NIST Publishes Preliminary Cybersecurity Framework
Following an Executive Order issued by U.S. President Barack Obama in February of this year, the National Institute of Standards and Technology (NIST) yesterday made public a provisional copy of the government’s cybersecurity framework and says it will accept public comment on the draft for the nex...
ProSoft Technology RadioLinx ControlScape PRNG vulnerability
Industrial automation software used worldwide to create and configure wireless radios that connect devices in environments such as oil and gas is vulnerable to attack by a hacker armed with an antenna from as far as 30 miles away. Though the vulnerability in the ProSoft Technology RadioLinx...
Google, FireEye Demand Change from Vulna Ad Network
An Android ad library containing a maliciously potent cocktail of features and vulnerabilities is less of a danger to Android users today after Google and the ad network made a series of changes spurred by security firm FireEye’s insistence. Despite fixes from the ad network, updates implemented ...
Critical NETGEAR ReadyNAS Frontview security vulnerability
A popular NETGEAR network-attached storage product used primarily in medium-sized organizations has a gaping vulnerability that puts any data moving through a network in jeopardy. The flaw in ReadyNAS, specifically its Frontview front end, was patched via a firmware update three months ago. But...
Apache Fixes Information Disclosure Vuln in Shindig
The Apache Software Foundation released a new version of Shindig, a framework for Web applications yesterday, fixing what the collective has deemed an important information disclosure vulnerability. According to a post on Seclists.org by Ryan Baxter, an Apache Shindig committer, the problem affec...
Months Later, EAS Equipment Still Vulnerable to SSH Bugs
More than three months ago, a researcher from IOActive published details of some serious problems he’d found with equipment used to run the Emergency Alert System, which is used to send out notifications in the case of a natural disaster or other serious situation. The researcher notified the...
FBstalker Does Data Mining on Facebook Graph Search
Facebook’s Graph Search feature connects a lot of dots between friends on the social network—as well as between others who interact with your Facebook friends. Anyone with a keyboard has a nifty data mining tool at their fingertips that can bring up an intricate list of friends and acquaintances,...
Google Project Shield to Protect Sensitive Sites from DDoS Attacks
DDoS attacks have been a problem for nearly as long as the Internet has been a thing, but they’re difficult to visualize and understand on a practical level. A whole bunch of traffic is going to a Web site. So what? Now, Google and Arbor Networks are collaborating on a project that shows exactly...
Experian Sells Data to Identity Thieves
The credit bureau Experian appears to have sold an unknown amount of highly sensitive personal information to a Vietnamese national who maintained an online identity theft service, according to a long-running investigative report published by Krebs on Security reporter Brian Krebs. Experian, whic...
Snoopy Project mobile tracking and intelligence grows up
A year ago, the Snoopy Project was a neat research initiative that packaged a number of existing technologies into a framework to profile and track mobile devices. After a summer of Snowden revelations, something like Snoopy takes on a whole new meaning. Snoopy devices, called drones by researche...
Fake Dropbox Password Reset Spam Leads to Malware
A new spam campaign has been circulating over the last few weeks aiming to dupe users of the popular cloud storage service Dropbox. The e-mails purport to come from the service but instead lead those who click through to a malware landing page. Some of the emails start off fairly convincingly:...
Ransomware Now Accepting Bitcoin
A family of ransomware known as CryptoLocker has added the popular digital currency Bitcoin to the list of payment methods it accepts in exchange for the private key that will decrypt the files encrypted by the malware. According to a blogpost penned by AlienVault researcher Alberto Ortega, Bitco...
Simple Bug Exposed Verizon Wireless Users' SMS History
A security researcher discovered a simple vulnerability in Verizon Wireless’s Web-based customer portal that enabled anyone who knows a subscriber’s phone number to download that user’s SMS message history, including the numbers of the people he communicated with. The vulnerability, which has bee...
Dennis Fisher and Mike Mimoso Discuss Truecrypt, iMessage Security and More
Dennis Fisher and Mike Mimoso discuss the big stories of the last couple of weeks, including the grassroots effort to audit the TrueCrypt source code, the Apple iMessage security model and Yahoo enabling SSL by default. Download: digitalunderground129.mp3...
Apache Struts Update Patches Two Vulnerabilities
The group behind Apache have pushed out a new version of Struts, fixing two issues in the framework that were giving developers difficulties over the past several weeks. The Apache Software Foundation posted version 2.3.15.3 of the framework online Tuesday. The release fixes an access control...
/Dev/Random PRNG in Linux Questioned
The sanctity of the /dev/random random number generator used in the Linux kernel has been a hot-button issue for more than a month. A petition posted to change.org in September to remove RdRand from /dev/random, for example, was met with fury from Linus Torvalds who called the developer who posted ...
VMware Patches Flaws in ESX, vCenter
VMware has released a slew of patches that fix vulnerabilities in a number of its products, including vCenter Server, vCenter Server Appliance, vSphere Update Manager, ESX and ESXi. Some of the flaws can lead to authentication bypass or denial of service on affected products. The most serious...
TrueCrypt Audit to Answer Backdoor Question
The grassroots movement to audit TrueCrypt, the popular open source encryption tool, is gaining steam with tens of thousands of dollars already raised to fund the effort to not only professionally review the source code behind the tool, but also to legally review the custom license governing its...
Snapchat Complies with Govt., Sends Images to Law Enforcement
Snapchat cleared up any doubts users may have had about the privacy surrounding images sent back and forth on its photo messaging service when the company confirmed this week that it has shared some images with law enforcement. Snapchat, started in 2011, has gained popularity over the last year –...
Apple iMessage Open to Man in the Middle, Spoofing Attacks
The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users’ text messages–or decrypt them...
HTTPS, SSL Minimal Security, Privacy Standard for Email
Yahoo is being second-guessed more today than a mediocre baseball manager. Two days after announcing it would finally turn SSL on by default for its email users starting in January, the company is getting a halfhearted pat on the back from the security industry, which can’t help but ask: “What to...
DDoS Attacks, Attacks from Asia/Pacific Up in Q2
Three-quarters of the world’s attack traffic emanates from source IP addresses in Indonesia and China, according to Akamai’s latest quarterly State of the Internet report. The report is a deep dive into traffic trends crossing the Cambridge, Mass.-based company’s network during the second quarter...
SCADA, ICS Bugs Expose Critical Infrastructure to Attack
A trio of researchers have uncovered 25 security vulnerabilities in various supervisory control and data acquisition (SCADA) and industrial control system (ICS) protocols. The researchers, Adam Crain, Chris Sistrunk, and Adam Todorski–though Todorski has not yet been credited with finding any of the...
Lavabit Gives Users Chance to Recover Email Archives
Lavabit, the now-shuttered secure email provider that has become something of a rallying point for privacy advocates and security experts in the ongoing NSA surveillance saga, is giving its former users until Thursday night to change their passwords on the service. They will then have a short...
October 2013 Oracle Java Critical Patch Update
On Tuesday, for the first time, Java security updates were included with the quarterly Oracle Critical Patch Update – and just as quickly, Java wasted no time elevating itself as the top concern for Oracle admins and security experts. Of the 51 Java patches released, 50 allow for remote code...
Yahoo Turns on SSL by Default for Email Users
Yahoo, one of the last email holdouts to implement SSL by default, announced it will do so in January. The company has been criticized as one of the few remaining giant Internet companies for its delay in turning on encryption by default for its web-based email users. It will now do so on Jan. 8,...
Metasploit Registrar Duped by Social Engineering, Not Fax
The registrar for the Metasploit and Rapid7 websites, both of which were victims of a DNS hijacking attack on Friday, was not duped by a spoofed change request sent via fax as it originally reported. Instead, a Register.com employee likely fell victim to a social engineering scam that resulted in...
Google Fixes Three High-Risk Flaws in Chrome
There is a trio of high-risk security vulnerabilities in Google Chrome that have been patched in a new version of the browser released on Tuesday. The vulnerabilities all are use-after-free bugs, and Google paid a total of $5,000 in rewards to researchers who discovered and reported them. Google...
D-Link Planning to Patch Router Backdoor Bug
D-Link is in the process of developing a patch for a serious security vulnerability in some of its older routers that essentially functions as a backdoor. The bug, discovered by a security researcher and publicized over the weekend, enables a remote user to log into an affected router as an...
Lavabit Founder Refused to be FBI 'Listening Post'
Faced with the untenable decision of becoming what he called a “listening post” for the FBI, Lavabit founder Ladar Levison said he had an ethical obligation to his customers and the community to shut down the secure email service used by NSA whistleblower Edward Snowden. Levison, who this week...
Phony Fax Leads to Metasploit, Rapid7 DNS Hijacking
A pro-Palestine hacker collective went old-school in its takedown of the Metasploit and Rapid7 websites today. Metasploit creator HD Moore confirmed via Twitter that Metasploit.com was hacked via a spoofed DNS change request sent via fax to its registrar, Register.com. “Hacking like it’s 1964...
Facebook Privacy Feature Gone for Good
Late last year the world’s largest social network announced that it would begin removing a popular privacy feature that let users regulate whether other users could search for and locate their profiles with the Facebook search function. At the time of its initial announcement, the social networki...
Google Malaysia Site Hijacked
The Google domain for Malaysia was hijacked on Thursday night, redirecting visitors to a page that said a group called Madleets from Pakistan had performed the attack. The domain has been restored now, but the name servers for the domain had been changed to a pair controlled by the attackers...
WhatsApp Crypto Implementation Vulnerability Discovered
WhatsApp, a popular mobile messaging application, suffers from a crypto implementation vulnerability that leaves messages exposed. Thijs Alkemade, a computer science student at Utrecht University in The Netherlands who works on the open source Adium instant messaging project, disclosed a serious issu...
Cisco Patches 11 Vulnerabilities in FWSM, ASA Products
Cisco pushed out patches for two products this week, addressing a handful of vulnerabilities in its Firewall Services Module (FWSM) software and Adaptive Security Appliance (ASA) software. According to security updates posted on the company’s Advisory page yesterday, at least nine separate...
Microsoft Mitigation Bypass Bounty Winner James Forshaw
Give James Forshaw a good logic bug over a memory-corruption vulnerability any day of the week. The British researcher says he would rather manipulate weaknesses in code to climb out of an application sandbox than turn a fuzzer against a piece of software and spot a memory leak. But incentivized ...
Google to Pay Rewards For Patches to Open Source Projects
Google, one of the first companies to offer a significant bug bounty program, is extending its rewards to researchers and developers who contribute patches to a variety of open source projects and have an effect on the security of the project. The new rewards will range from $500 to $3,133.70, an...
Technologists Scrutinize Impact of Surveillance on Economy
If you’re looking for silver linings among the Snowden leaks and the breadth of the NSA’s surveillance activities, they could be found in two things: (1) the math upholding encryption technology is, as far as we know, solid; and (2) Tor apparently drives the U.S. spy agency batty. “I’m surprised,” sa...
Unexpected IE Zero Day Used in Banking, Gaming Attacks
This was a two-for-one deal that Windows administrators could have done without. Already expecting one patch for an Internet Explorer zero-day being actively exploited, admins got fixes for two zero days instead yesterday as part of Microsoft’s October 2013 Patch Tuesday security updates. The...
BlackBerry Fixes Remote Code Vulnerability in BES10
Microsoft and Adobe weren’t the only companies releasing security updates yesterday. BlackBerry piled on the patch parade with an update for its BlackBerry Enterprise Service 10 mobile device management product, fixing a remote code execution vulnerability. The problem lies in the Universal Devic...
October Patch Tuesday Fixes Critical IE Bugs, 28 Vulnerabilities
As expected, Microsoft began shipping its latest batch of Patch Tuesday patches earlier this afternoon. However, while it was heavily presumed the update would fix at least one Internet Explorer zero day, the update actually fixes two critical vulnerabilities in the browser. Eight bulletins — fou...
Researcher Takes Home $100k Prize From Microsoft For New Attack
One day after announcing that it had paid researchers $28,000 for reporting a number of vulnerabilities in Internet Explorer 11, Microsoft revealed that it has written a much bigger check–this one for $100,000–to a researcher who has discovered a new attack technique that bypasses all of the...
October 2013 Adobe Patches Unrelated to Adobe Hack, Breach
Adobe, still reeling from the public disclosure of a massive breach of source code and customer information, released two security advisories today patching vulnerabilities unrelated to the recent break-in. The first concerns a vulnerability in Adobe RoboHelp 10 for Windows that could allow an...
Unnamed Android Vulna Ad Library Abused to Steal User Data
A popular Android mobile ad library available on Google Play can be used to collect device data or execute malicious code, security researchers have discovered. The most alarming aspect to the library is that close to 2 percent of Android apps with more than 1 million downloads on Google Play use...
Blackhole Exploit Kit author Paunch arrested
An out-of-the-blue tweet from a Dutch researcher kicked off an unprecedented 24-hour rumor mill yesterday concerning the arrest of Paunch, a hacker allegedly behind the notorious Blackhole Exploit Kit. The arrest, finally confirmed today by the head of the European Cybercrime Centre (EC3), is likel...
Researchers Nab $28k in Microsoft Bug Bounty Program
As part of its first-ever bounty program, Microsoft has paid out $28,000 to a small group of researchers who identified and reported vulnerabilities in Internet Explorer 11. The IE 11 bounty program only ran for one month during the summer, but it attracted a number of submissions from well-known...
Router Flaw Exposes Sensitive Configuration, Password Info
Taiwanese electronics company Asus has released an update for one of its routers that corrects an authentication bypass vulnerability discovered in the devices over the summer. The vulnerability is in Asus’ RT-N10E brand of routers, sold primarily throughout Europe, China and South America...
Experts Petition NSA Review Board to Include Technologist
A long list of influential security, privacy and technology experts, largely from academic circles, has petitioned the NSA review board to include a technologist among its ranks. The board, established on Aug. 12 by Director of National Intelligence James R. Clapper upon the orders of the...
Latest Snowden Leak Explains NSA Subversion of Tor Users
The latest Snowden documents, made public today, suggest the National Security Agency is able to peel back the veil on a small fraction of Tor users at a time, but overall the integrity of the anonymity network remains intact. Tor promises its users a level of anonymity online for their Web...
Adobe Hackers Hit Other Companies
The attackers behind the Adobe hack and breaches against data brokers such as LexisNexis have also been linked to similar intrusions against other unnamed organizations. Security expert Alex Holden, who along with security blogger Brian Krebs uncovered the data lost in the Adobe breach, said thos...