Google Changes Ciphers in Chrome on Android
The emergence of mobile platforms such as iOS and Android have presented a number of challenges in terms of security. Not much can be done about some of these, like users leaving their phones in bars. But engineers at Google have been working on one of the thornier ones of late–how to provide sol...
Apache Struts Zero Day Vulnerability Patch to be Re-Issued
The Apache Software Foundation today released an advisory warning that a patch issued in March for a zero-day vulnerability in Apache Struts did not fully patch the bug in question. Officials said a new patch is in development and will be released likely within the next 72 hours, said Rene Gielen...
NetSupport Manager Vulnerability Leads to Data Leakage
UPDATE – A vulnerability in older versions of NetSupport Manager, a platform that allows companies to remotely manage machines for desktop support, could yield sensitive configuration settings and lead to compromise. According to David Kirkpatrick, the researcher who found the vulnerability, it took...
DDoS Attacks a Cover for Financial Fraud, IP Theft
It’s difficult to imagine a noisier attack than a distributed denial-of-service attack. They’re an ever-present threat to banks and other businesses where the uptime of Web-based services is critical to customers and the well-being of an enterprise. And as a handful proved throughout 2013, they a...
Mozilla Offers Bug Bounty for Heartbleed-like Crypto Bugs
As part of a special security bug bounty program, Mozilla Corporation is offering $10,000 to anyone who reports a qualifying security vulnerability in the new cryptography library it plans to deploy in a yet-to-be-released version of Firefox. Today, Mozilla’s security engineering team announced t...
Group Backed by Google, Microsoft and Others to Help Fund OpenSSL and Other Open Source Projects
After the dust had started to settle in the wake of the OpenSSL Heartbleed vulnerability earlier this month, one of the common sentiments that emerged was that the small group developing and maintaining the software needed some help. And money. And resources. But mostly money. Now, the OpenSSL...
New NIST AppVet Aims to Streamline Application Security
Apple and Google put developers’ apps through a relatively vigorous screening process before they make their way into their respective app stores. Now developers who produce apps intended for use on internal networks at government agencies can get a vetting process of their own. The National...
Google Recommends Developers Support OAuth 2.0
Google announced today that in the coming months it will be more stringent in securing users when they log in to their accounts by applying additional authorization checks. “These additional checks will ensure that only the intended user has access to their account, whether through a browser,...
OpenBSD Initiates Fork of OpenSSL, LibreSSL
Heartbleed may have been the final straw, but the movement to create a fork of OpenSSL called LibreSSL had its roots in another issue that made the crypto libraries untenable for folks at OpenBSD. LibreSSL is an initiative spurred on by OpenBSD founder Theo de Raadt to split off and develop a...
Iowa State Hacked--To Mine Bitcoins
It’s an odd week these days when there isn’t a data breach at some university or college. These institutions are prime targets for attackers for several reasons, not the least of which are their open network environments and databases bulging with personal information. But now attackers are looki...
OpenSSL Heartbleed Highlights Crypto Pitfalls
There is no shortage of bad advice online about crypto–or anything else, for that matter. And the recent mess involving the OpenSSL heartbleed vulnerability has brought out plenty of advice on building, implementing and repairing cryptosystems, but experts say that the fundamental truths about ho...
NIST removes Dual EC DRBG from SP 800-90A
The maligned Dual EC DRBG random number generator at the core of a $10 million secret contract between RSA Security and the National Security Agency has been removed from NIST’s draft guidance on random number generators. The National Institute for Standards and Technology said it will request...
AOL Email Hacked to Send Spam
In Internet years, AOL and its webmail counterpart AOL Mail are beyond ancient at this point. A relic of electronic mail history, the majority of users have long since jumped ship for Gmail or Yahoo. Yet those who still have accounts with AOL were no doubt unhappy when they discovered last weeken...
Apple Fixes Serious SSL Issue in OSX and iOS
Apple has fixed a serious security flaw that’s present in many versions of both iOS and OSX and could allow an attacker to intercept data on SSL connections. The bug is one of many that the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have...
2014 Verizon Data Breach Investigations Report DBIR
Most of us—hopefully—awaken every day, shower and brush our teeth. If you own a home, you patch a leaky roof and paint the shutters so they don’t rot. You own a vehicle, you change the oil when you’re supposed to and make sure the brakes work the way they’re supposed to. It’s simple hygiene. Yet ...
2014 Verizon Data Breach Investigations Report DBIR
The attention given to the Target data breach elevated concerns about point-of-sale hacks and got us reacquainted with RAM scrapers and other threats to retailers big and small. And while it’s been a noteworthy highlight to the annual Verizon Data Breach Investigations Report for the past few...
CloudFlare Launches Bug Bounty Program
As the OpenSSL heartbleed saga unfolded over the last couple of weeks, one of the companies that was at the forefront of figuring out the scope and effects of the problem was CloudFlare. The company put up a challenge server, asking researchers to hit it with the heartbleed exploit to determine...
Oracle Gives Heartbleed Update, Patches 14 Products
As the dominoes continue to fall around Heartbleed, Oracle is doing its best to keep users apprised of its ongoing efforts to patch software that may be vulnerable to the OpenSSL vulnerability. In a document updated early this morning Oracle gave its customers five separate updates regarding:...
OpenICS ICS Protocol Decoder Builds Data Dictionaries
Industrial control system security has been called archaic, laughable and even non-existent. Most ICS and SCADA systems weren’t built with the Internet in mind, much less security, but yet they are at the forefront of manufacturing, building automation and critical infrastructure operations...
OpenSSL Heartbleed and the Value of CRLs
One of the consequences of the drama around the OpenSSL heartbleed vulnerability is that security experts have begun taking a hard look again at the certificate revocation process and whether it actually protects users or gives them any visibility into the validity of a given certificate. In a lo...
Targeted Attack Uses Heartbleed to Hijack VPN Sessions
A targeted attack against an unnamed organization exploited the Heartbleed OpenSSL vulnerability to hijack web sessions conducted over a virtual private network connection. Incident response and forensics firm Mandiant shared some details on a recent investigation of an incident that began April ...
3 Million Cards Implicated in Michaels Breach
Nearly four months after it first reported it was investigating a data breach, the arts and crafts retail chain Michaels confirmed yesterday that most of its U.S. stores were compromised on and off for eight months and that payment card information of nearly three million of its customers may hav...
ICS-CERT Warns of Heartbleed Vulnerabilities in Siemens Gear
A number of ICS products from Siemens and Innominate are vulnerable to the OpenSSL heartbleed flaw, some of which do not have updates available yet. The list of products affected by the heartbleed vulnerability continues to grow by the day, with OpenVPN being one of the latest. A researcher on...
Private Keys Stolen from OpenVPN Using Heartbleed
You can add OpenVPN to the growing list of products and services vulnerable to the Heartbleed OpenSSL vulnerability. Worse, researchers have been able to chain together exploits to steal private keys from traffic moving through the open source virtual private network software package. A Swedish V...
Experts Worry About Future of Critical Infrastructure Security
SAN FRANCISCO–The problem of critical infrastructure security has become a key issue in the last few years, as high-profile attacks such as Stuxnet and others have grabbed headlines and alerted politicians and others to the weaknesses facing these vital systems. It’s an issue that Eugene Kaspersk...
Like Apple's TouchID, Galaxy S5 Vulnerable to Fingerprint Hack
Researchers published a video this week demonstrating how Samsung’s latest entry in the smartphone arena, the Galaxy S5, is vulnerable to a hack that involves lifting and copying fingerprints to trick the phone’s biometric sensor. Much like the Apple iPhone 5S, the smartphone, which first hit the...
Certificate Revocations Shoot Up in Wake of OpenSSL Heartbleed Bug
The after effects of the OpenSSL heartbleed vulnerability continue to spread through the technology industry, nearly two weeks after the details of the flaw were disclosed. One of the latest repercussions is a huge increase in the number of SSL certificates being revoked, as site owners and hosti...
Tor Blacklisting Exit Nodes Vulnerable to Heartbleed Bug
The Tor Project has begun blacklisting exit nodes vulnerable to the Heartbleed vulnerability in OpenSSL. Researcher Collin Mulliner, with the Systems Security Lab at Northeastern University in Boston, published the results of an experiment he conducted using a publicly disclosed Heartbleed...
Kurt Baumgartner on APT Attacks in the Enterprise
Dennis Fisher talks with Kaspersky Lab security researcher Kurt Baumgartner about the specter of APT attacks in enterprises, what kind of tactics APT attackers are using now and the effect of the Heartbleed OpenSSL bug on the certificate authority system. Download: digitalunderground151.mp3...
Federal Court Rejects Lavabit's Contempt Appeal
A Federal court struck down Lavabit’s appeal today, affirming contempt of court sanctions against the now-shuttered secure email provider that was forced to release its SSL keys to the FBI last year. Those keys could have decrypted emails belonging to the company’s founder Ladar Levison along wit...
April 2014 Oracle Critical Patch Update
Software maker and database management company Oracle yesterday released its quarterly Critical Patch Update. The release resolves more than 100 security vulnerabilities, many of which received high Common Vulnerability Scoring System (CVSS) base scores and should be applied as soon as possible. Product...
Certificate Revocation Slow on Heartbleed Web Servers
The rush to revoke and replace digital certificates on Heartbleed-vulnerable Web servers seems to be no rush at all. Internet research and security services firm Netcraft reports today that of the more than 500,000 servers it knows of that are running vulnerable versions of OpenSSL, only 80,000...
Eugene Kaspersky on Critical Infrastructure Security
Dennis Fisher talks with Eugene Kaspersky about the need for better critical infrastructure security, the major threats facing enterprises today and the specter of cyberwar. Download: digitalunderground150.mp3...
Cryptanalysis Remains for TrueCrypt Audit
Phase two of the TrueCrypt audit figures to be a labor-intensive, largely manual cryptanalysis, according to the two experts behind the Open Crypto Audit Project (OCAP). Matthew Green, crypto expert and professor at Johns Hopkins University, said a small team of experts will have to, by hand, exami...
Financial Services Companies Facing Varied Threat Landscape
SAN FRANCISCO — Many of the stories about attacks on banks, payment processors and other portions of the financial services system around the world depict these intrusions as highly sophisticated operations conducted by top-level crews. However, the majority of the attacks these companies see...
Microsoft Releases Free Threat Modeling Tool 2014
Threat modeling has been part of the security culture at Microsoft for the better part of a decade, an important piece of the Security Development Lifecycle that’s at the core of Trustworthy Computing. Today, Microsoft updated its free Threat Modeling Tool with a number of enhancements that bring...
Install April Windows 8.1 Update If You Want Security Patches
In a bizarre and somewhat befuddling move, Microsoft announced yesterday on its Technet blog that it would no longer provide security updates to users running out-of-date versions of Windows 8.1. In order to receive updates, customers will have to have updated their machines with the most recent...
Government, Private Sector Must Have a 'Need to Share' Mindset on Threats
SAN FRANCISCO–The security of both government and private enterprise systems going forward relies on the ability of those two parties to share threat, attack and compromise information on a real-time basis, former Department of Homeland Security secretary Tom Ridge said. Without that cooperation,...
Hardware Maker LaCie Admits Yearlong Data Breach
The French computer hardware company LaCie, perhaps best known for their external hard drives, announced this week it fell victim to a data breach that may have put at risk the sensitive information of anyone who has purchased a product off their website during the last year. According to an...
Web Application Security Begins with Programming Language
When building an enterprise Web application, the most foundational decision your developers make will be the language in which the app is written. But is there a barometer that measures the security of the programming languages developers have at their disposal, or are comfortable with, versus...
Heartbleed OpenSSL Bug Exploited to Steal Private SSL Keys
Heartbleed went from a dangerous Internet-wide vulnerability over the weekend to one with real exploits, real victims and real problems for private SSL server keys. Mumsnet, a U.K.-based parenting website, said it was victimized by hackers exploiting the vulnerability in OpenSSL to steal password...
First Phase of TrueCrypt Audit Turns Up No Backdoors
An initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase. A report on the first phase of the audit was released today by iSEC Partners, which was...
With a Warning FTC Approves WhatsApp, Facebook Union
Facebook’s acquisition of messaging application WhatsApp was approved by the Federal Trade Commission late last week, but not without a stern notice from the agency, which warned that it would be keeping a watchful eye on the two companies going forward. In a letter addressed to officials at...
Arbitrary Code Execution Bug in Android Adobe Reader
The Android variety of Adobe Reader reportedly contains a vulnerability that could give an attacker the ability to execute arbitrary code on devices running Google’s mobile operating system. The problem arises from the fact that Adobe Reader for Android exposes a number of insecure JavaScript...
Private SSL Keys and the Heartbleed OpenSSL Vulnerability
Heartbleed can be patched, and passwords can be changed. But can you steal private keys by taking advantage of the Internet-wide bug in OpenSSL? Yes, but it’s difficult. Stealing private server SSL keys is a real pot at the end of a rainbow for criminal hackers and intelligence agencies alike...
Dennis Fisher and Mike Mimoso Discuss Heartbleed and Source Boston
Dennis Fisher and Mike Mimoso discuss–what else–the OpenSSL Heartbleed vulnerability and the doings at the Source Boston conference this week. Download: digitalunderground149.mp3...
BlackBerry, Cisco Products Vulnerable to OpenSSL Bug
Vendors are continuing to check their products for potential effects from the OpenSSL heartbleed vulnerability, and both Cisco and BlackBerry have found that a variety of their products contain a vulnerable version of the software. BlackBerry on Thursday said that several of its software products...
Cyber Intelligence Asia 2014: CERTs and Industrial Security
In March I spoke at Cyber Intelligence Asia 2014, where CERTs from most Asian countries were represented. The fact is that only a few CERTs are now dealing in some way with industrial security, ICS and SCADA matters. One of the best of those is the CERT of Japan, which is doing a great job here, and...
Cisco Patches DoS, VPN Issues, Looking Into Heartbleed Impact
Cisco patched four different vulnerabilities this week in one of its core operating systems and is now beginning to look into the potential impact of this week’s Heartbleed vulnerability in at least 60 of its other products. The patches, released yesterday, fix problems in the company’s Adapti...
OpenSSL Heartbleed Bug Exploited Before This Week?
Bruce Schneier stood on the Source Boston keynote stage yesterday and used the word “ginormous” to describe the severity of the OpenSSL heartbleed bug. “My guess is that when heartbleed became public, the top 20 governments in the world started exploiting it immediately,” Schneier said. That’s...