Lucene search

15946 matches found

ThreatPost
added 2013/11/20 1:21 p.m., 16 views

Route-Injection Attacks Redirect Internet Traffic

Attackers are accessing routers running on the Border Gateway Protocol (BGP) and injecting additional hops that redirect large blocks of Internet traffic to locations where it can be monitored and even manipulated before being sent to its intended destination. Internet intelligence company Renesys...

0.3 AI score
Exploits: 0, References: 1
ThreatPost
added 2013/11/20 12:2 p.m., 6 views

Going Back to the Future in the Name of Better Security

NEW YORK–If Bill Cheswick had his way, the future of computing and computer security would look a lot like the distant past, with trusted platforms, small programs, applications that can’t affect the operating system and resistance to user mistakes. Cheswick, a former Bell Labs computer scientist...

7.4 AI score
Exploits: 0, References: 2
ThreatPost
added 2013/11/20 11:22 a.m., 21 views

Cupid Media Hacked, Plaintext Passwords Stolen

Hackers reportedly breached servers in January belonging to Cupid Media, a niche dating service with 30 million users, stealing more than 42 million unencrypted passwords and various other sensitive data. Cupid Media operates a variety of niche dating sites based on ethnicity, religion, physical...

1.6 AI score
Exploits: 0, References: 5
ThreatPost
added 2013/11/19 4:7 p.m., 41 views

JBoss AS Attacks Up Since Exploit Code Disclosed

Attackers are exploiting a two-year-old vulnerability in JBoss Application Servers that enables a hacker to remotely get a shell on a vulnerable webserver. The number of infections has surged since exploit code called pwn.jsp was publicly disclosed Oct. 4. Researchers at Imperva said that a numbe...

10 CVSS, 0.6 AI score, 0.79003 EPSS
Exploits: 5, References: 3
ThreatPost
added 2013/11/19 3:24 p.m., 37 views

Exploit Kit Adds Vector for Silverlight Vulnerability

Developers behind the Angler Exploit Kit have apparently added a new exploit over the last week that leverages a known vulnerability in Microsoft’s Silverlight browser framework. Silverlight, similar to Adobe Flash, is Microsoft’s plug-in for streaming media on browsers and is perhaps most known...

9.3 CVSS, 1.4 AI score, 0.99945 EPSS
Exploits: 41, References: 6
ThreatPost
added 2013/11/19 2:20 p.m., 11 views

Google Pays $17 Million to Settle Privacy Violations

Thirty-seven states are claiming a privacy victory against Google and will split a $17 million settlement from the search giant. Google, which generated $2.97 billion in online advertising revenue in the third quarter, was deliberately bypassing default privacy settings in Apple’s Safari browser ...

0.2 AI score
Exploits: 0, References: 3
ThreatPost
added 2013/11/19 12:17 p.m., 8 views

Google Broadens its Patch Rewards Program

Microsoft and Google appear to be the primary belligerents in an anti-arms race that pays security researchers to sniff out bugs on the Internet. Yesterday it was Google’s turn to proliferate the scope of its bug bounty program. More robust, high paying, and far reaching bug bounties are good new...

7.3 AI score
Exploits: 0, References: 4
ThreatPost
added 2013/11/18 4:6 p.m., 13 views

Google upgrades SSL certificates to 2048-bit RSA

Google announced today that it has completed the upgrade of all its SSL certificates to 2048-bit RSA or better, coming in more than a month ahead of schedule. “We have completed this process which will allow the industry to start removing trust from weaker 1024-bit keys next year,” Google securit...

0.2 AI score
Exploits: 0, References: 3
ThreatPost
added 2013/11/18 3:19 p.m., 15 views

vBulletin Zero Day Used to Hack MacRumors, vBulletin

A hacker group calling itself Inj3ct0r is taking responsibility for the compromise of more than 860,000 passwords at MacRumors.com as well as a separate attack on vBulletin.com, makers of the vBulletin software powering a number of high-profile forums including MacRumors and Ubuntu Forums. The...

7.6 AI score
Exploits: 0, References: 4
ThreatPost
added 2013/11/18 2:41 p.m., 8 views

Yahoo to Give Users Option for SSL on All Web Properties

Following months of criticism from security experts and privacy advocates for not deploying SSL across its Web offerings, Yahoo on Monday announced that it will be giving users the option to encrypt all of the data they exchange with the company by the end of the first quarter next year. The chan...

0.1 AI score
Exploits: 0, References: 3
ThreatPost
added 2013/11/18 11:32 a.m., 13 views

CryptoLocker Spam Campaign Targets Millions in UK

Tens of millions of online banking customers in the U.K. are the targets of a dangerous spam campaign enticing users to open an attachment containing the CryptoLocker ransomware. The U.K.’s National Crime Agency’s National Cyber Crime Unit posted an advisory late last week warning people to be...

0.6 AI score
Exploits: 0, References: 6
ThreatPost
added 2013/11/18 11:29 a.m., 11 views

Supreme Court Refuses to Consider EPIC Challenge to NSA Surveillance

The challenge to the NSA’s domestic surveillance program filed with the Supreme Court by the Electronic Privacy Information Center ended Monday, with the court refusing to consider the challenge at all. EPIC had filed the challenge directly with the Supreme Court rather than going through the low...

0.1 AI score
Exploits: 0, References: 3
ThreatPost
added 2013/11/18 10:26 a.m., 8 views

Microsoft and Google Collaborate on Effort to Clean Web of Child Abuse Images

Microsoft and Google are cooperating in an effort to make it much more difficult for child predators to find illegal images online by blocking search results for about 100,000 search terms. The companies also are collaborating on methods to better identify illegal abuse images and remove them mor...

7.2 AI score
Exploits: 0, References: 2
ThreatPost
added 2013/11/15 4:10 p.m., 8 views

VMware Patches Workstation, Player Vulnerabilities

VMware announced today it has patched a privilege escalation vulnerability in VMware Workstation. Workstation is the hypervisor software connecting multiple virtual machines on host hardware. Compromising a hypervisor would give an attacker remote control over a number of guest machines; the risk is...

1.6 AI score
Exploits: 0, References: 2
ThreatPost
added 2013/11/15 10:31 a.m., 17 views

Passive Security Community Turned Activist

Security people like to call themselves a community, but until June some might say its greatest community achievement is turning Twitter into its own private and contentious echo chamber. But since the Snowden leaks, there’s been a palpable change and a marked swell in stand-taking. Tweeters have...

0.1 AI score
Exploits: 0, References: 8
ThreatPost
added 2013/11/15 7:26 a.m., 16 views

Apple iOS 7.04 Fixes App Store Purchase Flaw

Apple has released a new fix for iOS 7–no, it doesn’t roll your phone back to iOS 6–that patches a vulnerability that enabled a user to make app or in-app purchases without needing to enter a password. The release of iOS 7.04 marks the third update of the iPhone operating system in the short time...

0.4 AI score
Exploits: 0, References: 4
ThreatPost
added 2013/11/15 6:3 a.m., 9 views

Surveillance Infrastructure Showing Signs of Decay

Buried underneath the ever-growing pile of information about the mass surveillance methods of the NSA is a small but significant undercurrent of change that’s being driven by the anger and resentment of the large tech companies that the agency has used as tools in its collection programs. The...

0.3 AI score
Exploits: 0, References: 5
ThreatPost
added 2013/11/14 4:54 p.m., 11 views

HTTP/2 Supports only HTTPS URIs

The head of the working group designing the next version of HTTP said the HTTP/2 protocol will work only with encrypted URIs. “I believe the best way that we can meet the goal of increasing use of TLS on the Web is to encourage its use by only using HTTP/2.0 with https:// URIs,” wrote Mark...

0.2 AI score
Exploits: 0, References: 2
ThreatPost
added 2013/11/14 4:2 p.m., 36 views

11 China APTs Linked by Central Arms Dealer Infrastructure

As targeted Chinese espionage campaigns are disclosed, it’s easy to get caught up in the immediate impact and details with regard to the compromised site or malware samples involved. It’s also simple to discount them as separate endeavors, one-off projects targeting the secrets held so precious b...

9.3 CVSS, 0.84971 EPSS
Exploits: 7, References: 2
ThreatPost
added 2013/11/14 10:55 a.m., 8 views

U.S. Government Requests for Google User Data Doubled Since 2010

In the first six months of this year, Google received seven wiretap orders from the United States government and complied with all of them. The company also received 207 pen register requests in the same period and complied with 89 percent of them, according to Google’s new transparency report. T...

0.6 AI score
Exploits: 0, References: 5
ThreatPost
added 2013/11/14 10:43 a.m., 8 views

Cracked.com Compromised, Serving Malware

The popular humor website Cracked.com reportedly hosted malware that infected the machines of its visitors over the weekend and may still be doing so, according to Barracuda Labs research. The malware proliferated via drive-by-downloads, and it is not known how many systems became infected as ...

0.7 AI score
Exploits: 0, References: 3
ThreatPost
added 2013/11/13 4:16 p.m., 10 views

Surveillance Transparency Act Would Limit NSA Spying

There have been countless hearings in both the House and Senate since the Snowden leaks began in June, and there seems to be no end in sight. The latest committee to get in on the action was the Senate Committee on the Judiciary’s Subcommittee on Privacy, Technology and the Law, which held a...

6.8 AI score
Exploits: 0, References: 2
ThreatPost
added 2013/11/13 2:44 p.m., 9 views

MacRumors Forums Hacked, Passwords Stolen

The hacker behind the MacRumors Forums breach said the attack was “friendly” and that none of the data accessed will be leaked. Editorial Director Arnold Kim confirmed to Threatpost that a post on the forums from the hacker is legitimate. Kim posted an advisory on the forum on Monday informing...

0.5 AI score
Exploits: 0, References: 3
ThreatPost
added 2013/11/13 2:21 p.m., 10 views

Stanford Metaphone Project Aims to Show Dangers of Metadata Collection

When the first NSA surveillance story broke in June, about the agency’s collection of phone metadata from Verizon, most people likely had never heard the word metadata before. Even some security and privacy experts weren’t sure what the term encompassed, and now a group of security researchers at...

6.7 AI score
Exploits: 0, References: 3
ThreatPost
added 2013/11/13 1:12 p.m., 7 views

Facebook Requires Password Resets Related to Adobe

The tentacles of the massive Adobe breach, called one of the worst in U.S. history by one security expert, have reached Facebook users, specifically those who used the same email and password combination for the social network as well as Adobe. A Facebook representative confirmed to Threatpost...

0.5 AI score
Exploits: 0, References: 4
ThreatPost
added 2013/11/13 10:33 a.m., 14 views

BlackBerry Patches Vulnerabilities in BlackBerry Link

BlackBerry addressed a pair of serious vulnerabilities yesterday in its BlackBerry Link product that enables users to sync content between a BlackBerry 10 device and a desktop or laptop. The vulnerability lies in the Peer Manager component of Link that provides remote file access, which according...

2.5 AI score
Exploits: 0, References: 1
ThreatPost
added 2013/11/13 10:28 a.m., 6 views

Surveillance Backdoors 'Contribute to Insecurity', Report Says

The existing state of affairs in which government agencies and intelligence services work to insert backdoors into various hardware, software and networks is not only a problem in terms of civil rights but also represents a serious security risk to most users and the Internet itself, a recent...

7.1 AI score
Exploits: 0, References: 4
ThreatPost
added 2013/11/12 5:1 p.m., 12 views

November 2013 Adobe Flash, ColdFusion security patches

Adobe patched two vulnerabilities in its ColdFusion web application server today, and also released a Flash Player update that patched a remote code execution bug in the software. A company spokesperson said none of the vulnerabilities are being exploited, nor are they related to the recent theft...

0.2 AI score
Exploits: 0, References: 6
ThreatPost
added 2013/11/12 4:14 p.m., 16 views

Automated Attack, Threat Intelligence Sharing Sought

BOSTON – If you’re looking for tangible information sharing success stories around attack intelligence, some might point to the prompt publishing of indicators of compromise (IOC) as an example. Security and forensics companies will publish MD5 hashes of malware, IP addresses involved in attacks,...

6.7 AI score
Exploits: 0
ThreatPost
added 2013/11/12 4:7 p.m., 143 views

Microsoft Warns Customers Away From RC4, SHA-1

The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said that it is now recommending to developers that...

9.3 CVSS, 0.2 AI score, 0.99945 EPSS
Exploits: 33, References: 3
ThreatPost
added 2013/11/12 3:51 p.m., 17 views

Zero Day Fixed in Microsoft November 2013 Patch Tuesday

Microsoft today issued eight bulletins addressing 19 separate vulnerabilities in its Windows operating system, Internet Explorer Web browser, Office, and other products. Microsoft gave three of the bulletins its highest “critical” rating, while the remaining five received the second-most-severe...

0.5 AI score
Exploits: 0, References: 4
ThreatPost
added 2013/11/12 1:17 p.m., 36 views

12 Flaws Fixed in Google Chrome

Google has fixed 12 security vulnerabilities in Chrome, including six high-risk bugs. The new version of the browser includes a number of fixes for bugs discovered by external researchers as well as by Google’s own internal security team. Two of the more serious vulnerabilities patched in Chrome...

10 CVSS, 1.3 AI score, 0.10117 EPSS
Exploits: 4, References: 20
ThreatPost
added 2013/11/12 10:34 a.m., 14 views

Bitcoin Selfish Miners

While researchers and academics are just at the beginning of the process of trying to judge the value of a recent paper on a vulnerability in the Bitcoin protocol, some are arguing that there is a smaller point that’s being missed in all of the back and forth: There is a problem with the...

0.6 AI score
Exploits: 0, References: 3
ThreatPost
added 2013/11/11 5:54 p.m., 78 views

IE Zero Day Patch Already in November Patch Tuesday Updates

Microsoft announced this afternoon that the zero-day vulnerability being exploited in a watering hole attack against an unnamed U.S.-based NGO website was already scheduled to be patched in a cumulative Internet Explorer update tomorrow. The zero-day was reported publicly on Friday by FireEye...

9.3 CVSS, 0.1 AI score, 0.99945 EPSS
Exploits: 33, References: 6
ThreatPost
added 2013/11/11 1:20 p.m., 10 views

OpenSSH Fixes Memory Corruption Bug With Update

The developers behind OpenSSH, the suite of connectivity tools that helps users encrypt traffic on Internet sessions, acknowledged and patched over the weekend that a memory corruption vulnerability exists in some builds of the main suite. If exploited, the vulnerability, which can be found in bo...

1.3 AI score
Exploits: 0, References: 4
ThreatPost
added 2013/11/11 11:53 a.m., 11 views

IE Zero Day Watering Hole Attack Injects Malware into Memory

Microsoft may be promising a relatively light Patch Tuesday release tomorrow, but that doesn’t mean its researchers and developers won’t have their hands full. Not only is Microsoft busy on a patch for the TIFF zero day vulnerability reported two weeks ago, but now another previously unreported...

7.6 AI score
Exploits: 0, References: 5
ThreatPost
added 2013/11/11 11:46 a.m., 8 views

D-Link Router Vulnerable to Reflected, Stored XSS

D-Link’s 2760N DSL-2760U-BN routers allegedly contain a number of stored and reflective cross-site scripting (XSS) vulnerabilities. Researcher Liad Mizrachi said he contacted D-Link to disclose the details of the bugs to them on six separate occasions – twice in August, twice in September, and once...

0.3 AI score
Exploits: 0, References: 2
ThreatPost
added 2013/11/08 2:12 p.m., 14 views

Bitcoin Researcher Says It's 'Folly' to Ignore New Attack

The author of a paper that describes a new attack on the Bitcoin protocol says that criticisms of the paper are misguided and that there are serious problems with Bitcoin that need to be addressed. Ermin Gun Sirer, a professor at Cornell, published the paper earlier this week along with his...

7.1 AI score
Exploits: 0, References: 1
ThreatPost
added 2013/11/08 1:19 p.m., 12 views

Millions Stolen in Bitcoin Heist

More trouble for Bitcoin this week after an Australian wallet service admitted that attackers broke into their systems and made off with more than $1.2 million worth of the digital crypto-currency. The theft comes on the coat-tails of a contentious research paper claiming that a...

0.7 AI score
Exploits: 0, References: 3
ThreatPost
added 2013/11/08 11:51 a.m., 10 views

Stealing PIN Codes With a Wink and a Nod

Security researchers have developed a number of different methods to steal or bypass the passcodes on most of the common mobile phone platforms, some of which rely on software bugs and others that are simple social engineering techniques. Now, a pair of researchers from the University of Cambridg...

7.5 AI score
Exploits: 0, References: 2
ThreatPost
added 2013/11/08 9:0 a.m., 10 views

Dennis Fisher and Mike Mimoso Discuss Bug Bounties, Bitcoin and the Apple Report

Dennis Fisher and Mike Mimoso talk about the major stories from the last couple of weeks, including the changes to the Microsoft bug bounty program, the new Internet bug bounty, the Apple transparency report and a new paper on a weakness in Bitcoin. Download: digitalunderground133.mp3...

6.7 AI score
Exploits: 0, References: 2
ThreatPost
added 2013/11/08 8:0 a.m., 10 views

Father-Daughter Hacking Team Finds Valuable Facebook Bug

The Wysopal name has been on vulnerability advisories for better than 20 years now, and it doesn’t look like that is going to end anytime soon. But the name on those advisories in the future may be Renee rather than Chris Wysopal. Chris, one of the founding members of the L0pht hacking collective...

7.1 AI score
Exploits: 0, References: 1
ThreatPost
added 2013/11/07 3:54 p.m., 9 views

Obamacare Website Denial-of-Service Tool Discovered

Arbor Networks’ Security Engineering and Response Team (ASERT) has discovered a denial-of-service tool specifically designed to target the U.S. government’s healthcare enrollment marketplace, Healthcare.gov. Healthcare.gov is established by the Affordable Care Act (ACA) in the United States, perhaps...

0.8 AI score
Exploits: 0, References: 2
ThreatPost
added 2013/11/07 3:20 p.m., 11 views

Microsoft Won't Patch TIFF Zero Day on Patch Tuesday

A patch for the Windows zero-day disclosed this week will not be ready in time for next week’s monthly Patch Tuesday release, Microsoft said today. The vulnerability in several Windows and Office versions is being exploited in targeted attacks against Windows XP systems running Office 2007. The...

0.6 AI score
Exploits: 0, References: 5
ThreatPost
added 2013/11/07 2:44 p.m., 11 views

Internet Bug Bounty Pays $5,000 for Severe Bugs

A bounty program begun by a bevy of industry heavyweights, including Microsoft and Facebook, will pay good money to white hats, researchers and even aspiring young hackers who find bugs in any of a dozen technologies central to the vitality and trustworthiness of the Internet. Dubbed the Internet...

7.7 AI score
Exploits: 0, References: 1
ThreatPost
added 2013/11/07 12:27 p.m., 12 views

TrueCrypt Audit Team Creates Technical Advisory Board

As the TrueCrypt audit chugs along toward a deterministic, clean build of the open-source encryption software and a palatable license, the organizers have brought prominent security and legal experts aboard as a technical advisory team. The experts will not only provide guidance on the current...

7.1 AI score
Exploits: 0, References: 4
ThreatPost
added 2013/11/07 10:46 a.m., 9 views

Questions Arise About Bitcoin Security Paper

In the wake of the publication of a new academic paper that says there is a fundamental flaw in the Bitcoin protocol that could allow a small cartel of participants to become powerful enough that it could take over the mining process and gather a disproportionate amount of the value in the system...

0.1 AI score
Exploits: 0, References: 4
ThreatPost
added 2013/11/06 4:0 p.m., 16 views

Super Micro IPMI zero-day vulnerabilities disclosed

Metasploit creator and Rapid7 CSO HD Moore today disclosed seven zero-day vulnerabilities in IPMI firmware from vendor Super Micro. The security issues were reported to the vendor in August, however the vendor, beyond acknowledging receipt of the vulnerabilities never communicated with Rapid7...

8.2 AI score
Exploits: 0, References: 3
ThreatPost
added 2013/11/06 3:11 p.m., 16 views

Cisco Fixes Blank Admin Password Flaw in TelePresence Product

Cisco has patched a number of vulnerabilities in several separate products, including a serious remote code execution flaw in its Wide Area Application Services Mobile software that could allow an attacker to take complete control of a vulnerable device. Cisco also has patched a vulnerability in...

1.9 AI score
Exploits: 0, References: 4
ThreatPost
added 2013/11/06 2:36 p.m., 9 views

Twitter Fixes Bug that Enabled Takeover of Any Account

Security researcher Henry Hoggard recently discovered a cross site request forgery (CSRF) vulnerability in Twitter’s “add a mobile device” feature, giving him the ability to read direct messages and tweet from any account. Hoggard, a security researcher at MWRInfosecurity, told Threatpost via email...

7.9 AI score
Exploits: 0, References: 2

Total number of security vulnerabilities: 15946