular browser was popped four times during the Canadian hacker festival accounting for a quarter of the $800,000-plus in...
eBay Compromised in Data Breach, Urges Password Change
The online retail and auction giant eBay will be asking its customers to change their passwords later today because of a cyberattack that compromised a server containing encrypted passwords and other non-financial information. The company says it does not believe that there has been any...
ICS-CERT Confirms Public Utility Compromised Recently
Attackers recently compromised a utility in the United States through an Internet-connected system that gave the attackers access to the utility’s internal control system network. The utility, which has not been named, had remote access enabled on some of its Internet-connected hosts and the...
Trustwave Global Security Report: Breach Containment Better
For all that gets written about how poorly organizations have responded to data breaches as of late, believe it or not, one new study has deduced that companies are getting better. Almost three quarters of victims who sustained a compromise last year were able to contain it within 10 days. The st...
Chrome 35 Fixes 23 Security Flaws
Google has fixed 23 security vulnerabilities in Chrome, including three high-risk flaws, and handed out $9,500 in rewards to researchers. Among the vulnerabilities that the company fixed in Chrome 35 are use-after-free flaws and an integer overflow, all of which are rated high. Google didn’t...
Privileged User Access Lacking Trust But Verify
Jerome Kerviel, Terry Childs, Edward Snowden: All infamous insiders; all reviled to differing degrees for abusing their access to computer-based resources. And likely, all of them could have been stopped if their respective employers had a better grasp on what these privileged users were doing. N...
The U.S., China and Glass Houses
That was quite a show the government put on Monday. The dramatic press conference featuring Attorney General Eric Holder, the coordinated press leaks ahead of the announcement, the strong statements about the sanctity of American commerce and how the United States will prosecute those who conduct...
Blackshades RAT Takedown Leads to 90 Arrests
More than 90 arrests have been made in connection with development and sales of a remote access Trojan used worldwide to steal data and spy on victims, including Syrian dissidents. The FBI and the Manhattan U.S. Attorney’s office yesterday announced the takedown of the Blackshades operation...
XMPP Mandating Encryption on Messaging Service Operators
Beginning today, the operators of instant messaging services that rely on the extensible messaging and presence protocol (XMPP) are expected to deploy encryption into the platforms they maintain. The XMPP Standard Foundation (XSF) announced today that a large number of services on the public XMPP...
Malvertising Redirecting to Angler EK, Silverlight Exploits
The fact that Netflix accounts for one-third of Internet traffic during peak evening hours, and that it runs on the Microsoft Silverlight platform, is just too tempting a combination for hackers to pass up. For the second time in six months, criminal hacker groups are zeroing in on Silverlight...
Facebook CSRF Tokens in Heavy Rotation to Ward off BREACH
The BREACH attack was the talk of Black Hat last summer. It was disclosed less than two months after the first Snowden leaks and helped renew focus on the security of online communication and the protocols guarding ecommerce and messaging. What BREACH did was throw a wrench into cross-site reques...
U.S. Indicts Five Chinese Army Officers for Alleged Cyberespionage Operations
The United States government on Monday made an unprecedented move in its efforts to combat cyberespionage operations against American companies, efforts that until now had mainly consisted of strongly worded statements and diplomacy. The Department of Justice indicted five officers of the Chinese...
Retailers Form ISAC to Share Threat Data
From the beginning of the cybercrime epidemic, retailers have been among the most frequent targets, and the last year has seen some of the larger compromises in history. The Target data breach is at the top of that list, involving more than 100 million customers, and after years of increasingly...
SNMP Public Community String Zero Day in Routers Disclosed
Researchers have discovered previously unreported problems in SNMP on embedded devices where devices such as secondary market home routers and a popular enterprise-grade load balancer are leaking authentication details in plain text. The data could be extracted by gaining access to the read-only...
PayPal Fixes Serious Account Hijacking Bug in Manager
PayPal patched a hole in its Manager portal this week that could have made it easy for an attacker to hijack an admin’s account, change their password and steal their personal information — not to mention their savings. Manager is a feature of the service that allows users to manage their Payflow...
EFF Who Has Your Back Privacy Report Hails Apple, Yahoo
Technology companies have responded to the challenge to privacy and civil liberties unearthed by the Snowden leaks with a determined effort to increase transparency around government requests for user data. Some have done a better job than others. Large ISPs such as AT&T, Verizon and Comcast...
Critical Infrastructure Continues to Patch Heartbleed
Unified Automation issued a security advisory warning that its OPC UA software developers kit (SDK) for Windows contains the OpenSSL cryptography library that is vulnerable to Heartbleed. Schneider Electric, another industrial control system (ICS) manufacturer, posted its own advisory with mitigation...
Apple Releases OS X 10.9.3, Fixes Serious Flaw in iTunes
Apple has released a new version of OS X Mavericks, which includes all of the security fixes it pushed out last month. OS X 10.9.3 includes the patches for the so-called triple handshake SSL vulnerability, as well as fixes for several remote code-execution vulnerabilities. The company also releas...
Al Qaeda Homegrown Encryption Likely Aids NSA Intelligence
Terrorist organization Al Qaeda has reportedly stepped up its development of homegrown encryption technology since the Edward Snowden leaks began last June. The question puzzling some security experts is: Why? “This is hard, and the odds they are doing it correctly are low,” said cryptographer an...
IETF To Mitigate Pervasive Monitoring In Future Protocols
The Internet Engineering Task Force (IETF) has defined pervasive monitoring, otherwise known as unwarranted surveillance and analysis of Internet traffic and even the subversion of cryptographic keys, as an attack and wants future versions of IETF-sponsored protocols to be designed to mitigate it...
Five Year Old Security Vulnerability Patched in Linux Kernel
A serious and reportedly five-year-old bug in the Linux kernel could give attackers the ability to run malicious code or, at the very least, cause crashes on a variety of affected systems. Some, though not necessarily all, Linux distributions would be vulnerable without installing the patch. What...
The Emerging Threat to Satellite Communications
DUBAI–When new technologies or platforms emerge, they tend to follow a familiar trajectory in terms of security. The evolution typically goes through something like the following stages: Hey, look what we built; huh, no, we didn’t think about that problem; we’re very serious about security; ok, n...
Google Fixes Three Critical Vulnerabilities in Chrome
UPDATE: An earlier version of this story included the incorrect version of Chrome. Google yesterday released a stable channel update for Chrome, paying some $4,500 worth of bug bounties, and fixing three highly rated security vulnerabilities in the Windows, Mac, and Linux versions of its popular...
Zeus Peer to Peer Trojan Hits Banks in 10 New Countries
The Zeus financial malware may be old, but it’s hardly slowing down. The peer-to-peer version of the prolific Trojan was especially busy in the first quarter with infections reported by banks in 10 countries that previously had eluded Zeus’ reach. CSIS Security of Denmark said the gang behind Zeu...
Microsoft Giving .NET Users The Option to Shed RC4
Microsoft didn’t beat around the bush when it warned customers to stay away from the deprecated RC4 algorithm last fall. Now it’s giving those who use its .NET software framework an option to disable the cipher in Transport Layer Security (TLS) as well. In a security advisory issued on its Security...
NSF Awards $15m for New Secure Internet Architecture
The National Science Foundation (NSF) is awarding $15 million in grants for the development, deployment and testing of future Internet architectures that are designed to enhance security, respond to emerging service challenges, and increase scalability. In 2010, the NSF Directorate for Computer and...
Buffer Overflows Patched in Yokogawa Control System Products
Patches for critical vulnerabilities in production control system software built by Yokogawa Electric Corp. of Japan are available, according to an advisory issued Tuesday by the Industrial Control System Cyber Emergency Response Team (ICS-CERT). The advisory warns that there are publicly available...
Mozilla Asks CAs for Details on Subordinate Certificate Controls
Mozilla has warned certificate authorities included in its root CA Certificate Program that they only have a few weeks left to comply with the company’s new policy, which requires CAs to adhere to the CA/Browser Forum Baseline Requirements and provide proof of audits of their subordinate...
May 2014 Microsoft Patch Tuesday Security Updates
As expected, Microsoft today pushed its largest batch of Patch Tuesday updates so far this year – eight bulletins, two critical – addressing 13 issues in Internet Explorer and Sharepoint Server, along with Windows, Office and its .NET Framework. The first critical issue that involves IE...
BlackBerry Updates Products Affected by Heartbleed
BlackBerry issued an advisory today that updates are available for all of its products affected by the Heartbleed OpenSSL vulnerability. The mobile device maker said that it is not aware of any exploits targeting BlackBerry products. BlackBerry Messenger (BBM) for Android and iPhone, as well as...
Iranian Hackers Target US Defense Contractors
An Iranian hacking group has moved from politically motivated website defacements to a new specialty – cyberespionage. The group known as the Ajax Security Team has been outed as the perpetrators of a number of espionage operations against U.S.-based defense contractors in addition to targeting...
SMTP STARTTLS Deployments Better than Expected
As more service providers understand and embrace the importance of encrypting online communication, certain technologies are being elevated to the forefront of conversations. Perfect Forward Secrecy and HTTP Strict Transport Security (HSTS) are two that generally top most lists, but another, SMTP...
Bitly Developing Two Factor Authentication Following Compromise
The link-shortening service Bitly announced late last week that it’s ramping up its development of two-factor authentication following a compromise that leaked user information on Thursday. The breach, first discovered Thursday morning, spilled users’ email addresses, encrypted salted and hashed...
PointDNS Recovers from Massive DDoS Attack
PointDNS says most of its DNS servers are online again after a massive DDoS attack late last week took down the service provider. A post on the company’s Twitter account on Friday said the provider was adding nameservers and working with network providers to restore service to its customers. Many...
Regulators Planning Cybersecurity Assessments for Banks
A government agency in charge of developing standards for the nation’s banks announced last week that it will work harder to try to identify vulnerabilities in smaller community banks and that it’s planning to better raise awareness when it comes to cyber threats. The Federal Financial Institutio...
Research Quantifies Forged SSL Certificates in the Wild
An attacker with a forged SSL certificate is quite the Internet villain these days, be he a criminal or government spy. In possession of such a cert, an attacker can easily decrypt and monitor traffic, steal credentials and other sensitive information from a network. And with sensitivity over...
Points of Sale Poorly Secured, Facing Sophisticated Attacks
The point-of-sale (PoS) systems on which financial transactions are conducted at nearly every physical retail location in the U.S. and beyond are fast becoming a favorite target for sophisticated criminal organizations as well as standalone attackers. The emergence of this trend is unsurprising...
IBM Patches Predictable Output Problem in SecureRandom PRNG
Details have surfaced on a recently patched vulnerability in IBM’s SecureRandom pseudo-random number generator that could allow an attacker to predict its output. Only the default SecureRandom implementation in the IBM Java Cryptography Extension (JCE) framework is vulnerable; IBM recommends that...
Threatpost News Wrap, May 9, 2014
Dennis Fisher and Mike Mimoso discuss the major news stories of the last couple of weeks, including the proposal in TLS 1.3 to drop RSA key transport, the Snapchat FTC settlement and the end of Windows XP support. And no Heartbleed talk! Download: digitalunderground153.mp3 Music by Chris Gonsalve...