Google Adds Continuous Monitoring of Android Apps
Google is adding a new security feature to Android designed to scan installed apps on a device and ensure that they’re not acting maliciously or taking unwanted actions. The system is built on Google’s existing app-verification model, which warns users if there’s a potential problem with an app...
What Have We Learned: OpenSSL Heartbleed Bug
There’s nothing the Internet loves more than a fat, juicy story that it can sink its sharpened, yellowing canines into. And for the security community, the OpenSSL heartbleed vulnerability has been the equivalent of a 72-ounce steak. But an Internet-breaking vulnerability like this one is no good...
Ensnare Web Application Attack Detection Utility Released
BOSTON – Two engineers from Netflix this week released to open source a security tool that detects attacks against web applications—and also reacts to those attacks with responses they hope will flummox a hacker to the point that he moves on to his next target. The utility is called Ensnare and i...
BlackBerry Patches Remote Code Execution Security Vulnerability
BlackBerry’s Security Incident Response Team (BBSIRT) today released a security advisory resolving a remote code execution vulnerability in BlackBerry 10. The company says it has no knowledge of attacks actively exploiting this bug in the wild. “BlackBerry is committed to protecting customers from...
Bruce Schneier on Surveillance at Source Boston keynote
BOSTON – History is not entirely kind to those responsible for the Industrial Age in the 19th century. How, for example, were the consequences of industrial innovation such as pollution largely ignored? Flash forward to today’s digital age and ask the same question: How are those responsible for...
Adobe Patches AIR, Pwn2Own Bug in Flash
Adobe has released updates for both its Flash Player and AIR software, patching four critical vulnerabilities, including one that was exposed at last month’s Pwn2Own hacking competition. The Flash Player vulnerabilities carry the company’s highest severity rating, Priority 1, and could lead to...
Difficulty of Detecting OpenSSL Heartbleed Attacks Adds to Problem
The list of products and sites affected by the OpenSSL heartbleed vulnerability continues to grow, and as security teams implement the patch and dig into the thornier work of revoking certificates, a new problem is emerging: It’s difficult to know whether an attacker has exploited the vulnerabili...
Siemens Ruggedcom Addresses BEAST Flaw in WiMax Products
The BEAST attack on some TLS implementations made major news when it was disclosed, showing that an attacker who can inject chosen plaintext into a TLS 1.0 CBC-encrypted session could recover protected data such as session cookies in real time, breaking a significant portion of the confidentiality model of the protocol. Vendors rushed to patch and implement mitigation...
Etsy Feature Flags Keep Marketplace Online and Secure
BOSTON – Etsy is one of the Web’s biggest marketplaces. Its developers may be one of the Web’s busiest teams. Proudly, the vintage and homemade goods online store will push code to production upwards of 50 times a day. And, according to Kenneth Lee, senior product security engineer, they do so with...
April Patch Tuesday Fixes 11 Vulnerabilities, Last Updates for XP
As expected, Microsoft issued its final epitaph for Windows XP today, pushing out four security bulletins for 11 vulnerabilities, including the last updates for the oft-maligned, thirteen-year-old operating system. Despite it being XP’s last gasp from a security standpoint, it’s actually a...
Softer Skills Important to Maturity of Cyber Security Pros
BOSTON – The cynical security wonk wouldn’t necessarily lower himself to use the word “cyber” in an elevator pitch about his profession or day-to-day responsibilities. After all, how would that go over in the Twittersphere, or at an industry conference? At the risk of peer derision, security peop...
Google Patches 31 Flaws in Chrome
Google has patched a long list of serious security vulnerabilities in Chrome, including at least 19 highly rated flaws. The company patched a total of 31 vulnerabilities in Chrome 34 and paid out more than $28,000 in rewards to researchers who reported bugs to Google. Among the security fixes in...
Real-Time, Interactive Map Tracks Global Cyber Threats
Information security has become a global problem, and getting a handle on the scope of the threats to users is a difficult task. A new interactive infographic illustrates a variety of cyber threats in real time, as detected by the Kaspersky Security Network (KSN). The threats are broken down by typ...
Seriousness of OpenSSL Heartbeat Bug Sets In
UPDATE–Site operators and software vendors are scrambling to fix the OpenSSL heartbleed bug revealed Monday, a vulnerability that enables an attacker to extract 64 KB of memory per request from a server. Attacks can leak private keys, usernames and passwords and other sensitive data, and some lar...
Unpatched Bugs, Windows XP End of Life and Public Disclosure
Windows XP security support ends Tuesday and until now, most of the public hand-wringing over XP’s end-of-life has been about the potential for malware outbreaks against unpatched vulnerabilities that have been stockpiled by hackers anxiously awaiting April 8, 2014. But what about vulnerabilities...
OpenSSL Fixes TLS Vulnerability
The maintainers of the OpenSSL library, one of the more widely deployed cryptographic libraries on the Web, have fixed a serious vulnerability that could have resulted in the revelation of 64 KB of memory to any client or server that was connected. The details of the vulnerability, fixed in versi...
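The 64 KB-per-request leak described in the two OpenSSL items above ("Seriousness of OpenSSL Heartbeat Bug Sets In" and "OpenSSL Fixes TLS Vulnerability") comes from the heartbeat handler trusting the length field inside the request. The model below is an added example, not OpenSSL's own code: it reconstructs the unpatched logic in Python beside the bounds check that fixed it. The message bytes and the "adjacent memory" string are constructed stand-ins for a real receive buffer and the heap around it.

```python
"""Model of the OpenSSL heartbeat bounds bug (CVE-2014-0160) and its fix.

A TLS heartbeat body (RFC 6520) is laid out as:
    hb_type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
The unpatched handler trusted payload_length and copied that many bytes from
the receive buffer into the response, so a short record carrying a large
length field returned whatever followed the record in process memory.
"""
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_length, when given, overrides the
    length field so a lying (Heartbleed-style) request can be constructed."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HB_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * MIN_PADDING


def vulnerable_reply(record: bytes, adjacent_memory: bytes) -> bytes:
    """Unpatched behaviour: the response payload is copied from the receive
    buffer using the peer-supplied length with no check against the record's
    real size. adjacent_memory is a constructed stand-in for whatever happened
    to sit after the record in the process heap."""
    buf = record + adjacent_memory
    hb_type = buf[0]
    payload_length = struct.unpack("!H", buf[1:3])[0]
    if hb_type != HB_REQUEST:
        return b""
    leaked = buf[3:3 + payload_length]  # reads past the record when the length lies
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + leaked + b"\x00" * MIN_PADDING


def patched_reply(record: bytes, adjacent_memory: bytes) -> Optional[bytes]:
    """Fixed behaviour: reject any heartbeat whose declared payload plus header
    and minimum padding exceeds the record actually received. The record is
    dropped silently, as the OpenSSL fix does. adjacent_memory is unused: the
    patched code never reads beyond the record."""
    if 1 + 2 + MIN_PADDING > len(record):
        return None
    hb_type = record[0]
    payload_length = struct.unpack("!H", record[1:3])[0]
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None
    if hb_type != HB_REQUEST:
        return None
    payload = record[3:3 + payload_length]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + payload + b"\x00" * MIN_PADDING


def response_payload(reply: bytes) -> bytes:
    """Extract the payload a peer would see in a heartbeat response."""
    n = struct.unpack("!H", reply[1:3])[0]
    return reply[3:3 + n]


if __name__ == "__main__":
    # Constructed stand-in for data that sat next to the receive buffer.
    neighbour = b"session=deadbeef; -----BEGIN RSA PRIVATE KEY-----"
    evil = build_heartbeat(b"ping", claimed_length=0xFFFF)
    print(response_payload(vulnerable_reply(evil, neighbour)))
    print(patched_reply(evil, neighbour))
```

The check that matters is the second `if` in `patched_reply`: the length field is only honoured after it has been compared with the size of the record that actually arrived. Note that even the patched path reads the length field before validating it, which is safe only because the first check guarantees the three header bytes are present.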
New Zeus Variant Comes Complete With a Signed Certificate
Yet another variant of the Zeus banking Trojan has surfaced; this one comes disguised as an Internet Explorer document and uses an authentic digital certificate to download a rootkit onto infected machines. According to researchers at the SSL firm Comodo, more than 200 examples of the Trojan have...
Crypto Model Based on Human Cardiorespiratory Coupling
A novel and theoretical encryption scheme inspired by new insights into the way that the human heart and lungs communicate is said to be substantially different from existing crypto-methods and highly resistant to conventional attacks. The research was undertaken and published by Professors...
Connecting the Dots Between Cookies and Identities
A team of computer science engineers from Princeton have released a paper that explains how an adversary with a passive presence on a network or Internet backbone could track individuals by observing HTTP cookies. The motivation for the project was news in December that the National Security Agen...
Chrome Adds Ability to Force Ephemeral Mode
Google has made a subtle change to the Chrome admin console, which enterprises use to set policies for employee browsing, that will allow administrators to force users to browse in ephemeral mode. The change won’t have any effect on typical individual users who...
IE 12 to Support HSTS Encryption Protocol
Microsoft confirmed today it will support HTTP Strict Transport Security (HSTS) in Internet Explorer 12, bringing its browser in line with other major vendors in its support of the mechanism. Once a site has sent the HSTS header over HTTPS, a supporting browser rewrites any later plain-HTTP request for that host to HTTPS before it is sent, encrypting...
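The behaviour the item above describes is a small per-host policy cache inside the browser. The following is an added example, not Internet Explorer's or any vendor's code: a Python model of that cache following RFC 6797, showing the parts a practitioner usually trips over. The header is only honoured when it arrived over HTTPS (so a network attacker cannot plant or clear a policy), `max-age=0` removes a policy, `includeSubDomains` extends it downward, and expired policies stop upgrading. The URLs and header values in the test are constructed.

```python
"""Model of a browser's HTTP Strict Transport Security cache (RFC 6797).

Added example; not the code of any real browser. Hostnames and header
values used below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time at which the policy lapses
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse 'max-age=N[; includeSubDomains]'. Returns (max_age, include_subdomains),
    or None when there is no usable max-age (the header is then ignored)."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def observe_response(self, url: str, headers: Dict[str, str], now: float) -> None:
        """Record the STS header of a response. A header received over plain
        HTTP is ignored: otherwise an on-path attacker could set or delete
        policies for any site."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return
        header = next((v for k, v in headers.items()
                       if k.lower() == "strict-transport-security"), None)
        if header is None:
            return
        parsed = parse_sts_header(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 deletes the policy
            return
        self.policies[host] = HstsPolicy(now + max_age, include_sub)

    def is_known_host(self, host: str, now: float) -> bool:
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """What happens before a request leaves the browser: an http:// URL for
        a known host is rewritten to https:// (port 80 becomes the default
        443; any other explicit port is kept, per RFC 6797)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known_host(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The first request to a host is the gap in this design: until the browser has seen the header over HTTPS at least once, an `http://` URL is sent in the clear. Browsers close that gap with a built-in preload list, which this model does not include.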
Microsoft To Block Unwanted Adware July 1
Microsoft has announced this summer it will change the way it classifies adware by beginning to block unwanted and intrusive advertisements from users. New objective criteria drafted up by the company stipulates that by July 1 internet ads must have a visible close button and must clearly state...
Windows XP End of Life Breeding FUD, Legit Concerns
For those of you anticipating the start of a Walking Dead-style malware apocalypse next Tuesday, calm yourselves. The official end of security support for Windows XP is upon us, but it’s important to check some anxiety at the door and keep some perspective. “I’ve been a forensics investigator 14...
Researchers Uncover Interesting Browser-Based Botnet
Security researchers discovered an odd DDoS attack against several sites recently that relied on a persistent cross-site scripting vulnerability in a major video Web site and hijacked users’ browsers in order to flood the site with traffic. The attack on the unnamed site involved the use of...
Facebook Bug Bounty Submissions Dramatically Increase
Facebook today reported a dramatic increase in 2013 submissions to its bug bounty program, and said that despite reports from researchers that it’s becoming difficult to find severe bugs on its various properties, the social network plans to increase rewards for critical bugs. “The volume of...
Microsoft to Fix Word Zero Day with Final XP Patch
In just five days, Microsoft will send off two critical and two important rated security bulletins in what will be the very last Patch Tuesday release providing support for the Redmond, Washington computer company’s ancient and always-vulnerable XP operating system. The critically rated bulletins...
Regulators To US Banks: Be Vigilant of ATM Fraud, DDoS
U.S. regulators are warning banks this week about a recent rash of “large dollar value” ATM fraud and the ongoing risks that distributed denial of service (DDoS) attacks targeting public bank websites can pose. Members of FFIEC, the Federal Financial Institutions Examination Council, an interagency se...
Cyberespionage, Not Cyber Terror, is the Major Threat, Former NSA Director Says
CHANTILLY, VA–The list of threats on the Internet is long and getting longer each day. Cybercrime, nation-state attackers, cyber espionage and hacktivists all threaten the security and stability of the network and its users in one way or another. But the one threat that some experts have warned...
Cyber Tool Estimates Incident Response Cost for Businesses
A thorough and freely available tool aims to help security professionals and executives anonymously tabulate the costs incurred on enterprises following all manner of cyber-incidents. Called CyberTab, the tool was created by The Economist Intelligence Unit and sponsored by the consulting firm Boo...
Yahoo Encrypts Data Center Communication Links
Yahoo certainly has taken its share of knocks during the past nine months of surveillance revelations and Snowden leaks for its encryption shortcomings. But the bruises are healing and the company is slowly working its way back into good graces. After months of being an encryption laggard, Yahoo...
Home Routers at Core of DNS-Based DDoS Amplification Attacks
DNS provider Nominum has published new data on DNS-based DDoS amplification attacks that are using home and small office routers as a jumping off point. The provider said that in February alone, more than five million home routers were used to generate attack traffic; that number represents mor...
Amazon Web Services Combing Third Parties for Credentials
Amazon Web Services is actively searching a number of sources, including code repositories and application stores, looking for exposed credentials that could put users’ accounts and services at risk. A week ago, a security consultant in Australia said that as many as 10,000 secret Amazon Web...
Researchers Divulge 30 Oracle Java Cloud Service Bugs
Upset with the vulnerability handling process at Oracle, researchers yesterday disclosed more than two dozen outstanding issues with the company’s Java Cloud Service platform. Researchers at Security Explorations published two reports, complete with proof-of-concept code, explaining 30 different...
Matthew Green on the NSA and Crypto Backdoors
Dennis Fisher talks with Matthew Green of Johns Hopkins University about the paper he co-authored on the Extended Random extension for Dual EC DRBG and whether it could be considered a backdoor. Download: digitalunderground149.mp3...
Apple Fixes More Than 25 Flaws in Safari
Apple has updated its Safari browser, dropping a pile of security fixes that patch more than 25 vulnerabilities in the WebKit framework. Many of the vulnerabilities Apple repaired in Safari can lead to remote code execution, depending upon the attack vector. There are a number of use-after-free...
LinkedIn Sends Cease-and-Desist to Sell Hack Plug-In Maker
UPDATE: The makers of the controversial Sell Hack browser plug-in responded this afternoon to a cease-and-desist order from LinkedIn and confirmed their extension no longer works on LinkedIn pages and that all of the publicly visible data it had processed from LinkedIn profiles has been deleted...
Clapper: NSA Queries Databases for Information on U.S. Persons
UPDATE–The NSA searches the data it collects incidentally on Americans, including phone calls and emails, during the course of terrorism investigations. James Clapper, the director of national intelligence, confirmed the searches in a letter to Sen. Ron Wyden, the first time that such actions hav...
DVR Infected with Bitcoin Mining Malware
Johannes Ullrich of the SANS Institute claims to have found malware infecting digital video recorders (DVRs) predominately used to record footage captured by surveillance camera systems. Oddly enough, Ullrich claims that one of the two binaries of malware implicated in this attack scheme appears to ...
Extended Random Extension Made Cracking BSAFE Trivial
UPDATE: Known theoretical attacks against TLS using the troubled Dual EC random number generator— something an intelligence agency might try its hand at—are in reality a bit more challenging than we’ve been led to believe. The addition of the Extended Random extension to RSA Security’s BSAFE...
Why Full Disclosure Still Matters
When the venerable Full Disclosure security mailing list shut down abruptly last month, many in the security community were surprised. But a lot of people, even those who had been members of the list for a long time, greeted the news with a shrug. Twitter, blogs and other outlets had obviated the...
Second NSA Crypto Tool Found in RSA BSafe
A team of academics released a study on the maligned Dual EC DRBG algorithm used in RSA Security’s BSafe and other cryptographic libraries that includes new evidence that the National Security Agency used a second cryptographic tool alongside Dual EC DRBG in BSafe to facilitate spying. Allegation...
Researcher Identifies Potential Security Issues in Tesla S
The current move by auto makers to stuff their vehicles full of networked devices, Bluetooth radios and WiFi connectivity has not gone unnoticed by security researchers. Charlie Miller and Chris Valasek spent months taking apart–literally and figuratively–a Toyota Prius to see what vulnerabilitie...
Google DNS Intercepted in Turkey
Internet service providers in Turkey have been intercepting traffic to Google’s DNS servers and redirecting it, shutting off a workaround that Turkish users had employed to get to sites such as Twitter and YouTube after the government had blocked them. Google software engineers said they had...
WiFi Bug Plagues Philips Internet-Enabled TVs
UPDATE — Some versions of Philips’ internet-enabled SmartTVs are vulnerable to cookie theft and a mélange of other tricks that abuse a lax WiFi setting. The problem lies in Miracast, a WiFi feature that comes enabled by default, with a fixed password, no PIN, and no request of permission, accordi...
FTC Settles With Fandango, Credit Karma Over SSL Issues in Mobile Apps
The makers of two major mobile apps, Fandango and Credit Karma, have settled with the Federal Trade Commission after the commission charged that they deliberately misrepresented the security of their apps and failed to validate SSL certificates. The apps promised users that their data was being...
Cisco Patches Denial-of-Service Vulnerabilities in IOS
Cisco this week patched a handful of denial-of-service vulnerabilities in its IOS software. The security updates are part of a biannual release from Cisco; the next one is due in September. Five of the six patches handle denial-of-service vulnerabilities in its flagship IOS used in most of its...
Apple ID Phishing Scam Steals Credentials, Credit Cards
A new email phishing scam is making use of a realistic-looking Apple login page in order to pilfer Apple ID usernames and passwords before moving on to steal user credit card information. According to SANS Internet Storm Center forums member Craig Cox, this phishing scam is particularly...
U.S. Government Seeks Laxer Hacking Rules for Law Enforcement
The federal government is looking for a way to relax the laws to make it simpler for law enforcement agents to target and compromise the computers of suspects involved in criminal cases. The Department of Justice has forwarded a request to the body that considers such changes, asking that judges ...
Patch Available for Schneider Electric Serial Modbus Driver
Schneider Electric, a leading provider of industrial control systems, recently patched a remotely exploitable vulnerability in a driver found in 11 of its products. The Industrial Control Systems Computer Emergency Response Team (ICS-CERT) released an advisory yesterday alerting users to the...
White House Releases Plan to End Section 215 Bulk Collection
The White House today unveiled a five-point plan to end the National Security Agency’s bulk collection of phone call metadata, preserving what it says is a balance between the intelligence community’s national security needs and the public’s desire to maintain its privacy. The proposal ends the...