News

News

• October 26, 2016 26 Oct'16

  FBI queried on use of vulnerabilities equities process in Playpen case

  A U.S. district judge grants the defendants in a child porn case the right to know whether the FBI used the vulnerabilities equities process before the hack of the Playpen Tor hidden service site.

• October 25, 2016 25 Oct'16

  Drammer proves Rowhammer can be used to root Android

  Researchers devised a way to exploit the Rowhammer hardware vulnerability on Android devices and gain root access by using an app with no special permissions.

• October 24, 2016 24 Oct'16

  Questions still loom after Dyn DNS DDoS disrupts internet access

  Users and companies suffer after Dyn DNS DDoS attacks disrupt access to top sites; links to the Mirai botnet raise more questions, as Dyn mops up.

• October 21, 2016 21 Oct'16

  Dirty COW Linux vulnerability has existed for nine years

  A Linux vulnerability called Dirty COW has existed in the Linux kernel for nine years and allowed attackers to gain root access to virtually all Linux systems.

• October 21, 2016 21 Oct'16

  Malicious links led to Clinton campaign and Colin Powell hacks

  Malicious links from the DNC hacker group were responsible for account takeovers and leaked emails from the Clinton campaign chairman and Colin Powell.

• Sponsored News

  • Keep out vulnerable third-party scripts that help steal data from your website

    Sponsored by Akamai - Visiting a website today, users gain access to a rich, interactive experience that is often customized to their preferences and enhanced for their convenience. See More

  • DDoS attacks are growing in frequency and scale during the pandemic. What can businesses do?

    Sponsored by Akamai - At a time when many businesses have their resources stretched to the limit, the scourge of distributed denial-of-service (DDoS) attacks has continued unabated and added to the difficulties faced by many during this ongoing pandemic. See More

  • Product Video: Page Integrity Manager

    Sponsored by Akamai - With modern web pages relying heavily on scripts to run services and access data, attackers are exploiting those scripts as a new attack vector to steal sensitive customer information. See More

  • Product Video: Web Application Protector

    Sponsored by Akamai - With limited security expertise, protecting your web applications is a daunting task. Web Application Protector provides automated web application firewall (WAF) and distributed denial-of-service (DDoS) protection that’s designed to offload the complexity associated with a traditional WAF. See More

  View All Sponsored News
• October 21, 2016 21 Oct'16

  Dyn hit by massive DNS DDoS, Eastern U.S. bears brunt of attacks

  At least two DNS DDoS attacks on Dyn are disrupting access to many popular websites, users and companies on the Eastern U.S. are impacted.

• October 21, 2016 21 Oct'16

  Mozilla set to dump SHA-1 certificates by early 2017

  Roundup: Firefox browser will reject SHA-1 certificates as soon as Mozilla announces further details relating to the deprecation of the outdated algorithm; plus, Oracle patches and more.

• October 21, 2016 21 Oct'16

  EU-U.S. Privacy Shield certification process picks up steam, slowly

  After a slow start, some U.S. companies are starting to address the questions and challenges of EU-U.S. Privacy Shield certification. But most haven't started the process.

• October 19, 2016 19 Oct'16

  Intel chip flaw allows attackers to bypass ASLR protection

  Researchers devised an exploit of an Intel chip flaw that allows an adversary to bypass ASLR protection and potentially boost the effectiveness of an attack on any platform.

• October 19, 2016 19 Oct'16

  IBM yanks POC code in coordinated vulnerability disclosure

  IBM asks, and researcher pulls proof of concept code from a coordinated vulnerability disclosure, internet explodes.

• October 18, 2016 18 Oct'16

  Secret Service cybersecurity audit shows 'unacceptable' flaws

  A cybersecurity audit of the U.S. Secret Service found 'unacceptable vulnerabilities' that leave the possibility of insider-threat activity and privacy violations.

• October 17, 2016 17 Oct'16

  The Shadow Brokers cancel the auction of NSA cyberweapons

  The first auction of NSA cyberweapons didn't generate much money for the Shadow Brokers, so the group is changing tactics with a direct sale of the files.

• October 14, 2016 14 Oct'16

  Certificate revocation list error strands sites signed by GlobalSign

  Attempting to tidy its root certificates, a mis-issued GlobalSign certificate revocation list left website owners scrambling to address cert errors, restore safe browsing icons.

• October 14, 2016 14 Oct'16

  Pork Explosion opens Android backdoor, roasts branded vulnerabilities

  The Pork Explosion flaw in the app bootloader provided by Foxconn creates an Android backdoor which could give an attacker dangerous levels of access.

• October 14, 2016 14 Oct'16

  Odinaff banking Trojan linked to Carbanak group, attacks SWIFT

  The Odinaff banking Trojan has been found targeting the SWIFT messaging system at financial institutions around the world and may have links to the infamous Carbanak group.

• October 14, 2016 14 Oct'16

  Adobe patches 83 vulnerabilities in latest crop of fixes

  News roundup: As Adobe patches 83 vulnerabilities in Flash Player, Acrobat and Reader, the good news is none have been exploited in the wild -- yet. Plus, IoT threats and more.

• October 13, 2016 13 Oct'16

  Hackers leverage 12-year-old OpenSSH vulnerability for IoT attack

  Akamai researchers discovered how unknown threat actors are using an SSH flaw to secretly gain control of IoT devices and turn them into proxies for malicious traffic.

• October 13, 2016 13 Oct'16

  Researchers demonstrate undetectable encryption backdoor in crypto keys

  Academic researchers show how to place undetectable encryption backdoors in cryptographic keys and passively decrypt data, which could undermine confidence in certain algorithms.

• October 12, 2016 12 Oct'16

  Lack of awareness may hamper GDPR compliance, Dell reports

  With EU's new privacy regulation set to take effect in May 2018, GDPR compliance may be hampered by lack of planning and awareness, Dell research finds.

• October 12, 2016 12 Oct'16

  White House considers proportional response to Russian hackers

  U.S. intelligence agencies officially attributed potential election-tampering activity to government-led Russian hackers, and the White House said it is considering a proportional response.

• October 11, 2016 11 Oct'16

  October 2016 Patch Tuesday fixes five zero-day flaws in monthly rollup

  Microsoft's October 2016 Patch Tuesday changes the structure of the release to the monthly rollup and starts out by taking on five zero-day flaws.

• October 07, 2016 07 Oct'16

  Expired domains present an opportunity for malicious activity

  Security researchers said expired domains and abandoned SDKs could present a way to hide malicious activity targeting vulnerable mobile devices.

• October 07, 2016 07 Oct'16

  October's Android Security Bulletin patches 78 vulnerabilities

  Google patches 78 vulnerabilities, including half a dozen critical flaws -- but none exploited in the wild -- in two patch levels in October's Android Security Bulletin.

• October 06, 2016 06 Oct'16

  Patent race picks up speed in the cloud access security broker market

  SkyHigh Networks was awarded another patent for its CASB platform. The newest patent is for technology for managing encrypted enterprise data used in cloud applications and services.

• October 06, 2016 06 Oct'16

  Yahoo implicated in secret surveillance program, but questions remain

  A report claims Yahoo built custom software under order of the U.S. government to perform secret surveillance on all incoming emails, though questions about the program remain.

• October 04, 2016 04 Oct'16

  DNS monitoring can help deanonymize Tor users

  Researchers found a way to use DNS monitoring to deanonymize Tor users by enhancing the effectiveness of fingerprinting attacks.

• October 04, 2016 04 Oct'16

  Cisco Talos finds severe JPEG 2000 flaw for remote code execution

  Cisco Talos discovered a severe flaw in the JPEG 2000 image file-format parser -- which is often used in PDF documents -- that could allow remote code execution on affected systems.

• October 04, 2016 04 Oct'16

  Release of Mirai IoT botnet malware highlights bad password security

  Mirai, the IoT botnet malware code used in the massive DDoS attack on Brian Krebs' website, has been released to the public and highlights a problem of using default passwords.

• October 03, 2016 03 Oct'16

  Will Apple become a HIPAA covered entity or business associate?

  Whether Apple is a HIPAA covered entity was called into question when it advertised for a health regulations lawyer. Expert Mike Chapple discusses Apple's relationship with HIPAA.

• September 30, 2016 30 Sep'16

  Patched OpenSSL vulnerability creates new critical flaw; patched again

  The cure for a low-severity OpenSSL vulnerability proves worse than the disease, as it opened a new, critical flaw, forcing the OpenSSL Project to rush out a new set of patches.

• September 30, 2016 30 Sep'16

  James Plouffe talks 'Mr. Robot' hacks and the show's technical accuracy

  In part two of his interview with SearchSecurity, MobileIron's James Plouffe talks about his role as a technical consultant on 'Mr. Robot' and how the show achieves its authenticity.

• September 30, 2016 30 Sep'16

  FBI confirms more state voter databases targeted by attackers

  The FBI confirmed many state voter databases have been scanned or attacked by malicious actors, and it urged states to ensure security is in place and ready.

• September 29, 2016 29 Sep'16

  Mozilla to drop WoSign as a trusted certificate authority

  Citing a long list of transgressions, Mozilla prepares to sanction Chinese certificate authority WoSign by removing it from its list of trusted certificate issuers.

• September 29, 2016 29 Sep'16

  Yahoo breach calls into question detection and remediation practices

  The Yahoo breach was the largest in history and the fallout is widespread, including a lawsuit, possible SEC investigation and questions about Yahoo's breach detection and response.

• September 29, 2016 29 Sep'16

  MobileIron: Enterprises aren't focusing enough on mobile threats

  A new report from MobileIron shows enterprises aren't taking mobile threats seriously enough. MobileIron's James Plouffe explains what that is and what's to be done about it.

• September 28, 2016 28 Sep'16

  SWIFT security controls to be mandatory by 2018

  New SWIFT security policy will mandate baseline controls for banking partners, but experts are unsure how effectively the changes can be enforced.

• September 28, 2016 28 Sep'16

  ICANN grinds forward on crucial DNS root zone signing key update

  Domain name system watchdog ICANN has begun the process of updating the DNS root zone signing key to strengthen DNSSEC protection against man-in-the-middle attacks.

• September 26, 2016 26 Sep'16

  Latest iOS 10 release includes password-verification flaw

  A Russian cyberforensics firm discovered a password-verification flaw in iOS 10 that leaves local backups exposed, allowing hackers to obtain passwords and other valuable data.

• September 26, 2016 26 Sep'16

  Powerful DDoS attacks leveraging IoT devices hit several companies

  A series of potent, record-setting DDoS attacks hit several targets last week and apparently used IoT malware to infect and leverage a large number of internet connect devices.

• September 23, 2016 23 Sep'16

  Yahoo breach leaves 500 million accounts compromised

  Yahoo confirmed it was the victim of one of the largest breaches in history two years ago, when information on at least 500 million user accounts was stolen.

• September 23, 2016 23 Sep'16

  FBI ransomware alert: Don't pay; report, defend against attacks

  A new FBI ransomware alert urges victims to report incidents to federal law enforcement, gives defense tips and urges victims to avoid paying a ransom, if possible.

• September 21, 2016 21 Sep'16

  Symantec patches two more flaws after Google Project Zero discoveries

  Symantec patched another set of serious file parsing flaws in its antivirus products, which were discovered by Google Project Zero researcher Tavis Ormandy.

• September 21, 2016 21 Sep'16

  Risk & Repeat: OPM breach report sheds light on infosec failings

  In this Risk & Repeat podcast, SearchSecurity editors discuss the recent OPM breach report from Congress and what it means for the state of federal government cybersecurity.

• September 21, 2016 21 Sep'16

  Anomaly detection in new SWIFT antifraud reports may fall short

  The SWIFT messaging system aims to improve the security of supported banks with new antifraud reports, but experts are unsure how useful the anomaly detection will be.

• September 20, 2016 20 Sep'16

  Shadow Brokers' Cisco vulnerability exploited in the wild

  Cisco warns that an as-yet unpatched vulnerability derived from Shadow Brokers' BENIGNCERTAIN hacking tool is being exploited in the wild.

• September 20, 2016 20 Sep'16

  NAND-mirroring iPhone hack would have made the FBI's job much easier

  A researcher has demonstrated a NAND-mirroring iPhone hack that could have helped the FBI crack the San Bernardino iPhone 5c at a far lower cost.

• September 16, 2016 16 Sep'16

  Most popular exploit kits target Flash, Java and IE

  Exploit kits make the job of an attacker much easier but can be defended against easily by understanding the vulnerabilities and software they most often target.

• September 16, 2016 16 Sep'16

  Google Project Zero Prize competition set to tighten Android security

  Google Project Zero Prize hacking competition is set to improve Android security by rewarding remote code execution exploits with prizes up to $200,000.

• September 15, 2016 15 Sep'16

  MySQL vulnerability disclosed, status of patches uncertain

  Oracle's lack of response to security researchers raises more questions after a zero-day MySQL vulnerability was reported, though patches may have already been released.

• September 15, 2016 15 Sep'16

  Law enforcement hacking declared search under Fourth Amendment

  A new ruling in a Texas court declared law enforcement hacking to be search in the definition of the Fourth Amendment, but experts say further clarification is needed.

• September 14, 2016 14 Sep'16

  Monthly Windows rollup: Simplification or loss of patching control?

  Microsoft's Patch Tuesday will change drastically in October, and experts disagree whether the new monthly Windows rollup will make patching simpler or more of a hassle.

• September 13, 2016 13 Sep'16

  September 2016 Patch Tuesday: Browser security takes center stage

  Microsoft's September 2016 Patch Tuesday is what many would consider a standard bulletin release with a major focus on fixes related to web browser security.

• September 13, 2016 13 Sep'16

  Burr-Feinstein bill still looks to force companies to break encryption

  Revisions to the Burr-Feinstein Compliance with Court Orders Act are allegedly circulating, but there are questions about how close the bill is to being resurrected.

• September 09, 2016 09 Sep'16

  RSA: No major changes expected following Dell-EMC merger

  Following the Dell-EMC merger, RSA executives expect no significant changes to the business -- although, there will be some product overlap to deal with.

• September 09, 2016 09 Sep'16

  Google to tweak Chrome browser security in 2017, flag HTTP as insecure

  Google's campaign to encrypt the web continues, as Chrome browser security will flag any sites using HTTP for passwords or payment info as insecure, starting in 2017.

• September 09, 2016 09 Sep'16

  OPM breach report blames leadership inaction for data loss

  A House committee investigation into the OPM breach said leadership failed to implement the recommended security improvements that could have prevented the attack and data loss.

• September 08, 2016 08 Sep'16

  Intel Security sale finalized, McAfee brand resurrected

  After completion of the Intel Security sale to private equity firm TPG, the new jointly-held cybersecurity company will resurrect the McAfee brand and net $3.1 billion for Intel.

• September 07, 2016 07 Sep'16

  Experts split on whether we're in a cyber arms race or open conflict

  While President Obama said we can still defuse a potential cyber arms race, some experts believe we are already in such competition or already past it and in open conflict.

• September 06, 2016 06 Sep'16

  President Obama urges focus on non-state actors, not cyber arms race

  President Obama said he wants to avoid a cyber-Cold War and urged nations to focus more on the dangers of non-state actors and less on a potential cyber arms race.

• September 02, 2016 02 Sep'16

  The original hacker, Guccifer, sentenced to 52 months in prison

  Romanian hacker Guccifer, made famous for exposing the misuse of Hillary Clinton's personal email servers, was sentenced to 52 months in prison for unrelated crimes.

• September 02, 2016 02 Sep'16

  Apple patches Pegasus spyware bugs in OS X, Safari

  Apple patched spyware bugs in OS X and Safari that enabled the 'lawful intercept' Pegasus cyberweapon exploit against iOS because the desktop and mobile OSes shared vulnerable code.

• September 01, 2016 01 Sep'16

  FBI wants 'adult' conversation about 'going dark' encryption debate

  FBI Director James Comey wants to have an 'adult' conversation on the encryption debate, but many think that means ignoring experts and embracing the 'going dark' argument.

• August 31, 2016 31 Aug'16

  Windows 10 Anniversary update adds headaches for antivirus vendors

  The antivirus industry has been under fire lately, and Microsoft's Windows 10 Anniversary update has added new troubles for antivirus software vendors.

• August 31, 2016 31 Aug'16

  SWIFT discloses new attacks and bank thefts in private letter

  SWIFT told clients there have been more attacks on its bank messaging system and some have resulted in bank thefts, but no solutions to security are available.

• August 30, 2016 30 Aug'16

  Voter data breach leads to questions of tampering and state security

  Election registration databases in two states were attacked and the resulting voter data breach has led to questions of possible election tampering and inadequate state security.

• August 29, 2016 29 Aug'16

  Pegasus iOS exploit uses three zero days to attack high-value targets

  A new remote iOS exploit called Pegasus leverages three zero days in what appear to be state-sponsored targeted attack campaigns against political dissidents.

• August 26, 2016 26 Aug'16

  Ransomware decryption tool from Intel and Kaspersky quenches Wildfire

  Intel and Kaspersky cooperate with authorities to snuff out Wildfire with a ransomware decryption tool and end the threat from a $79,000 per month campaign with over 5,000 victims.

• August 25, 2016 25 Aug'16

  NSA's SNMP exploit cyberweapon affects all Cisco ASA software

  Researchers easily modified the NSA's EXTRABACON SNMP exploit to target newer versions of Cisco ASA software, but Cisco has patches rolling out.

• August 25, 2016 25 Aug'16

  Questions swirl around Shadow Brokers' cyberweapons dump

  More unanswered questions remain about the Shadow Brokers' release of NSA/Equation Group cyberweapons cache, as vendors move to mitigate and researchers search for vulnerabilities.

• August 23, 2016 23 Aug'16

  Hospital cybersecurity failing to encrypt transmitted health records

  New research found a number of troubling issues with hospital cybersecurity, including transmitting unencrypted health records and failing to deploy cybersecurity measures.

• August 23, 2016 23 Aug'16

  Leaked Cisco security vulnerability found in NSA exploit stockpile

  A Cisco security vulnerability affecting routers was found in the Shadow Brokers cyberweapon dump, and it may have been used by the NSA for years to decrypt VPN traffic.

• August 19, 2016 19 Aug'16

  Fallout from Equation Group cyberweapons leak continues to mount

  Mystery continues to surround the Shadow Brokers' release of Equation Group vulnerability exploits and hacking tools, as vendors scramble to patch zero days.

• August 19, 2016 19 Aug'16

  Dell: Machine learning security hard to explain, harder to beat

  Dell's Brett Hansen explains why machine learning security is better than signature-based detection and how it can stop emerging threats.

• August 19, 2016 19 Aug'16

  Google AdSense malware silently delivers to Android users

  Google AdSense malware has been silently delivered to Android devices, but the danger seems to be mitigated by Google itself.

• August 18, 2016 18 Aug'16

  SWIFT banking execs admit to ignoring security before hacks

  The SWIFT banking system had a number of high-profile hacks earlier this year, and execs are now admitting they ignored security issues until it was too late.

• August 18, 2016 18 Aug'16

  Netskope nabs another patent for CASB technology

  Netskope's second patent for its cloud access security broker techhnology illustrates how the CASB market is evolving and what that means for potential investors and suitors.

• August 17, 2016 17 Aug'16

  PGP collision attack on Linux creator highlights flaws with short IDs

  A PGP short ID collision attack on the creator of Linux brings to light a flaw that experts have known about for years with short ID keys.

• August 17, 2016 17 Aug'16

  Windows Bash could open the door to more Linux-based attacks

  Will Windows 10's new native version of the Ubuntu Linux command line, Windows Bash, enable new attack vectors? Experts weigh in on Windows Subsystem for Linux.

• August 16, 2016 16 Aug'16

  New Vawtrak Trojan variant leverages SSL pinning, HTTPS

  Fidelis Cybersecurity reports notorious Vawtrak banking Trojan gets upgrades to increase security and evade detection, including SSL pinning and domain generation algorithm.

• August 16, 2016 16 Aug'16

  Equation Group cyberweapons auctioned off; WikiLeaks promises release

  Cyberweapons purportedly stolen from the NSA-linked Equation Group have been put up for auction; WikiLeaks promises it will publish a 'pristine copy in due course.'

• August 15, 2016 15 Aug'16

  DNC forms cybersecurity advisory board after breach

  Following an embarrassing data breach, the Democratic National Committee has formed a cybersecurity advisory board, but experts have questioned the pedigree of board members.

• August 15, 2016 15 Aug'16

  Windows Secure Boot broken after Microsoft leaks golden key

  Microsoft accidentally released the golden key for Windows Secure Boot, causing a serious security issue for the company despite putting only less popular devices at risk.

• August 12, 2016 12 Aug'16

  White House aims to secure open source government programs

  The White House unveils a new open source government policy and new research estimates the government's zero-day exploit stockpile to be smaller than expected.

• August 11, 2016 11 Aug'16

  Risk & Repeat: Highlights and lowlights from Black Hat 2016

  In this Risk & Repeat podcast, SearchSecurity editors discuss the good and bad news from Black Hat 2016 in Las Vegas, including critical flaws in web protocols.

• August 09, 2016 09 Aug'16

  Browser vulnerabilities, Office flaws lead August 2016 Patch Tuesday

  Microsoft's August 2016 Patch Tuesday focuses on critical browser vulnerabilities in Edge and Internet Explorer, as well as flaws with Microsoft Office and PDF Library.

• August 09, 2016 09 Aug'16

  More DDoS DNS amplification attacks use SSDP than NTP

  Black Hat: New research finds DDoS DNS amplification attacks are more likely to use SSDP than NTP and DDoS attacks may generally be smaller than reported.

• August 09, 2016 09 Aug'16

  Bluetooth LE security hit with GATTack at Black Hat

  Amid varying attacks targeting IoT devices at Black Hat 2016, a new software proxy offered leverage against the latest Bluetooth LE security protections.

• August 09, 2016 09 Aug'16

  Oracle MICROS breached, password reset recommended

  Oracle's MICROS PoS systems breached, possibly by Carbanak cybergang; Oracle issues mandatory password reset for customers.

• August 05, 2016 05 Aug'16

  Security of HTTP/2 protocol takes big hit at Black Hat 2016

  Black Hat researchers report flaws in key web protocols, demonstrating widespread flaws in HTTP/2 implementations; Banner Health announces breach affecting 3.7 million.

• August 05, 2016 05 Aug'16

  Apple starting its own bug bounty program with big rewards

  Apple will be starting a bug bounty program for researchers who find critical vulnerabilities in iOS or iCloud and offer big rewards.

• August 05, 2016 05 Aug'16

  Government data requests have little legal backing say experts

  Experts find law enforcement data requests have little legal support and suggest enterprises use independent judgment when deciding whether to comply or push back.

• August 04, 2016 04 Aug'16

  EMV cards, PIN pads vulnerable to man in the middle attacks

  Researchers at Black Hat 2016 poked holes in chip and PIN security by demonstrating simple attacks that can intercept EMV card transaction data, including CVV codes and PINs.

• August 03, 2016 03 Aug'16

  Black Hat 2016 keynote: We need sharing, not competition, in security

  Black Hat 2016 keynote speaker Dan Kaminsky called for more information sharing and in security and more long-term public work in the cybersecurity space.

• August 03, 2016 03 Aug'16

  Barclays replaces passwords with voice authentication

  Barclays is offering U.K. retail banking customers the option to do voice authentication instead of using passwords, with voiceprints that are as unique as fingerprints.

• July 29, 2016 29 Jul'16

  Android security boosted with memory protection of Linux kernel, more

  Google details how it is improving Android security with better memory protections and reduction of the Linux kernel's attack surface.

• July 29, 2016 29 Jul'16

  White House unveils federal cybersecurity plan and attack rating system

  The White House's new federal cybersecurity plan outlines the responsibilities of each agency in a cyberattack and creates a rating system to determine the severity of an attack.

• July 29, 2016 29 Jul'16

  Researchers uncover malicious probing of Tor hidden services

  Researchers discovered attempts to snoop on dark web servers through malicious changes to Tor Project hidden services directories.

• July 28, 2016 28 Jul'16

  Dell: Signature-based detection must give way to machine learning

  Dell's Brett Hansen discusses his company's new approach to advanced threat protection, which leaves behind signature-based detection and embraces machine learning.

• July 27, 2016 27 Jul'16

  LastPass security flaws put passwords at risk; patch rolling out

  Problems with LastPass security might have been improperly disclosed, putting user passwords at higher risk, but the flaws have already been fixed, with an update rolling out now.

• July 27, 2016 27 Jul'16

  KeySniffer vulnerability enables eavesdropping on wireless keyboards

  The KeySniffer wireless vulnerability goes beyond the similar MouseJack flaw in exposing users of inexpensive wireless keyboards to sniffing, injection attacks.