Free Beacon Article Redirects to ZeroAccess Rootkit, Fake AV
Update: Aaron Harison, president of the Center for American Freedom, told Threatpost this morning that the issue has been resolved and the site is no longer serving malware. Hackers have latched on to the NSA surveillance story—literally. A news story on the outing of whistleblower Edward Snowden...
IRC Botnet Leveraging Unpatched Plesk Vulnerability
Researchers have found a botnet exploiting a vulnerability in the Plesk hosting control panel, ramping up calls from experts to upgrade to current versions of the product. A notice on the Plesk command injection vulnerability as well as exploit code was posted last week to the Full Disclosure lis...
Three Vulnerabilities Exist in HP's Insight Diagnostics
There are multiple vulnerabilities in HP’s Insight Diagnostics server management tool that could be exploited by an attacker to run code and let them take over an infected computer. There is currently no fix available for the problem. According to an alert from the CERT Coordination Center,...
Apple Store Vulnerable to XSS
There is a cross-site scripting vulnerability in the Apple Store Web site that is exposing visitors to potential attack. The vulnerability was discovered by a German security researcher who says he informed Apple about the problem in mid-May, but the vulnerability still exists. The XSS...
Threat, Attack Data Intelligence Sharing Efforts Fall Short
DENVER – When it comes to information sharing, are companies too scared or too selfish to trade attack data? A number of information security officers from high-profile companies debated the topic this week at the NG Security Summit and came to the conclusion that it’s a little bit of both. Shari...
Clapper Says NSA Programs Fully Authorized and Necessary
The top U.S. intelligence official addressed the recent revelations about the National Security Agency’s covert cell-phone and email data collection surveillance programs on Thursday, saying that the programs have been ongoing for years, are fully authorized under U.S. law and that the leaks...
Google Jacks Up Bug Bounties For Serious Vulnerabilities
Google has one of the older bug bounty programs in existence, and the company often makes changes to its rules in an effort to stay current with the security landscape. The latest change is another increase in the rewards that the company will pay to researchers who report certain bugs, including...
Five Bulletins, One Critical in Microsoft's June Patch
Microsoft announced today in an advance Patch Tuesday notification that it will ship just five bulletins in the June edition of Patch Tuesday. Only one bulletin received the software giant’s most severe ‘critical’ rating: it will fix a vulnerability in Windows and Internet Explorer that could all...
Operation b54 Knocks 1,000+ Citadel Botnets Offline
UPDATE – Calling it the company’s “most aggressive” botnet operation to date, Microsoft has joined with the FBI for a massive disruption of the Citadel botnet. More than 1,400 individual botnets associated with the Citadel malware affecting more than five million people in total were...
Always Outmanned, Always Outgunned
We were warned. Over and over again. Not just by privacy advocates and by security experts and by civil liberties organizations and by the guy on the corner in the tin foil hat shouting about the government intercepting his brain waves. We were warned by some of the very people charged with...
Internet Systems Consortium Resolves Critical BIND Flaw
The Internet Systems Consortium (ISC) published a security advisory yesterday resolving a high priority, remotely exploitable denial-of-service vulnerability in BIND 9, the de facto software standard for implementing domain name system protocols online. There is a defect in BIND 9 that could...
Oracle's Java Security Plans Don't Address Sandbox Flaws
For all of Oracle’s bluster last Thursday about Java security enhancements, next to nothing was said about the real issue behind months of misery this year: the Java sandbox. Oracle broke its radio silence late last week with an out-of-the-blue blogpost full of promises about getting Java right...
China Accuses America of Hacking
The predominant narrative among U.S. officials and security experts is that Chinese hackers, allegedly at the behest of their government, are thoroughly compromising the computer networks of American government, defense, and public sector organizations in order to steal any valuable data. What yo...
Google Fixes Security Vulnerabilities with Chrome Update
Google released a stable channel update for its Chrome browser yesterday, resolving 12 vulnerabilities, one of which was considered ‘critical’, Google’s most severe rating, ten of which received second most severe ‘high’ ratings, and one receiving a third-in-line ‘medium’ rating. Google paid out ...
Schneider Patches 18-Month Old SCADA Bugs
More than 18 months after a security researcher revealed a long list of vulnerabilities in its SCADA products, Schneider Electric has released patches for a subset of those bugs for a couple of the affected products. In December 2011, security researcher Rubén Santamarta disclosed a series of...
Apple Patches Mass of Security Bugs in OS X and Safari
Apple has updated both OS X and its Safari browser, fixing a pile of security vulnerabilities, many of which can be used for remote code execution. The release of OS X Mountain Lion 10.8.4 includes patches for more than 30 bugs, most notably a set of fixes for vulnerabilities in Ruby, some of whi...
Attack on FIS More Widespread Than Reported
A previously reported attack against Fidelity National Information Services (FIS) two years ago was actually much more widespread than initially reported, according to a document released to banks from the FDIC late last month. Compounding matters, as of the FDIC’s audit FIS had not taken the...
Peer-to-Peer Botnets Grow Fivefold
The resiliency of peer-to-peer botnets is too good to pass up for fraudsters and spam mavens tired of watching expensive and centralized command and control infrastructures be taken down by authorities and technology companies. Botnets such as ZeroAccess, TDL4/TDSS and Zeus v3 have shown the way...
Data Sharing, Cooperation Key to Critical Infrastructure Security
WASHINGTON–The topic of critical infrastructure security may be the prettiest girl at the dance right now for both politicians and technology companies, but the problem of attackers going after these targets is one that security people have been dealing with for some time. But that doesn’t mean...
NetTraveler Espionage Malware Campaign Ties to Gh0st RAT
A new cyberespionage malware campaign with ties to China going back to the Titan Rain and Gh0stNet attacks has been targeting diplomats, military contractors and government agencies in 40 countries. Researchers at Kaspersky Lab today unveiled details on NetTraveler, a data exfiltration tool, whic...
Politics, Uncertainty Slowing Down U.S. Response to Cyber Threats
WASHINGTON–The shift in the last few years to cyberespionage and online attacks against the nation’s critical infrastructure has left the United States government lagging behind, and “a day late and a dollar short”, the former director of the National Security Agency said. The ongoing campaigns...
Two-Factor Authentication Options for Web Services
LinkedIn is the latest in a long line of high profile Internet services companies to offer two-factor authentication to its user base, joining Twitter, Evernote, Gmail and myriad others. And much like those other services, the move to a stronger form of authentication is a reactionary one, coming on...
Defeating Internet Blocking With Lahana VPN-Tor Bridge
As the anti-government protests in Turkey have escalated in the last few days, privacy activists and security experts have begun working on ways to help people inside Turkey get reliable access to the Internet and privacy tools such as Tor. A security researcher over the weekend released a new to...
Oracle Java Security Enhancements Get Mixed Reviews
Oracle is working hard to restore some faith in the security of the Java browser plug-in with a number of enhancements announced yesterday, specifically to in-house code testing, as well as policy changes regarding signed applets and certificate validation. But after a miserable year of targeted...
Peer-to-Peer Botnet Takedowns a Challenge
The FBI, Justice Department and technology companies have had success shutting down botnets that rely on a centralized infrastructure and command and control servers to communicate with bots, steal data or send malicious commands. Peer-to-peer botnets, however, have proven more difficult to take...
Evernote Two-Factor Authentication for Paid Accounts
Cloud-based note taking service Evernote this week pushed out three new security features including two-factor authentication for some users’ accounts in hopes of adding an extra layer of protection. The service is among the latest to hop on the two-step verification bandwagon, following Amazon...
Pills and Tattoos to Replace Passwords for Authentication
Motorola’s Regina Dugan suggested at the Wall Street Journal’s D11 conference that pills and tattoos could replace passwords as the radical solutions to the perennial authentication problem. Dugan was formerly the head of the Pentagon’s forward-looking Defense Advanced Research Projects Agency...
The Case for a Government Bug Bounty Program
Once upon an Internet, a security researcher who discovered a vulnerability had very limited options for what to do with that information. He could send it to the vendor and hope someone cared enough to patch it; he could post it to a mailing list for all to see; or, if he had the right contacts,...
Researchers, Vendors Await Google Disclosure Fallout
The endless loop that is the disclosure debate got a jolt of energy yesterday when Google said it would support researchers’ disclosure of details on actively exploited critical vulnerabilities just seven days after the researcher has notified the vendor in question. Google hopes the policy...
Beta Bot Trojan Emerges as New Type of Banking Malware
A new strain of banking malware, Beta Bot, has been refined over the last few months to target ecommerce and comes complete with an array of features to help prevent it from being caught by usual security measures. According to research conducted by RSA Security’s Limor Kessem, the bot started ou...
Amazon Joins Authentication Game
As attackers continue to target large databases of passwords and users grow wearier by the day of creating new accounts and login credentials on each site they visit, the larger Web players are positioning themselves as not just social networking or retail hubs, but also as authentication...
Google Advocates 7 Days to Go Public with Critical Vulnerabilities
Two security engineers for Google say the company will now support researchers publicizing details of critical vulnerabilities under active exploitation just seven days after they’ve alerted a company. That new grace period leaves vendors dramatically less time to create and test a patch than the...
Drupal.org Resets Passwords After Data Breach
The Drupal Association is urging all users of Drupal.org and groups.drupal.org to reset their passwords after discovering an intrusion that breached files holding usernames, e-mail addresses, countries and hashed passwords. Sites that run on Drupal do not appear to be impacted, though the...
Carna Botnet Analysis Enumerates Vulnerable Network Devices
The Carna botnet, more formally known as the Internet Census 2012, stirred up a hornet’s nest of controversy when it was unveiled in March to a number of popular security mailing lists. An unidentified researcher had found more than 420,000 embedded devices that were accessible online with defaul...
PayPal to Fix XSS Flaw, But No Reward For Researcher
PayPal is in the process of fixing the cross-site scripting flaw on its Web site that was disclosed last week. The teenage researcher who found and disclosed the bug said Wednesday that PayPal security officials told him that someone else had reported the same vulnerability to them earlier and...
Researchers Use Music, Light to Trigger Mobile Malware
Calling it a paradigm shift, university researchers were able to trigger mobile-device malware using a modest amount of music, lighting, magnetic fields or sound vibrations. “When you go to an arena or Starbucks, you don’t expect the music to have a hidden message, so this is a big paradigm shift...
Ruby on Rails Exploit Harvests IRC Botnet
Developers who have not updated their Ruby on Rails installations with a five-month-old security patch would do well to secure the Web development framework now. Exploit code has surfaced for CVE-2013-0156 that is being used to build a botnet of compromised servers. Exploit code has been publicly...
Liberty Reserve Domains Seized, Money Laundering Charged
Federal law enforcement officials in the United States seized domains belonging to the Costa Rican-based Liberty Reserve, a payment processor, money transfer service, and digital currency exchange reportedly used by criminals as a means for laundering money. Liberty Reserve was also the subject o...
PayPal Site Vulnerable to XSS Attack
A 17-year-old German schoolboy posted information over the weekend regarding an apparent cross-site scripting (XSS) vulnerability in the popular money transfer site PayPal. The problem lies in the site’s search function and at least in the German version of the website can be triggered by using a...
Facebook Patches Privacy Flaw in Pages Manager for Android
Facebook has plugged a privacy hole in its Pages Manager application for Android. Facebook Pages help businesses establish a presence on the social network, while the app enables an admin to manage posts, respond to comments and messages, push notifications to customers, manage photographs and...
Flame One Year Later
It’s been a year since the first reports of the Flame malware surfaced, and looking back at the 12 months since then, it seems more and more each day that the discovery of Flame should be seen as a seminal event in the evolution of malware. When Flame emerged in May 2012, some of the outside...
Small Businesses Lose £800 Million Per Year to Cybercrime
Small- and medium-sized businesses are losing a staggering £785 million per year to cybercrime, according to a joint report published by the Federation of Small Businesses (FSB) and the Home Office and Business Departments in the United Kingdom. Despite this, just fewer than 20 percent of businesse...
Hard-Coded Credentials Found in TURCK ICS Devices
Hard-coded credentials are a longstanding security no-no, but they’re also an ever-present reality because of developers and IT managers who require remote access to networks and systems for troubleshooting purposes. The level of risk in such cases depends on the system in question. But one thing...
Report Says Active Recovery Efforts Could Deter IP Theft By Foreign Attackers
An independent commission focused on the threat of intellectual property theft from U.S. companies says that between 50 percent and 80 percent of all IP theft originates in China and, in a new report, urges the government to take stronger action against government-sanctioned IP theft. The Commission on...
Thousands of DHS Personnel Notified of Data Breach
The Department of Homeland Security this week began notifying up to tens of thousands of employees, contractors and others with a DHS security clearance that their personal data may be at risk. The notifications began on Monday, according to an online statement, after officials learned of a...
Google Strengthening Keys on SSL Certificates to 2048 Bits
As attacks against cryptographic systems and the SSL infrastructure have advanced in recent years, experts have begun to fret about the future utility of the system. Companies that rely on the security of the SSL technology are beginning to take steps to address the issue, with the latest being...
Samsung Galaxy S4 Android Bootloader Unlocked
Those of you who like to tinker and jailbreak Android phones should take notice of some new research conducted on Samsung Galaxy S4 Android devices shipped by AT&T and Verizon. Both device makers ship the Galaxy S4 smartphones with a locked down bootloader that prevents users from uploading custo...
Apple Patches QuickTime on Windows, Fixes 12 Bugs
Apple pushed out version 7.7.4 of its multimedia framework QuickTime for Windows users on Wednesday, addressing a handful of issues, some of which could have led to arbitrary code execution and caused the program to unexpectedly terminate. It’s Apple’s first QuickTime update of the year and the firs...
Twitter Enables Two-Factor Authentication
Responding to a wave of high-profile account takeovers in recent months, Twitter has implemented a phone-based two-factor authentication scheme that will require a numerical code along with a username and password when users log in to their accounts. The feature, known as login verification, is...
Mac OS X Backdoor Found in Wild
It was inevitable another sample of the Mac OS X spyware discovered last week would surface. Researchers said today that a German investigator informed its researchers of another instance in the wild. Spread via a spear phishing campaign that’s apparently been circulating since December, the...