FTC Reclaim Your Name Plan Would Regulate Big Data
Big data is big. So big in fact, Science Daily claimed in May that 90 percent of all the world’s data have been generated in the last two years. In early 2012, the New York Times’ Steve Lohr reported that the total amount of data in the entire world would double every two years from that point on...
Facebook Underplays Data Exposed by DYI Bug
It would seem that a bug in Facebook’s Download Your Information tool that exposed personal information for six million users of the social network also extends to non-users who happen to be in a contact list uploaded to the site. Facebook said it has repaired the bug and began informing users th...
14 Vulnerabilities Fixed in Firefox 22
Mozilla has fixed 14 security vulnerabilities in Firefox, including four critical flaws that could allow remote code execution. There also are six high-severity vulnerabilities fixed in Firefox 22. The new version of Mozilla’s flagship browser is a major release in many ways, not least because of...
LG Android Backup Software Vulnerable to Root Exploit
A vulnerability in backup software installed on some LG Android smartphones could enable an attacker with access to the device to gain root privileges. Sprite Software’s AndroidBackup tool is installed by OEM on a number of LG Optimus, Mach, Lollipop, and Prada devices. The backup tool, in...
Google Adds Phishing, Malware Info to Transparency Report
Google divulged new statistics today about its Safe Browsing program, a service it uses to flag websites it suspects of peddling malware and phishing. According to the numbers, most of the “unsafe website” warnings it pushes to users on Google Search and in browsers, stem from malware and not...
Researchers Uncover PinkStats APT Toolkit
The arsenal of tools that attack groups use to do their business is seemingly endless, and many of them remain unknown for years before they’re discovered. Often, it’s not until a tool has been compromised or sold on the open market that researchers get a close look at it, but that’s been changin...
WordPress Update 3.5.2 Patches Seven Vulnerabilities
WordPress, which has been a jumping off point for a number of targeted attacks and other high-profile hacks, has been updated and the latest version includes a number of security patches. Version 3.5.2, released late last week, includes seven security fixes and some additional hardening, accordin...
Carberp Source Code Leaked
The source code for the Carberp Trojan, which typically sells for $40,000 on the underground, has been leaked and is now available to anyone who wants it. The leak has echoes of the release of the Zeus crimeware source code a couple of years ago and has security researchers concerned that it may...
Google Adds Feature to Keep Malware Out of Chrome Web Store
Google is adding more security controls to its browser-based Chrome Web Store by adding a new application-vetting feature called ‘Enhanced Item Validation.’ For all intents and purposes, the search giant claims that the new policy will only impact application developers in that they will have to...
Bug Exposes Facebook Data Correlation, Privacy Practices
An information disclosure bug has drawn back the curtain on some of the data correlation Facebook does with users’ contact details and opened the social network’s policies up to criticism. Facebook said the bug in its Download Your Information (DYI) tool has been repaired but not before six million...
Apple Phishing Scams on the Rise
Apple has one of the more gilded consumer brands and the company spends a lot of time and money to keep it that way. Consumers love Apple. Scammers and attackers do too, though, and security researchers in recent months have seen a major spike in the volume of phishing emails abusing Apple’s bran...
Handling of Encryption, Tor Exposed in Leaked NSA Documents
New top-secret NSA documents released by the Guardian UK newspaper reveal that the United States’ top spy agency can retain encrypted communications for as long as it takes analysts to decrypt the secret messages—even if they’re collected by chance and without a warrant. In addition, the document...
New Dirt Jumper Variant 'Drive' More Refined Than Original
Researchers have detected new attacks originating from a souped-up variant of the DIY Dirt Jumper DDoS toolkit they’ve taken to calling Drive. While it hasn’t been seen spreading through any underground forums yet, the up-and-coming threat apparently boasts a “much more powerful DDoS engine than...
Ryan Naraine on Microsoft's New Bug Bounty Program
Dennis Fisher talks with Ryan Naraine about the new Microsoft bug bounty program, how it may affect prices for vulnerabilities on the private market and why it took the company so long to start the reward program. Download: digitalunderground116...
Popular WordPress Themes, Plug-Ins Vulnerable to Attack
Since late March, no fewer than a half-dozen high profile attacks have involved a compromised website built on the WordPress platform. Attackers abuse vulnerabilities in the content management system’s customizable plug-ins and themes to pull off anything from drive-by downloads to watering hole...
Yahoo ID Recycling Plan Criticized
Yahoo has gone on the defensive this week, responding to critics who have concerns about a heightened risk for social engineering scams and identity theft that could result from the company’s forthcoming plan to recycle inactive user IDs. The Sunnyvale, Calif. search engine announced plans last...
Microsoft's Bug Bounty Program and the Law of Unintended Consequences
The Microsoft bug bounty program has been nearly a decade in the making and it is clear from the shape and size of it that the company did not simply slap the program together in order to join the cool kids. Rather, Microsoft’s security team spent years watching the way other programs work, seein...
Facebook No Longer Blocking Tor Visitors
UPDATE – Facebook’s automated malware detection system temporarily blocked visitors who use the Tor anonymity service to access the social network after it found someone trying to mass scrape publicly viewable information from Facebook. “A high volume of malicious activity across Tor exit nodes...
LinkedIn Outage Tied to DNS Issue
A site outage and redirection on LinkedIn’s site Wednesday night blamed on a DNS problem has security experts and users worried that the networking site’s DNS records may have been compromised, along with those of several other sites. But it appears the issue may have been caused by a simple...
65 Sites Compromised in ZeroAccess Trojan Attacks
As many as 65 websites have been compromised in an attack that has snared another Washington, D.C.-area media website as well as a number of travel and leisure sites. While the sites aren’t topically related, they’re all hosting advertisements injected with malicious code hosted on...
Microsoft Launches $100,000 Bug Bounty Program
After years of saying that the company didn’t need a bug bounty program, Microsoft is starting one. The company today will announce the start of a new program that will pay security researchers up to $100,000 for serious vulnerabilities and as much as $50,000 for new defensive techniques that hel...
iOS Generates Weak Default Passwords for iPhone Tethering
Business travelers who tether their iPhones as mobile hotspots beware. Researchers at the University of Erlangen-Nuremberg in Germany have discovered a weakness in the way iOS generates default passwords for such connections that can leave a user’s device vulnerable to man-in-the-middle attacks,...
Google Asks FISA Court to Allow it to Publish Data on Government Requests
Saying that inaccurate media reports about the PRISM program have damaged the company’s reputation, Google has asked the Foreign Intelligence Surveillance Court for permission to publish the number of requests the company gets for user data under various parts of the Foreign Intelligence...
Oracle Releases 40 Critical Java Patches in June Update
Oracle pushed out another 40 Java patches Tuesday night, bringing the total number of Java security updates for 2013 to well over 100 and already exceeding the number of Java patches released in 2012. Attackers have had a field day this year exploiting previously unreported vulnerabilities in Java, i...
Officials Call NSA PRISM Leaks 'Egregious', Say Program Has Foiled Many Terror Plots
Speaking before the House Intelligence Committee on Tuesday, senior intelligence and law enforcement officials said that the FISA-authorized collection of telephone records and other data revealed by Edward Snowden’s leaks has prevented more than 50 terror attacks against the United States since...
BlackBerry Z10 Privilege Escalation Security Vulnerability
BlackBerry has released a security update resolving an escalation of privilege vulnerability that existed in “BlackBerry Protect”-enabled devices running version 10.0.10.261 and earlier operating systems. The company says that version 10.0.9.2743 is not affected and that they have found no eviden...
NetTraveler Attackers Using PRISM Program as Bait
Never let it be said that attackers don’t keep up with the news. The crew behind the NetTraveler cyberespionage attacks is now using the news about the NSA’s PRISM surveillance program as bait in a new spear-phishing campaign. Security researcher Brandon Dixon of 9bplus came across a malicious...
NSA Whistleblower Snowden on PRISM, surveillance, privacy
NSA whistleblower Edward Snowden said a “continuing litany of lies” from senior U.S. leaders prompted his public uncovering of widespread surveillance of Americans’ phone calls and alleged data sharing between large technology companies and the government. In a two-hour online question-and-answer...
Apple Fields Data Requests for 10,000 Users Accounts
Since December, U.S. law enforcement agencies have made between 4,000 and 5,000 requests for customer data from Apple on as many as 10,000 user accounts, the company said in a statement released last night. Apple said in the wake of allegations that it participates in feeding the U.S. government...
Oracle to Patch 40 Java Bugs
There is a massive stack of Java patches on deck for tomorrow, with Oracle planning to fix 40 vulnerabilities in a number of different components of Java SE. Nearly all of the vulnerabilities are remotely exploitable. Oracle doesn’t release much in the way of information about the content of its...
Hard-Coded Passwords Found in Medical Devices: ICS-CERT
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert yesterday warning that some 300 medical devices developed by roughly 40 different vendors contain hard-coded passwords that could be used by unauthorized individuals to access...
Yahoo, Bing Results Directing to Bitcoin Phishing Site
It looks like phishers have started poisoning Bing and Yahoo search results in hopes of duping users of the Bitcoin exchange site MtGox.com into giving away their log-in credentials. KrebsonSecurity.com reported that both the search engines have been redirecting unsuspecting clickers to MtPox.com...
More on Office 2003 Zero Day Vulnerability Patch
This week’s patch and security advisory for a vulnerability in Microsoft Office is the perfect example of why enterprise administrators need to take Microsoft’s criticality ratings as a suggestion and not gospel. Microsoft pushed security update MS13-051 through on Tuesday with a rating of...
New Autorun Malware Spiking
Autorun malware used to be kind of a big deal around here. Worms that jump directly from removable media such as USB drives as soon as they are connected to a PC can cause some major trouble, spreading quickly through a network. Microsoft made a change to newer versions of Windows that disables t...
FDA Issues Security Guidelines For Medical Device Manufacturers
Hoping to strengthen the security of medical devices, the Food and Drug Administration today issued a new series of guidelines for manufacturers. The document was released to encourage companies to mitigate viruses and malware on devices such as defibrillators, insulin pumps and pacemakers before...
iOS 7 Beta Vulnerable to Screen-Lock Bypass
An iPhone user in Spain who downloaded the beta version of Apple iOS 7, which was made available Monday, was able to bypass its screen-lock security feature. The revamped mobile operating system was unveiled by the Cupertino, California technology giant last week at its annual World Wide Develope...
CareerBuilder Man-in-the-Browser Attack
No one can say that hackers don’t have a sense of irony. In search of money mules, attackers behind a variant of the Zeus Trojan have configured the malware to activate when users visit careerbuilder.com with code that redirects victims to an advertisement for a mule-recruitment website...
Google Warns of Spike in Iranian Phishing Attacks
With a key election in Iran looming on Friday, Google officials say they have seen a major uptick in the volume of phishing attacks against users in Iran, possibly coming from the same group that was using fake Google certificates to attack Iranian targets in 2011 after the compromise of DigiNota...
NSA Director Alexander Grilled by Senate Committee
National Security Agency director Gen. Keith Alexander was asked some pointed questions by the Senate Appropriations Committee this afternoon regarding the spy agency’s surveillance of Americans’ phone calls and electronic communication in the name of fighting terrorism. Alexander provided little...
Feds Bust Ukrainian Cybercrime Ring
Federal officials charged eight members of a Ukrainian cybercrime ring this week after they allegedly tried to illegally access the networks of a number of financial institutions including Citibank, JP Morgan Chase, TD Ameritrade and PayPal, along with the U.S. Department of Defense’s Finance and...
iPhones Automatically Connect to Rogue Networks
Some iPhone users are vulnerable to having their devices automatically join rogue Wi-Fi networks because of a combination of an iOS feature that allows devices to reconnect to known networks and a directory of carrier-specific wireless network SSIDs that are preloaded into iOS, according to mobil...
New Bill Would Declassify FISC Opinions
A group of eight senators from both parties have introduced a new bill that would require the attorney general to declassify as many of the rulings of the secret Foreign Intelligence Surveillance Court as possible as a way of bringing into the sunlight much of the law and opinion that guides the...
BlackBerry Warns of Z10, PlayBook Security Vulnerabilities
BlackBerry’s security incident response team has issued two advisories warning Z10 smartphone and PlayBook tablet users to upgrade to the latest version of the operating system and software on both platforms. The patches address a remote code-execution vulnerability in the Adobe Flash Player...
CSP 1.0 Added to Firefox to Block XSS Attacks
After years of discussion and waiting, Mozilla has finally added Content Security Policy 1.0, a defense against some common attacks such as XSS, to its Firefox browser. CSP already has been implemented in Google Chrome and Internet Explorer and there was a limited implementation of it in Firefox...
Google Requests More Transparency to Dispel PRISM
Google’s chief legal officer addressed a letter to Attorney General Eric Holder and FBI Director Robert Mueller contesting recent media reports regarding the breadth of the National Security Agency’s surveillance programs and requesting that his company be allowed to publish more national securit...
Microsoft June 2013 Patch Tuesday Updates IE Again
Microsoft took advantage today of its lightest batch of Patch Tuesday security updates this year to release an update to its certificate handling infrastructure. Meanwhile, administrators looking for a patch for a recently disclosed vulnerability by Google engineer Tavis Ormandy will have to wait...
EU: Harsher Penalties for Convicted Hackers in Europe
Legislation filed late last week in the European Parliament that could broadly reform how convicted cybercriminals are prosecuted fails to adequately differentiate good hackers from bad hackers, a political group argued today. Jan Philipp Albrecht, a spokesman for the Greens/European Free Allianc...
Cleartext Credential Found in ICS Device Firmware
Industrial control systems are rife with security issues, not the least of which is the use of hard-coded credentials. In order to minimize downtime, developers and administrators build in passwords to expedite remote troubleshooting in the event of a system crash or failure. Problems arise when ...
Suit Filed Against NSA, Obama Over Surveillance Program
A group of people, including a former federal prosecutor and the parents of a Navy SEAL sniper killed in action, have filed a class-action lawsuit against the National Security Agency, Verizon and President Obama over the NSA’s collection of cell phone data. The suit says the order that enabled...
Microsoft FixIt Tool Blocks Java Attacks in IE
Java is a security headache, not just for users and Oracle, its provider, but also for other software companies that have to deal with it, as well. Microsoft has taken steps to address this problem by releasing a FixIt tool that is designed to block all of the Web-based Java attack vectors in...