Backdoor in Samsung Galaxy Devices Could Give Attackers Access
UPDATE – Samsung is contending claims last week that several of their Galaxy branded devices have a backdoor that could give an attacker “over-the-air remote control,” access to the phone’s file system and turn them into spying tools. Developers behind the Replicant project, a Cyanogen-based...
Energy Watering Hole Attack Used LightsOut Exploit Kit
A recent watering-hole attack targeted firms in the energy sector using a compromised site belonging to a law firm that works with energy companies and led victims to a separate site that used the LightsOut exploit kit to compromise their machines. The attack, which was active during late Februar...
Study Shows 'Metadata is Highly Sensitive'
The term metadata and the implications of its collection and analysis have been one of the key points in the debate surrounding the NSA’s broad surveillance programs over the last year. Legislators, policy makers and others continue to argue about whether metadata can actually reveal anything abo...
Charitable Prelude to Pwn2Own Not Without Its Critics
VANCOUVER – The prelude to the annual Pwn2Own contest between sponsor HP’s Zero Day Initiative and Pwnium contest sponsor Google produced not only zero-day exploits for Internet Explorer and Safari, but some skepticism about whether the exploits and details on the vulnerabilities were held for th...
Weak Early Random PRNG Threatens iOS 7 Kernel Mitigations
VANCOUVER – A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes. A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of...
Vupen Cashes in Four Times at Pwn2Own 2014
VANCOUVER – It’s become a familiar walk for Chaouki Bekrar. Year after year at the Pwn2Own contest, the controversial Vupen founder is scurried from a small room in the basement of the Sheraton hotel to a suite several floors above. It’s a short journey from where a string of zero-day exploits ar...
162,000 WordPress Sites Used in DDoS Attack
More than 162,000 “popular and clean” WordPress sites were recently used in a large-scale distributed denial of service attack (DDoS) that exploited the content management system’s pingback feature. While the WordPress team is aware of the issue it’s not expected to be patched as it’s a default...
Google Fixes Four High-Risk Flaws in Chrome Before Pwn2Own
Google has fixed several serious security vulnerabilities in Chrome 33, just ahead of the Pwn2Own hacking competition at CanSecWest this week, which surely will reveal several more new bugs in the browser. The company’s Chrome browser is always at the top of the target list for contestants in...
NTP Amplification DDoS Attacks Increasing
An ever-shrinking number of vulnerable network time protocol (NTP) servers are being used with customized distributed denial of service (DDoS) toolkits to perform increasingly potent NTP amplification attacks. According to the DDoS mitigation specialists at Prolexic, who issued a high alert DDoS atta...
Agent.btz Malware May Have Served as Starting Point for Red October, Turla
Researchers looking into the recently uncovered Turla, or Snake, cyber espionage campaign have discovered some similarities connecting it to older pieces of malware such as Agent.btz, the worm that several years ago infected U.S. military networks and eventually caused the Department of Defense t...
Joomla Fixes Critical SQL Injection Vulnerability
The open-source content management framework Joomla pushed out version 3.2.3 of its product last week, fixing a SQL injection zero-day vulnerability that could have let attackers steal information from databases or insert code into sites running the CMS. While little is being disclosed by Joomla,...
Microsoft Resolves IE Zero Day with Patch Tuesday Release
UPDATE: a previous version of this story mistakenly stated that Microsoft’s March patch Tuesday would be the last one providing support for Windows XP. Windows XP’s last patches will in fact be shipped with next month’s patch Tuesday release. Microsoft has finally pushed a fix for a stubborn and...
IE Zero Day Exploits Increase Just Before Patch
Attackers have increased their exploitation of an Internet Explorer zero day vulnerability (CVE-2014-0322) set to be fixed by Microsoft in its regularly scheduled patch Tuesday release later this afternoon. According to a Websense report, the exploit source code deployed in at least two incidents –...
The NSA, Snowden and the Internet's Offensive Future
Despite everything that has transpired in the last year, Edward Snowden sounded calm, reflective and in some ways wistful yesterday discussing the fallout and consequences of the multitude of NSA programs and methods he’s revealed. Snowden bemoaned the fact that the NSA specifically and the...
Apple iOS 7.1 Fixes More Than 20 Code-Execution Flaws
Apple has fixed a slew of vulnerabilities that could lead to code execution on the iPhone, along with a number of other security vulnerabilities in the latest version of its mobile operating system, iOS 7.1. The new release comes just a little more than two weeks after Apple released iOS 7.06 to...
Millions of Customer Records Leaked in Experian ID Theft Case
An ongoing investigative report has revealed that a man posing as a private investigator may have compromised millions of Americans’ personal and financial records from 2007 to 2013. The news is the latest fallout from last year’s discovery that Experian, one of the “big three” national credit...
Researcher Eric Filiol Withdraws CanSecWest Presentation
A presenter at this week’s CanSecWest security conference has withdrawn his scheduled talk for fear the information could be used to attack critical infrastructure worldwide. Eric Filiol, scientific director of the Operational Cryptology and Virology lab. CTO/CSO of the ESIEA in France, pulled hi...
Snowden: Surveillance Has Damaged Internet, U.S. Economy
The mass surveillance programs that he revealed through media leaks in the last year have not only compromised the privacy and security of Americans, but have damaged the country’s economy, Edward Snowden said in an interview Monday. Snowden, the former National Security Agency contractor who sto...
Pinterest Issues First Transparency Report
Pinterest, the social image-sharing site known predominately for wedding planning and recipe dissemination, released its first transparency report on Friday. While the government – unsurprisingly – makes few requests of this most bubbly of social networks, the report seems to carry a broader...
GnuTLS Bug Exposes Shortcomings in TLS Test Suites
Code audits are often ugly tasks and can sometimes find ugly things. Case in point: the GnuTLS goto bug. Chief architect and Red Hat engineer Nikos Mavrogiannopoulos initiated a code audit of the open source crypto library that eventually turned up last week’s critical bug. The bad code has been...
Microsoft Disclosed User Content in 10% of U.S. Law Enforcement Requests
Microsoft supplied user content in response to 10.8 percent of the law enforcement requests it received from United States agencies in the second half of 2013. The company got more than 5,600 requests from U.S. agencies in the last six months of the year, and in the vast majority of those–68...
Privacy Groups Seek to Halt Facebook Acquisition of WhatsApp
The appeal of WhatsApp, the cross-platform mobile messaging app recently acquired by Facebook for a stunning $19 billion price tag, was that it kept to its promise of not collecting user information that would be converted to ad revenue. The acquisition by Facebook, however, likely changes that...
HTTPS Traffic Attacks Leak Sensitive Personal Details
One thing that’s been made abundantly clear by mathematicians and cryptographers alike is that despite the NSA’s dragnet surveillance of phone calls and Internet traffic, the spy agency has not been able to crack the math holding up encryption technology. Those who wish to spy and steal on the...
Dexter, Project Hook Point of Sale Malware Still Prevalent
While the Target data breach may be in the rear view mirror, research this week shows it’s clear that many attackers are still using point of sale malware, namely Dexter and Project Hook, in active attacks. Researchers at Arbor Networks’ Security Engineering & Response Team (ASERT) looked at severa...
Microsoft to Patch IE 10 Zero Day March 2014 Patch Tuesday
Microsoft will patch a lingering zero-day vulnerability in Internet Explorer next Tuesday, one of five bulletins it will release as part of its March 2014 Patch Tuesday security updates. The IE 10 zero-day was disclosed close to a month ago when researchers at FireEye reported on Operation SnowMa...
Microsoft, Kaspersky Shed Light on Sefnit Tor Botnet
Alarm bells went off last August when spikes in Tor client downloads were traced to a large click-fraud and Bitcoin-mining botnet called Sefnit. The malware was using the popular anonymity network to communicate with hackers in order to transmit stolen data and receive additional commands. In...
Hacking Team Hosting in U.S.
Milan-based Hacking Team relies on servers in the United States and hosted by American companies to support its clients’ state-sponsored surveillance operations in some of the world’s most repressive regimes. Hacking Team is an Italian security firm that develops surveillance equipment and sells ...
Cisco Patches Authentication Flaw in Wireless Routers
There’s a serious security flaw in some of Cisco’s wireless routers that could allow a remote attacker to take complete control of the router. The bug is in a number of the Cisco small business routers, as well as a wireless VPN firewall. Cisco has released patches to fix the vulnerability in its...
Meetup.com Back Online After DDoS Attacks, Extortion
Social networking site Meetup.com is finally back online today, yet officials at the site are warning it could still face future outages following a series of sustained distributed denial of service attacks (DDoS) over the weekend. Meetup is a social networking portal that allows individuals with...
GnuTLS Goto Bug Different from Apple Goto Fail Bug
The similarities between the GnuTLS bug and Apple’s goto fail bug begin and end at their respective failure to verify TLS and SSL certificates. Otherwise, they’re neither siblings, nor distant cousins. The GnuTLS bug is very different, though like Apple’s infamous goto fail error, it will also...
Researchers Investing in EMET Bypasses More than Hackers
Exploits bypassing Microsoft’s Enhanced Mitigation Experience Toolkit, or EMET, are quickly becoming a parlor game for security researchers. With increasing frequency, white hats are poking holes in EMET, and to its credit, Microsoft has been quick to not only address those issues but challenge a...
GnuTLS certificate verification security vulnerability found
GnuTLS, an open source SSL and TLS implementation used in hundreds of software packages including Red Hat desktop and server products and all Debian and Ubuntu Linux distributions, is the latest crypto package to improperly verify digital certificates as authentic. The vulnerability, discovered a...
Institute for Electric Grid Cybersecurity Girds Utilities
Critical infrastructure policymakers are advocating the foundation of a new entity, the Institute for Electric Grid Cybersecurity, along with a new set of guidelines, to better protect the North American electric grid from cyber-attacks and determine how to respond if the grid is ever compromised...
Triple Handshake TLS Attacks Target Resumption, Renegotiation
A team of researchers has published a paper that explains a number of attacks against websites and Web-based applications running TLS. The researchers’ techniques do not exploit implementation errors, the most common attack vector against encryption securing online communication, instead focus on...
Google Fixes Nearly 20 Bugs in Chrome 33
Google has fixed 19 security flaws in its Chrome browser, including more than a dozen high-risk bugs. The company paid out $3,500 in rewards to security researchers who reported flaws. Two of the high-risk vulnerabilities fixed in Chrome 33 are use-after-free flaws, one in SVG images and the othe...
Verizon Updates 2013 Transparency Report With FISA Data
Verizon updated its transparency report yesterday, breaking down National Security Letter and Foreign Intelligence Surveillance Act (FISA) orders for the first and second halves of 2013. The telecommunications giant released its first transparency report in late January, responding to pressure from...
Cisco Grand Challenge to Fix Internet of Things Security
As seemingly every new gadget and electronic device is coming retrofitted with an Internet connection these days – appliances, cars and medical devices a few chief examples, the floodgates have opened ever wider for an alarming number of new attack vectors. The burgeoning evolution of “Internet o...
DNS SOHO Router Pharming Attack Takes 300,000 Routers
More than 300,000 small office and home office routers, most in Europe and Asia, were compromised in a campaign that started in mid-December, continuing a rash of security incidents involving home and small business networking equipment. Researchers at Team Cymru published a report today on the...
Schneider Electric Patches SCADA, ICS Security Vulnerabilities
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) last week issued advisories warning of serious vulnerabilities in Schneider Electric SCADA gear. Schneider Electric is a supplier of energy management control products that are used in a number of critical industries in North...
Apple Updates iOS Security Guide
Apple rarely offers anyone a glimpse inside its walled-off security garden. The last time it did was in the spring of 2012 when it released a detailed paper on the security of its iOS operating system for iPhones and iPads. The company also presented a much-anticipated if not anticlimactic...
Four Oracle Demantra Security Vulnerabilities Found
Oracle’s Demantra, part of the company’s Value Chain Planning suite of software, is fraught with vulnerabilities according to several bug disclosures issued over the weekend. Researchers at the London-based computer security firm Portcullis claim the application is plagued by four vulnerabiliti...
CloudFlare Issues Transparency Report
CloudFlare claims government requests for user data are affecting fewer than .017 percent of their two million global customers. The Web performance and security company yesterday issued the report in accordance with the Department of Justice’s new regulations for publishing information pertaining...
Fixing Trust Through Certificate Transparency
SAN FRANCISCO–The security of data being transmitted over the Web relies on a large number of moving parts, from the integrity of the machine sending the data, to the security of the browser, to the implementation of encryption, to the fragility of the certificate authority system. Experts have...
Government Surveillance Could Target Automated Updates
SAN FRANCISCO – As more Web-based services are encrypted, privacy advocates are concerned the next wave of aggressive surveillance activity could target automated update services that essentially provide Internet companies root access to machines. Chris Soghoian, principal technologist with the...
Lavabit Case May Be One of Many in Coming Years
SAN FRANCISCO–The Lavabit case, which saw the secure email provider’s owner shut the company down after being forced to hand over to the government the encryption key that protected his users’ data, may seem like an extreme reaction to a unique situation. But, experts say it’s likely that there...
Dennis Fisher and Mike Mimoso Discuss Day Two at the RSA Conference
Dennis Fisher and Mike Mimoso run down the news from day two of the RSA Conference, including the new FBI director’s speech and preview Trusty Con. Download: digitalunderground147.mp3...
RSA Conference Mobile App Vulnerable
The official mobile application for the ongoing RSA Conference contains a half-dozen security vulnerabilities, according to an analysis performed by researchers from the security service provider IOActive. IOActive chief technical officer Gunter Ollmann claims the most severe of the vulnerabiliti...
FBI Director James B. Comey RSA Conference Keynote
SAN FRANCISCO – Outgoing FBI Director Robert Mueller predicted to his successor James B. Comey that cybersecurity would dominate his 10-year tenure much the same way terrorism did Mueller’s. “After five months, he’s right,” Comey said today during his keynote address at RSA Conference 2014. Comey...
Google, Microsoft Privacy Officers Lobby for Transparency
SAN FRANCISCO – Privacy has been in a stranglehold for a long time. Some believe it’s a fleeting concept done irreparable harm by the Snowden revelations. Others believe it’s merely in a transition until the norms of Internet behavior are sorted out. The privacy chiefs of Google, Microsoft and...
iOS 7 Bug Could Allow Background Monitoring
It’s only been a few days since Apple fixed the nasty certificate-validation “goto fail” vulnerability in iOS and OSX and now word comes that another bug, one that could allow an attacker to monitor keystrokes on iOS 7 devices without the user being any the wiser, also exists. The problem...