Lucene search

15946 matches found

ThreatPost
added 2014/03/27 2:43 p.m., 10 views

New Platform Protects Data From Arbitrary Server Compromises

Researchers are in the midst of rolling out a secure new platform for building web applications that can protect confidential data from being stolen in the event attackers gain full access to servers. The platform, Mylar, is the result of a project spearheaded by students at the Massachusetts...

AI score: 7.2
Exploits: 0, References: 6

ThreatPost
added 2014/03/27 1:23 p.m., 9 views

NTP Amplification, SYN Floods Drive Up DDoS Attack Volumes

There has been a steady but dramatic increase in the potency of distributed denial of service (DDoS) attacks from the beginning of 2013 through the first two months of this year. In large part, the reason for this rise in volume has to do with the widespread adoption of two attack methods: large...

AI score: 0.1
Exploits: 0, References: 7

ThreatPost
added 2014/03/27 12:37 p.m., 8 views

Government Requests for Google User Data Continue to Climb

While the number of requests for user information that Google receives from governments around the world continues to rise–climbing by 120 percent in the last four years–the company is turning over some data in fewer cases as time goes on. Google received more than 27,000 requests for user...

AI score: 0.1
Exploits: 0, References: 3

ThreatPost
added 2014/03/27 11:44 a.m., 15 views

Android Malware Mines Digital Cryptocurrency

On its surface, the idea of turning a smartphone into a cryptocurrency mining machine sounds novel. But practical and profitable? Not so much. That hasn’t stopped thieves from corrupting a number of popular Android applications for just that purpose, including two on the Google Play store called...

AI score: 7.2
Exploits: 0, References: 2

ThreatPost
added 2014/03/27 11:14 a.m., 13 views

Data Breaches Show Difficulty of Defenders' Task

When attackers broke into the network of the University of Maryland last month, the university wasn’t sure how to react. The organization had never had a major security incident before, and this one qualified as major: 310,000 Social Security numbers and other information was gone. And then thr...

AI score: 6.9
Exploits: 0, References: 2

ThreatPost
added 2014/03/26 12:4 p.m., 11 views

NSA Surveillance Reform Demonstrate Need for Public Scrutiny

The Snowden leaks and the ensuing critical spotlight shone on the National Security Agency’s surveillance programs have nudged many technologists, privacy hounds and politicians away from their desks and onto the front lines calling for reforms. Two nights ago, the New York Times reported that...

AI score: 6.9
Exploits: 0, References: 3

ThreatPost
added 2014/03/26 11:14 a.m., 6 views

GUI Bugs Expose Information Disclosure, Privilege Escalation

Developers are creating countless information disclosure and privilege escalation vulnerabilities by misusing elements of various graphical user interfaces as a mechanism for access control, according to a new research paper from the Northeastern University College of Computer and Information...

Exploits: 0

ThreatPost
added 2014/03/26 11:3 a.m., 8 views

Security the Facebook Way

Protecting the internal network as well as the users of Facebook is an unenviable task. Facebook users constantly are the target of all manner of phishing, malware and other attacks, and the company’s own network is a major prize for attackers, as well. To help better defend those assets,...

Exploits: 0, References: 3

ThreatPost
added 2014/03/26 8:10 a.m., 7 views

Full Disclosure List Rises From the Ashes For Fresh Start

When the Full Disclosure mailing list closed down last week, many in the security community wondered what, if anything, would fill the void. As it turns out, Full Disclosure will fill that void. John Cartwright, one of the creators of the list, announced on March 19 that he was shutting it down...

AI score: 6.9
Exploits: 0, References: 6

ThreatPost
added 2014/03/25 4:4 p.m., 161 views

Malaysia Airlines Flight 370 spear phishing emails spotted

Hold off on the notion that watering hole attacks may supplant phishing as the initial means of compromise in advanced attacks. A number of recent targeted campaigns have used the crash of Malaysia Airlines 370 as a lure to infect government officials in the U.S. and Asia-Pacific. FireEye today...

CVSS: 9.3, AI score: 0.8, EPSS: 0.9999
Exploits: 12, References: 7

ThreatPost
added 2014/03/25 2:52 p.m., 5 views

Basecamp Back Online After DDoS, Extortion

The project management console Basecamp is back online and its developers are in the process of restoring customers’ network access Tuesday after the service was taken down by a distributed denial-of-service (DDoS) attack Monday. The attack started at 8:46 a.m. CST yesterday and flooded the site wi...

AI score: 0.1
Exploits: 0, References: 3

ThreatPost
added 2014/03/25 1:45 p.m., 10 views

White House Proposal Would End NSA Metadata Program

Privacy advocates are cautiously applauding the reports that the Obama administration will unveil a legislative proposal to end the National Security Agency’s collection of Americans’ bulk phone records, but are concerned what the fine print on that proposal might hold. “Given all the various way...

AI score: 7
Exploits: 0, References: 4

ThreatPost
added 2014/03/25 11:5 a.m., 10 views

Word Zero Day Attacks Use Complex Chain of Exploits

The exploit that attackers are using to target a zero day vulnerability in Microsoft Word relies on a complex series of pieces, including an ASLR bypass, ROP techniques and shellcode with several layers of tools designed to detect and defeat analysis. Microsoft officials said the exploit is being...

AI score: 0.2
Exploits: 0, References: 3

ThreatPost
added 2014/03/24 3:22 p.m., 10 views

Hootsuite Recovers from Denial of Service Attack

Social media management system Hootsuite recovered rapidly from a denial of service (DoS) attack late last week, bouncing back after being offline for a few hours Thursday morning. During that time, starting around 9:45 a.m. EST., users of the site were unable to use the service after a malicious...

AI score: 1.2
Exploits: 0, References: 3

ThreatPost
added 2014/03/24 3:20 p.m., 57 views

Microsoft Advisory Warns of Word Zero-Day Attacks

Targeted attacks have been spotted against a zero-day vulnerability in Microsoft Word 2010, leading Microsoft to issue a special security advisory and produce a Fix-it solution for users until a patch is ready. Microsoft also said that its Enhanced Mitigation Experience Toolkit (EMET) is a temporar...

CVSS: 9.3, AI score: 0.7, EPSS: 0.99945
Exploits: 33, References: 6

ThreatPost
added 2014/03/24 3:18 p.m., 11 views

Advocates Seek 'Smart Regulation' of Surveillance Technology

The long shadow cast by the use of surveillance technology and so-called lawful intercept tools has spread across much of the globe and has sparked a renewed push in some quarters for restrictions on the export of these systems. Politicians and policy analysts, discussing the issue in a panel...

AI score: 0.2
Exploits: 0, References: 1

ThreatPost
added 2014/03/24 12:55 p.m., 80 views

Microsoft Reads User Email without Warrant

Late last week it emerged that Microsoft had searched through the contents of a French blogger’s Hotmail account in order to track down the source of a leak of proprietary information from the Redmond, Wash., tech giant. The Electronic Frontier Foundation and transparency advocates have expressed...

CVSS: 9.3, AI score: 8.3, EPSS: 0.99945
Exploits: 33, References: 3

ThreatPost
added 2014/03/24 11:51 a.m., 19 views

Time Warner Cable Publishes First Transparency Report

Time Warner Cable has joined a half-dozen telecommunications and technology companies that, in the past six months, have published their first transparency report on government and law enforcement requests for user data and content. Since the Edward Snowden leaks began last June, transparency...

AI score: 6.8
Exploits: 0, References: 3

ThreatPost
added 2014/03/24 10:37 a.m., 23 views

WhiteHat Releases Aviator Browser for Windows

The privacy and anonymity of users’ online communications has been at the forefront of many discussions in the tech community and the general public in the last year as more and more information has leaked out about the NSA’s methods and how the agency collects vast amounts of user data. Keeping...

AI score: 1.6
Exploits: 0, References: 3

ThreatPost
added 2014/03/21 3:19 p.m., 14 views

Malware Attacks Against Linux 2.6 Websites

The risks presented by unsupported operating systems are being called out in a large-scale attack on hundreds of websites. Hackers have hit web servers running a version of the Linux 2.6 kernel released seven years ago. The result is a multistage attack where compromised websites are spiked with...

Exploits: 0, References: 3

ThreatPost
added 2014/03/21 1:27 p.m., 11 views

NSA Targets Sys Admins to Access Networks

The latest set of Snowden documents reveal details on perhaps the biggest no-brainer from the National Security Agency’s point of view during these nine months of leaks: the targeting of system administrators. Classified presentations, documents and notes portray the NSA as confident and...

Exploits: 0, References: 3

ThreatPost
added 2014/03/21 12:15 p.m., 8 views

Cisco Patches AsyncOS Code Execution Vulnerability

Cisco fixed serious vulnerabilities this week in its email and content security management products that could have let an attacker execute code with the privileges of the root user. The company pushed a fix for its AsyncOS Software in both its Email Security Appliance (ESA) and the Content Securit...

AI score: 1.8
Exploits: 0, References: 1

ThreatPost
added 2014/03/21 11:43 a.m., 16 views

ICS Vulnerabilities Affect Critical Infrastructure Security

Industrial control systems manufacturer, Siemens, has released new versions of its SIMATIC S7-1200 CPU family, resolving six security vulnerabilities in that product, and its SIMATIC S7-1200 PLC (programmable logic controller), resolving an additional two vulnerabilities there. These patches are...

AI score: 0.7
Exploits: 0, References: 5

ThreatPost
added 2014/03/20 4:3 p.m., 10 views

Comcast Transparency Report

Another day, another transparency report from a company trying to put some distance between itself and the United States’ broad surveillance apparatus. Today’s report comes from Comcast, the largest Internet service provider in the U.S., who “takes customer privacy very seriously, and holds it in...

AI score: 0.1
Exploits: 0, References: 1

ThreatPost
added 2014/03/20 3:58 p.m., 9 views

EA Games Site Hacked to Steal Apple IDs

Hackers were able to compromise a server belonging to Electronic Arts Games this week and rig one of its websites to resemble an Apple log-in page to dole out phishing attacks. U.K.-based security firm Netcraft discovered the hacked site on Tuesday and informed EA, which blocked it on Wednesday...

AI score: 0.3
Exploits: 0, References: 3

ThreatPost
added 2014/03/20 3:57 p.m., 35 views

Bitcoin Transaction Malleability Flaw Resolved

The so-called transaction malleability software issue blamed for the dissolution of Bitcoin exchange Mt. Gox has been patched. Also, the Bitcoin-QT reference client was also rebranded to Bitcoin Core, in order to clear confusion users might have had between the Bitcoin network and software. Bitco...

AI score: 0.5
Exploits: 0, References: 5

ThreatPost
added 2014/03/20 1:56 p.m., 12 views

Google Encrypts All Gmail Connections

Perhaps no company has been as vocal with its feelings about the revelations about the NSA’s collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users’ sessions. The...

AI score: 0.1
Exploits: 0, References: 5

ThreatPost
added 2014/03/20 1:50 p.m., 7 views

Malicious iOS Tor Browser in Apple App Store

An iOS Tor Browser hosted for download on Apple’s notoriously restrictive App Store is reportedly a fake. Worse yet, not only is the application said to be illegitimate, but also allegedly malicious. According to a support ticket opened by a Tor Project volunteer operating under the handle Phobos...

AI score: 0.5
Exploits: 0, References: 3

ThreatPost
added 2014/03/20 12:34 p.m., 15 views

Android PMS Privilege Escalation Vulnerabilities Found

The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks. Researchers from Indiana University and Microsoft publishe...

AI score: 1.1
Exploits: 0, References: 1

ThreatPost
added 2014/03/20 11:12 a.m., 4 views

New Zorenium Bot Boasts Ability to Run on iOS

UPDATE–The iOS platform has been remarkably resistant to malware infections over the years and attackers interested in mobile devices mainly have focused their efforts on Android. But the developer of a little-known bot that has the ability to run on Linux and Windows machines now has a version...

AI score: 1.5
Exploits: 0, References: 5

ThreatPost
added 2014/03/20 6:45 a.m., 14 views

Firefox 28 Patches Four Pwn2Own Zero-Day Vulnerabilities

The Firefox web browser took a beating during last week’s Pwn2Own contest with researchers bringing four zero-day vulnerabilities and exploits to the table, walking away with a collective $200,000 in prize money in the process. Yesterday, Mozilla capped all four bugs among 18 security advisories...

AI score: 2
Exploits: 0, References: 6

ThreatPost
added 2014/03/19 3:27 p.m., 9 views

Research Finds MAC Address Hashing Not a Fix for Privacy Problems

UPDATE–Cryptographic algorithms and hash functions are designed to be resistant to a variety of attacks, but one of the things that they can’t defend against is time. Time and the inevitable advancement of technology have turned out to be the greatest enemies of cryptography, and a quick research...

AI score: 7.2
Exploits: 0, References: 5

ThreatPost
added 2014/03/19 12:58 p.m., 6 views

NSA RETRO Tool Collects Content of Phone Calls

The latest in the slow but steady trickle of leaks dripping out of NSA whistleblower Edward Snowden reportedly shows that the U.S. spying agency has the capacity to recall entire foreign phone call conversations for as long as a month after the fact. The program, according to a Washington Post repor...

AI score: 0.5
Exploits: 0, References: 4

ThreatPost
added 2014/03/19 12:12 p.m., 67 views

Exploits for Two-Year-Old PHP Security Vulnerability Found

Close to two years ago, a serious vulnerability in PHP was accidentally disclosed after it was discovered months prior during a hacking contest. A patch was released in relatively short order, and one would assume that given PHP’s prevalence as a web development framework, the fix would have been...

CVSS: 7.5, AI score: 10, EPSS: 0.99998
Exploits: 41, References: 3

ThreatPost
added 2014/03/19 11:0 a.m., 11 views

Full Disclosure Security Mailing List Shuts Down

The Full Disclosure security mailing list, which has been one of the main discussion forums for vulnerability and exploit information for 12 years, is shutting down because “‘one of our own’ would undermine the efforts of the last 12 years”, one of the creators said. John Cartwright, one of the...

AI score: 7.3
Exploits: 0, References: 3

ThreatPost
added 2014/03/18 5:10 p.m., 9 views

Windows Spy Tool Also Monitors Android Devices

Researchers have discovered that a commercial Windows-based spy program now comes equipped with capabilities for spying on Android devices as well. GimmeRAT, a secondary component of Win-Spy, was spotted during an investigation into a targeted attack against a financial institution in the United...

AI score: 0.3
Exploits: 0, References: 1

ThreatPost
added 2014/03/18 4:1 p.m., 7 views

Sally Beauty Supply Acknowledges Breach of 25K

Twelve days after acknowledging that someone attempted to breach its system, Sally Beauty Supply confirmed this week that an attacker was able to penetrate the company and make off with fewer than 25,000 records of its customers’ sensitive banking information. The chain’s parent company Sally...

AI score: 0.8
Exploits: 0, References: 5

ThreatPost
added 2014/03/18 12:59 p.m., 12 views

Gap Widens Between Attackers, BIOS Forensics, Research

Vendors have made important strides in locking down operating systems, patching memory-related vulnerabilities and other bugs that could lead to remote code execution or give hackers a stealthy presence on a machine. As the hurdles get higher for the bad guys, the better ones will certainly look...

Exploits: 0, References: 2

ThreatPost
added 2014/03/18 12:51 p.m., 39 views

Apache Update Resolves Security Vulnerabilities

Apache has released version 2.4.9 of its ubiquitous HTTP web server (HTTPD), resolving two security vulnerabilities and a number of other bugs in the process. The Apache Software Foundation is recommending HTTPD 2.4.9 over all previous versions. The first patch fixes CVE-2014-0098. It aims to...

CVSS: 5, AI score: 1.1, EPSS: 0.26831
Exploits: 2, References: 3

ThreatPost
added 2014/03/18 11:4 a.m., 10 views

Threatglass Tool Gives Deep Look Inside Compromised Sites

Trying to enumerate the compromised sites on the Internet is a Sisyphean task. Luckily, it’s not a task that anyone really needs to perform any longer, especially now that Barracuda Labs has released its new Threatglass tool, a Web-based frontend that allows users to query a massive database of...

AI score: 6.9
Exploits: 0, References: 2

ThreatPost
added 2014/03/17 2:42 p.m., 11 views

Browser Bugs, BIOS and Brokers dominate CanSecWest, Pwn2Own

Browsers, brokers and BIOS: you could safely call that triumvirate the past, present and future of security, but you’d be wrong. If last week’s CanSecWest conference, and Pwn2Own and Pwnium contests are indeed a point-in-time snapshot of the technical side of information security, then after last...

Exploits: 0, References: 7

ThreatPost
added 2014/03/17 11:24 a.m., 43 views

Google Patches Four Pwn2Own Bugs in Chrome 33

Now that the dust has settled after the Pwn2Own contest, the browser manufacturers are beginning to roll out patches for the vulnerabilities exploited by contestants. Google on Monday released fixes for a number of bugs in Chrome discovered and exploited during Pwn2Own, releasing new versions of...

CVSS: 7.5, AI score: 0.4, EPSS: 0.05807
Exploits: 4, References: 8

ThreatPost
added 2014/03/17 10:35 a.m., 15 views

Former Church Committee Members See Need for New Group to Investigate NSA

In a letter sent to President Obama and members of Congress, former members and staff of the Church Committee on intelligence said that the revelations of the NSA activities have caused “a crisis of public confidence” and encouraged the formation of a new committee to undertake “significant and...

AI score: 0.3
Exploits: 0, References: 3

ThreatPost
added 2014/03/14 3:5 p.m., 10 views

Is It Time for Certified ICS Security Specialists?

The information security field is full of certifications – CompTIA, GIAC, CHE, ISC2 CISSP, CISM, with a vast number of areas and directions within these families. In the industrial space, the most “unsecured” enterprise sector compared to well-established information security practice in most...

AI score: 0.2
Exploits: 0, References: 7

ThreatPost
added 2014/03/14 2:23 p.m., 7 views

SCADA Vulnerabilities Identified in Power, Petrochemical Plants

More than 7,600 different power, chemical and petrochemical plants may still be vulnerable to a handful of SCADA vulnerabilities made public this week. A researcher at Rapid 7, the Boston-based firm responsible for the popular pen testing software Metasploit, and an independent security researche...

AI score: 2.5
Exploits: 0, References: 4

ThreatPost
added 2014/03/14 11:55 a.m., 7 views

Dennis Fisher and Mike Mimoso Discuss CanSecWest and Pwn2Own

Dennis Fisher and Mike Mimoso talk about the news from the CanSecWest conference, the drama and melodrama at Pwn2Own and the bad year that RNGs have had. Download: digitalunderground148.mp3 Photo via mayanais‘ Flickr photostream, Creative Commons...

AI score: 3.3
Exploits: 0, References: 3

ThreatPost
added 2014/03/14 11:33 a.m., 12 views

The NSA and Mark Zuckerberg's Righteous Anger

Mark Zuckerberg is mad as hell, and he’s not going to take it anymore. Actually, he is going to take it, because we all are going to take it, at least for the foreseeable future. Zuckerberg is upset that the NSA is spying on his users, and even madder that the agency is allegedly using fake...

AI score: 0.4
Exploits: 0, References: 5

ThreatPost
added 2014/03/13 8:42 p.m., 12 views

China's Keen Team Topples Safari, Flash at Pwn2Own

VANCOUVER – One is the bug hunter, the other the exploit specialist. Fang Jiahong and Liang Chen represented the Keen Team at Pwn2Own on Thursday, starting off the second day of the annual exploit festival with a quick takedown of Apple’s Safari browser. They then wrapped up the contest with a...

AI score: 0.3
Exploits: 0

ThreatPost
added 2014/03/13 7:33 p.m., 72 views

IE 11 Stands Up to Pwn2Own Exploit Attempt

VANCOUVER – Successful exploits at the Pwn2Own contest get all the glitz, but the rarities are the exploits that fail. A group of four young South Korean hackers from ASRT, all of them well shy of their thirtieth birthdays, stood in proxy for Jung Hoon Lee. Lee was home fulfilling a military...

CVSS: 9.3, AI score: 8.7, EPSS: 0.99945
Exploits: 33

ThreatPost
added 2014/03/13 4:43 p.m., 12 views

NSA Denies Impersonating Facebook to Exploit Targets

The NSA on Thursday responded to media reports that it has been impersonating Facebook and other sites in order to compromise surveillance targets’ machines, saying that the agency “does not use its technical capabilities to impersonate U.S. company websites.” It is relatively rare for the NSA to...

AI score: 1.8
Exploits: 0, References: 3

Total number of security vulnerabilities: 15946