Experts Worry About Long-Term Implications of NSA Revelations
With all of the disturbing revelations that have come to light in the last few weeks regarding the NSA’s collection methods and its efforts to weaken cryptographic protocols and security products, experts say that perhaps the most worrisome result of all of this is that no one knows who or what...
Hackers Pool Money and Offer it For iPhone Fingerprint Hack
UPDATE: In an earlier version of this story, we failed to give proper credit to Robert Graham for his involvement in this project. A group of researchers, hackers, and other security enthusiasts are pooling their money and offering it as a bounty to the first person that can successfully crack the...
NSA's Reactive Security Measures Too Late to Stop Snowden
The National Security Agency, as it turns out, is just as reactive when it comes to information security as 99 percent of the enterprises out there. America’s top spy agency gives out too much privileged access to employees and contractors, allows removable storage devices in sensitive areas, and...
Apple's iOS 7 Update Fixes 80 Security Bugs
We are one day in and Apple’s sleek new mobile operating system, iOS 7, has been dissected to death – the colors, the similarities to Android’s OS, the amount of time it took some users to download the update from Apple’s servers. Those talking points aside, the update also brought a slew of bug...
Facebook Android Bug Sent Users' Photos in the Clear
A researcher has discovered a privacy bug in the Facebook Android app that enables an attacker to view and download any images that a user sends to Facebook. The problem derives from the fact that the app, along with the official Facebook Messenger app for Android, doesn’t send those images over...
How I Got Here: Brad Arkin
Dennis Fisher talks with Brad Arkin, CSO of Adobe, about his start with punch cards, finding bugs in online poker software, working at @stake and his challenges at Adobe. Download: 11arkin.mp3...
Shylock/Caphaw Banking Malware Infections on the Rise
Two dozen major U.S. and European banks are in the crosshairs of the Shylock, or Caphaw, financial malware of late, and victims who trade with one of the 24 financial institutions are at risk of giving up their credentials and losing assets in their accounts. Malware researchers have noticed a ri...
LinkedIn Asks for Transparency on National Security Letters
LinkedIn on Tuesday joined the fray of Internet companies requesting permission from the Foreign Intelligence Surveillance Court to publish data on the number of National Security Letters it receives. Unlike Google, Microsoft and others that have petitioned the FISA court to lift its ban on the...
FISC: No Phone Company Ever Challenged Metadata Collection Orders
A newly declassified opinion from the Foreign Intelligence Surveillance Court from this summer shows the court’s interpretation of the controversial Section 215 of the USA PATRIOT Act that’s used to justify the National Security Agency’s bulk telephone metadata collections, and reveals that none ...
Mozilla 24 Resolves 17 Security Vulnerabilities
The Mozilla Foundation released Firefox 24 yesterday, issuing 17 security patches for the browser. Seven of the bulletins received the highest, critical impact rating, four are considered high impact advisories, the second most severe rating, and the remaining six are of moderate impact. Mozilla’...
Researchers Build Undetectable Dopant Hardware Trojans
Is it so outlandish anymore to consider that an attacker interested in military, political or corporate espionage would be able to infiltrate a supply chain and drop malware onto an integrated circuit? Evidence of hardware-based Trojans is anecdotal at best, and experts believe a change in...
Microsoft Warns of New IE Zero Day
UPDATE–Microsoft is looking into reports of targeted attacks against a new vulnerability that exists in all supported versions of Internet Explorer. The attacks are targeting IE 8 and 9 and there’s no patch for the vulnerability right now, though Microsoft has developed a FixIt tool for it. “The...
Patches for Django Framework Fix DoS Vuln
Developers behind the Web framework Django have pushed out a new build that fixes a handful of security issues, including a denial of service vulnerability in the framework’s password hasher. Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4 were released over the weekend and users are urged to...
NASDAQ Patches Reported XSS Vulnerability
A NASDAQ representative confirmed this morning that a cross-site scripting vulnerability on the exchange’s website discovered by an ethical hacker has been patched. The issue was reported on Sept. 2 by Ilia Kolochenko, chief executive of High-Tech Bridge, a Swiss penetration testing company...
Decision in Street View WiFi Case Could Hinder Some Security Research
The decision by the Ninth Circuit Court last week to allow the class-action suit against Google over its collection of WiFi data to continue was welcomed as good news by privacy advocates, but it may have considerable consequences for security researchers who collect such data during legitimate...
NSA Bought Exploit Service From VUPEN, Contract Shows
The U.S. government–particularly the National Security Agency–is often regarded as having advanced offensive cybersecurity capabilities. But that doesn’t mean that they’re above bringing in a little outside help when it’s needed. A newly public contract shows that the NSA last year bought a...
Revoyem DirtyDecrypt Ransomware Spreads Internationally
A strain of the Revoyem ransomware, also known as DirtyDecrypt, is aggressively spreading beyond Germany and Great Britain, the first two countries in which it was spotted back in March. A researcher who goes by the handle Kafeine reports on his Malware Don’t Need Coffee website that Revoyem is...
BEAST Cryptographic Attack Mitigations Overturned
The BEAST cryptographic attack, once thought to be largely mitigated, has two things conspiring against it to make breaches potentially possible again. Not only has a server-side mitigation essentially been rendered moot by recent research into the RC4 cryptographic protocol, but Apple has yet to...
Apple Fixes 30 Bugs With Mountain Lion Update
Apple pushed a handful of patches late last week and updated its OS X Mountain Lion to 10.8.5, improving “stability, compatibility and security” issues and fixing 30 different vulnerabilities in the operating system. The update fixes multiple vulnerabilities in Apache that could have led to a...
Dropbox Installations Hinder Effectiveness of ASLR
UPDATE: The popular cloud storage service Dropbox was reportedly undercutting the efficacy of address space layout randomization (ASLR) by failing to enable that feature within the dynamic link libraries (DLLs) it injects into other applications. The company now claims it has resolved the issue. Graha...
UK Cryptographers Call For Publication of Deliberately Weakened Protocols, Products
A group of cryptographers in the UK has published a letter that calls on authorities in that country and the United States to conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries’ intelligence services. The letter,...
Belgian Telco Belgacom Compromised
A Belgian telecom company that handles some of the undersea cables that carry international voice traffic said Monday that its internal network had been compromised sometime in the last few months and malware had been planted on some of its systems. Belgacom said the attack only affected its own...
On The Latest NSA Revelations, the Tor Botnet and Kimsuky
Dennis Fisher and Mike Mimoso talk about the news of the last couple of weeks, including the revelations of the NSA’s anti-cryptography capabilities, the botnet making use of Tor and the Kimsuky cyberespionage attack. Download: digitalunderground126.mp3...
Frequently Unanswered Questions on the NSA Leaks
The flood of documents regarding the NSA’s collection methods and capabilities that have been leaked this summer has produced thousands of news stories and several metric tons of speculation about what it all means. But for all of the postulating, analysis and reporting, there are still a lot of...
2 Million Customer Records Stolen in Vodafone Germany Breach
Security experts are warning Vodafone customers, particularly those in Germany, of a possible increase in phishing attacks after an insider at the telecommunications giant accessed a database and stole personal information on as many as two million customers. German police have a suspect, adding...
Tor Botnet Makes Bad Move to Anonymity Network
MEvade, the massive botnet using Tor as a communication protocol, may have moved operations to the network in order to hamper potential takedown efforts, but according to security researchers, the move just served to shine a spotlight on the botnet’s activities. Rather than hide traffic from bots...
Oracle Updates Java 7
Oracle released on Tuesday the Java standard edition version 7 update 40. Java 7u40 includes fixes for a long list of bugs and a number of new features as well. The most notable security patch appears to be a fix for a plugin deployment bug that failed to block expired certificates for users that...
Email Spam Campaign Spreading Android Malware
At first it seems like email spammers relying on old tricks – but a further look into a new campaign spotted by security firm FireEye reveals that the messages are not spreading drive-by downloads or even peddling ordinary PC malware. Instead, attackers are beginning to drop Android malware, in...
Mobile Pwn2Own Offers $300k For Zero Days
It’s a good time to be a security researcher. If you have the time and talent to find vulnerabilities in widely deployed applications, there is a lot of money out there for the taking, and not just from the bug bounty programs and regular exploit buyers. The latest iteration of the Pwn2Own hackin...
WordPress Fixes Remote Code Execution Flaw With 3.6.1 Release
WordPress has fixed a number of security vulnerabilities, including one that could lead to remote code execution on vulnerable installations. WordPress 3.6.1 is the new, updated release that contains the fixes and also includes some non-security bug fixes and stability changes. The most serious...
How I Got Here: Marc Maiffret
Dennis Fisher talks with Marc Maiffret about his teenage years as a phone phreaker and BBS denizen, the early years of the vulnerability research scene, the Code Red worm and its aftermath and how the security scene has changed in the past 15 years. Download: 10maiffret.mp3...
North Korea Spying on South Korea Using Espionage Malware
For the time being, things on the Korean peninsula may have quieted down politically and militarily. But hackers on both sides continue to take shots at each other. The latest salvo appears to be coming from North Korea, which has been conducting an extensive espionage campaign against specific...
Apple Puts Fingerprint Reader in iPhone
If you haven’t heard, Apple unveiled two new iterations of the iPhone at one of the Cupertino company’s typically grandiose product events yesterday. As usual, there was plenty of hype to go around, but the biggest change as far as security is concerned is the addition of a fingerprint scanner on...
DNI Releases FISC Docs, But Legislators Say Much More Remains Hidden
The federal government has released hundreds of pages of documents, including orders and opinions from the secretive Foreign Intelligence Surveillance Court, related to the NSA’s surveillance programs, but legislators who have been involved in the process say that there still are significant...
Embedded Devices Vulnerable by Default from Manufacturer
Embedded device manufacturers have been warned for ages about the risks of making networking, telecom and critical infrastructure gear reachable online and, worse yet, leaving default credentials in place for authenticating to those devices. Clearly, most are not listening. An Australian researcher...
NIST Refutes Allegations NSA Compromised Crypto Standards
UPDATE–The revelations last week in leaked NSA documents that the intelligence agency had influenced the standards process at NIST to allegedly deliberately weaken unnamed cryptographic algorithms have spurred a huge amount of speculation and discussion in the security community about the...
Bruce Schneier on the NSA, Cryptography and Trust
Dennis Fisher talks with cryptographer Bruce Schneier about the revelations of the NSA’s capabilities to subvert and weaken cryptographic algorithms, security products and standards, and what it will take to help defeat these capabilities. Download: digitalunderground125.mp3 Subscribe to the...
BlackBerry Patches Security Flaws in Z10, Q10, PlayBook
BlackBerry climbed aboard the Patch Tuesday bandwagon today with four advisories patching vulnerabilities in Adobe Flash, Webkit and libexif on the company’s mobile devices. Adrian Stone, director of BlackBerry’s security incident response and threat analysis, said the company is not aware of any...
SharePoint Fixes Priority for September 2013 Patch Tuesday
It’s no secret that putting SharePoint installations online and making them accessible without authentication is standard practice in many organizations. Those SharePoint administrators, however, may want to rethink their policies after today’s Microsoft Patch Tuesday security bulletins release...
IETF Discussing Ways to Protect Internet Against Pervasive Surveillance
The IETF is considering a range of options to help reengineer some of the fundamental protocols that underpin the Internet in response to revelations that the NSA and other intelligence agencies are conducting widespread, dragnet-style surveillance online. The group, which is responsible for...
Email Spam Claims US Attacks Syria and Leads to Malware
A new phishing campaign is disseminating malicious links with emails purporting to come from CNN saying that the United States has initiated military strikes against the embattled regime of Syrian President Bashar al Assad. One such email, obtained by Kaspersky Lab and posted on Securelist, comes...
Adobe Fixes Code Execution Bugs in Flash, Reader
It’s Patch Tuesday, and that means not just fixes from Microsoft, but also new updates from Adobe, which has released a number of patches for vulnerabilities in Flash, Reader, Acrobat and Shockwave. The details of the vulnerabilities are scarce, but Adobe said that many of them can be used to run...
GlobalSign Commits to Certificate Transparency Framework
If you were going to try and determine who has had a worse go of it recently, the NSA or certificate authorities, you’d likely have to just flip a coin. And the coin would probably end up balanced on its edge. While the National Security Agency is scrambling to respond to and recover from the...
Google, Facebook, Yahoo File NSL Transparency Motions
Google, Yahoo and Facebook filed amended requests today with the U.S. Foreign Intelligence Surveillance Court (FISC) reiterating their desire to publish numbers on requests for user data related to national security. Google, meanwhile, went a step further asking for an open, public hearing with the...
Marketing Firms Advertise Largely to Bots; Waste $9.5B
It may not come as a surprise that online advertising firms waste billions of dollars each year, but a new report claims that – even if you were to assume that the entire practice of targeting users with online ads is an effective and lucrative one – $9.5 billion this year will be wasted...
Call for Ban on Vulnerable PHP SuperGlobal Variables
The ease with which PHP applications can be subverted should be pretty apparent by now given the number of botnets supported by compromised sites hosting PHP code. The biggest culprit in the PHP universe may be a set of nine variables called SuperGlobals that provide programmers with development...
Protecting Critical Infrastructure: Input Data
Kaspersky Lab is always working to develop new technologies for protecting critical computer systems from cybercriminals. In July, I had the opportunity to represent Kaspersky at a symposium sponsored by the National Institute of Standards and Technology (NIST), focused on the national Cybersecurit...
Questions About Crypto Security Follow Latest NSA Revelations
As security experts and cryptographers continue to debate and discuss the implications of the revelations of the NSA’s capabilities against various encryption protocols and systems, some of the larger Internet companies are taking steps to protect their users’ data against the new threat. Google,...
Malvertising Campaign Redirects to Blackhole Exploit Kit
Online ad networks have proven efficient tools in spreading malware to a large number of sites simultaneously. Attackers who manage to spike an ad distribution service can potentially have millions of eyeballs on a malicious ad for a fraction of the cost it would take to buy or build spam lists,...
Yahoo Transparency Report Reveals More Than 12K U.S. Government Data Requests
Following the lead of Google, Twitter and other major Internet companies, Yahoo has issued its first transparency report, revealing that it received more than 12,000 requests for user data from the U.S. government in the first half of 2013. The company disclosed user content in nearly a third of...