US-CERT Warns of More CryptoLocker Ransomware Infections
CryptoLocker is a devious evolution of now-familiar ransomware schemes in which the malware encrypts files it finds on a number of network resources and demands a ransom for the decryption key. US-CERT issued an advisory today warning businesses and consumers of the risks presented by CryptoLocke...
Vendor Customizations Lead to Android Security Issues
When Android phone manufacturers tweak devices and customize phones with special software, apps and code, it has a direct effect on the security of each device. In some cases, the changes made can account for more than 60 percent of vulnerabilities found in devices. That’s according to a paper “T...
Attacks on New Microsoft Zero Day Using Multi-Stage Malware
Attackers exploiting the Microsoft Windows and Office zero day revealed yesterday are using an exploit that includes a malicious RAR file as well as a fake Office document as the lure, and are installing a wide variety of malicious components on newly infected systems. The attacks seen thus far a...
Apple Says It Has 'Never Received an Order Under Section 215'
In a new report detailing the number and kind of requests for user information it’s gotten from various governments, Apple said it has never received a request for information under Section 215 of the USA PATRIOT Act and would likely fight one if it ever came. The company also disclosed that it ha...
Dragos Ruiu on the badBIOS Saga
Dennis Fisher talks with researcher Dragos Ruiu about his years-long struggle with a group of attackers who have infiltrated his network and are using malware that seems to resist all removal attempts and may have the ability to communicate using sound. Download: digitalunderground132.mp3 Dragos...
Mobile Android banking Trojan Svpeng Adds Phishing Know-How
An Android banking Trojan known as Svpeng has added phishing capabilities to its arsenal, and researchers have spotted it attacking Russian banking clients in what is perceived to be a dry run before it is adapted for other countries. “Typically, however, cybercriminals first test-run a technolog...
Microsoft Warns of Targeted Attacks on Windows 0-Day
Microsoft is warning users about targeted attacks against a new vulnerability in several versions of Windows and Office that could allow an attacker to take over a user’s machine. The bug, which is not yet patched, is being used as part of targeted attacks with malicious email attachments, mainly...
Twitter Underground for Phony Follower Accounts Thriving
Buying Twitter followers is standard practice for celebrities, politicians, startups, and even so-called social media experts who want to boost their online Q Score. So it shouldn’t be surprising that hackers have noticed this market opportunity and are building a formidable underground business...
Yahoo Formally Launches Bug Bounty Program
As promised, Yahoo formally kicked off its bug bounty program late last week, aiming to correct what many in the security industry viewed as a misstep after it handed out a paltry $12.50 credit to a researcher for discovering a cross-site scripting error. The company caught flak when in September...
NIST Reviews Crypto Standards Development
The National Institute for Standards and Technology has taken an important step toward repairing what the National Security Agency has allegedly fractured by initiating a review of its cryptographic standards development processes. NIST-sponsored algorithms are at the heart of numerous crypto...
Department of Energy Susceptible to Attack
An audit of the Department of Energy has shown that 29 new weaknesses emerged on the agency’s networks this year in addition to 10 existing ones that the DoE failed to fix after a 2012 audit. The audit, undertaken by the Office of Inspector General and the Office of Audits and Inspections, revealed...
Microsoft Changes Bug Bounty Program to Include Incident Responders, Forensics Specialists
Having found some initial success with its first foray into the bug bounty world, Microsoft is expanding the program to open up payments of up to $100,000 to incident response teams and forensics experts who come across active attacks in the wild that include new techniques that bypass exploit...
Apple Turns on BEAST Attack Mitigation by Default in Safari
Apple enabled a feature in its recent OS X Mavericks update that neutered the BEAST cryptographic attacks. BEAST is a two-year-old attack tool that exploits a vulnerability in TLS 1.0 and SSL 3.0 and could lead to an attacker stealing HTTPS cookies or hijacking browser sessions. Apple’s Safari...
How I Got Here: Katie Moussouris
Dennis Fisher talks with Katie Moussouris of Microsoft about her childhood exploits with Commodore 64 programming, ignoring her Barbies, growing up as a hacker, her days as a pen tester and the challenges of working on security at Microsoft. Download: 12moussouris.mp3 Microsoft image via Robert...
Tech Giants Plead for U.S. Surveillance Reforms
Giant technology companies have been vocal about the need for more transparency with regard to the national security requests for user data they receive. But until now, they’ve stayed out of the political fight to address government surveillance, in particular by the National Security Agency...
Windows XP End of Life a Security Milestone
Forget for a moment the impending cryptoapocalypse because of aging and/or subverted encryption standards and algorithms. Microsoft this week put out the word on the scourge that is Windows XP. The latest Microsoft Security Intelligence Report goes to great pains to encourage users to move off th...
Upatre Malware Infections on the Rise
Researchers from the Microsoft Malware Protection Center (MMPC) have seen a spike in Win/32.Upatre infections in recent months. The trojan compromises host machines through malicious email attachments and, once installed, moves to download different malware from its command and control server. The...
Gary McGraw on BSIMM-V and Software Security
Dennis Fisher talks with Gary McGraw of Cigital about the progress of the BSIMM software security measurement model and how development organizations are addressing the challenges of securing their software. Download: digitalunderground131.mp3...
How Dark Mail Plans to Build an Open, Secure Email Platform
The new Dark Mail Alliance formed this week by Lavabit and Silent Circle will offer an open platform for secure email that will use existing protocols and cloud storage as a way to evade surveillance. The new system, which should be available next year, is in some ways a throwback to the...
Hacker Posts Facebook Bug Details on Zuckerberg's Wall
Back in August, Khalil Shreateh, a Palestinian security researcher listing his job status as “unemployee” discovered a bug on Facebook, the world’s largest social network, that gave him the ability to post content on any other user’s timeline. He then did what any entrepreneurial young security...
EFF: Fifth Amendment Protects Against Compelled Decryption
With new leaks about the extent of U.S. government surveillance coming almost daily, one constant remains among all the deterrents to the NSA’s prying eyes: encryption technology works. As far as we know, the math behind encryption is solid, despite the specter of some unnamed breakthrough made b...
Google Chrome to Automatically Block Malicious Downloads
Google is planning to add a new feature to its Chrome browser that will block malicious downloads automatically, helping to prevent drive-by downloads and the kind of malware that rides along with supposedly legitimate software. The new addition to Chrome already is in the development queue,...
EU Petition Seeks to Restrict Export of 'Digital Arms'
A Dutch member of the European parliament is supporting a grass-roots effort to restrict the export of surveillance software such as FinFisher and others, which are used by some governments and law-enforcement agencies to monitor their citizens’ activities. The effort, dubbed Stop Digital Arms, i...
Metasploit Modules Available for Seven Open Source Packages
Open source projects with anywhere between 100,000 and 1 million downloads are pretty sizable endeavors, and with the code open for scrutiny, you would think bugs would be found and some sort of disclosure process would be in place. If a spate of recently discovered issues in seven popular softwa...
Lavabit, Silent Circle Form New Anti-Surveillance Dark Mail Alliance
As the stunning revelations about the NSA’s collection methods and capabilities continue to mount, two secure email providers that have shut down their services in recent months have formed a new alliance to develop and deploy a new secure email platform that will be resistant to surveillance and...
Mozilla Fixes 10 Vulnerabilities with Firefox 25
Mozilla released the 25th version of its mobile and desktop Firefox browser yesterday, fixing 10 vulnerabilities, five of them critical. The United States Computer Emergency Readiness Team (US-CERT) warned yesterday the vulnerabilities could let an attacker execute arbitrary code, bypass access...
HTTP Request Hijacking Attacks Threaten Mobile Apps
Thousands of mobile apps developed for the Apple iOS platform can be forced to display phony, even malicious content, because of a vulnerability that allows an attacker to redirect traffic to a third-party site and persistently serve content from that location. Researchers from Israeli mobile...
British Man Indicted for Hacking U.S. Government
The United States District Court in New Jersey is accusing British citizen Lauri Love, and others not named, of conspiring to and illegally accessing various government and military networks. The purpose of these attacks, prosecutors said, was to steal vast stores of personally identifiable and...
Researcher Finds Method to Insert Malicious Firmware Into Currency Validator
If espionage is the world’s second-oldest profession, counterfeiting may be in the running to be third on that list. People have been trying to forge currency for just about as long as currency has been circulating, and anti-counterfeiting methods have tried to keep pace with the state of the art...
NSA Director Alexander Denies Spying on Europeans
Intelligence officials appearing before the House Permanent Select Committee on Intelligence on Tuesday denied collecting the phone records of citizens in France, Spain and Italy, as recently reported by media outlets in those countries. “The assertions made by Le Monde of France, El Mundo of Spa...
New Injection Campaign Peddling Rogue Software Downloads
A mass injection campaign has surfaced over the last two weeks that’s already compromised at least 40,000 web pages worldwide and is tricking victims into downloading rogue, unwanted software to their computer. The campaign, dubbed GWload by researchers at Websense, relies on a Cost Per Action sc...
Major Companies Fall Victim to Social Engineering
The annual Social Engineering Capture the Flag contest held during DEF CON may seem on the surface to be just an opportunity for pen-testers and hackers to flex their pretexting muscles. But if you’re one of the 10 major technology, manufacturing and critical infrastructure organizations targeted...
Obama Administration to Review NSA Capabilities
President Barack Obama has initiated a review of the procedures and methods that the NSA uses to collect intelligence at home and overseas to ensure that the agency isn’t overstepping its bounds in phone and Internet data collection. The review comes at a time when Congress is set to consider...
New Bill Would End Mass Surveillance
UPDATE: Rep. Jim Sensenbrenner (R-Wisc.) is introducing a bill that would counteract many of the elements of the U.S. PATRIOT Act that enables the mass collection of data belonging to U.S. citizens. Sensenbrenner’s bill is called the USA FREEDOM Act, a quasi-acronym for Uniting and Strengthening...
Facebook Android Flaws Enable Any App to Get User's Access Tokens
A researcher has discovered serious vulnerabilities in the main Facebook and Facebook Messenger apps for Android that enable any other app on a device to access the user’s Facebook access token and take over her account. The same researcher also discovered a separate, similar flaw in the Facebook...
Google Retools reCAPTCHA Authentication System
Google announced a change to its reCAPTCHA authentication system late Friday wherein the company will begin creating different types of puzzles for different users, use numeric CAPTCHAs and move away from more obscure, hard-to-read distorted letters. CAPTCHAs are the series of distorted letter...
TrueCrypt Open Source License Audit Bringing Clarity
The list of objectors to the TrueCrypt open source license is a long one and includes some popular distributions such as Debian, Fedora—and by extension Red Hat. In fact, the wrangling over the TrueCrypt license dates back as far as 2006, long before there were serious inquiries as to the...
Crypto Party, Anti-Surveillance Rally in DC
WASHINGTON — Saturday marked the 12-year anniversary of the initial signing of the controversial USA PATRIOT Act, the anti-terrorism bill signed into law shortly after the terrorist attacks on Sept. 11, 2001, sections of which have allegedly given federal law enforcement the authority to...
Jeremiah Grossman on the Aviator Browser
Dennis Fisher talks with Jeremiah Grossman of WhiteHat Security about the company’s new Aviator browser, which employees have used for years, but the company just released as a public project. digitalunderground130.mp3...
LinkedIn Intro Data Can Be Spoofed, Leads to Phishing
LinkedIn stood up for its new Intro app for iOS by providing some high-level transparency into how it handles communication between devices and its network, and took time to call initial criticism of the app inaccurate and speculative. In the meantime, one security researcher posted details onlin...
Scan Shows 65% of ReadyNAS Boxes on Web Vulnerable to Critical Bug
It’s been known for some time now–several months, in fact–that there is a critical, remotely exploitable vulnerability in some of Netgear’s ReadyNAS storage boxes, and a patch has been available since July. However, many of the boxes exposed to the Web are still vulnerable, and a recent scan by H...
TrueCrypt Audit Endorsed by Development Team
UPDATE — The effort to audit TrueCrypt, the open source encryption tool, received an important endorsement in the last week when a member of its anonymous development team reached out to the organizers of IsTrueCryptAuditedYet? “He wrote us a friendly but formal letter stating that they were happ...
Netgear Routers Open to Remote Authentication Bypass, Command Injection
There is a vulnerability in some Netgear wireless routers that allows a remote attacker to completely compromise a device and gain root privileges. The bug is trivially exploitable and the researcher who discovered it has posted a proof-of-concept exploit. The vulnerability is a command-injection...
Cisco Fixes DoS, Remote Code Execution Bugs in Six Products
Telecommunications company Cisco rolled out three patches for multiple products yesterday, addressing vulnerabilities that could’ve led to a denial of service (DoS) attack or allowed an attacker to execute code and obtain sensitive information. Per usual, Cisco’s Product Security Incident Response...
LinkedIn Intro App a Man in the Middle Attack
This is one introduction you may not want to make. LinkedIn’s release of its Intro app yesterday for Apple iOS mobile devices raised more than a few eyebrows for behaviors that are causing security experts to worry. Intro is an integrated service that works hand-in-hand with the Apple Mail app...
Adobe Flash Player sandbox for Safari OS X Mavericks
Mac OS X Mavericks may have brought with it iBooks and Maps to the Apple desktop operating system, but for security conscious users, perhaps the thing most worth noting is the addition of sandbox protection for Adobe Flash Player for the Safari browser, announced yesterday by Adobe. “By providing...
EFF: Congress Has Opportunity to Stop Mass Surveillance
Since the leaks of NSA surveillance methods began in June, there has been a flurry of activity in Congress, with members scurrying to line up on either side of the issue, either defending the agency’s methods or condemning them. That mad scramble also has included the introduction of a number of...
DARPA Cyber Grand Challenge Offers $2M to Winners
The bug bounty continues to be turned on its ear. Microsoft began the wave of paying premium money for mitigation technologies via its Blue Hat prizes, and now DARPA has gone all-in to the tune of $2 million for the development of an automated network defense system that not only scans for and...
Report: UN Nuclear Regulator Infected with Malware
The United Nations’ nuclear regulatory body, the International Atomic Energy Agency (IAEA), announced yesterday that it found malicious software on a number of its machines, but that its networks have not been compromised. According to a Reuters report, the infected computers were housed in a commo...
Apple Patches Fix More Than 100 Vulnerabilities
While yesterday saw Apple refresh its iPad lineup and unveil its new operating system, Mavericks, it also saw the Cupertino conglomerate release a boatload of security updates. More than 100 issues were fixed across eight different products yesterday including updates for the company’s iTunes med...