Bitcoin Makes Cybercrime Arrests Harder than Ever
WASHINGTON, D.C. – The good news is that cooperation between the various law enforcement agencies in different countries all over the world is at an all-time high; the bad news is that cybercriminals have embraced a potent combination of the anonymous online currency Bitcoin and equally anonymous...
Adobe Acrobat, ColdFusion Source Code, Customer Data Stolen
Attackers accessed customer IDs, encrypted passwords as well as source code for a number of Adobe products, Adobe chief security officer Brad Arkin announced. Arkin said Adobe is working with law enforcement on the breach in which attackers accessed source code for Adobe Acrobat, ColdFusion,...
Microsoft Readies Eight Patches, IE Zero Day Fix
Microsoft has announced that it plans to release eight patches next week as part of its October Patch Tuesday release, addressing flaws in its Windows, the .NET Framework, Office, Server, Silverlight and most importantly its Internet Explorer browser. Four of the patches are marked critical,...
Yahoo Revamps Bug Bounty Vulnerability Rewards Program
Yahoo has promised to put the finishing touches on a new vulnerability reporting and rewards policy by Halloween after finding itself in the throes of a mini scandal this week over two $12.50 Yahoo company store discount codes handed out to one researcher in thanks for turning in a pair of...
Adobe Prepping October Patches for Reader, Acrobat
Adobe has announced that it plans to patch critical vulnerabilities in two products, Adobe Reader and Acrobat XI 11.0.04 for Windows, next week as part of its monthly Patch Tuesday updates. Adobe posted about the impending updates yesterday on its Product Security Incident Response Team (PSIRT) blo...
Ryan Naraine on Virus Bulletin 2013, Zero Days and Cyberwarfare
Dennis Fisher talks with Ryan Naraine about the news from the Virus Bulletin 2013 conference, whether the use of zero days is overrated and the collateral damage that can result from cyberwarfare attacks. Download: digitalunderground128.mp3...
Django Vulnerability Could Allow Attackers Access to Cookies
A security vulnerability in the web framework Django could make it easier for an attacker to steal a user’s cookie and log into their website even after they’ve logged out. The session invalidation vulnerability was discovered by G.S. McNamara, the same researcher who dug up a similar vulnerabili...
Behind the South Korean Government DDoS Attacks
BERLIN–In the last few years, there have been a series of DDoS attacks and intrusions on government networks in South Korea that have resulted in the loss of untold amounts of data. The four attacks haven’t been linked together or attributed to the same attackers, but there are some similarities ...
Pen Testing Using Live Malware Becoming a Must
BERLIN–Penetration testing has come a long way in the last decade, evolving from a somewhat controversial practice to a de facto best practice in the enterprise market. That evolution hasn’t stopped by any means, and one of the things that experts say must be a part of any comprehensive test now ...
NSA Director Alexander Confirms Cell Location Pilot Program
In between pleas to end the government shutdown that has upwards of 70 percent of the intelligence community furloughed until further notice, NSA director Gen. Keith Alexander and Director of National Intelligence James Clapper spent a significant amount of time before a Senate Judiciary Committe...
FBI Shuts Down Online Drug, Hacking Market Silk Road
The FBI has taken down the infamous Silk Road underground drug market, arresting Ross William Ulbricht in San Francisco yesterday and charging him not only with the distribution of illegal drugs including heroin and LSD, but also with a number of computer hacking crimes. Ulbricht, who was known a...
Researchers Ponder When to Notify Users of Public Vulnerability Exploits
BERLIN–Just whispering the words “vulnerability disclosure” within earshot of a security researcher or vendor security response team members can put you in fear for your life these days. The debate is so old and worn out that there is virtually nothing new left to say or chew on at this point...
A Decade of Microsoft Patch Tuesday Security Updates
On Oct. 9, 2003, Microsoft announced its new security patching process that would end up being a catalyst for significant change in the information security community. Ten years ago, the program was announced with a press release that promised “Improved patch management processes, policies and...
The Chilling Effect of the NSA Surveillance Leaks
BERLIN–In this city, one of the great world capitals, history is never far away. It permeates every aspect of daily life, and the German people are quite proud of much of that history. But there were dark days here too, and not so long ago, when the Stasi, the East German secret police, operated ...
Zero Days Are Not the Bugs You're Looking For
BERLIN–The technology industry often is used by politicians, executives and others as an example of how to adapt quickly and shift gears in the face of disruptive changes. But the security community has been doing defense in basically the same way for several decades now, despite the fact that th...
Three New APTs Spotted Piling On IE Zero Day
Attackers are continuing to pile on a critical Internet Explorer zero day that remains unpatched two weeks after it was reported. During the last two weeks, it appears that at least three separate targeted attack campaigns have been using the same bug previously used by Operation Deputy Dog, a...
Metasploit Exploit Module for IE Zero-Day Vulnerability
It’s been 14 days since Microsoft issued an advisory and temporary mitigation for a zero-day vulnerability in Internet Explorer, one being actively exploited in the wild and called by some experts as severe a browser bug as you can have. Yet users have since had little more to shield them from...
Ukrainian Banking App Vulnerable to Attack
Privat24, the mobile banking application for Ukraine’s largest commercial bank, contains an insufficient validation vulnerability in its iOS, Android, and Windows phone apps that could give an attacker the ability to steal money from user accounts after bypassing its two-factor authentication...
NSA Crypto Questions Resemble a 'Hall of Mirrors'
There’s been no shortage of discussion and debate in recent weeks about the possibility that the NSA has intentionally weakened some cryptographic algorithms and cipher suites in order to give it an advantage in its intelligence-gathering operations. If you subscribe to the worst-case scenario lin...
Linux Kernel Update Fixes DoS, Leakage Bugs
Debian developers alerted Linux users late last week of a new Linux kernel build, linux-2.6, that fixes 11 separate vulnerabilities that could open the kernel to a denial of service attack, information leak or privilege escalation. Dann Frazier, an administrator with Debian announced the security...
Law Enforcement Requests Report: No Skype Data Turned Over
Microsoft’s report on compliance with law enforcement requests for data demonstrates a status quo for the software giant from the last reporting period. While the number of requests from law enforcement dropped worldwide in the first six months of 2013, Microsoft complied with 79 percent of...
HD Moore, Project Sonar Crowdsources Vulnerability Analysis
The state of embedded device security is poor, and there hasn’t been much in the way of discussion to the contrary. It’s well established that vendors skimp on security, selling, for example, routers and other networking gear protected only by default passwords, or other critical devices engineere...
4th Cybersecurity Framework Workshop: Good News and Bad News
I had a chance to visit a number of industrial events this year and can see the evolution of cybersecurity in the industrial field. One of these was the 4th National Institute of Standards and Technology’s (NIST) Cybersecurity Framework Workshop (CFW). Kaspersky was in attendance at the previous...
Silent Circle Moving Away From NIST Ciphers in Wake of NSA Revelations
The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other...
Dennis Fisher and Mike Mimoso Discuss The Week's NSA News and Icefog
Mike Mimoso and Dennis Fisher look back at the news of the last couple of weeks, including some new NSA PR efforts and the Icefog cyberespionage campaign. Download: digitalunderground127.mp3...
NSA Trying to Change the Surveillance Narrative
When things go badly in Washington, D.C., when a scandal breaks or damaging leaks begin to surface, there is an established and well-worn playbook that politicians and executives can turn to for solace. There’s a page for every conceivable situation, and it’s that playbook that the National...
LinkedIn Patches Multiple XSS Vulnerabilities
The professional social networking service LinkedIn was susceptible to four reflected cross-site scripting (XSS) vulnerabilities before issuing a fix for those flaws over the summer. XSS vulnerabilities are among the most prevalent bugs online. In this case an attacker could potentially exploit...
NSA Director Alexander Asked About Cell Location Collection
Did we hear the next shoe to drop in the NSA surveillance saga? Yesterday before a hearing of the Senate Intelligence Committee, Sen. Ron Wyden, D-Oregon, asked some pointed questions of NSA director Gen. Keith Alexander regarding whether the agency collects cell tower location data in addition t...
Cisco IOS Update Patches Eight Vulnerabilities
Telecommunications company Cisco this week is warning customers and those running their software of eight separate vulnerabilities it has patched in its internetwork operating system (IOS) infrastructure product. Cisco’s Product Security Incident Response Team (PSIRT) released the advisories yesterda...
Time For a Change in Security Thinking, Experts Say
WASHINGTON–Security, like a lot of other things, tends to go in phases. A new attack technique is developed, vendors respond with a new defensive technology and then attackers find a way to defeat it. It has always been that way. And right now, things seem to be in one of those periodic down cycl...
Sefnit Click-Fraud Malware Related to Mevade Tor Botnet
A malware family, likely developed by the same authors who built a massive botnet recently discovered on the Tor network, has been revived with a stealthy new click-fraud scam. Microsoft reports a rash of new click-fraud activity linked to the Sefnit malware, which was thought dead and buried as ...
Identity Seller Uses Botnet to Steal from Data Brokers
An online peddler of Social Security numbers, credit and background check reports, and other information valuable to identity thieves appears to have ascertained this data by compromising the systems of a number of prominent data brokerage firms, according to an investigative report published by...
Icefog Targeted APT Attacks Hit South Korea, Japan
An espionage campaign featuring precise targeting of victims and malware that allows the attackers one-on-one interaction with compromised systems has been uncovered. Government agencies, manufacturers, high tech companies and media organizations in South Korea and Japan have been the primary...
Some Versions of Ruby on Rails Could Expose Cookies
Versions 2.0 to 4.0 of the popular open source Web framework Ruby on Rails are vulnerable to a Web security issue involving cookies that could make it much easier for someone to log in to an app as another user. According to security researcher G.S. McNamara, Ruby on Rails’ de facto session storin...
Alexander: 'FISA is the Key to Connecting the Dots'
WASHINGTON–Faced with trying to accomplish its mission in an environment that suddenly has become quite hostile and inquisitive about its methods, the National Security Agency is becoming more and more public about the challenges that lie ahead and how the agency plans to address them. One of the...
Mailbox App for iOS Automatically Executes JavaScript
UPDATE – The popular Mailbox app for iOS suffers from a bit of a security nightmare. A security researcher in Italy recently discovered that the app automatically executes JavaScript contained in any HTML email. “It is just a bad design choice,” said researcher Michele Spagnulo, a computer...
NSA's Alexander Appeals For Threat Information Sharing
WASHINGTON– While Congress and the technology community are still debating and discussing the intelligence gathering capabilities of NSA revealed in recent months, the agency’s director, Gen. Keith Alexander, is not just defending the use of these existing tools, but is pitching the idea of shari...
Dropbox Requests National Security Letter Transparency
Dropbox, as LinkedIn did a week ago, filed an amicus brief yesterday with the United States Foreign Intelligence Surveillance Court (FISC) requesting permission to publish the number of National Security Letter requests the cloud storage company receives. Dropbox followed LinkedIn’s lead, arguing i...
Apple Releases Apple TV 6.0, Fixes 50+ Bugs
After a botched software update over the weekend, Apple re-released version 6.0 of its Apple TV product last night, replete with the requisite bells and whistles but not without a slew of security updates and bug fixes. 57 bugs in total are addressed in 6.0; the third update the digital media...
iMessage Chat app for Android Worries Security Experts
UPDATE – Security experts and mobile developers are warning Android users to steer clear of an app purporting to be an Android version of Apple’s iMessage technology. The app has been pulled from Google Play according to a Google spokesperson, but it remains available on several third party sites...
Google to Block Many Plug-Ins Starting in 2014
Google is planning major changes in the way that Chrome handles many plug-ins. Beginning early next year, Chrome will no longer support the old Netscape Plug-In API and will block plug-ins that use it. Eventually, that will mean that some plug-ins such as Google Earth, Microsoft Silverlight and...
ICS Vendor Fixes Hard-Coded Credential Bugs Nearly Two Years After Advisory
Nearly two years after a security researcher published details of the hard-coded credentials that ship with a slew of industrial control system products made by Schneider Electric, the company has released updated firmware that fixes the problems. The vulnerabilities, which were discovered by...
IE Zero Day Used in Targeted Attacks Against Japanese Firms
Attackers exploiting a zero-day vulnerability in Microsoft’s Internet Explorer browser have compromised several popular local Japanese media outlets and have infected systems belonging to government, high tech and manufacturing organizations in Japan. Researchers at FireEye said the attacks appea...
Apache Upgrade Repairs Struts, Fixes Two Vulnerabilities
Developers behind the Apache Struts framework have released an update that fixes two vulnerabilities. Creators of the open-source web application framework are encouraging users to upgrade to Struts 2.3.15.2 immediately. One of the fixes addresses an issue (CVE-2013-4316) in the Dynamic Method...
Hackers Bypass iPhone 5S Touch ID
Hackers from the venerable Chaos Computer Club in Germany have found a method for bypassing the new iPhone 5S Touch ID fingerprint security mechanism. The method, which is the first known technique for circumventing the iPhone’s newest security feature, involves taking a picture of a user’s...
In Wake of Latest Crypto Revelations, 'Everything is Suspect'
So now that RSA Security has urged developers to back away from the table and stop using the maligned Dual Elliptic Curve Deterministic Random Bit Generation (Dual EC DRBG) algorithm, the question begging to be asked is why did RSA use it in the first place? Going back to 2007 and a seminal...
iOS 7 Lockscreen Bypass Discovered
Another iOS, another iPhone lockscreen bypass flaw. Hackers have had only a few days to play around with Apple’s latest mobile operating system, iOS 7, but apparently that’s all the time one of them needed to find a flaw that can allow anyone to bypass the lockscreen on phones running the...
The Sky is Not Falling--It's Fallen
It’s no fun being a cynic, thinking that everything is bad and getting worse. It’s easy–especially in the security community–but it’s not fun. But, in light of the latest in the interminable string of revelations about the NSA’s efforts to eat away at the foundation of the security industry, the...
FBI Warning Users About Financial Malware Beta Bot
The FBI began warning computer users about the Beta Bot Trojan this week, sounding the alarm about malware that has targeted a variety of online payment platforms and financial institutions over the last few months. According to an intelligence note prepared by the Internet Crime Complaint Center...
Oil, Energy Watering Hole Attacks Linked to DOL attack
A string of watering hole attacks targeting oil and energy companies dating back to May could be linked to similar attacks against the U.S. Department of Labor website. Researchers at Cisco discovered the compromised domains of 10 oil and energy companies worldwide, including hydroelectric plants...