Bitly Compromised, Users Urged to Change Passwords
Link shortening service Bitly informed its users Thursday that it believes user credentials – passwords, API keys and OAuth tokens – have been compromised. While the company claims there’s no real indication that any accounts were accessed without authorization, in a post on its blog the company...
Twitter Upgrades Account Security Features
Twitter has made a couple of changes to the service’s login process to help prevent account takeovers and enable users to reset their passwords in a simpler way. A Twitter account is among the more valuable assets for an attacker who is targeting a specific person. Accounts typically are tied to ...
Digi International Gateways Vulnerable to Heartbleed
Wireless Web mesh gateways used everywhere from industrial control environments to home area networks are vulnerable to the Heartbleed OpenSSL vulnerability. The Industrial Control System Computer Emergency Response Team ICS-CERT issued an advisory Thursday warning SCADA and ICS managers with Dig...
May 2014 Microsoft Patch Tuesday Security Updates
One week after releasing an out-of-band patch for an Internet Explorer zero day, Microsoft has provided a heads-up that next week’s Patch Tuesday security updates will include another critical patch for the browser. The IE roll-up is one of two critical bulletins expected next week; interestingl...
Health and Fitness Apps Poor at Protecting Privacy FTC Says
A recent study conducted by the Federal Trade Commission examined 12 mobile health and fitness apps and found them sending users’ personal information to 76 different third parties. Jah-Juin Ho, an attorney in the FTC’s Mobile Technology Unit shared the research yesterday during a seminar regardi...
Snapchat Settles With FTC Over Privacy and Security Concerns
Snapchat, the maker of the popular video and photo chat app, has agreed to settle charges by the Federal Trade Commission that the company misrepresented the supposedly ephemeral nature of the messages users send and failed to take adequate security precautions with the data it collects, leading...
Former NSA Director Addresses Crypto Standard Subversion
During the last 11 months of mounting leaks and revelations about the government’s surveillance operations and the lengths it will go to gain intelligence on foreign threats, perhaps the most disturbing revelation was the intentional subversion of widely used cryptographic standards. It’s also be...
Judiciary Committee Approves Bill Limiting NSA Surveillance
The House Judiciary Committee met yesterday in a hearing to discuss, amend and approve the USA FREEDOM Act, which aims to rein in the National Security Agency’s surveillance powers and place new limits on authority granted under the USA PATRIOT Act and the Foreign Intelligence Surveillance Act...
Cisco Fixes Remote Code Execution Flaws in Several WebEx Products
Cisco has patched a handful of buffer overflows in several of its WebEx products that could allow an attacker to execute arbitrary code or crash a vulnerable application. The bugs affect the WebEx WRF and ARF players and some of Cisco’s Business Suite builds, WebEx 11 and WebEx Meetings Server al...
Legal Guidelines Say Apple Can Extract Data From Locked iOS Devices
If law enforcement gets hold of your locked iPhone and has some interest in its contents, Apple can pull all kinds of content from the device, including texts, contacts, photos and videos, call history and audio recordings. The company said in a new document that provides guidance for law...
FTC Discusses Regulating User-Generated Health Information
The proliferation of wearable devices coupled with smartphone apps that monitor heart rates and other health metrics raises an important question: How exactly should the information generated by these devices be regulated? If there’s a fist fight in a bar can a person’s Fitbit accelerator be...
Microsoft Identifies New Malware Dropping Sefnit Botnet
Plenty has been written about the Sefnit malware family and its favor with using Tor to mask communication, as well as the money it’s made for criminals via click-fraud schemes. Sefnit, however, has had a pair of accomplices that until recently were regarded as harmless programs by most security...
Google Chrome Canary Bug Could Facilitate Phishing Attacks
Borrowing a tactic from the mobile Safari browser in iOS, Google may soon abandon displaying complete URLs in Chrome. The Canary version of the browser, an unstable version designed for developers and early adopters, is toying with the idea of no longer displaying full URLs in its Omnibox—what...
Device-Locking Ransomware Moves to Android
UPDATE–Ransomware has been wreaking havoc on desktops for many years now, with attackers demanding that victims pay a fee to unlock the infected system. This kind of malware hasn’t been a huge issue yet on mobile devices, but that’s beginning to change, albeit slowly. A new piece of mobile malwar...
USA FREEDOM Act Revised to Limit NSA Surveillance
UPDATE: A prior version of this story incorrectly noted that the bill revisions included a clause that would require an earlier re-authorization to the PATRIOT Act, when in fact the revisions push that re-authorization date more than two years further into the future. The House Judiciary Committe...
Coalition Calls For Net Reset in June
A new alliance composed of privacy and digital rights advocates is encouraging internet users to block mass surveillance and fight back against the National Security Agency on June 5. The coalition, dubbed Reset the Net, is hoping to carry out its goal through the further implementation of SSL,...
Dropbox Patches Shared Links Privacy Vulnerability
Dropbox has acknowledged and disabled a vulnerable shared links feature that exposed documents stored by the service to third parties. Shared links are a collaboration feature that allows users, especially in a business environment, to share and edit documents. Dropbox rival Intralinks reported th...
TLS 1.3 Has Consensus to Deprecate RSA Key Transport
The IETF working group responsible for the TLS 1.3 standard is closing in on a decision to remove RSA key transport cipher suites from the protocol. Decades-old RSA-based handshakes don’t cut it anymore, according to experts, who are anxious to put a modern protocol in place, one that can fend of...
Passcode Bypass Bug and Email Attachment Encryption Plague iOS 7.1.1
Another iPhone passcode bypass is making the rounds this week that reportedly allows users to trick Siri into skirting around the device’s usual lockscreen to view, edit and call any of the phone’s contacts. The flaw apparently affects the most recent iOS build, 7.1.1, and allows the bypass of bot...
NIST SP 800-52 Revision 1 Recommends TLS 1.2 by Jan. 1, 2015
U.S. federal government agencies are being told they should move to TLS 1.2 by the beginning of 2015. The National Institute of Standards and Technology, NIST, recently released NIST Special Publication 800-52 Revision 1, which includes the final public comments made since SP 800-52 was withdraw...
White House Calls for Transparency from Data Brokers
The White House redirected attention away from the data collection efforts of the intelligence community yesterday with the release of a report that urged data brokers to be more transparent about their own data harvesting. Companies such as Facebook, Google and others make a living collecting th...
Researchers: Accelerometers Perfect for Pervasive Tracking
Minute manufacturing imperfections in popular accelerometers cause that hardware to emit uniquely identifiable data that could give third parties the ability to single out specific mobile devices, regardless of any privacy protections deployed on them. In a paper published by the University of...
Critical Holes in OAuth, OpenID Could Leak Information, Redirect Users
UPDATE — A serious vulnerability in the OAuth and OpenID protocols could lead to complications for those who use the services to log in to websites like Facebook, Google, LinkedIn, Yahoo, and Microsoft among many others. OpenID and OAuth are commonly used authorization protocols. The protocols ar...
PHP Updated to Fix Heartbleed, Other Bugs
The maintainers of PHP have released two new versions of the scripting language that fix a number of bugs, including a pair of vulnerabilities related to OpenSSL. Versions 5.4.28 and 5.5.12 both contain that important patch, as well as fixes for more than a dozen other vulnerabilities. The fix fo...
Adobe Adds Security Upgrades to ColdFusion 11
Suffice it to say, the security of Adobe’s ColdFusion web application platform hasn’t had the best 18-month stretch. Hackers have had their way with vulnerabilities in the software, which have been used in a number of high-profile data breaches, including some suspect, one involving Adobe itself...
Yahoo Drops Support for Do Not Track
Yahoo, one of the first large Web companies to recognize the Do Not Track header from browsers on its properties, has now backtracked and said it will no longer support DNT. Officials said the lack of an industry standard for DNT that’s effective led to the decision. DNT is an option in the major...
Apple Fixes Critical Hole in Developer Center, Radar
Apple patched a potentially serious hole in its Developer Center earlier this week that could have given anyone unfettered access to the personal contact information of company developers, retail employees and even executives. Ironically enough, the bug existed in Apple’s internal bug reporting a...
Google to Stop Scanning Student Accounts
Google yesterday announced it will no longer scan the contents of Gmail accounts associated with the company’s Apps for Education service for the purpose of generating advertisements. It is unclear if Google will continue to scan those accounts for other purposes. This decision is one of two...
Emergency IE Zero Day Patch Fixes XP Systems Too
UPDATE – Microsoft announced it will release an out-of-band security update today to patch a zero-day vulnerability in Internet Explorer, and that the patch will also be made available for Windows XP machines through Automatic Update. At the same time, researchers said they are now seeing attacks...
Facebook Enhances Privacy Settings with Anonymous Login
Anonymous is the new black for Facebook. The social network announced a number of changes to how users interact with third-party apps via Facebook logins, the most interesting being a service called Anonymous Login. Facebook chief executive officer Mark Zuckerberg told developers at the company’s...
Google Fixes XSS Flaw in Search Appliance
There’s a remotely exploitable vulnerability in several versions of the Google Search Appliance that could allow an unauthenticated attacker to execute a cross-site scripting attack and run a script in the context of the user’s browser. The Google Search Appliance is an enterprise product that...
Bug Bounties Expanding to Individual Developers
Bug bounties once were restricted mainly to large software companies such as Mozilla and Google. But the success of these programs has led many other infrastructure and product companies, including Yahoo, Facebook, Barracuda, PayPal and even Microsoft, to launch their own reward systems. Now, the...
UltraDNS Dealing with DDoS Attack
UPDATE – UltraDNS said it has mitigated a distributed denial of service DDoS attack for most of its customers after the service was held down for most of the day. “Currently, only customers utilizing a segment of UltraDNS Name Server addresses are experiencing resolution latency due to intermitte...
Two New Vulnerabilities Linked to Latest IE Zero Day
UPDATE – Researchers at Websense said today they may have isolated two components within the VGX library that are being exploited by attackers targeting the latest Internet Explorer zero-day vulnerability. By combing through millions of Windows crash reports sent via the Windows Error Reporting...
Target Accelerates Chip-and-Pin Roll Out, Hires New CIO
As Target continues to deal with the consequences of its massive data breach last year, the company is accelerating plans to move to a full chip-and-pin system for its branded credit and debit cards, and also plans to have terminals capable of accepting chip-and-pin cards in all of its nearly 2,0...
Hacking Traffic Systems for Fun and Chaos
It has been a running joke in the tech industry for years that the hacking scenes in movies are, well, a joke. Hackers in hoodies pushing a few keys and taking down the power grid or causing massive traffic pileups by turning all the stoplights green at once. While those scenes provide endless...
Mozilla Redesigns Firefox, Fixes Security Vulnerabilities
Mozilla yesterday released the substantially redesigned version 29 of its Firefox browser. The latest iteration includes fixes for a number of critical and highly rated security vulnerabilities. Among the five critical vulnerabilities are use-after-free bugs in nsHostResolve, imgLoader while...
Vishing Attacks Targeting Dozens of Banks, Users' Card Data
A recent VoIP-based phishing campaign has been netting the payment card information of up to 250 Americans per day. Voice over IP phishing, or vishing, is a form of phishing that relies on users getting tricked into giving up their payment card information after receiving phone or SMS messages –...
Draft Bill to Protect Threat Information Sharing
The fear of lawsuits has – for a very long time – been among the primary reasons that public-private cyber-threat information sharing practices have never really materialized. This failure is reality in spite of repeated calls for such partnerships year after year from government and industry...
Volume of NTP Amplification Attacks Getting Louder
No security arena is better representative of the cat and mouse game between hackers and defenders than DDoS attacks and prevention/mitigation. Enterprises and service providers have invested heavily in DDoS mitigations in order to keep critical services available. That’s forced hackers to crank ...
The White House and Zero Day Sleight of Hand
The White House wants you to know that it did not know about the OpenSSL Heartbleed vulnerability before you did. The White House also wants you to know that administration officials don’t think stockpiling zero days is necessarily good for national security. That’s all well and good, except...
Click-Fraud Sefnit Variant Shuns Tor for SSH
Sefnit was the first malware family to shed light on the problem of botnets and other malicious code using the Tor anonymity network as a communication protocol. While others before and since have done the same, Sefnit made the biggest splash at the end of last summer when the botnet caused a 600...
Google Removes Bitcoin Mining Android Malware from Play
Google recently removed five bogus wallpaper apps from its Play marketplace after they were deemed malicious and found sneakily mining Bitcoins. The malware, dubbed BadLepricon, was spotted funneling Bitcoin into wallets and allowed the attacker to change mining pools easily to maximize the minin...
AOL Breached, Investigating Spam from Spoofed Accounts
AOL reported today that it has been breached and urges users of its web-based email and other online services to change their passwords. AOL’s investigation of a breach of its internal network and systems is under way with the help of federal authorities and a forensics firm, the company said. La...
Siemens Update on Heartbleed Patches in ICS, SCADA
Industrial control equipment manufacturer Siemens has produced a security update that mitigates the OpenSSL Heartbleed vulnerability in its eLAN systems and now its WinCC OA supervisory control and data acquisition SCADA software as well. The company is continuing to work on patches to resolve th...
Flash Zero Day Used to Target Victims in Syria
A couple days after Microsoft warned users about a new vulnerability in Internet Explorer that’s being used in targeted attacks, Adobe on Monday said that researchers have discovered a zero day in Flash, as well, which attackers are using to target victims in Syria through a watering hole attack ...
New Internet Explorer Zero Day Used in Targeted Attacks
There’s a new zero-day vulnerability in many of the current versions of Internet Explorer that is being used in active attacks right now. The exploit that’s in use has the ability to bypass both DEP and ASLR, and researchers say it’s being used by a known APT group. Microsoft has issued an advisory...
Vulnerability in Viber Allows Snooping of Images, Videos
UPDATE – Viber, a messaging and VoIP application similar to WhatsApp, is in the middle of patching a vulnerability that could allow an attacker to view sensitive information shared between users like images, videos and location information. The problem is that information transferred by Viber is...
Exploiting Facebook Notes to Launch DDoS
The way Facebook Notes handles HTML image tags could give an attacker the ability to launch distributed denial of service attacks against external sources, using the power of the massive network to amplify the attack. Facebook Notes is a sort of Tumblr-like internal blogging feature built...
Dennis Fisher and Mike Mimoso Discuss Heartbleed, Apple's Patches and the DBIR Report
Dennis Fisher and Mike Mimoso discuss the Apple OSX and iOS patches, the continuing OpenSSL Heartbleed soap opera and the Verizon DBIR report. Download: digitalunderground152.mp3...