Bug Bounty to Reward Researchers with Redeemable Points

IntegraXor, a manufacturer of supervisory control and data acquisition SCADA equipment, announced last week that it would implement a bug bounty program offering points redeemable for company services to researchers that disclose security vulnerabilities in their IGX SCADA system. In most bug...

Verizon Network Extender femtocell hack intercepts calls

A $250 piece of hardware known as a femtocell, used to boost mobile phone signals for consumers and small businesses, is vulnerable to a complete takeover that attackers can use to intercept Internet traffic and cell phone calls. Two researchers from iSEC Partners are expected to provide more...

Amazon 1Button App for Chrome, Firefox Leaks Private Data

Amazon 1Button, a browser add-on that provides users with easy access to the Amazon online marketplace, is leaking private information like a sieve, according to a security researcher. Krzysztof Kotowicz, a researcher specializing in Web security, said the app reports every URL to visit to...

New App ReKey Fixes Android Master Key Vulnerability

The Android master key vulnerability disclosed a couple of weeks ago puts nearly all Android phones at risk of attacks that can modify legitimate apps with malicious code that would give the attacker full control of the device. Google has released a patch, but Android users are dependent upon the...

Another Android Master Key Attack Published

A second Android Master Key attack has been reported that takes advantage of the vulnerability in the way Android reads APK files, enabling hackers to modify signed legitimate apps with malware. The vulnerability occurs in the way Android conducts integrity checks on APK files. An attacker could...

Dennis Fisher Talks With Chris Soghoian on NSA, PRISM and Privacy

Dennis Fisher talks with Chris Soghoian of the ACLU about the NSA surveillance leaks, the PRISM data collection program, the lack of good privacy options for consumers and his upcoming talk at DEF CON on government hacking operations. Download: digitalunderground118...

Tortilla Open Source Anonymous Traffic Routing Tool for Tor

Update: Malware analysts are in a constant cat-and-mouse game with hackers when it comes to studying malicious code behaviors. Researchers handle malware samples gingerly, in a test network away from production machines and away from the Internet. Samples are opened in virtual machines and analys...

Japanese Gaming Company Konami Hacked, Info on 35K Leaked

Just days after Nintendo reported it had been the victim of a security breach, Konami, another popular Japanese video game company, has begun warning users that thousands of gamers may have had their information hacked. According to a notice on its site .PDF earlier this week, Konami ID, a portal...

Mixed Reaction to DEF CON Ban of Feds

For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect. When it comes to sharing and...

HP to Patch Remote Backdoor in StoreVirtual Systems

A few weeks after admitting that it had put an administrative backdoor in its StoreOnce backup servers, HP has said it has a similar mechanism in its StoreVirtual storage systems that allows a remote user to access the operating system. The company said the function is meant for remote support us...

Study Finds Internet Users Follow Browser Security Warnings

Users heed Web browser security warnings more than previously thought, according to research unveiled this week. The research is part of first in-depth large-scale field study of browser security warnings, according to Devdatta Akhawe of the University of California, Berkeley and Adrienne Porter...

TrueType Font Exploits Gateway to Kernel Attacks

Font-parsing vulnerabilities weren’t part of the security consciousness much until the discovery of Duqu at the end of 2011. The spy malware hooked into the Windows kernel through bugs in the TrueType font file parsing engine, and not only breathed new life into the concept of cyber espionage, bu...

Microsoft to Pay First Bug Bounty for IE 11

Just a few weeks after announcing its first bug bounty programs, Microsoft is already set to pay out a reward to a researcher from Google who discovered a vulnerability in Internet Explorer 11. Microsoft officials say that they have several other qualifying entries for the IE 11 reward program...

IRS Exposes Social Security Numbers Online

The Social Security Numbers of tens of thousands of Americans ended up in a searchable public database that provides access to the tax filing applications of Section 527 political organizations on the Internal Revenue Service’s website. According to OpenSecrets.org, 527s are “…tax-exempt groups...

Attackers Targeting MS13-055 IE Vulnerability

Attackers are using an Internet Explorer vulnerability, which Microsoft patched yesterday, in targeted attacks that also employ a malicious Flash file installed through a drive-by download launched by compromised Web pages. The exploit that’s being used is capable of bypassing both ASLR and DEP...

Google, Microsoft Seek Help in Lifting FISA Gag Order

Google and Microsoft have locked arms with a number of civil liberties advocates in filing a brief with the secret Foreign Intelligence Surveillance Court hoping to lift a gag order preventing the two tech giants from releasing information on their role in the NSA’s surveillance activities. To...

Bug Bounty Programs Pay Economic Rewards

Bug bounty programs can be as much as 100 times more cost-effective for finding security vulnerabilities than hiring full-time security researchers to do the same thing. New research from the University of California at Berkeley, which focused on bug bounty programs run by Google and Mozilla, fou...

Google Fixes 17 Flaws in Chrome 28

Google has fixed more than 15 vulnerabilities in Chrome and paid out nearly $35,000 in rewards to security researchers for reporting the bugs. One researcher earned an unusually large reward of $21,500 for a series of vulnerabilities he reported in Chrome. Google Chrome 28 includes fixes for thre...

TrueType Font Flaws in July 2013 Microsoft Patch Tuesday

Going all the way back to the Duqu attacks, font-parsing vulnerabilities and exploits have been symptomatic of some high-end espionage attacks targeting the Windows kernel. As a result, with hackers paying more attention to the core of the Windows OS, this year Microsoft has had to address a numb...

July 2013 Adobe Security Bulletins, Patches Released

Adobe today released its monthly round of security updates with patches available for Flash Player, Shockwave and ColdFusion. None of the vulnerabilities are being exploited in the wild, according to Adobe. The flaws in Flash Player and Shockwave could allow hackers to remotely install and run...

Android Master Key Bug Details Made Public

The details of the Android vulnerability that enables an attacker to create a malicious update to an APK file without breaking its cryptographic signature have become public but it appears as though Google will have a patch ready for the flaw by the time it’s fully disclosed early next month. The...

Apache CXF Denial of Service Vulnerabilities Patched

The Apache Software Foundation has patched a denial of service vulnerability in the XML parser of the Apache CXF Web services framework. Researchers, Andreas Falkenberg from Sec Consult Vulnerability Labs, and Christian Mainka, Juraj Somorovsky, and Joerg Schwenk from Ruhr-University Bochum,...

Brute Force Attack on Club Nintendo Yields Info on 25K

Hackers executed a coordinated attack, hitting servers belonging to the popular gaming company Nintendo hard for nearly a month, resulting in the breach of information of nearly 25,000 gamers. The brute-force attack targeted Club Nintendo, a fan/membership site run by the Kyoto-based company. Fro...

NIST Seeks Guidance on Incident Response and Forensics

The federal government is looking for some help in figuring out how to respond to security incidents. As attacks continue to escalate against both government agencies and private enterprises, NIST is developing a set of standards for best practices in incident response and computer forensics. The...

EAS Devices Shipping with Compromised Root SSH Key

UPDATE – Firmware images for the application servers that distribute messages for the Emergency Alert System in the United States were shipping with a private root SSH key that has been disclosed. Hackers who have this key can access one of these servers and interrupt or manipulate an EAS message...

FAA Civil Aviation Registry Vulnerable to Data Breach

The Federal Aviation Administration’s FAA Civil Aviation Registry lacks proper security controls to prevent unauthorized access to its systems, according to a report based on a recent audit undertaken by the Office of the Inspector General OIG for the United States Department of Transportation Do...

Cryptocat Key Generation Vulnerability Put Chats at Risk

Cryptocat, an open source encrypted Web-based chat application, is taking heat from numerous places after a vulnerability was discovered that put chats at risk for relatively simple decryption, experts say. Worse, says researcher Steve Thomas who found the flaw, is that it likely was present in t...

July 2013 Microsoft Patch Tuesday Security Updates

A critical Windows kernel vulnerability, publicly disclosed in May by a Google security engineer, will be patched tomorrow when Microsoft releases its July Patch Tuesday security updates. Tavis Ormandy, who has controversially disclosed Windows vulnerability details in the past, made a posting to...

IPMI Vulnerabilities on BMCs expose servers to attack

Baseboard management controllers, embedded computers present in most servers, are vulnerable to a half dozen critical vulnerabilities that could enable an attacker to gain remote control over the host machine. The vulnerabilities are in the Intelligent Platform Management Interface IPMI protocol...

Android Vulnerability Bypasses App's Digital Signature

A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file APK and not break the app’s cryptographic signature—an action that would normally set off a red flag that something is amiss. Researchers at startup...

California to Focus on Unencrypted Data in Breach Investigations

Data breaches affected more than 2.5 million California residents last year, and the state’s attorney general said that the information belonging to more than half of those victims would have been unaffected had the data been encrypted by the companies storing it. In an effort to remedy this...

Passwords, Email, Usernames Accessed in Ubisoft Hack

The video game publishing company Ubisoft is urging its users to create new passwords after announcing late last week on a support forum that attackers exploited a vulnerability in one of the company’s websites to gain unauthorized access to some of their online systems. The attackers compromised...

DNI Clapper Says Statement to Congress About NSA Data Collection Was 'Erroneous'

In a highly unusual move, James Clapper, the director of national intelligence, said Tuesday that he misspoke when he told a Congressional committee in March that the National Security Agency does not assemble dossiers on Americans. Clapper said at the time that the agency does not do so...

njRAT Attacks Spike Against Middle East High-Value Targets

Government agencies, telecom and energy organizations in the Middle East are being targeted by espionage malware known as njRAT. The remote access Trojan is thorough in its data-stealing capabilities. Beyond dropping a keylogger, variants are capable of accessing a computer’s camera, stealing...

Screen Lock Bypass Bug Exists in Skype Android App

A vulnerability in Skype’s Android application could enable an attacker to bypass the lockscreen on some Android phones, giving them full access to the device if it’s in their possession. According to Pulser, a moderator at the popular Android forum XDA Developers, the bug is in Skype version...

FAQ: The NSA Metadata and PRISM Programs

The details of extensive government surveillance of U.S. citizens through collection of cell phone metadata, and email and Internet activities through the PRISM program has raised a lot of questions and caused quite a bit of confusion about what’s actually happening. To help users sort through th...

ICS, SCADA Attacks Targeted and Disruptive

Honeypots and honeynets have long been used as enticements to lure hackers into a false network in order to study attacks. While long a favorite of many high-end enterprises and security researchers studying attacks against traditional IT infrastructures, a number of industrial control system...

Vobfus Worm, Beebone Trojan Create Malware Infection Loop

It’s often difficult to say what came first. This is certainly the case when it comes to recent interactions between the Vobfus worm and Beebone Trojan families. Microsoft’s Malware Protection Center observed an infection cycle in the wild where Vobfus variants download Beebone variants that in...

How I Got Here: Robert "Rsnake" Hansen

Dennis Fisher talks with Robert Hansen, a renowned security researcher, about his early days climbing telephone poles to clip into phone lines, how he got his start in the security world, the evolution of [email protected] from early webrings and what he’s learned along the way. Download: 07rsnake.mp3...

Exploiting the Twitter Underground for Fun and Profit

The underground economy on Twitter is still flourishing, and it appears to be a buyer’s market for followers right now, with new research showing that the price for 1,000 followers has dropped nearly 50 percent in the last few months. Barracuda Labs has been tracking the volume of fake accounts o...

Several Flaws Discovered in ZRTPCPP Library Used in Secure Phone Apps

A security researcher has uncovered a number of serious vulnerabilities in one of the core security components of several secure telephony applications, including the Silent Circle system developed by PGP creator Phil Zimmermann. The vulnerabilities in the GNU ZRTPCPP library already have been...

Dennis Fisher and Mike Mimoso Discuss NSA PRISM and Privacy

Dennis Fisher and Mike Mimoso talk about the implications of the NSA PRISM and metadata program leaks and what they mean for privacy and security. Download: digitalunderground117...

General Talks Security at Brookings Institution

General Martin Dempsey, Chairman of the Joint Chiefs of Staff, made clear yesterday in a speech to the Brookings Institution that the military, government, and private sector each has a role to play in hardening the U.S. against cyberattacks. General Dempsey also called out the maintainers of...

Opera Hack, Certificate Theft Redirects Thousands to Malware

Several thousand Opera users may have been presented with script redirecting them to a server hosting malware as a result of a hack of the Opera network and theft of a code-signing certificate. A new version of the browser is available and Opera representatives urge users to update as soon as...

Firefox Adds Mixed Content Blocking by Default

The proliferation of SSL-protected sites has been a boon for security conscious Web users in the last couple of years, as more and more sites have taken the step of offering encrypted connections for sensitive sessions. But one of the problems that’s cropped up is that the dynamic nature of today...

Cisco June 2013 Security Updates

Cisco’s Product Security Incident Response Team pushed out software updates for four different network security products. The fixes contain workarounds that can help users mitigate multiple denial-of-service and command-injection vulnerabilities recently found in Cisco’s software. The holes exist...

Researcher Hijacks Facebook Accounts Via Mobile

A vulnerability existed in Facebook that an attacker could have exploited via SMS in order to take complete control of any mobile-linked account on the world’s largest social network. A United Kingdom-based researcher operating under the handle ‘fin1te’ reported the bug to Facebook on May 23...

Citadel Banking Malaware Variant Delivers Localized Content

With builders for the Citadel Trojan freely available on any number of underground criminal forums, it’s no surprise to see some legs left in the malware despite a takedown of more than 1,400 Citadel botnets less than a month ago by U.S. law enforcement and Microsoft. A new variant has popped up ...

Stolen Opera Code-Signing Certificate Used to Sign Malware

Opera Software said it was able to contain the impact of a security breach that resulted in the theft of an expired code-signing certificate used to sign malware distributed to Windows users during a 36-minute stretch on June 19. Opera developer Sigbjorn Vik said the browser maker was victimized ...

OpenSSL Man-in-the-middle flaw fixed in Ruby

The maintainers of Ruby have fixed a serious flaw in its SSL client that could have allowed an attacker to conduct man-in-the-middle attacks by spoofing an SSL server. The vulnerability lies in the OpenSSL toolkit that’s built in to Ruby and is present in several versions of the software from 1.8...