Many Flash, Java Users Running Older, Vulnerable Versions
It’s long been known that Java and Flash are favored targets of attackers, thanks to their huge install bases and numerous security issues. And the users who are targeted by these attacks aren’t doing themselves any favors either, as new research shows that 19 percent of business users are runnin...
Office, SharePoint Patches Await September Patch Tuesday
Today’s monthly advance notification of Microsoft’s upcoming security bulletin release on Tuesday includes a number of critical Office patches that have experts worried. Of particular concern are remote code execution vulnerabilities in Outlook 2007 and 2010 that can be exploited by merely...
Wristwatch-like Heartbeat Monitor to Replace Passwords
The heart beating in our chests contains in its right atrium a bundle of nerve cells and synapses known as the cardiac pacemaker. The cardiac pacemaker emits electrical impulses that cause the human heart to beat. These electrical impulses and the heart rhythm they produce can be measured by an...
Huge Botnet Found Using Tor Network for Communications
In the wake of the revelations surrounding the NSA’s domestic surveillance and intelligence-gathering operations, security experts said there would likely be a natural uptick in the usage of privacy focused tools such as Tor, PGP and other encryption services. In the case of Tor, there has been...
Obad Trojan First to Spread Via Mobile Botnet
The keepers of the mobile Obad Trojan realize the window of opportunity they have to spread the malware on Android devices may be closing since the vulnerability the Trojan exploits has been patched in Android 4.3. That could explain why Kaspersky Lab researchers have spotted a recent spike in...
Yahoo Fantasy Football Mobile App Vulnerable to Attack
All but the most recent version of the mobile application for Yahoo’s popular fantasy football service are vulnerable to a session hijack attack in which an unauthenticated person could remotely change team lineups, post messages and perform other mischief on behalf of the legitimate user...
Government to Release Hundreds of Documents Related to NSA Surveillance
In response to a lawsuit by the Electronic Frontier Foundation, the Department of Justice is preparing to release a trove of documents related to the government’s secret interpretation of Section 215 of the PATRIOT Act. The declassified documents will include previously secret opinions of the...
Java Code-Signing, Security Prompts Fail with Developers
Why would a software company require developers to sign code, thereby ensuring a modicum of trust—but not security—and then shatter that trust by allowing signed applets to bypass their own application sandbox? Welcome to the world of Oracle and Java, where a once healthy programming language has...
Update to Bitcoin Client Fixes DoS Bug, Password Strength
The developers behind Bitcoin-QT, a software wallet used to protect and back up Bitcoin currency, have pushed out a new version of the client, fixing a critical denial-of-service bug and three other security issues, and fortifying password security. Version 0.8.4 of the original Bitcoin client was posted t...
Windows 8 Picture Gesture Authentication Research
Typing on a smartphone or tablet keyboard lends itself to a lot of fat-fingered mistakes. Recent updates to mobile operating systems and desktop OSes such as Windows 8, however, have tried to better leverage the touch screen for things such as authentication. Users, for example, have the option o...
Apple Safari Vulnerable to Buffer Overflow Exploit
Packet Storm made public today a proof-of-concept exploiting a known and patched heap buffer overflow vulnerability in Apple’s Safari browser. Packet Storm acquired the details of the exploit, which affects Safari version 6.0.1 and possibly earlier versions as well for iOS 6 and OS X 10.7 and 10....
Hand of Thief Linux Banking Trojan Not Ready For Primetime
Upon further examination, a new banking Trojan variant may not be as commercially viable as it was thought to be. Researchers at RSA Security have peeled back the layers this week on the Hand of Thief banking Trojan, a piece of malware that made headlines over the summer after it was thought to b...
Njw0rm RAT Spreads Via USB Drives, Steals No-IP Credentials
Remote access Trojans, or RATs, are typically stay-at-home creatures. Central to a good many targeted attacks for their ability to steal data from compromised computers, RATs aren’t generally built with the capability to spread to more machines. A variant of njRAT, however, has broken that mold...
Cisco Issues Four Security Advisories
Cisco issued four moderate-severity security notices over the weekend, informing users of vulnerabilities in the company’s Adaptive Security Appliance and IOS XR software, its unified computing system, and wireless LAN controllers. Cisco warned of a vulnerability, CVE-2013-3470, affecting the...
NetTraveler Now Using Java Exploits, Watering Hole Attacks
When NetTraveler was unveiled in June, Costin Raiu of Kaspersky Lab warned that the espionage campaign was an “ugly gorilla with a thousand faces” and that we hadn’t seen them all yet. A little more than two months later, another profile of the malware targeting activists, diplomats, government...
Snowden-Leaked NSA Budget Shows Code-Breaking Investments
New documents leaked by Edward Snowden quantify the resources supporting an extensive intelligence community crypto-cracking program. Tens of thousands of people and billions of dollars are behind the Consolidated Cryptologic Program, as reported yesterday by The Washington Post. Signals...
Facebook Malware Hijacks Users' Chrome Browsers
An attack on the world’s largest social network is drawing users to a third party site with fake tag notifications and prompting victims to download malware masquerading as a video-codec extension. The malware is reportedly capable of hijacking the Facebook accounts and Chrome Web browsers of...
Dennis Fisher and Mike Mimoso Discuss the NYT Attack, News of the Week
Dennis Fisher and Mike Mimoso discuss the big stories of the last couple of weeks, including the Syrian Electronic Army’s attacks against the registrar for the New York Times and Twitter, and the release of Facebook’s first transparency report. Download: digitalunderground124 Subscribe to the...
Researchers Reverse Engineer Dropbox
Researchers have cracked open cloud storage service Dropbox, reverse engineering the encryption protecting the client in order to open it up to further security analysis. The engineers, Dhiru Kholia of Openwall and Przemyslaw Wegrzyn of CodePainters, also managed to demonstrate how to use...
Arabic Text String Crashes iOS, Mac OS X
A string of Arabic text is causing some chaos for iOS and Mac OS X users. It seems wherever the text sequence shows up, whether in a tweet, a webpage, or an SMS message on the Apple platform, it’s crashing apps or Safari browser sessions. The problem has been traced to the Apple Core Text technolog...
Metasploit Module Adds Sudo Vulnerability for OS X
Attackers looking to exploit a previously disclosed and apparently still unpatched bug in sudo, a Unix command found in most Apple OS X builds, have gotten a little more help this week. As Threatpost reported in March, the vulnerability CVE-2013-1775 can essentially set back the...
Inside the Response to the New York Times Attack
Late Tuesday morning, one of the engineers in CloudFlare’s San Francisco office saw a message on Twitter saying that the New York Times Web site was down. Minutes later, more messages appeared, as security researchers and others began looking into the situation and realized that someone may have...
Remote Unauthenticated Bug Haunts Cisco ACS Server
There is a critical remotely exploitable vulnerability in Cisco’s Secure Access Control Server which allows a remote attacker to take complete control of a vulnerable server. The bug results from a bad implementation of the EAP-FAST protocol and it affects a number of versions of the Cisco ACS. T...
Opera 16 Fixes Bugs, Improves HTML5 Performance
Norwegian software company Opera pushed out version 16 of its eponymous Internet browser this week, complete with what it’s calling “tons of bug fixes,” improved performance and a slew of new features and APIs. While the full changelog hasn’t been published yet, Ruarí Ødegaard, a member of Opera’...
Kelihos P2P Botnet Leveraging Composite Blocking Lists
Kelihos, the peer-to-peer botnet with nine lives, keeps popping up with new capabilities that enable it to sustain itself and make money for its keepers by pushing spam, harvesting credentials and even stealing Bitcoins. According to a number of sources, Kelihos is now leveraging legitimate and...
Another Java 6 Vulnerability Found in the Wild
Unless you have an Oracle product that requires Java 6 or are paying for support for that version of the platform, you’ve seen the last publicly available updates as of February. That doesn’t mean attackers have pushed back from targeting Java 6, and that certainly doesn’t mean that organizations...
Registrar Hack at Root of NY Times and Twitter Attacks
UPDATE–The attack that took down the New York Times Web site Tuesday afternoon, along with domains belonging to Twitter and the Huffington Post, was accomplished through the use of compromised credentials belonging to a reseller for the registrar that those companies use to buy their domains...
Syrian Electronic Army Hack Results in Compromise of Domain Data For NY Times, Twitter
The Syrian Electronic Army, a group known for attacking high-profile media sites in the last year or so, has in the last few hours compromised the domain information for a large number of sites, including the New York Times home page and some of Twitter’s domains. Security researchers say that th...
Firefox Extension HTTP Nowhere Allows Users to Surf in Encrypted-Only Mode
It’s no secret that the Web wasn’t really meant to be a secure platform, for communications or commerce or anything else. But it’s used for all of these functions every day, and for the most part they depend upon the sites they deal with using SSL and doing so correctly. That’s not always a sure...
Facebook Complied with 79 Percent of Requests for User Data
Facebook, a holdout among major technology companies in divulging figures on the numbers of government requests for its users’ data, today delivered its first semblance of a transparency report. The Global Government Requests Report quantifies the number of data requests against how many accounts...
DHS and FBI Warn About Android Security Threats
The Department of Homeland Security and the FBI are warning police and fire departments as well as emergency medical service providers and other security personnel that out-of-date Android devices pose a serious security risk to those organizations. The warning came via an unclassified memo...
DirtJumper Variant Drive Now Includes Mitigation Bypass
Drive, a variant of the do-it-yourself DDoS toolkit DirtJumper, holds a unique position among malware that organizations targeted by these debilitating attacks need to be aware of. Researchers at Arbor Networks revealed today that a new version of Drive has been spotted with features that enable ...
How I Got Here: Jeremiah Grossman
Dennis Fisher talks with Jeremiah Grossman about his days cobbling together old x86 machines, designing Web sites in the heyday of the spinning GIF, becoming Yahoo’s first hacker and then founding WhiteHat Security. Download: 09grossman.mp3...
APT Groups Using G20 Summit as Lure in Targeted Attacks
As political and financial leaders from around the world gear up for the upcoming G20 Summit, attackers have been making their plans, as well. A spate of known cyberespionage groups have been using the summit as a lure for new waves of attacks, and security researchers say one of the groups is...
Adobe Photo Loader Malware Posts Craigslist Spam
An attacker is going to a lot of trouble to post spam messages to Craigslist. Researchers at Solera Networks have come across an attack where malware is using compromised machines to post poorly worded ads for an Android application marketed at parents for the purposes of monitoring the activitie...
Phone Hack Could Block Messages, Calls on GSM Networks
By tweaking the firmware on certain kinds of phones, a hacker could make it so other phones in the area are unable to receive incoming calls or SMS messages, according to research presented at the USENIX Security Symposium earlier this month. The hack involves modifying the baseband processor on...
China .cn Domain Available Again after DDoS Attack
Long fingered as the source of denial-of-service attacks and other hacks against foreign interests, China’s .cn domain was targeted on Sunday and approximately one-third of the sites registered to that domain were kept offline for a period of time. A statement from the China Internet Network...
Pinterest Closes Hole That Allowed Anyone to View User's Email Address
A security researcher has discovered a vulnerability in Pinterest, the rapidly growing social network, that enables an attacker who knows a target’s username or user ID to discover that user’s email address. The bug is quite simple to exploit and could give an ambitious attacker a huge target lis...
Norwich University Receives $9.9 M for Cybersecurity Research
Norwich University, a small military college nestled in the Green Mountains of Vermont, secured another round of funding for cybersecurity research this week. The grant, $9.9 million in federal funds, will feed into a project that ensures groups in the private and public sector can better plan fo...
New Mozilla Plug-N-Hack Tool Integrates Browsers and Security Tools
The Mozilla security team is developing a new proposed standard that will make it easier for researchers to integrate some of their tools with Firefox and other browsers. The standard, known as Plug-n-Hack, is an open project that Mozilla hopes will be adopted by researchers and tool makers. A lo...
With No Facebook Bug Bounty In Sight, Researcher Gets $12k Reward From Security Community
Like most major Web and software companies, Facebook receives a lot of bug reports. And since the company started its bug bounty program, security researchers have become even more interested in looking for vulnerabilities in the Facebook ecosystem. But, as one researcher learned recently, not al...
VMware Patches Root Privilege-Escalation Flaw
VMware has fixed a privilege-escalation flaw in two of its major products that could allow a local attacker to gain root privileges on a vulnerable machine. The bug affects VMware Workstation and Player on certain Linux platforms. The vulnerability, which VMware patched on Thursday, does not enab...
Google, Mozilla Considering Limiting Certificate Validity to 60 Months
In the wake of a parade of problems with certificate authorities and attackers using stolen digital certificates, both Google and Mozilla are poised to enforce new rules in their browsers for how long end-entity certificates should be trusted. The changes will begin taking effect at the beginning...
Cisco Patches DoS, Buffer Overflow Vulnerabilities in UCM
Cisco has again pushed out an update for its Unified Communications Manager product, fixing several vulnerabilities that if left unpatched could lead to a denial of service attack, allow attackers to modify data or execute arbitrary commands, among other problems. The problems exist in versions...
Declassified 2011 FISC Opinion Shows Court Found Some NSA Surveillance Unconstitutional
Newly declassified documents released in response to a Freedom of Information Act request by the EFF show that the secret Foreign Intelligence Surveillance Court in 2011 declared that the National Security Agency’s techniques for collecting upstream Internet communications were unconstitutional an...
FDA Issues Recommendations on the Security of Wireless Medical Devices
The Food and Drug Administration (FDA) has issued a series of guidelines regarding the regulation of radio frequency (RF) technology in medical devices, moves that, if put into practice, could eventually help shore up the increasingly vulnerable medical device security model. In a 24-page document .PD...
Jumping Out of IE's Sandbox With One Click
Software vendors often give intentionally vague and boring names to the updates they use to fix security vulnerabilities. The lamer the name, the less attention it may attract from attackers looking to reverse-engineer the patch. There was one patch in Microsoft’s August Patch Tuesday release...
Petition Seeks Removal of Alexander as NSA Director
It has been a rough few months for the National Security Agency, and specifically for its director, Gen. Keith Alexander. The leaks of details of NSA surveillance programs by former contractor Edward Snowden have taken over the news cycle this summer and put the agency’s business out in the open...
Poison Ivy RAT Spotted in Three New China Attacks
The Poison Ivy remote access Trojan may be old, but it’s not losing favor with nation states that continue to make it the centerpiece of targeted attacks. Three groups of hackers, reportedly all with ties to China and possibly related in terms of their funding and training, are currently managin...
Adware Spotted Spreading Via Google App Engine
Spammy websites distributing adware as Java or other kinds of software updates are nothing new, but researchers have recently noticed two sites pushing that malware to users through sites that leverage Google’s App Engine. Both sites were started just over a week ago and make use of the appspot.co...