Jason Geffner on Tortilla
Dennis Fisher talks with Jason Geffner of CrowdStrike about the new tool he released at Black Hat called Tortilla and his research on malware that uses domain-generating algorithms.
JavaScript and Timing Attacks Used to Steal Browser Data
LAS VEGAS–Security researchers have been warning about the weaknesses and issues with JavaScript and iframes for years now, but the problem goes far deeper than even many of them thought. A researcher in the U.K. has developed a new technique that uses a combination of JavaScript-based timing...
Apple to Fix Malicious Fake USB Charger Flaw
Apple claims it will fix a previously disclosed flaw in the current iteration of its mobile operating system, iOS 6, that can allow hackers complete access to an iPhone or iPad via a fake USB charger. Reuters confirmed the impending fix Wednesday after speaking with Apple spokesman Tom Numayr at...
Experts Urge ECC crypto over RSA algorithm
LAS VEGAS – Cryptographic breakthroughs have accelerated in the past six months in areas such as discrete logarithm computations that lead experts to believe that breaking the stalwart RSA algorithm may be in the not-too-distant future. A team of crypto experts today at Black Hat USA 2013 present...
Karsten Nohl Demonstrates SIM Card Root Attack At Black Hat
LAS VEGAS–Thanks to manufacturers employing old, weak encryption on SIM cards, researchers have found a way to root the cards and get access to billions of mobile devices. German security researcher Karsten Nohl of Security Research Labs demonstrated the SIM card attack in his talk at the Black H...
Surveillance, Legal Access Could Be Weakening Internet Infrastructure
LAS VEGAS–The pervasive bulk surveillance performed by the NSA and other government agencies that’s been revealed in recent weeks relies on court orders, as do other kinds of legal access operations, such as wiretapping or lawful intercepts. Those orders are shrouded in secrecy and the...
Online Ad Networks Leveraged to Launch Javascript Attacks
LAS VEGAS – Researchers have figured out how to leverage the reach of online advertising networks to distribute javascript of their choosing, creating the equivalent of a botnet of ad impressions capable of crashing underlying webservers or distributing malware on a massive scale for pennies on t...
Inside the Security Model of BlackBerry 10
LAS VEGAS–The new BlackBerry 10 operating system contains a number of security improvements and upgrades over earlier versions, but there are still some features and functions that an attacker may be able to exploit. The OS also contains a diagnostic tool called QUIP that has the ability to colle...
Google Swapping 1024-bit Keys for 2048-bit Keys
Google announced this week that it has begun upgrading its SSL certificates from 1024-bit keys to 2048-bit keys, a move that should help add an extra layer of security for anyone who uses the search giant’s services. According to a post on Google’s Developers blog by Identity Team member Tim Bray...
NSA Director Alexander Defends Surveillance at Black Hat
LAS VEGAS –NSA director Gen. Keith Alexander’s keynote today at Black Hat USA 2013 was a tense confessional, an hour-long emotional and sometimes angry ride that shed some new insight into the spy agency’s two notorious data collection programs, inspired moments of loud applause in support of the...
Mozilla, Blackberry To Test Website Security Via Fuzzing
Mozilla and Blackberry have announced a new collaboration project; the two companies will begin working in tandem to more fully flesh out Peach – a free software fuzzing application first developed nearly a decade ago – for testing the security of web browsers. In a post on its company blog by...
Researchers Hack GPS, Yacht Veers Off Course
A 213-foot luxury yacht veered off course while cruising in the Mediterranean Sea this summer after a radio navigation research team led by global positioning systems expert Todd Humphreys of the University of Texas Austin built a custom-made device capable of overriding the ship’s GPS receivers...
Software Obfuscation Mechanism Hampers Reverse Engineering
Researchers at UCLA said they’ve developed a game-changing obfuscation mechanism that will put a dent in hackers’ efforts to reverse engineer patches and understand how an underlying piece of software works. “You write your software in a nice, reasonable, human-understandable way and then feed th...
CrowdSource Tool Aims to Improve Automated Malware Analysis
When a new piece of malware surfaces, it’s typically analyzed eight ways from Sunday by a long list of antimalware and other security companies, government agencies, CERTs and other organizations who try to break it down and classify its capabilities. There’s a lot of duplicated effort there, and...
Microsoft Expands MAPP Program to Incident Response Teams
Microsoft is expanding its MAPP program that shares attack and protection information with other security vendors and will now be sharing some data with incident responders, as well. The new system will enable organizations such as CERTs and internal IR teams to exchange information on specific...
Pinterest Announces Support for DNT Header
Pinterest is the latest major Internet service to support Do Not Track. The social site, which allows its users to organize items of interest, made the announcement on Friday in a note that explained how it was going to suggest personalized pins based on websites the user has visited and placed a...
BIND 9 Denial of Service Flaw Patched
A denial-of-service vulnerability in certain versions of BIND name servers has been patched, and network managers are urged to upgrade quickly to a secure version of the DNS software. Attackers sending specially crafted queries with malformed data to a vulnerable BIND server could cause the syste...
Remembering Barnaby Jack
It’s said that each man’s death diminishes us all in some way. But some passings take a bigger piece than others. The death of Barnaby Jack is one of those, having left a major hole in the security community and let a lot of air out of the room. Jack, who died suddenly on July 25 of as-yet unknow...
Martin Roesch on Snort's History and the Sourcefire Acquisition
Dennis Fisher talks with Martin Roesch, the author of the Snort IDS and founder of Sourcefire, about the evolution of Snort from a side project to an open-source security powerhouse to the technological basis for a hugely successful company.
Throwback Barnaby Jack: Jackpotting ATMs
Barnaby Jack always seemed to find a way to make the process of banging away on an application–or a pacemaker or an ATM–look like the most fun anyone has ever had. And he wanted all of his friends to join in the fun. Jack, a respected and much-admired security researcher at IOActive, died on July...
Malware Evasion Techniques Dissected at Black Hat
Malware ingenuity isn’t limited to its functionality or its ability to propagate. Sometimes malicious code has to have guile to survive. That means for the most part having an innate understanding of when it’s being analyzed by a security expert. Numerous samples from different malware families...
Microsoft: 88 Percent of Citadel Botnets Down
Nearly two months after the company was part of an operation to disrupt a large number of Citadel botnets, Microsoft said that 88 percent of the botnets spawned by that malware have been taken down. Citadel is a Trojan designed specifically to steal financial information from a variety of sources...
How to Fail at Black Hat
Every summer, the hacker intelligentsia descends on Las Vegas like a swarm of thirsty locusts that spends seven days chasing free drinks and avoiding sunlight at all costs. Black Hat and DEF CON week can be an overwhelming and confusing experience, especially for the uninitiated or agoraphobic. B...
House Rejects Amendment to Sever NSA Data Collection Funding
By a narrow dozen votes, the U.S. House of Representatives yesterday failed to pass an amendment to the Department of Defense Appropriations Act of 2014 that would have severed funding for the NSA’s phone record surveillance program turned out by Edward Snowden. The amendment, put forth by Rep...
Hacking Ring Steals $300 Million, 160 Million Card Numbers
The U.S. Attorney’s Office in the District of New Jersey is expected to further discuss charges today against five hackers who allegedly stole at least 160 million credit and debit card numbers and netted more than $300 million over the course of seven years in what could be the largest cybercrim...
EFF: Forced Decryption Violates Fifth Amendment
If the government would like to force Jeffrey Feldman to decrypt the contents of the hard-drives and Dell computer found in his apartment, then they must offer him immunity and cannot use any of the information found on the devices as part of their case against him. That is what the Electronic...
Weaknesses in CFAA language exposed at Black Hat
The Computer Fraud and Abuse Act (CFAA) can be unsettling even to the most stalwart security researcher. The law, enacted in 1986 and revisited several times since, is still littered with loopholes and nuances that can be leveraged by a prosecutor in a criminal case, or turned against a white hat i...
Royal Baby Spam Campaign Leads to Black Hole-Infected Site
Everyone loves babies, especially magical royal ones who are destined to pull a sword from a stone. As it turns out, the baby admiring demographic also includes spammers, who are using the current frenzy over the birth of Prince William and Duchess Kate’s baby boy to direct victims to a site...
US Top Source of Web Application Attacks
The United States is no longer the most obese country in the world thanks to Mexico, but it still ranks No. 1 as the preeminent global source of Web-based attacks, according to the Imperva Web Application Attack Report. The report also notes that attackers are targeting retail-related application...
Long range RFID hacking tool to be released at Black Hat
Out of necessity come many interesting inventions. Fran Brown, a year ago, was working a penetration test for an electric utility doing an assessment of its SCADA network. His first challenge was to get inside the facility, meaning, in short that he had to break in. To do so, he decided to test t...
SEA Hacks Messaging App Tango, Leaks User Information
The Syrian Electronic Army (SEA) reportedly hacked into a database belonging to the free messaging and video sharing app Tango over the weekend, potentially compromising millions of users’ information. The SEA – a group of hackers that attacks websites to spread pro-Bashar al-Assad propaganda –...
KINS Banking Trojan For Sale in Underground Forum
It seems the cybercrime underground is pining for a new breed of banking Trojan. With heavyweights such as Citadel no longer generally available for purchase, rumblings on forums for months have indicated that a new project would be welcomed and financed. Since February, researchers at RSA’s...
Appropriations Amendment Threatens to Cut Funding for NSA Collection Program
A small group of Congressmen is trying to cut off the funding for the NSA’s widespread collection of phone and Internet records under the “business records” collection provision of the Foreign Intelligence Surveillance Act. The provision in FISA that enables law enforcement agencies to get access...
SIM Card Vulnerability Could Affect Millions of Cell Phones
As many as 750 million mobile phones could be vulnerable to an encryption flaw on certain types of SIM cards, a German cryptographer and researcher warned over the weekend. Karsten Nohl, the founder of Security Research Labs in Berlin, unveiled preliminary research on his blog behind the flaw in...
Ubuntu Forums Password Breach Exposes 1.8 Million Users
Every username, password and email address used by members of the Ubuntu Forums was accessed in a breach reported on Saturday by the free Linux distribution. More than 1.82 million accounts stored in the forums’ database were stolen, according to a notice posted on the forums’ home page Saturday...
Apple Developer Site Compromised
Several days after taking its developer Web site down without a mention of the reason, Apple has revealed that attackers had breached the site. The company said that while it can’t rule out the theft of developers’ data, all of the sensitive personal information was encrypted. Apple posted a noti...
BlackBerry Refutes Claim Private Email Passwords Sent to RIM
BlackBerry is refuting a claim made by a German researcher that private email credentials are sent by the new BlackBerry 10 mobile devices to the company without consent, possibly in the clear, and that they’re also stored without permission. Frank Rieger said that when users enter their POP/IMAP...
Edward Snowden, Congress and the Summer of Outrage
Congress is mad. Maybe it’s the heat. Or maybe it’s them wanting to get it all out of their systems before the August recess. But whatever the case, there are some genuinely angry politicians in Washington right now, trying to figure who they should yell at next for making them deal with the...
Fake FBI Ransomware Targeting OS X Users
The Federal Bureau of Investigation issued an alert yesterday warning users about a strain of ransomware purporting to come from the FBI that is targeting Mac OS X machines. This time, the ransomware isn’t malware at all, but a website that uses JavaScript to load numerous iframes. The webpage...
Google Patches QR Code Vulnerability in Google Glass
A Google Glass feature that gives the device the ability to automatically read text also leaves it vulnerable to malicious wireless networks. The feature is made possible by a technology called optical character recognition. It’s this feature that reportedly allows Google Glass to understand...
Tumblr Patches Password Sniffing Bug for iOS
Popular blogging platform Tumblr pushed out an emergency update to its iOS app yesterday, patching an apparent password sniffing bug that attackers may have been using to steal users’ logins and passwords. The update, version 3.4.1 on iOS addresses “an issue that allowed passwords to be compromis...
Java Reflection API Vulnerability Exploited
No Java component has had a bigger bull’s eye on its back this year than the Java Reflection API. Bug hunters and hackers alike have found a number of zero-days related to the Reflection API, most of which enable the remote execution of code outside the Java sandbox that’s supposed to prevent suc...
Congress Warns Section 215 May Not Be Renewed
Incensed at the way that the Department of Justice and the intelligence community have used the controversial section 215 of the PATRIOT Act, members of the House Judiciary Committee on Wednesday angrily questioned Justice and NSA officials about their surveillance of U.S. citizens and said that...
Privacy Advocates File Complaint Over Jay-Z's 'MCHG' App
Privacy advocates called out rapper/entrepreneur Jay-Z this week, filing a complaint with the Federal Trade Commission over an app he released earlier this month that many critics feel goes overboard in the amount of the information it requests from users. Citing “deceptive business practices,”...
DDoS Attack Takes Down DNS Provider Network Solutions
A distributed denial of service attack knocked the website of the domain name registrar Network Solutions LLC offline this morning and affected an unknown number of its clients’ sites as well. Network Solutions announced on its Facebook page that it was experiencing a DDoS attack just before 11...
Oracle July 2013 Critical Patch Update patches 89 Flaws
It may not be the highest priority patch among the 89 released by Oracle yesterday in its July Critical Patch Update (CPU), but a fix for an Outside In Technology vulnerability in Oracle’s Fusion middleware merits some extra attention. Oracle provides the technology in several of its products in...
Microsoft Asks AG to Let It Publish Detailed Data Request Information
Microsoft, responding to allegations that the company has helped the NSA circumvent encryption in Skype and Outlook.com and provided direct access to data from those and other services, says that it does none of those things and is petitioning the government for permission to publish more...
College Student Gets Year in Prison for Wire Fraud in Tampering With Student Election
A former Cal State San Marcos student was sentenced to a year in prison this week for wire fraud and other charges related to election tampering by using keystroke loggers to grab student credentials and then vote for himself. Matthew Weaver, 22, of Huntington Beach, Calif., stole almost 750...
EFF, Eclectic Group of Organizations Sue NSA Over Data Collection
If politics makes strange bedfellows, as the saying goes, wholesale government surveillance takes that to an entirely new level. The clearest evidence yet of the broad and diverse set of groups opposed to the NSA’s domestic spying programs came Tuesday when the EFF said that it is representing a...
ASUS Home Routers Vulnerable to Remote Attacks
Asus home routers are open to a number of potential remote attacks because of vulnerabilities in the AiCloud service bundled with the hardware. Security researcher Kyle Lovett posted on Sunday to the Full Disclosure mailing list today a follow up to a June disclosure of a directory traversal bug ...