News

News

• December 22, 2016 22 Dec'16

  Yahoo breach data reveals the need for ethical breach reporting

  Yahoo breach data from 1 billion users was sold to multiple groups on the deep web and questionable breach reporting kept Yahoo from informing users for months.

• December 22, 2016 22 Dec'16

  Work group attempts to reconcile 'going dark' with strong cryptography

  The congressional encryption working group convened earlier this year to investigate the issues behind strong cryptography and 'going dark' offers some guidance.

• December 20, 2016 20 Dec'16

  Google Project Wycheproof offers testing suite for crypto libraries

  Google offers developers a new tool, Project Wycheproof, to strengthen crypto libraries with a testing suite to check libraries for known weaknesses.

• December 19, 2016 19 Dec'16

  Gas stations get three extra years before EMV liability shift

  Gas stations get an extra three years to support new chip card payments, as the EMV liability shift date for automated fuel dispensers is pushed to 2020.

• December 16, 2016 16 Dec'16

  Google and Microsoft herald death of Flash with default browser blocks

  Microsoft followed Google's lead in promising to block Flash Player content by default in some situations and experts say the moves should expedite the death of Flash.

• December 16, 2016 16 Dec'16

  Vulnerable websites make up half of the internet's top sites

  News roundup: A report finds nearly half the internet is filled with vulnerable websites. Plus, SWIFT confirms more hacks, Amit Yoran steps down from RSA and more.

• December 15, 2016 15 Dec'16

  Yet another Yahoo breach compromises more than 1 billion accounts

  A second Yahoo breach was disclosed, with more than 1 billion accounts compromised and users left at risk of further attacks for three years.

• December 14, 2016 14 Dec'16

  Major Netgear security flaw in routers gets a beta patch

  A major Netgear security vulnerability in routers prompted experts to suggest abandoning products, as Netgear finally releases a beta patch.

• December 14, 2016 14 Dec'16

  Risk & Repeat: Avalanche crimeware as a service busted

  In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the takedown of Avalanche, the crimeware as a service operation, and why the victory may be short lived.

• December 14, 2016 14 Dec'16

  Facebook Certificate Transparency Monitoring tool will help secure web

  A new Certificate Transparency Monitoring tool from Facebook may help webmasters track and vet TLS certificates, as well as improve integrity and security for HTTPS traffic.

• December 13, 2016 13 Dec'16

  Dec. 2016 Patch Tuesday caps off a record-breaking year for Windows

  Microsoft's Dec. 2016 Patch Tuesday was a fairly routine monthly entry in a year that ended up setting a new record for most Windows patch bulletins.

• December 12, 2016 12 Dec'16

  Unique threat offers victims ransomware decryption to spread infections

  New unpublished ransomware includes a number of unique tactics including offering victims ransomware decryption keys in exchange for infecting more targets.

• December 09, 2016 09 Dec'16

  IBM's Watson for Cyber Security puts a new face on machine learning

  The IBM Watson for Cyber Security beta program aims to augment human intelligence, but experts question if IBM can distinguish it from other machine learning products.

• December 09, 2016 09 Dec'16

  Experts unsure if cyber attribution research will yield results

  Georgia Tech received a contract to research the science of cyber attribution, but experts disagree on whether it is possible to succeed in this endeavor.

• December 09, 2016 09 Dec'16

  More internet-connected devices plagued by attacks, vulnerabilities

  News roundup: Internet-connected devices, including 3.2 million routers; 80-plus models of CCTV cameras have backdoors; Dirty Cow gets patched; NSA suffers 'brain drain' and more.

• December 07, 2016 07 Dec'16

  Exploit kit delivered via malvertising targets unpatched systems

  A malvertising campaign could put millions at risk of attack as the Stegano exploit kit is being delivered by this new method and is targeting unpatched systems.

• December 07, 2016 07 Dec'16

  Experts debate the key points of the final Obama cybersecurity report

  The final cybersecurity report from the Obama administration covered issues, including authentication, identity, infrastructure, cyberthreats and cooperation, but experts disagree on the key points.

• December 02, 2016 02 Dec'16

  Android app security tested by malware and vulnerabilities

  Android app security is under attack this week with vulnerabilities in the popular app, AirDroid, and malware that steals Google account authentication tokens.

• December 02, 2016 02 Dec'16

  C-level unclear on governance, risk and compliance responsibility

  A new survey uncovered confusion in the C-suite about governance, risk and compliance responsibilities and which security compliance requirements may affect companies.

• December 02, 2016 02 Dec'16

  EU, U.S. authorities take down Avalanche global crimeware network

  Authorities from 30 countries have dismantled Avalanche, the crimeware-as-a-service network used to steal hundreds of millions from victims around the globe.

• December 02, 2016 02 Dec'16

  Patched Tor browser vulnerability puts users' identity at risk

  News roundup: Tor browser patches de-anonymizing vulnerability. Plus, Senators ask Obama to release information on Russia's impact on the election, Mirai botnet for rent and more.

• November 30, 2016 30 Nov'16

  How cloud file sharing is creating new headaches for security teams

  A sharp rise in cloud file sharing and collaboration activity is creating big problems for security teams – even when the number of security incidents is miniscule.

• November 30, 2016 30 Nov'16

  Modified Mirai botnet could infect five million routers

  Researchers said a modified version of the Mirai botnet code has been attacking routers by exploiting a specific vulnerability and may leave millions at risk.

• November 30, 2016 30 Nov'16

  Last ditch Senate efforts fail to stall Rule 41 changes

  After a final push to delay changes to Rule 41 failed in the Senate, the U.S. government now has much wider authority to legally search computers whose location is unknown.

• November 29, 2016 29 Nov'16

  SF Municipal Railway restores systems after ransomware attack

  The San Francisco Municipal Transportation Authority restored systems without paying following a ransomware attack that allowed free rides for travelers over the weekend.

• November 29, 2016 29 Nov'16

  How ad fraud botnets are costing companies billions of dollars

  Ad fraud is a costly problem, but it's often overlooked. White Ops CEO Michael Tiffany talks with SearchSecurity about why it's time to address this cybercrime scheme.

• November 29, 2016 29 Nov'16

  Cisco expands responsible disclosure timeline from 60 to 90 days

  Vendors get an extra 30 days to patch under Cisco Talos' new responsible disclosure guidelines, as Talos notes key differences in time to patch among vendors.

• November 23, 2016 23 Nov'16

  DHS hiring puts into question the cybersecurity skills shortage

  A successful hiring event by the Department of Homeland Security calls into question the existence of the cybersecurity skills shortage, but experts wonder if the event was an outlier.

• November 22, 2016 22 Nov'16

  N.Y. DA wants to turn back the clock on smartphone encryption

  The Manhattan district attorney said his office has hundreds of locked iOS devices and called on Apple to open up its smartphone encryption to warrants.

• November 21, 2016 21 Nov'16

  Symantec acquires identity protection firm LifeLock for $2.3B

  In its first move following the Blue Coat Systems merger, Symantec agreed to acquire identity protection firm LifeLock for $2.3 billion to bolster its consumer security business.

• November 21, 2016 21 Nov'16

  Android backdoor discovered in firmware for budget devices

  A new Android backdoor leaves as many as 3 million users vulnerable, and one expert said enterprises must be careful about using budget devices.

• November 21, 2016 21 Nov'16

  Sunset for SHA-1 certificates, as Google firms up plans for deprecation

  As the internet prepares for deprecation of the obsolete secure hashing algorithm, Google and other browser companies prepare to drop support for SHA-1 certificates.

• November 18, 2016 18 Nov'16

  White House confirms it warned Russia about election hacking

  The White House has confirmed that it warned the Russian government about potential election hacking before the presidential election was held.

• November 18, 2016 18 Nov'16

  Congress floats last-chance bill to delay Rule 41 changes

  Just two weeks before the deadline, U.S. lawmakers seek to postpone until next summer the acceptance of controversial updates to Rule 41, allowing legal access to unspecified systems.

• November 18, 2016 18 Nov'16

  DLL code flaw marks the latest Symantec vulnerability

  News roundup: The latest chapter of Symantec's security struggles involves a high-severity DLL code flaw. Plus, Dyn attacker might be a lone gamer, James Clapper resigns and more.

• November 17, 2016 17 Nov'16

  Chinese company caught preinstalling Android spyware on budget devices

  A Chinese company was found to be preinstalling Android spyware on budget smartphones and collecting phone call and messaging data without consent.

• November 17, 2016 17 Nov'16

  DHS and NIST release complementary IoT security guidance

  New IoT security guidance from government agencies take on different aspects, with DHS tackling the basics and NIST giving a deeper take on securing new devices.

• November 16, 2016 16 Nov'16

  Android spyware detected in wild being used by government

  Researchers discover Italian-sourced Android spyware linked to Hacking Team, but it could be the work of another surveillance software vendor.

• November 15, 2016 15 Nov'16

  Massive FriendFinder Network breach prompts password security debate

  Experts debated various aspects of password security in the aftermath of the FriendFinder Network breach, which left 400 million user accounts exposed.

• November 14, 2016 14 Nov'16

  BlackNurse hits big routers with low-volume denial-of-service attack

  Researchers claim 'BlackNurse,' a low-volume ICMP denial-of-service attack, can allow a laptop to bring down routers and firewalls with as little as 4 Mbps of malicious packets.

• November 11, 2016 11 Nov'16

  Postelection Russian hacker cyberattacks evade malware detection

  A rash of spear-phishing attacks by Russian hacker groups were seen following the presidential election this week, but antivirus and malware detection has been failing enterprises.

• November 11, 2016 11 Nov'16

  Pawn Storm APT ramps up attacks after Google's zero-day disclosure

  Roundup: Russia-based APT group Pawn Storm expands spear-phishing attacks after Google's disclosure of a Windows zero-day. Plus, OpenSSL updates, IoT security and more.

• November 11, 2016 11 Nov'16

  Adobe data breach settlement pays $1 million to 15 states

  Adobe agreed to pay several states a total of $1 million and agreed to new compliance measures as part of a settlement over the company's 2013 data breach.

• November 11, 2016 11 Nov'16

  Yahoo breach investigation adds more questions than answers

  An SEC filing updated what was learned in the investigation into the Yahoo breach in late 2014, but the language in the filing has created more confusion about the incident.

• November 09, 2016 09 Nov'16

  Google releases supplemental Android patch for Dirty COW

  Google released an Android patch for the Dirty COW vulnerability, but the fix won't be part of a mandatory security update until December.

• November 08, 2016 08 Nov'16

  Microsoft kills Windows zero-day flaw in November 2016 Patch Tuesday

  The November 2016 Patch Tuesday includes a patch for a Windows zero-day reportedly being exploited by Russian hackers, as well as bulletins experts think may be underrated by Microsoft.

• November 08, 2016 08 Nov'16

  Poor OAuth implementation leaves millions at risk of stolen data

  Researchers find widespread risk for users of apps with insecure OAuth implementation, which could lead to attackers being able to access the data held within a vulnerable app.

• November 04, 2016 04 Nov'16

  Dark web markets get warning shots from global law enforcement

  Law enforcement agencies around the world arrested and questioned users of dark web markets allegedly connected to the sale of illegal goods.

• November 04, 2016 04 Nov'16

  Mirai botnet attacks Liberia as new and improved IoT malware looms

  Roundup: Mirai botnet attacks take down Liberia internet, as a new IoT botnet adapts old malware. Plus, the latest on Dirty COW and the WoSign certificate authority controversy.

• November 03, 2016 03 Nov'16

  Experts question Microsoft's Windows zero-day response

  A Windows zero-day disclosed by Google caught Microsoft between patch cycles, and experts questioned whether Microsoft downplayed the severity of the vulnerability.

• November 02, 2016 02 Nov'16

  Microsoft claims Windows zero-day exploited by Russian state actors

  Google disclosed an unpatched Windows zero-day vulnerability, which Microsoft claims is actively being exploited by a Russian APT group connected to the DNC hack.

• November 01, 2016 01 Nov'16

  Nematode worm could dismantle Mirai IoT botnet

  A new nematode worm proof of concept could help the internet avoid the next massive Mirai IoT botnet DDoS attack, but experts are unsure of the legality of the option.

• October 31, 2016 31 Oct'16

  Mandatory certificate transparency for Chrome trust starts Oct 2017

  Certificate transparency compliance will be mandatory for publicly trusted website certificates in order to be considered secure by Google's Chrome browser.

• October 31, 2016 31 Oct'16

  The Shadow Brokers dumps list of NSA-targeted servers

  In its latest data dump, The Shadow Brokers dropped a list of Equation Group-targeted servers across the globe that may have been used to stage NSA exploits and hacking tools.

• October 28, 2016 28 Oct'16

  Mozilla drops WoSign as trusted certificate authority, adopts TLS 1.3

  Mozilla boots WoSign as a trusted certificate authority for backdating SHA-1 certs and other controversial behavior, and it prepares to add default support for TLS 1.3 in 2017.

• October 28, 2016 28 Oct'16

  FCC passes new ISP privacy rules to protect customers

  The FCC passed new ISP privacy rules that increase transparency from broadband providers and mandate that customers must opt in before ISPs can use or share sensitive user data.

• October 28, 2016 28 Oct'16

  Details emerging on Dyn DNS DDoS attack, Mirai IoT botnet

  As more details emerge on last week's massive Dyn DNS DDoS, new analysis indicated as few as 100,000 Mirai IoT botnet nodes were enlisted in the incident and reported attack rates up to 1.2 Tbps.

• October 28, 2016 28 Oct'16

  Windows atom tables vulnerable to code-injection attack

  A new attack, called AtomBombing, allows malicious code injection into atom tables by a threat actor. And while all versions of Windows are vulnerable to attack, no patch will fix the flaw.

• October 28, 2016 28 Oct'16

  Risk & Repeat: DNS DDoS attacks raise concerns over IoT devices

  In this Risk & Repeat podcast, SearchSecurity editors discuss the DDoS DNS attacks on Dyn and what they mean for DNS providers, IoT device manufacturers and enterprises.

• October 27, 2016 27 Oct'16

  XNU kernel vulnerability patched for iOS and macOS

  An XNU kernel vulnerability in iOS and macOS was patched after being reported by Google's Project Zero. And hackers at Pwn2Own 2016 cracked the Nexus 6P and iPhone 6s.

• October 27, 2016 27 Oct'16

  Adobe Flash patch for Flash zero-day exploit on Windows

  Surprise! It's time, again, for another critical Adobe Flash patch to fix a remote code execution vulnerability reported by the Google Threat Analysis Group.

• October 26, 2016 26 Oct'16

  Android malware delivery is harder than you might think

  Headlines about Android malware often gloss over just how difficult the process is for a user to install a malicious app on a device. Let's talk about that.

• October 26, 2016 26 Oct'16

  Clapper, Flashpoint: Dyn DNS DDoS attacker likely not a state actor

  As the dust settles around the Dyn DNS DDoS attack, the perpetrator is most likely not a state actor, according to the director of national intelligence and Flashpoint.

• October 26, 2016 26 Oct'16

  FBI queried on use of vulnerabilities equities process in Playpen case

  A U.S. district judge grants the defendants in a child porn case the right to know whether the FBI used the vulnerabilities equities process before the hack of the Playpen Tor hidden service site.

• October 25, 2016 25 Oct'16

  Drammer proves Rowhammer can be used to root Android

  Researchers devised a way to exploit the Rowhammer hardware vulnerability on Android devices and gain root access by using an app with no special permissions.

• October 24, 2016 24 Oct'16

  Questions still loom after Dyn DNS DDoS disrupts internet access

  Users and companies suffer after Dyn DNS DDoS attacks disrupt access to top sites; links to the Mirai botnet raise more questions, as Dyn mops up.

• October 21, 2016 21 Oct'16

  Dirty COW Linux vulnerability has existed for nine years

  A Linux vulnerability called Dirty COW has existed in the Linux kernel for nine years and allowed attackers to gain root access to virtually all Linux systems.

• October 21, 2016 21 Oct'16

  Malicious links led to Clinton campaign and Colin Powell hacks

  Malicious links from the DNC hacker group were responsible for account takeovers and leaked emails from the Clinton campaign chairman and Colin Powell.

• October 21, 2016 21 Oct'16

  Dyn hit by massive DNS DDoS, Eastern U.S. bears brunt of attacks

  At least two DNS DDoS attacks on Dyn are disrupting access to many popular websites, users and companies on the Eastern U.S. are impacted.

• October 21, 2016 21 Oct'16

  Mozilla set to dump SHA-1 certificates by early 2017

  Roundup: Firefox browser will reject SHA-1 certificates as soon as Mozilla announces further details relating to the deprecation of the outdated algorithm; plus, Oracle patches and more.

• October 21, 2016 21 Oct'16

  EU-U.S. Privacy Shield certification process picks up steam, slowly

  After a slow start, some U.S. companies are starting to address the questions and challenges of EU-U.S. Privacy Shield certification. But most haven't started the process.

• October 19, 2016 19 Oct'16

  Intel chip flaw allows attackers to bypass ASLR protection

  Researchers devised an exploit of an Intel chip flaw that allows an adversary to bypass ASLR protection and potentially boost the effectiveness of an attack on any platform.

• October 19, 2016 19 Oct'16

  IBM yanks POC code in coordinated vulnerability disclosure

  IBM asks, and researcher pulls proof of concept code from a coordinated vulnerability disclosure, internet explodes.

• October 18, 2016 18 Oct'16

  Secret Service cybersecurity audit shows 'unacceptable' flaws

  A cybersecurity audit of the U.S. Secret Service found 'unacceptable vulnerabilities' that leave the possibility of insider-threat activity and privacy violations.

• October 17, 2016 17 Oct'16

  The Shadow Brokers cancel the auction of NSA cyberweapons

  The first auction of NSA cyberweapons didn't generate much money for the Shadow Brokers, so the group is changing tactics with a direct sale of the files.

• October 14, 2016 14 Oct'16

  Certificate revocation list error strands sites signed by GlobalSign

  Attempting to tidy its root certificates, a mis-issued GlobalSign certificate revocation list left website owners scrambling to address cert errors, restore safe browsing icons.

• October 14, 2016 14 Oct'16

  Pork Explosion opens Android backdoor, roasts branded vulnerabilities

  The Pork Explosion flaw in the app bootloader provided by Foxconn creates an Android backdoor which could give an attacker dangerous levels of access.

• October 14, 2016 14 Oct'16

  Odinaff banking Trojan linked to Carbanak group, attacks SWIFT

  The Odinaff banking Trojan has been found targeting the SWIFT messaging system at financial institutions around the world and may have links to the infamous Carbanak group.

• October 14, 2016 14 Oct'16

  Adobe patches 83 vulnerabilities in latest crop of fixes

  News roundup: As Adobe patches 83 vulnerabilities in Flash Player, Acrobat and Reader, the good news is none have been exploited in the wild -- yet. Plus, IoT threats and more.

• October 13, 2016 13 Oct'16

  Hackers leverage 12-year-old OpenSSH vulnerability for IoT attack

  Akamai researchers discovered how unknown threat actors are using an SSH flaw to secretly gain control of IoT devices and turn them into proxies for malicious traffic.

• October 13, 2016 13 Oct'16

  Researchers demonstrate undetectable encryption backdoor in crypto keys

  Academic researchers show how to place undetectable encryption backdoors in cryptographic keys and passively decrypt data, which could undermine confidence in certain algorithms.

• October 12, 2016 12 Oct'16

  Lack of awareness may hamper GDPR compliance, Dell reports

  With EU's new privacy regulation set to take effect in May 2018, GDPR compliance may be hampered by lack of planning and awareness, Dell research finds.

• October 12, 2016 12 Oct'16

  White House considers proportional response to Russian hackers

  U.S. intelligence agencies officially attributed potential election-tampering activity to government-led Russian hackers, and the White House said it is considering a proportional response.

• October 11, 2016 11 Oct'16

  October 2016 Patch Tuesday fixes five zero-day flaws in monthly rollup

  Microsoft's October 2016 Patch Tuesday changes the structure of the release to the monthly rollup and starts out by taking on five zero-day flaws.

• October 07, 2016 07 Oct'16

  Expired domains present an opportunity for malicious activity

  Security researchers said expired domains and abandoned SDKs could present a way to hide malicious activity targeting vulnerable mobile devices.

• October 07, 2016 07 Oct'16

  October's Android Security Bulletin patches 78 vulnerabilities

  Google patches 78 vulnerabilities, including half a dozen critical flaws -- but none exploited in the wild -- in two patch levels in October's Android Security Bulletin.

• October 06, 2016 06 Oct'16

  Patent race picks up speed in the cloud access security broker market

  SkyHigh Networks was awarded another patent for its CASB platform. The newest patent is for technology for managing encrypted enterprise data used in cloud applications and services.

• October 06, 2016 06 Oct'16

  Yahoo implicated in secret surveillance program, but questions remain

  A report claims Yahoo built custom software under order of the U.S. government to perform secret surveillance on all incoming emails, though questions about the program remain.

• October 04, 2016 04 Oct'16

  DNS monitoring can help deanonymize Tor users

  Researchers found a way to use DNS monitoring to deanonymize Tor users by enhancing the effectiveness of fingerprinting attacks.

• October 04, 2016 04 Oct'16

  Cisco Talos finds severe JPEG 2000 flaw for remote code execution

  Cisco Talos discovered a severe flaw in the JPEG 2000 image file-format parser -- which is often used in PDF documents -- that could allow remote code execution on affected systems.

• October 04, 2016 04 Oct'16

  Release of Mirai IoT botnet malware highlights bad password security

  Mirai, the IoT botnet malware code used in the massive DDoS attack on Brian Krebs' website, has been released to the public and highlights a problem of using default passwords.

• October 03, 2016 03 Oct'16

  Will Apple become a HIPAA covered entity or business associate?

  Whether Apple is a HIPAA covered entity was called into question when it advertised for a health regulations lawyer. Expert Mike Chapple discusses Apple's relationship with HIPAA.

• September 30, 2016 30 Sep'16

  Patched OpenSSL vulnerability creates new critical flaw; patched again

  The cure for a low-severity OpenSSL vulnerability proves worse than the disease, as it opened a new, critical flaw, forcing the OpenSSL Project to rush out a new set of patches.

• September 30, 2016 30 Sep'16

  James Plouffe talks 'Mr. Robot' hacks and the show's technical accuracy

  In part two of his interview with SearchSecurity, MobileIron's James Plouffe talks about his role as a technical consultant on 'Mr. Robot' and how the show achieves its authenticity.

• September 30, 2016 30 Sep'16

  FBI confirms more state voter databases targeted by attackers

  The FBI confirmed many state voter databases have been scanned or attacked by malicious actors, and it urged states to ensure security is in place and ready.

• September 29, 2016 29 Sep'16

  Mozilla to drop WoSign as a trusted certificate authority

  Citing a long list of transgressions, Mozilla prepares to sanction Chinese certificate authority WoSign by removing it from its list of trusted certificate issuers.

• September 29, 2016 29 Sep'16

  Yahoo breach calls into question detection and remediation practices

  The Yahoo breach was the largest in history and the fallout is widespread, including a lawsuit, possible SEC investigation and questions about Yahoo's breach detection and response.

• September 29, 2016 29 Sep'16

  MobileIron: Enterprises aren't focusing enough on mobile threats

  A new report from MobileIron shows enterprises aren't taking mobile threats seriously enough. MobileIron's James Plouffe explains what that is and what's to be done about it.

• September 28, 2016 28 Sep'16

  SWIFT security controls to be mandatory by 2018

  New SWIFT security policy will mandate baseline controls for banking partners, but experts are unsure how effectively the changes can be enforced.

• September 28, 2016 28 Sep'16

  ICANN grinds forward on crucial DNS root zone signing key update

  Domain name system watchdog ICANN has begun the process of updating the DNS root zone signing key to strengthen DNSSEC protection against man-in-the-middle attacks.