Google Chrome 29 Fixes 25 Vulnerabilities
There are 25 fresh security patches in the newest version of Google Chrome, including fixes for a number of high-severity vulnerabilities. Chrome 29 also includes a number of performance enhancements. Google regularly pushes out new versions of its browser every few weeks, and sometimes will only...
Twitter OAuth Data Leaked From Third-Party App
An attacker, who may have gotten the information from the database of a third party, claims to have access to the OAuth login tokens and secrets for every Twitter user. He has posted more than 15,000 of the entries online and claims that he can now access the account of any user he wishes. Twitte...
Sirefef Malware Found Using Unicode Right-to-Left Override Technique
Old malware tricks never really die, they just get recycled and passed down to the next generation of attackers. The latest technique to get run through the wayback machine is the use of the right-to-left override character in Unicode, a tactic that enables malware authors to hide the real name o...
Facebook Stands By Bug Disclosure Policy, Patches Wall Bug
A member of Facebook’s security team acknowledged over the weekend that the group could have taken further steps to verify a vulnerability initially brought to their attention by an independent security researcher last week but that the company largely adhered to its bug disclosure policy. That...
Microsoft Reissues MS13-066 Windows Server Patch
Microsoft has re-released one of the August security patches for Windows Server 2008 in order to fix a regression issue that would cause some servers to stop working. The MS13-066 patch was released again Monday after Microsoft discovered the problem last week. The patch in the MS13-066 update...
Scanning the Internet in 45 Minutes
The Internet is a big thing. Or, more accurately, a big collection of things. Figuring out exactly how many things, and what vulnerabilities those things contain has always been a challenge for researchers, but a new tool released by a group from the University of Michigan that is capable of...
How I Got Here: Rich Mogull
Dennis Fisher talks with Rich Mogull of Securosis about his days as a teen wannabe hacker, his meandering path through Navy ROTC, software development, near miss with medical school, mountain rescues and his life as a security industry analyst. Download: 08mogull.mp3...
New Jigsaw Hacking Tool Spotted in Attacks
If you’ve run an internal phishing exercise, chances are you may have used Jigsaw, an open source penetration testing tool that enables security teams to automatically generate email address combinations from a minimal amount of public information. As with other open source security and networkin...
Joe Grand on Hardware Hacking and the JTAGulator
Dennis Fisher talks with Joe Grand of Grand Idea Studio about his current project, the JTAGulator, which helps hardware hackers find the OCD connections on devices. They also discuss Joe’s hardware-hacking background and the current resurgence of hardware research. Download: digitalunderground123...
Cracking Cryptography and Encryption Exponentially Easier
It’s been a brutal month for crypto. Starting with the Black Hat conference, researchers, engineers and hackers have been unveiling new weaknesses and attacks in different cryptographic implementations that threaten the security of communication and commerce on the Web. Not only have holes been...
Philips Light Bulb Vulnerability Could Leave Some In the Dark
According to research unveiled this week some types of web-enabled light bulbs are vulnerable to a flaw wherein an attacker could literally leave users of the bulbs in the dark. Philips’ Hue brand lighting systems can be exploited, according to independent researcher Nitesh Dhanjani who published...
Syrian Electronic Army Hacks Washington Post
One day after the New York Times Web site was offline for several hours due to what experts speculated was an attack, the site of the Washington Post was hacked, apparently by the Syrian Electronic Army. Officials at the Post said that the attack followed closely on the heels of the SEA hacking t...
Twitter Account 'Classifier' Detects Fraudulent Accounts
Fraudulent Twitter accounts are a booming business, accounting for significant underground money for spammers, fake antivirus scams, drive-by downloads and phishing schemes. But research presented at USENIX yesterday proposes a means for driving up the cost for attackers to get these campaigns of...
Faulty Microsoft Exchange Server 2013 Patch Pulled Back
Microsoft announced Wednesday afternoon that it has pulled MS13-061, one of the patches issued yesterday for vulnerabilities in Exchange Server 2013. Microsoft said the patch is causing issues with the content index for mailbox databases. Organizations would still be able to send and receive emai...
Android Malware Found Exploiting Google Cloud Messaging Service
Researchers have discovered a number of malicious Android apps are using Google’s Cloud Messaging service and leveraging it as a command and control server to carry out attacks. A post on Securelist today by Kaspersky Lab’s Roman Unuchek, breaks down five Trojans that have been spotted checking i...
Microsoft to Eliminate Weak MD5 Crypto Algorithm
The clock is running on Windows administrators to sweep out MD5 implementations before a February 2014 patch from Microsoft slams the door shut on the broken, aged crypto algorithm. Microsoft released a pair of advisories yesterday in addition to its regular Patch Tuesday security updates alertin...
BIND Vulnerability Enables DNS Cache Poisoning Attack
A vulnerability in the BIND domain name system (DNS) software could give an attacker the ability to easily and reliably control queried name servers chosen by the most widely deployed DNS software on the Internet, according to new research presented at the Woot Conference in Washington D.C. today...
NHTSA Website Back Online After Hack
The National Highway Traffic Safety Administration restored its servers yesterday, 10 days after an attack knocked the agency’s website offline. The government agency confirmed last Tuesday that 10 of its servers had been hacked in early August after it received an alert from the United States...
Microsoft Fixes ASLR/DEP Bypass Bug
Buried in the details of the Microsoft Patch Tuesday release for August is the explanation of an important change that the company made to Windows that defeats a group of exploit mitigation bypasses. The change is a small one, but it prevents dangerous attacks that previously worked on most...
August 2013 Microsoft Patch Tuesday Security Updates
Microsoft took less than a month to incorporate an Oracle Outside In patch and fix a critically rated remote code execution bug in Exchange Servers. The Microsoft patch is among three critical bulletins—eight overall—released today as part of its August 2013 Patch Tuesday security updates. Oracle...
Joomla Patches Blackhole Zero Day Vulnerability
Attackers have been abusing websites for months that are hosted on Joomla, WordPress and other content management platforms. One gaping vulnerability can open the door for a cybercrime group, for example, to build a formidable botnet, or lure victims to malware that can cash out a bank account or...
After Paying $2M in Rewards, Google Multiplies Some Bug Bounties Five Times
Google’s bug bounty program has been one of the more successful reward systems of its kind, and the company has regularly modified and expanded the program over the years to keep pace with what’s going on in the industry. Google also has increased the rewards it offers for certain kinds of...
Counter.php Redirecting to Sites Peddling Styx Exploit Kit
The Counter.php strain of malware has been spotted in the past redirecting users to a handful of malicious sites and now appears to be leveraging that ability to send victims to websites serving up the Styx exploit kit. According to a post on Securelist today, Vincente Diaz, a researcher with...
Aumlib, Ixeshe Malware Updated in Targeted China Attacks
After a quiet period, the state-sponsored hacker group blamed for attacks on the New York Times late last year has begun a number of new campaigns that feature updated versions of malware used in attacks going back to 2009. Researchers at FireEye said the group, identified as APT 12 by forensics...
Watering-Hole Attack Compromises Key Tibetan Site
In what has become a familiar scenario over the last couple of years, attackers have compromised a key Tibetan web site and loaded it with code that redirects some users to a third-party site that installs an APT-style backdoor. The attack has hit the Web site of the Central Tibetan Administratio...
Bitcoin Wallets on Android Vulnerable to Theft
Bitcoin wallets on the Android platform are vulnerable to theft after a vulnerability was discovered that could allow an attacker to guess a private key used to secure transactions involving the virtual currency. A post to a Bitcoin forum over the weekend pointed to a report of one address having...
New Attack Leverages Mobile Ad Network to Deliver Android Malware
Ad networks have been a key component of the malware and cybercrime ecosystem for a long time and their role is becoming more and more complicated, as researchers from WhiteHat Security showed at Black Hat recently. That problem is now moving to the mobile Web, and researchers at Palo Alto Networ...
Inside the Decision to Shut Down Silent Mail
Silent Circle’s decision to shut down its Silent Mail email service may have come quickly yesterday, and the timing of the announcement admittedly was prompted by Lavabit’s decision to suspend operations hours before. But the seeds for this decision may have been sown long before Edward Snowden,...
BYOD Gives Vulnerable Devices Corporate Network Access
Policies allowing employees to bring their own devices to work (BYOD) have the unintended consequence of increasing the total number of vulnerable devices connecting to corporate networks and accessing corporate data, a report released today by Rapid 7 said. While the general consensus says that BY...
Dennis Fisher and Mike Mimoso Recap Black Hat and DEF CON 2013
Dennis Fisher and Mike Mimoso discuss the news from Black Hat and DEF CON, particularly the fact that the Web seems to be broken and that a lot of the attacks revealed in Las Vegas don’t have easy solutions. Download: digitalunderground122 Subscribe to the Digital Underground podcast on...
August 2013 Microsoft Patch Tuesday Security Updates
Another month, another set of Microsoft Patch Tuesday security updates for Internet Explorer. For what seems to be the umpteenth month in a row, Microsoft will patch its browser, one of three critical updates expected to be shipped on Tuesday among eight bulletins. While IE patches remain a...
Cellular IDS Enables Monitoring of BYOD Devices for Malware
Organizations struggle with securing consumer mobile devices in the enterprise because (A) they don’t own the device; and (B) mobile traffic often isn’t accessible to network managers making it difficult to scan for infections or anomalous behavior. At DEF CON last weekend, a team of researchers...
Relax, You Don't Have to Fix Every Vulnerability
Here’s an idea: stop fixing every vulnerability you read about. The best thing to do, it turns out, is to look at the vulnerabilities that are in both Metasploit and the Exploit Database and fix those. That gives you the highest chance of fixing bugs that are likely to be used in an actual attack...
Matthew Green on Crypto Advances, the BREACH Attack and Whether the Longevity of the RSA Algorithm
Dennis Fisher talks with Matthew Green of Johns Hopkins University about the crypto advances in recent years, the BREACH attack revealed at Black Hat and whether it’s time to start moving away from the RSA algorithm. Download: digitalunderground121 Subscribe to the Digital Underground podcast on...
Questions Linger About New Linux 'Hand of Thief' Trojan
It looks like cybercriminals will soon be able to add yet another Trojan to their hacking repertoire, the Hand of Thief banking malware that targets Linux machines. Currently being sold on the Russian black market, Hand of Thief is fetching $2,000 USD (€1,500 EUR) but could be poised to run a cool...
Remotely Exploitable Bug Affects Wide Range of Cisco TelePresence Systems
There’s a serious vulnerability in Cisco’s popular TelePresence system that could give an attacker complete control of the affected system. The vulnerability affects a broad range of TelePresence models, although there are workarounds available. The vulnerability results from the fact that there...
Google WebLogin Tokens Expose Google Apps, User Data
An exposure in the way Google handles authentication is an illustration of the unintended consequences of trading security for a little bit of convenience. Craig Young, a researcher from security company Tripwire, demonstrated at Def Con over the weekend how an Android single sign-on token known ...
Tor Users Should Leave Insecure Windows Operating System
In a critical security advisory issued over the weekend, the Tor Project told its users that they should seriously consider migrating away from Microsoft’s Windows operating system and disabling JavaScript. The Tor Project security advisory was a response to revelations on Sunday that an attack h...
New Twitter Login Verification System Avoids SMS Codes
Twitter is rolling out an updated login verification system for iPhone and Android that uses a novel cryptographic scheme that is designed to be resilient against attack and ensures that the private key never leaves the user’s device. The system doesn’t rely on SMS to send codes to users for logi...
Fort Disco Botnet Uses Brute-Force Attacks Against CMS Sites
More than 6,000 websites built on content management systems such as WordPress, Joomla and Datalife Engine were compromised in a new brute-force attack campaign, according to a researcher at Arbor Networks. A botnet called Fort Disco, currently made up of 25,000 Windows machines, is responsible f...
Mixed Content Blocking Appears in Firefox 23
The long-anticipated inclusion of mixed-content blocking in Mozilla Firefox is now at hand, with the security feature showing up in the just-released Firefox 23. The feature, which helps defend users against certain kinds of man-in-the-middle attacks, is on by default in the new browser. Mixed...
Scenes from Black Hat USA 2013
More from Wednesday’s Legal Access Panel Briefing
Windows 8 Phone Authentication Protocol Weakness
Microsoft issued a security advisory on Sunday, warning of a potential data leakage issue for Windows Phone users connecting to Wi-Fi hotspots. Hackers love to set traps for wireless users promising free Wi-Fi in airports, restaurants and other public areas. Once a mobile device connects to the...
Black Hat 2013: What Have We Learned
LAS VEGAS–The Black Hat conference is one of the best opportunities each year to see new and innovative research, commune with some of the smartest folks in the industry and generally get a sense of where things stand and where they’re going. This year’s conference was one of the larger in histor...
Android Master Key Vulnerability Responsible Disclosure
The researcher behind the now well known Android Master Key vulnerability shared more details about the disclosure process, during which attackers somehow managed to reverse engineer a patch for the bug, and write and distribute malware days before Google released the patch to the public. Jeff...
Web security hacks dominate Black Hat USA 2013
The security of the Web is looking a little like Al Bundy right about now (look it up kids). Granted Black Hat is fresh on our minds and you always come away from that event less willing to use the Internet, but this year seemed especially bad in terms of new attacks—or new twists on old attacks—th...
Jeff Forristal on the Android Master-Key Vulnerability
When news of the Android master-key vulnerability began leaking out in early July, details were hard to come by, and that was done intentionally. The researchers at Bluebox Security, a mobile-security start-up, had discovered the vulnerability and were planning to disclose the details of the bug ...
BREACH Compression Attack Steals HTTPS Response Secrets
A serious attack against ciphertext secrets buried inside HTTPS responses has prompted an advisory from Homeland Security. The BREACH attack is an offshoot of CRIME, which was thought dead and buried after it was disclosed in September. Released at last week’s Black Hat USA 2013, BREACH enables a...
Tor Users Hit With Firefox Exploit, But No Large Compromise of Network Seen
The vulnerability in Firefox that was being used to exploit some users of Tor in recent days was fixed in a previous Firefox release and the exploit in circulation only works against people running Firefox 17. Over the weekend, word spread that the exploit was in the wild and that the Tor network...
Gen. Keith Alexander Black Hat Keynote
When Gen. Keith Alexander, the director of the National Security Agency and chief of U.S. Cyber Command, agreed to deliver the opening keynote at Black Hat USA 2013, he had no idea that by the time he took the stage many of the NSA’s most secret information-collection programs would be public...