Threat Modeling, Legos and Dancing Babies
SAN FRANCISCO–The concept of threat modeling has evolved quite a lot in the last few years, moving from an activity that massive software companies such as Microsoft and Google use to anticipate and defend against potential threats to their products to something that many smaller organizations...
Avaya to Patch one-X IP Phone Zero-Day Vulnerability
SAN FRANCISCO — Two zero-day vulnerabilities in Avaya’s latest one-X 9608 IP telephones have been discovered and are expected to be patched on Friday by the provider. Researcher Ang Cui, a Ph.D. candidate at Columbia University and chief scientist at Red Balloon Security, will demonstrate an...
Dennis Fisher and Mike Mimoso Discuss Day One at the RSA Conference 2014
Dennis Fisher and Mike Mimoso discuss the happenings on day one of the RSA Conference, including Art Coviello’s keynote and what makes the NSA mad. Download: digitalunderground146.mp3...
The NSA is 'Not Made of Magic'
SAN FRANCISCO–Of the small pool of people who have seen the Snowden documents, few, if any, are as technically savvy and knowledgeable about security and surveillance as Bruce Schneier. And after reading through stacks and stacks of them, Schneier says that yes, the NSA is extremely capable and...
Microsoft EMET 5.0 Technical Preview Released
SAN FRANCISCO – Enterprises beat up by wave after wave of Java exploits and calls to disable the platform may soon have some relief in sight. Microsoft’s free Enhanced Mitigation Experience Toolkit will soon have a new feature that allows users to configure where plug-ins, especially those target...
Apple Ships Critical OS X 10.9.2 Security Update
Apple today shipped a security update resolving a critical certificate-validation vulnerability in its OS X Mavericks operating system. Details of the bug, which exists in OS X version 10.9.1 and is resolved by version 10.9.2, emerged on Friday after the company patched essentially the same bug i...
Pony Botnet Steals $200,000, 700,000 Usernames, Passwords
Attackers leveraged a Pony botnet controller to not only siphon away a large batch of account credentials but also to make off with over $200,000 in Bitcoin and other virtual currencies over a four month span, according to researchers this week. It’s the second high profile instance of the Pony...
Experts Urge Conservatism on Crypto Standards
SAN FRANCISCO–Security people are, by nature, cautious and methodical, and that is even more true of cryptographers. And in the current environment, when new adversaries seem to emerge on a daily basis and cryptographic standards are under intense scrutiny, a panel of some of the biggest names in...
RSA Conference 2014: Art Coviello's RSA Keynote
SAN FRANCISCO – RSA Security executive chairman Art Coviello today at RSA Conference 2014 made his first public comments about the security company’s relationship with the National Security Agency, painting the landmark firm as a victim of the spy agency’s blurring of the lines between its...
After a Turbulent Year, Still Some Optimism in the Security World
SAN FRANCISCO–Despite all of the revelations and accusations and recriminations in the security industry in the last year, Microsoft’s Scott Charney said he is still optimistic about the industry’s ability to defend users. However, that optimism is tempered by concern about the threats those user...
TextSecure Provides Seamless Encryption for All Levels
TextSecure, the secure messaging app developed by the encrypted communication provider WhisperSystems, is no longer merely a private short messaging service (SMS) application. According to a blog post penned by WhisperSystems co-founder Moxie Marlinspike, TextSecure is now a private, asynchronous...
Ransomware Scam Plagued by Weak Crypto
A new piece of ransomware that emerged earlier this month is encrypting its victim’s files with an easily breakable cryptographic algorithm. BitCrypt, as it is known, purports to lock down files with 1024-bit RSA encryption but actually only deploys a much weaker 426-bit key. According to...
Bruce Schneier on Surveillance and Trust
Dennis Fisher talks with Bruce Schneier about the differences between bulk and targeted surveillance, the most concerning NSA revelations and making surveillance more expensive for intelligence agencies. Download: digitalunderground145.mp3...
Complete Microsoft EMET Bypass Developed
SAN FRANCISCO — Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott is scheduled to deliver a presentation this morning...
SSL Vulnerability Affects OSX Too
The certificate-validation vulnerability that Apple patched in iOS yesterday also affected Mac OS X up to 10.9.1, the current version. Several security researchers analyzed the patch and looked at the code in question in OS X and found that the same error exists there as in iOS. Researcher Adam...
Apple Fixes Certificate Validation Flaw in iOS
Apple on Friday quietly pushed out a security update to iOS that restores some certificate-validation checks that had apparently been missing from the operating system for an unspecified amount of time. Apple released iOS 7.06 on Friday and the only content in the update was a small security fix...
Dropbox Updates Privacy Policy in Response to Surveillance
The online storage service Dropbox has amended its privacy policy at least in part to better address increased concerns regarding how the service perceives, responds to, and handles government requests for user-data. The new government data requests principles come as part of broader and fairly...
Dennis Fisher and Mike Mimoso Preview RSA 2014
Dennis Fisher and Mike Mimoso preview next week’s RSA conference, discuss the sessions they’re looking forward to covering and what the fallout from the NSA controversy will be during the week...
Researchers Find SSL Problems With WhatsApp
The Facebook acquisition of mobile messaging service WhatsApp has captivated the tech world this week. Much of that has to do with the massive $19 billion price tag and, to a lesser extent, the incredibly fast rise of the company. But while analysts and customers have been examining the deal, som...
Tinder Patches Vulnerability That Exposed User Locations
Developers with the popular dating application Tinder have fixed a vulnerability that up until last year could’ve allowed users to track other users, thanks to a hole in the app’s API and some old fashioned trigonometry. Max Veytsman, a Toronto-based researcher with Include Security disclosed the...
University of Maryland Breach Exposes Social Security Numbers
Attackers breached a University of Maryland database containing more than 300,000 student, faculty, staff, and other affiliated records on Tuesday, according to an apology issued by the university’s president, Wallace D. Loh. While it is not clear exactly how many individuals are affected by the...
Google Fixes 28 Security Flaws in Chrome 33
Google Chrome 33 is out, and the new version of the browser includes fixes for 28 security vulnerabilities, including a number of high-severity bugs. The company paid out more than $13,000 in rewards to researchers who reported vulnerabilities that were fixed in this release. One of the...
Emergency Adobe Flash Update Handles Zero Day Under Attack
Adobe rushed out an unscheduled Flash Player update today to counter exploits of a zero-day vulnerability in the software. A number of national security, foreign policy and public policy websites are hosting exploits that redirect to espionage malware, including the Peter G. Peterson Institute fo...
Microsoft Ships IE 10 Zero Day Fix-It Tool
Microsoft last night released a Fix-It tool as a temporary mitigation for a zero-day vulnerability in Internet Explorer 10 being exploited by two hacker groups against the Veterans of Foreign Wars in the U.S. as well as a French aerospace manufacturer. IE 9 also contains the same use-after-free...
Internet Bug Bounty Pays $10k for Flash Vulnerability
The Internet Bug Bounty program, a cooperative effort among security experts and vendors, paid out its first $10,000 bounty this week for a serious Flash vulnerability. The flaw, which Adobe fixed in December, was a serious one that has been used in targeted attacks. Started in November, the...
Healthcare IT Security Practices Poor, Systems Compromised
A new report from the SANS Institute warns that the push to digitize all health care records, along with the emergence of HealthCare.gov and the general proliferation of electronic protected health information (ePHI) online, will only exacerbate the security problems faced by those that store sensiti...
Duo Security Finds Two-Factor Authentication Vulnerability
Hosted two-factor authentication firm Duo Security acknowledged late last week that it discovered a vulnerability in its WordPress plugin (duowordpress) that could allow a user to bypass two-factor authentication (2FA) on a multisite network. Jon Oberheide, one of Duo’s founders, stressed last...
Metasploit Module Targets Old Android Vulnerability
Android devices prior to version 4.2.1 of the operating system—70 percent of the phones and tablets in circulation—have been vulnerable to a serious and simple remote code execution vulnerability in the Android browser for more than 93 weeks. Metasploit recently added an exploit module that targe...
Cisco UCS Director Software Has Default Credentials Open to Attackers
Cisco’s UCS Director infrastructure management product contains a set of default credentials that any remote attacker can exploit to take complete control of any vulnerable machine. The flaw is in UCS Director versions 4.0.0.2 and below. The Cisco UCS Director software is designed to allow...
Windows Error Reporting Used to Find Advanced Exploits
Windows Error Reporting, also known as Dr. Watson reports, are Windows crash reports sent by default unencrypted to Microsoft, which uses them to fix bugs. The reports are rich with system data that Microsoft also uses to enhance user interaction with its products. Since, however, they are sent i...
Second Group Seen Using IE 10 Zero Day
There are at least two different groups running attacks exploiting the recently published zero day vulnerability in Internet Explorer 10, and researchers say one of the groups used the bug to impersonate a French aerospace manufacturer and compromise victims visiting the spoofed Web page. The...
Swiss Firm Digs Up 300,000+ Usernames/Passwords on Pastebin
More than 300,000 credentials, usernames and passwords, were posted on the clipboard website Pastebin.com in the year 2013 alone according to a recent analysis by a Swiss security firm. As part of an experiment to determine how big the hacking industry is, High-Tech Bridge, a company until now...
Microsoft Mitigation Bypass Bug Bounty Winner Yang Yu
Yang Yu is no stranger to writing mitigation bypasses for Microsoft Windows products. A year ago at the CanSecWest conference in Vancouver, the 35-year-old security researcher from Beijing did an extensive presentation on bypassing Address Space Layout Randomization (ASLR) and Data Execution...
Linksys Routers Vulnerable to Remote Access Vulnerability
Linksys routers sold to consumers as a home or small office networking box are vulnerable to a simple exploit that could give an attacker remote access to the router. The vulnerabilities are wormable, yet are unrelated to the Moon worm reported last week by the SANS Institute. Linksys, which was...
First AT&T Transparency Report Shows 2,000+ NSL Requests
AT&T, in its first transparency report, said that it received at least 2,000 National Security Letters and nearly 38,000 requests for location data on its subscribers in 2013. The new report from AT&T is the latest in a growing list of publications from telecom companies, Web providers and cell...
Researchers Find Serious Flaws in WeMo Home Automation Devices
UPDATE–There has been a joke going around the tech industry for years about refrigerators and other home appliances one day being connected to the Internet and being able to order more milk for you or allow you to turn off your lights remotely. That day is today, and those Internet-connected...
Kickstarter Compromised, User Data Stolen
Attackers broke into the network of Kickstarter, the crowdfunding platform, and stole a variety of user data, including usernames, addresses, email addresses and encrypted passwords. Company officials didn’t specify exactly how many users were affected and said that “no credit card data of any ki...
Microsoft Mitigation Bypass Bug Bounty Winner Yang Yu
Microsoft has paid out another $100,000 bounty as part of its Security Response Center’s bounty program. A researcher from Asia named Yang Yu was awarded the prize today for three mitigation bypass variants, Microsoft announced. “This payout reflects the fact that we learned something new that wi...
New IE Zero Day Found Targeting Military Intelligence
Attackers were able to compromise the U.S. Veterans of Foreign Wars’ website this week and serve up a previously unknown zero day exploit in Internet Explorer 10, and while motivation behind the campaign is still unclear, experts are speculating its aim was to procure military intelligence...
List of 8,000 FTP Credentials for Sale in Underground Forums
Hackers are targeting FTP upload sites with the hopes of redirecting victims to spam or even infecting webservers that rely on FTP applications for updates. Hold Security reported yesterday it had secured a list of credentials for close to 7,800 FTP sites being circulated in cybercrime forums. Th...
Moon Worm Spreading on Linksys Home and SMB Routers
A self-replicating worm is spreading among a number of different Linksys home and small business routers. Researchers at the SANS Institute reported the outbreak yesterday and have not been able to determine whether there is a malicious payload or if the worm connects to a command and control...
Phony SSL Certs Spoof Google, Facebook, GoDaddy, Others
Dozens of phony SSL certificates were discovered this week mocking legitimate certs from banks, e-commerce sites, ISPs and social networks. If a user stumbled over one of the bogus certificates on a mobile device it could put them at risk for a man-in-the-middle attack. Disguised as official...
400 Gbps NTP Amplification DDoS Attack Alarmingly Simple
The largest distributed denial of service attack on public record was reported this week, and with it came many alarming numbers, not only in the volume of traffic generated (400 Gbps at its peak), but in the number of Network Time Protocol servers involved (4,592 on 1,298 networks) as well as the...
BlackBerry Releases Guidelines to Deter Privacy-Infringing Apps
Aiming to shore up user security, BlackBerry this week released a new set of privacy guidelines it’s encouraging third-party app developers to follow to better protect their customers. The guidelines apply to customers’ personally identifiable information (PII), the bits of information that apps...
Cybersecurity Framework for U.S. Critical Infrastructure
Critical infrastructure operators have been delivered a cybersecurity framework by the U.S. government that paints broad strokes as to how to defend IT and SCADA networks in some of the country’s most sensitive industries such as energy, water and financial services. NIST today announced the...
Dropbox Publishes 2013 Transparency Report
Dropbox yesterday released a new set of principles that explain how it deals with government requests for customer data. The principles were a companion to its 2013 Transparency Report, which for the first time included National Security Letter requests made to the file hosting service. “We belie...
CoinThief Bitcoin Trojan Found on Popular Download Sites
Phony Bitcoin ticker apps hosted on popular sites Download.com and MacUpdate.com are fronts for the OSX/CoinThief Trojan, which was built to steal Bitcoin wallet credentials and keys, and to date has drained a small number of accounts. SecureMac lead developer Nicholas Ptacek said new variants of...
Facebook Fixes CSRF Vulnerability in Instagram
Until last week, some parts of the API that Instagram uses were vulnerable to a cross-site request forgery (CSRF) attack, something that could have put photos users thought were private out in the open. It took almost six months, but Facebook, the photo sharing application’s parent company, patched...
Grim Picture for Law Enforcement in Cyberspace
PUNTA CANA–The use of surveillance tactics by law enforcement in the performance of precisely targeted criminal investigations is still widely accepted and supported by much of the global public. The water gets murky and support evaporates altogether when allegations emerge that law enforcement...
February 2014 Microsoft Patch Tuesday Security Bulletins
The expected continued respite from deploying Internet Explorer patches was apparently a mirage as Microsoft changed course from last Thursday’s advance notification and added two more bulletins to the February 2014 Patch Tuesday security updates, including the first IE rollup of 2014. IE had...