Hasbro Serving Drive-By Download Malware Attack

Hasbro.com, a leading toy and game distributor in the United States, is infected and serving malware to visitors of the site. Researchers at Barracuda Networks said the site remained infected as of this morning and Hasbro has not responded to an email from the security firm disclosing the issue...

Congressmen Call For DNI Clapper's Ouster

A group of six Congressmen have asked President Barack Obama to remove James Clapper as director of national intelligence as a result of his misstatements to Congress about the NSA’s dragnet data-collection programs. The group, led by Rep. Darrell Issa R-Calif., said that Clapper’s role as DNI “i...

Syrian Electronic Army Hits CNN, Microsoft

Just like it’s done time and time before, the Syrian Electronic Army SEA broke into yet another media outlet late last week, hacking a handful of social media accounts belonging to CNN, including seven Twitter accounts and two Facebook accounts. CNN admitted the accounts were compromised in a pos...

XtremeRAT Malware Used in Targeted Attacks Against Israel

Espionage malware used in attacks against Israel, as well as Syrian activists, in the last 18 months has been linked to a new attack against Israel’s Civil Administration, the country’s governing body in the West Bank. Researchers at Seculert reported today that samples of XtremeRAT, a...

Mozilla Fixes Filter Bypass Bug in Thunderbird

Mozilla has fixed a serious vulnerability in its Thunderbird email application that enables an attacker to bypass the filter in Thunderbird that prevents HTML tags from being used in messages. Exploiting the bug could give an attacker the ability to run code on a user’s machine. The vulnerability...

Michaels Data Breach Under Investigation

Officials at Michaels, the large craft and home goods retailer, are investigating a potential data breach that has apparently affected an unknown number of cards used in the chain’s stores in the last few weeks. The company has released very little detail about the compromise but said that it is...

Dennis Fisher and Mike Mimoso Discuss the Target Breach, SCADA Security and the NSA

Dennis Fisher and Mike Mimoso talk about the big security stories of the last couple of weeks, including the developments in the Target data breach, the president’s speech on NSA surveillance reforms and SCADA security woes...

Snapchat's CAPTCHA Hacked in 30 Minutes, 100 Line of Code

It was only going to be a matter of time before someone figured out a way past Snapchat’s new CAPTCHA verification method. Just one day after the photo sharing application announced its latest security measure, one researcher claimed Wednesday that he was able to hack it with as few as 100 lines ...

Crypto Pioneers Write Letter on NSA Surveillance to Obama

Perhaps the biggest condemnation of President Obama’s address last Friday announcing reforms to the NSA’s surveillance programs was his failure to mention any of the agency’s alleged involvement in subverting cryptography standards and the impact that has had on the trustworthiness of products...

Electric Cybersecurity Regulations Have Serial Problem

A class of SCADA vulnerabilities discussed at a recent conference is getting attention not only for the risks they pose to master control systems at electric utilities, but also for illuminating a dangerous gap in important critical infrastructure regulations. Researchers Adam Crain and Chris...

Neiman Marcus Says 1.1M Cards Compromised in Data Breach

The attackers who penetrated the Neiman Marcus network last year were on the network for at least three months and made off with credit and debit card data belonging to 1.1 million customers. The company said that the data breach was the result of a compromise that began in mid-July and ran until...

Google Pwnium 4 to Offer $2.7M in Prizes at CanSecWest

Building on the success of the last couple of years, Google plans to offer more than $2.7 million in potential rewards in the next iteration of its Pwnium hacking competition at this year’s CanSecWest conference in Vancouver. The company has run the contest in parallel with the older Pwn2Own...

Oversight Board Calls NSA Metadata Collection Illegal

Another independent review board investigating the National Security Agency’s collection of phone records metadata has come down hard on the program, calling it illegal, recommending the government end the program, and questioning its effectiveness in ferreting out terrorists. The Privacy and Civ...

Bluetooth Gas Pump Skimmer Scam Nets $2 Million

Thirteen men were indicted this week for allegedly using Bluetooth-enabled skimmers to steal more than $2 million from customers at gas stations across the Southern United States between 2012 and 2013. Documents released on Tuesday by the offices of Manhattan District Attorney Cyrus R. Vance, Jr...

Congress to Consider Critical Infrastructure Protection Bill

The National Cybersecurity and Critical Infrastructure Protection Act of 2013 would amend the Homeland Security Act of 2002 to better protect the country against potentially destructive cyber attacks targeting national utilities and other critical infrastructure systems. The House Subcommittee on...

Google Chrome Eavesdropping Exploit Published

The developer of the annyang speech recognition JavaScript library has published exploit code for a bug in Google’s Chrome browser that could allow a malicious website to eavesdrop using a computer’s microphone long after a visitor has left a website. The code disclosure is in response, said...

Facebook Pays $33,500 Bounty for Major Code Execution Flaw

Remote code execution bugs are the gold nuggets of security research. They’re the ones that researchers stay up all night looking for and they’re the kind of vulnerabilities that often are worth big money, whether it’s from a vulnerability broker, a government agency or a bug bounty program. For...

New Android Malware Steals Messages, Intercepts Calls

A new strain of Android malware has been spotted that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls without the device’s owner being any the wiser. Dubbed Android.HeHe, the malware has six variants according to a blog post yesterday b...

Small Number of Malicious Tor Exit Relays Snooping Traffic

A small number of Tor exit relays are misbehaving, conducting man-in-the-middle attacks and monitoring encrypted traffic from users of the anonymity network. Researchers from Karlstad University in Sweden published a paper this week examining the malicious behavior of some Tor exit relays and fou...

U.S. Oil, Gas Targeted by Espionage Malware Campaign

American gas and oil companies have been targeted by a hacking group with ties to the Russian Federation for close to 18 months, a new research report indicates. The attackers have leveraged watering hole attacks to infect users inside the critical infrastructure organizations to spread a remote...

Verizon Releases First Transparency Report, Says Government Requests INcreasing

After months of public calls from privacy advocates and security experts, Verizon on Wednesday released its first transparency report, revealing that it received more than 164,000 subpoenas and between 1,000 and 2,000 National Security Letters in 2013. The report, which covers Verizon’s landline,...

Chinese DNS Flaw Leads Web-Surfers to Anti-Censorship Firm

Much of the Internet was inaccessible to Chinese users for more than an hour yesterday after a domain name system error – believed by some to have been the result of a censorship error – led Web-surfers to a blank page hosted by an American technology company. While users were able to access...

XSS Filter Bypass Bug Found in Chrome and Safari

There is a bug in the anti-cross site scripting filter in Chrome and Safari that enables an attacker to bypass the filter in some cases and use an XSS flaw on a given site to compromise visitors’s machines. The vulnerability is fairly simple to exploit and a researcher has posted proof-of-concept...

WhatsApp Spam Campaing Leads to Banking Trojan

Spam emails promoting a non-existent PC version of the popular WhatsApp messaging service could be leading unsuspecting users to a malicious banking Trojan. The emails, written in Portuguese, trick the recipient into thinking they already have 11 pending friend invitations, according to Kaspersky...

Google Pulls Adware Extensions from Chrome Store

Two Chrome extensions went from legitimate browsing ad-ons to adware-spewing nuisances in the blink of a legitimate transaction. Google recently took action against the Add to Feedly and Tweet this Page extensions, removing both from the Chrome Store after they were sold to adware brokers and fou...

'Password' is No Longer the Worst Password

If you think you’re being clever by basing your password on the site you’re visiting or adding a zero to the end of 123456789, you’re not. A new list of the 25 worst passwords, culled from public dumps of passwords stolen in data breaches, shows that these are some of the least useful passwords y...

Cutwail-Like Wigon.PH_44 Trojan Sends Spam, Steals Data

A new spambot has been discovered that generates copious amounts of HTTP POST and GET requests in an attempt to disguise what it’s really up to and throw off the scent of detection capabilities. “In this case, it seems like it’s trying to hide impactful communication where there are actual payloa...

Starbucks Patches Vulnerable iOS App

Starbucks has patched a vulnerability in its iOS app that was found last week spilling user data, including usernames and passwords, by adding what it’s called an “additional safeguard measure” to protect its customers. While it’s a relatively quick turnaround for the company – it only took about...

The NSA, Obama and Straw Men

For the people expecting President Barack Obama to announce sweeping changes to the NSA’s surveillance programs, his speech on Friday likely was a major disappointment. Obama laid out some new controls and limits for some of the more controversial programs, specifically the phone metadata...

Android VPN Vulnerability Exposes Secure Data

A vulnerability in the Android mobile operating system could allow hackers to write applications that would bypass a secure virtual private network connection and redirect traffic in clear text to an attacker. Researchers from Israel’s Ben Gurion University claim that the vulnerability can be...

Patched Microsoft Office 365 XSS Vulnerability Disclosed

A researcher in the UK disclosed the details of a serious cross-site scripting vulnerability in Office 365 that would allow an attacker with a mailbox on Office 365 to gain administrator rights over the Microsoft Web-based application in an organization. An exploit in an enterprise environment...

EFF Activists, Journalists Hit By Targeted Malware Attack

Phishing and malware attacks are among the more democratic and populist threats on the Internet. You don’t have to stand in the crowd in order to be targeted; the attackers will get to you sooner or later. But while most malware campaigns are aimed at the masses, attackers often save their best...

Obama Orders NSA Bulk Metadata Surveillance Reforms

President Obama today announced reforms to the National Security Agency’s bulk metadata collection program under Section 215 of the PATRIOT Act, ordering a transition that would end the program as it exists today, and prohibit the government from storing and accessing the data without secret cour...

Target Attackers Took 11 GB of Data, Researchers Say

The attackers who infiltrated Target’s network several weeks ago and made off with 40 million credit and debit card numbers used a multi-stage attack, funneling their stolen data through an FTP server and then a VPS server in Russia. It took more than two weeks, but the attackers eventually...

Zero Day Vulnerability Patched in SCADA HMI Software

Malaysian SCADA software company Ecava released a patch yesterday for a zero-day vulnerability in its flagship human machine interface HMI that was publicly disclosed at a conference this week. The patch repairs a buffer overflow vulnerability in the company’s IntegraXor Web-based HMI software. H...

EE BrightBox Router Vulnerabilities Exposed

Leave it to a software test engineer to be thorough about his home networking gear. Scott Helme, an engineer in the U.K., likes to take a close look at traffic coming and going from new devices installed at his home. Recently, he signed up for fiber service from Everything Everywhere, an ISP in t...

Microsoft Security Essentials Support Continues Beyond XP

Microsoft announced yesterday that it plans to continue updating signatures on the antimalware engine it uses to protect Windows XP for more than a year beyond the date from which it plans to cut off support for the operating system. That means enterprises still running System Center Endpoint...

Privacy Advocates Anxious Ahead of Obama NSA Speech

It’s been more than seven months since Edward Snowden began feeding stolen NSA documents to reporters, and in that time, virtually everyone in Washington who could find a microphone or keyboard has voiced an opinion on the agency’s methods and Snowden’s actions. Everyone except President Barack...

DHS Warns of Schneider Electric ClearSCADA Vulnerability

The Department of Homeland Security is warning the maintainers of industrial control systems ICS about a remotely exploitable uncontrolled resource consumption vulnerability in Schneider Electric’s ClearSCADA software. Schneider Electric says that it has developed a new version of ClearSCADA that...

Model Predicts Optimal Timing of a Cyber Conflict

Security researchers from the Ford School of Public Policy at the University of Michigan have published a mathematical model they said will produce the proper timing for the delivery of offensive cyberweapons. Defenders can also make use of the model to understand attackers and when an targeted...

Starbucks Mobile App Vulnerability Puts Data At Risk

A vulnerability in Starbucks’ mobile app could be putting coffee drinkers’ information–including their usernames, email addresses and passwords–at risk. The problem stems from the way session.clslog, the Crashlytics log file, handles those credentials in the event of a crash. Within the file ther...

Cisco Fixes Three Bugs in Secure ACS Platform

Cisco has released patches for three vulnerabilities in its Secure Access Control System, including two flaws that could enable a remote attacker to take complete control of an affected system. Cisco’s Secure ACS is part of the company’s TrustSec solution, which the company says “supports the...

Twitter Forces HTTPS Connections to its API

UPDATE: As of yesterday, Twitter’s application programming interface API will only recognize traffic traveling via Transport Layer Security TLS or Secure Sockets Layer SSL. Any applications connecting to the API in plaintext will no longer work. There is a vast selection of third-party Twitter...

Oracle Patches 36 Java Flaws in January 2014 CPU

All has been relatively quiet of late on the Java security front, which is in stark contrast to a year ago when Java was the scourge of the Internet. Vulnerabilities in Java were being exploited at an alarming rate in a number of targeted attacks including watering hole attacks against prominent...

Private Messaging App Vendor Wickr Offers Hackers $100,000 for Bugs

Bug bounty programs, for the most part, have been the domain of large software vendors and Web companies such as Google, Mozilla, Microsoft, PayPal and Facebook. But some smaller companies are now getting involved, with the latest one to announce a bounty being Wickr, the maker of secure messagin...

Metadata Program 'Not Uniquely Valuable'

In a mostly friendly and non-confrontational hearing on Tuesday, members of the Senate Judiciary Committee spent a couple of hours talking to members of the White House-appointed NSA review board about the extent of the agency’s surveillance and the panel’s recommendations for reform. The hearing...

Adobe Updates Flash, Reader, Acrobat on Patch Tuesday

Adobe has issued security bulletins addressing five critical vulnerabilities in its Flash, Reader and Acrobat Players that could give attackers the ability to cause crashes and wrest control of affected machines. Adobe claims it is not aware of any in-the-wild exploits targeting these bugs...

Microsoft January 2014 Patch Tuesday Security Updates

Microsoft is entering softly into 2014 with a minimalist version of Patch Tuesday, which is likely to be a welcome reprieve. Windows shops can expect a busy re-tooling year ahead as Microsoft not only ends support—including security updates—for Windows XP, but also will restrict the use of MD5 in...

Google Blocks Malicious File Downloads Automatically in Chome

Google has fixed five vulnerabilities in its Chrome browser and also has activated a feature that will block malicious file downloads automatically. The change is a major security upgrade for Chrome and will help prevent users from unwittingly downloading harmful files, an attack vector that...

NTP Amplification Flaw To Blame For Gaming DDoS Attacks

US-CERT has issued an advisory that warns enterprises about distributed denial of service attacks flooding networks with massive amounts of UDP traffic using publicly available network time protocol NTP servers. Known as NTP amplification attacks, hackers are exploiting something known as the...