News
News
- August 05, 2016
05 Aug'16
Apple starting its own bug bounty program with big rewards
Apple will be starting a bug bounty program for researchers who find critical vulnerabilities in iOS or iCloud and offer big rewards.
- August 05, 2016
05 Aug'16
Government data requests have little legal backing say experts
Experts find law enforcement data requests have little legal support and suggest enterprises use independent judgment when deciding whether to comply or push back.
- August 04, 2016
04 Aug'16
EMV cards, PIN pads vulnerable to man in the middle attacks
Researchers at Black Hat 2016 poked holes in chip and PIN security by demonstrating simple attacks that can intercept EMV card transaction data, including CVV codes and PINs.
-
- August 03, 2016
03 Aug'16
Black Hat 2016 keynote: We need sharing, not competition, in security
Black Hat 2016 keynote speaker Dan Kaminsky called for more information sharing and in security and more long-term public work in the cybersecurity space.
- August 03, 2016
03 Aug'16
Barclays replaces passwords with voice authentication
Barclays is offering U.K. retail banking customers the option to do voice authentication instead of using passwords, with voiceprints that are as unique as fingerprints.
- July 29, 2016
29 Jul'16
Android security boosted with memory protection of Linux kernel, more
Google details how it is improving Android security with better memory protections and reduction of the Linux kernel's attack surface.
- July 29, 2016
29 Jul'16
White House unveils federal cybersecurity plan and attack rating system
The White House's new federal cybersecurity plan outlines the responsibilities of each agency in a cyberattack and creates a rating system to determine the severity of an attack.
- July 29, 2016
29 Jul'16
Researchers uncover malicious probing of Tor hidden services
Researchers discovered attempts to snoop on dark web servers through malicious changes to Tor Project hidden services directories.
- July 28, 2016
28 Jul'16
Dell: Signature-based detection must give way to machine learning
Dell's Brett Hansen discusses his company's new approach to advanced threat protection, which leaves behind signature-based detection and embraces machine learning.
- July 27, 2016
27 Jul'16
LastPass security flaws put passwords at risk; patch rolling out
Problems with LastPass security might have been improperly disclosed, putting user passwords at higher risk, but the flaws have already been fixed, with an update rolling out now.
-
- July 27, 2016
27 Jul'16
KeySniffer vulnerability enables eavesdropping on wireless keyboards
The KeySniffer wireless vulnerability goes beyond the similar MouseJack flaw in exposing users of inexpensive wireless keyboards to sniffing, injection attacks.
- July 26, 2016
26 Jul'16
Experts say NIST deprecating SMS 2FA is long overdue
America's National Institute for Standards and Technology is advising the deprecation of using SMS-based two-factor authentication in order to improve security.
- July 22, 2016
22 Jul'16
Oracle CPU fixes record crop of critical flaws in quarterly patchfest
Oracle patches its biggest batch yet of security fixes in this quarter's CPU cycle.
- July 22, 2016
22 Jul'16
DNS DDoS attack shuts down Library of Congress websites for three days
A DNS DDoS attack hit the Library of Congress, disrupting various Library services and websites for three days before IT staff was able to restore normal functionality.
- July 21, 2016
21 Jul'16
FBI accused of avoiding FOIA requests in the name of security
A lawsuit against the Department of Justice claims the FBI is using outdated technology in order to avoid fulfilling FOIA requests.
- July 20, 2016
20 Jul'16
Flaw in ASN.1 compiler potentially critical, hard to find
A critical flaw was discovered in the ASN.1 compiler used by leading telecommunications and networking vendors, and the extent of the vulnerability has yet to be determined.
- July 18, 2016
18 Jul'16
Responsible disclosure of latest named vulnerability, 'httpoxy'
Responsible disclosure wins as researchers roll out branded website for 'httpoxy,' a set of vulnerabilities in server-side web apps that use the HTTP_PROXY variable.
- July 18, 2016
18 Jul'16
John Curran explains benefits of IPv6 connectivity progress
John Curran, ARIN chief, explains IPv6 connectivity progress and gives compelling security arguments in favor of IPv6 support sooner rather than later.
- July 15, 2016
15 Jul'16
FDIC found hiding multiple APT attacks and more from investigators
An investigation by a federal committee found the FDIC had multiple breaches, including an APT attack, spanning years but hid the hacks from Congress.
- July 15, 2016
15 Jul'16
EU member states approve EU-U.S. Privacy Shield data flow framework
The EU-U.S. Privacy Shield framework takes effect, replacing Safe Harbor for transatlantic data flows; U.S. beefs up Cyber Command.
- July 14, 2016
14 Jul'16
John Curran explains the importance of IPv6 connectivity
A year after the depletion of the IPv4 address space, ARIN chief John Curran talks about IPv6 benefits, the IPv6 NAT conundrum and the importance of offering IPv6 connectivity.
- July 14, 2016
14 Jul'16
New 'ransomware' variant proves there's no honor among thieves
A new 'ransomware' variant, which could be considered more scareware, doesn't encrypt files at all and instead deletes data and tricks victims into paying anyway.
- July 13, 2016
13 Jul'16
Pokémon GO reveals full account access flaw for Google authentication
The wildly popular Pokémon GO mobile game obtained a full account access token to iOS users' Google accounts, revealing a major issue with Google's OAuth authentication system.
- July 12, 2016
12 Jul'16
July 2016 Patch Tuesday is more about Adobe Reader bugs than Microsoft
Adobe Reader bugs take center stage for the July 2016 Patch Tuesday, as Microsoft has a smaller bulletin list of fixes for its products.
- July 12, 2016
12 Jul'16
SWIFT banking security adds a dedicated cyberintelligence team
SWIFT attempts to improve banking security include partnerships with two cybersecurity firms, and the creation of a new Customer Security Intelligence team.
- July 08, 2016
08 Jul'16
Avast purchase of AVG shows uncertainty in antivirus market
Avast purchased competitor AVG to improve consumer and enterprise products, but one expert said the purchase price proves the antivirus market may be on the decline.
- July 08, 2016
08 Jul'16
Microsoft calls for independent body to address cyber attribution
In a move to support the development of global cybersecurity norms, Microsoft calls for improved cyber attribution to identify cyberattack perpetrators.
- July 08, 2016
08 Jul'16
Risk & Repeat: More critical Symantec vulnerabilities emerge
In this Risk & Repeat podcast, SearchSecurity editors discuss a new Google Project Zero report on yet another round of critical Symantec vulnerabilities.
- July 07, 2016
07 Jul'16
New EU GDPR privacy regulation set to take effect in 2018
As the new General Data Protection Regulation privacy regulation looms, many firms face new rules and challenges to protect the privacy of EU citizens, regardless of location.
- July 07, 2016
07 Jul'16
Android full-disk encryption is flawed enough for government work
Vulnerabilities on devices with Qualcomm chipsets can allow Android full-disk encryption to be bypassed by malicious actors or law enforcement.
- July 06, 2016
06 Jul'16
FBI says Hillary Clinton's email setup was irresponsible, not illegal
The FBI gave a scathing review of Hillary Clinton's email setup, using personal servers for sensitive federal information, but deemed her actions were not illegal.
- July 01, 2016
01 Jul'16
House Homeland Security Committee proposes encryption debate commission
The House Homeland Security Committee officially proposed the creation of a commission to study both sides of the encryption debate and provide official recommendations.
- July 01, 2016
01 Jul'16
Enterprise encryption strategies rise as firms' use of encryption grows
Report: Enterprise encryption is on the rise as firms embrace use of encryption strategies; also, new Bart ransomware, IRS drops e-file PIN tool, and more.
- June 30, 2016
30 Jun'16
The healthcare industry is making it far too easy for hackers
Hospitals and healthcare organizations are far too vulnerable to cyberattacks, and a recent healthcare security study shows the issue isn't just outdated legacy technology -- medical professionals ...
- June 29, 2016
29 Jun'16
Nearly 10 million hospital patient records for sale on dark web market
Nearly 10 million patient records have been posted for sale on a dark web market, putting the personally identifiable information of many at risk for abuse.
- June 29, 2016
29 Jun'16
Google Project Zero exposes more critical Symantec vulnerabilities
A raft of new Symantec and Norton antivirus vulnerabilities exposed by Google Project Zero are 'as bad as it gets,' according to Tavis Ormandy: RCE, no user interaction and wormable.
- June 27, 2016
27 Jun'16
Intel reportedly considering selling its security business
New reports suggest Intel may be looking into selling off its security business, and experts are unclear whether it means Intel's McAfee acquisition has gone sour.
- June 27, 2016
27 Jun'16
NASCAR race team hit with ransomware attack
Hit by a ransomware attack, a NASCAR race team paid to restore data worth millions, then called on Malwarebytes to secure their systems -- and Malwarebytes joined up as a sponsor.
- June 24, 2016
24 Jun'16
Cyber attribution relies on human intelligence, not technical info
Experts said human intelligence was the key to the cyber attribution effort for the Democratic National Committee attack, which confirmed Russian agents were to blame.
- June 24, 2016
24 Jun'16
FBI surveillance access with National Security Letter unchanged, for now
U.S. Senate fails to pass National Security Letter regulation to enhance warrantless FBI surveillance access to metadata, including email headers and browser history.
- June 22, 2016
22 Jun'16
Activists, DOJ spar over Rule 41 changes to enhance FBI searches
EFF and privacy activists oppose Rule 41 changes, while the Department of Justice claims the changes do not alter 'traditional protections' under the Fourth Amendment.
- June 21, 2016
21 Jun'16
Acer's e-commerce website hit by a customer data breach
Computer maker Acer was hit by a customer data breach of its e-commerce website, leaving approximately 34,500 customers' contact and payment information exposed for about a year.
- June 20, 2016
20 Jun'16
CIA chief denies encryption backdoor effect on U.S. business
The director of the CIA denied that a government-mandated encryption backdoor would have an effect on U.S. business, but experts said the statement ignores the global market.
- June 17, 2016
17 Jun'16
DNC hack raises questions about cyber attribution methods
The hack of the Democratic National Committee has called into question methods for cyber attribution after the alleged attacker comes forward.
- June 17, 2016
17 Jun'16
FBI facial recognition systems draw criticism over privacy, accuracy
GAO report blasts FBI facial recognition programs over privacy and accuracy concerns; FBI systems offer access to over 411 million photos from federal and state sources.
- June 17, 2016
17 Jun'16
What Symantec's acquisition of Blue Coat says about the CASB market
Symantec's $4.65 billion acquisition of Blue Coat Systems could lead to a dramatic shift at the antivirus vendor, but what does the deal mean for the cloud access security broker space?
- June 16, 2016
16 Jun'16
Russian hacker arrests linked to ransomware and exploit kit shutdowns
The Lurk group hacker arrests in Russia came at the same time as the shutdown of a major exploit kit, ransomware family and botnet, but no one is sure if it is coincidence or causation.
- June 15, 2016
15 Jun'16
SAP vulnerability, reported in 2010, finally patched
SAP vulnerability patched, finally: The Java flaw was originally patched in 2010 but became the subject of an unprecedented US-CERT alert in May.
- June 15, 2016
15 Jun'16
Ransomware worm raises concerns for enterprise security
In this Risk & Repeat podcast, SearchSecurity editors break down the discovery of the ZCryptor ransomware worm and what it means for future ransomware threats.
- June 14, 2016
14 Jun'16
Adobe Flash zero-day overshadows June 2016 Microsoft Patch Tuesday
Microsoft's June 2016 Patch Tuesday release is not the most important of the day according to experts, instead another Adobe Flash zero-day vulnerability gets the spotlight.
- June 14, 2016
14 Jun'16
Ransomware attack, education highlight 2016 Information Security Summit
User education, ransomware attacks and cyberliability insurance are among the hot topics for infosec attendees at the annual 2016 Information Security Summit.
- June 13, 2016
13 Jun'16
Symantec acquisition of Blue Coat shakes up security industry
Symantec agreed to acquire Blue Coat Systems for $4.65 billion, with Blue Coat CEO Greg Clark taking over as new CEO of the combined company.
- June 10, 2016
10 Jun'16
Mozilla Secure Open Source Fund to aid developers with audits
Mozilla created the Secure Open Source Fund to help developers perform security audits on software in an effort to reduce the potential of another Heartbleed or Shellshock.
- June 10, 2016
10 Jun'16
Ransomware attack hits UCalgary as CryptXXX devs up their game
As the University of Calgary contends with a ransomware attack, the actors behind CryptXXX are rolling out patches and upgrades and attackers are shifting from Angler to Neutrino EK.
- June 09, 2016
09 Jun'16
TeamViewer hacks have everyone placing blame
A rash of TeamViewer hacks has led to confusion concerning what the issues are and who is responsible for user security in this case.
- June 09, 2016
09 Jun'16
Petraeus slams encryption backdoors, supports Apple
Speaking at the Cloud Identity Summit, Gen. David H. Petraeus blasted the FBI's recent efforts to compel Apple to break the company's own encryption protection.
- June 08, 2016
08 Jun'16
SWIFT banking system boosts security following cyberattacks
Following a number of attacks on the SWIFT banking system that led to the theft of millions of dollars, SWIFT promised new rules to improve security for bank transfers.
- June 07, 2016
07 Jun'16
Angler exploit kit skips Microsoft EMET to subvert Flash, Silverlight
FireEye researchers spotted the Angler exploit kit bypassing the current Microsoft EMET version 5.5 security tool running on Windows 7 to subvert Flash and Silverlight.
- June 03, 2016
03 Jun'16
SandJacking attack enables installation of rogue apps on iOS devices
Roundup: The new SandJacking attack technique allows attackers with physical access to iOS devices to install rogue apps. Plus, more on medical software security and Privacy Shield obstacles.
- June 02, 2016
02 Jun'16
Crypto-confusion: The search for the real bitcoin creator continues
In this Risk & Repeat podcast, SearchSecurity editors discuss Craig Wright's failed effort to prove he is bitcoin creator Satoshi Nakamoto and what that means for cryptocurrency.
- June 02, 2016
02 Jun'16
Lack of bug bounty programs won't deter cyber extortion attacks
IBM reports 30 'bug poaching' cyber extortion attacks in the past year, as black hat hackers aim to "help" enterprises by exploiting SQL injection vulnerabilities.
- June 01, 2016
01 Jun'16
Microsoft warns of rare ransomware worm
Microsoft warned users of a rare ransomware worm affecting older versions of Windows, but experts are wary of the recommended mitigation technique.
- May 27, 2016
27 May'16
House Reps tackle Rule 41 to limit government hacking
US Reps. Poe and Conyers join Sen. Wyden's fight against changes to Rule 41 that would remove limits on government hacking, introduce companion bill to quash changes.
- May 27, 2016
27 May'16
'Ingenious' attack mixes memory deduplication with Rowhammer
Researchers demonstrated an exploit that combines rare attacks on memory deduplication and Rowhammer in order to allow an adversary access to read or write system memory.
- May 27, 2016
27 May'16
RSA: Cloud visibility, analytics crucial to enterprises
RSA's Rashmi Knowles spoke with SearchCloudSecurity about enterprises struggling with security visibility, and how analytics and data science can help.
- May 26, 2016
26 May'16
Retiring obsolete SHA-1 and RC4 cryptographic algorithms, SSLv3 protocol
Microsoft speeds deprecation of SHA-1, Google dropping support for RC4, SSLv3, as web software publishers approach end of life for obsolete cryptographic algorithms and protocols.
- May 26, 2016
26 May'16
New spec aims to improve DNS privacy with TLS
In order to stop metadata snooping by law enforcement and hackers, a proposed spec aims to improve DNS privacy with TLS.
- May 24, 2016
24 May'16
Lieu, Hurd school House colleagues on cyberhygiene, defense
Former computer science majors Lieu and Hurd wrote to their U.S. House of Representatives colleagues, urging improved awareness of cyber risks and cyberhygiene.
- May 24, 2016
24 May'16
Paul Vixie on IPv6 NAT, IPv6 security and Internet of Things
Internet pioneer Paul Vixie spoke with SearchSecurity about IPv6 NAT, IPv6 and the Internet of Things, and the long, thankless path to deploying IPv6.
- May 24, 2016
24 May'16
Sorry Mr. Snowden -- encryption isn't the only path to security
Encryption shouldn't be used to protect people from themselves, especially if it gets in the way of innovation.
- May 24, 2016
24 May'16
Android N security updates leave unanswered questions
Google unveiled the next version of its mobile OS, and Android N security will be improved in a few ways, although Google still can't fix OS updates.
- May 20, 2016
20 May'16
Senate bill would quash unlimited Rule 41 government hacks
Rule 41 changes face bipartisan opposition in Senate with the Wyden-Paul bill to rein in the expansion of authority to let the government hack unlimited numbers of devices with a single warrant.
- May 19, 2016
19 May'16
ImageMagick calls into question responsible disclosure reporting
The ImageTragick bug raises questions over responsible disclosure, as the flaw in the ImageMagick image-processing library exposes millions of websites to remote code execution.
- May 19, 2016
19 May'16
TeslaCrypt master key release confounds experts
In a move that surprised and confused experts, the TeslaCrypt master key was released, effectively killing the ransomware.
- May 18, 2016
18 May'16
Android clickjacking attack research updated but questions remain
New research claims more than 95% of Android devices are vulnerable to clickjacking attacks, but the true danger may not be that severe.
- May 18, 2016
18 May'16
Paul Vixie on the glibc bug, Internet crime and more
Internet pioneer Paul Vixie spoke with SearchSecurity about Internet crime, the glibc bug and other pervasive vulnerabilities that may never be eradicated.
- May 17, 2016
17 May'16
Google Project Zero discloses dangerous Symantec vulnerability
Google Project Zero disclosed a Symantec vulnerability that can be exploited with zero interaction and was described being as bad as it can possibly get.
- May 13, 2016
13 May'16
EMM software on every device? MobileIron makes the case
MobileIron's enterprise mobile management software wasn't installed on the iPhone of San Bernardino shooter Syed Rizwan Farook. Was that the right move?
- May 13, 2016
13 May'16
FBI asked for responsible disclosure of Tor vulnerability
A court filing is asking the FBI for responsible disclosure of the Tor vulnerability used to exploit the Tor browser and de-anonymize users during a criminal investigation.
- May 13, 2016
13 May'16
Google insider data breach exposed employee personal info
Roundup: Google experiences an insider data breach, but the data leakage is cleaned up by a conscientious benefits manager. Plus, the FDIC reports five 'major' incidents, and more.
- May 13, 2016
13 May'16
DHS warns on actively exploited SAP Java vulnerability
DHS US-CERT warns of a patched SAP Java vulnerability from 2010 that has enabled breaches at three dozen global enterprises due to configuration issues.
- May 12, 2016
12 May'16
Senate asks President Obama for a cyber act-of-war definition
A new bill from the Senate asked President Obama for a cyber act-of-war definition in order to enable a proper response following a cyberattack.
- May 12, 2016
12 May'16
EU regulatory critics, Rule 41 pose threat to Privacy Shield
The new Privacy Shield framework for transatlantic data flows faces challenges from Article 29 Working Party criticism, as well as U.S. changes to Rule 41 for computer searches.
- May 11, 2016
11 May'16
Ransomware warning issued to Congress following attack
Representatives in Congress have received a ransomware warning following an increased number of attacks perpetrated via phishing schemes.
- May 10, 2016
10 May'16
May 2016 Patch Tuesday: IE zero-day patch tops the list
Microsoft's May 2016 Patch Tuesday takes aim at an IE zero-day vulnerability, which experts say is the top priority, as well as a couple server-side flaws to keep an eye on.
- May 10, 2016
10 May'16
U.S. intelligence agencies cut off from Twitter firehose
Twitter ordered its business partner Dataminr to cut off the Twitter firehose feed access for U.S. intelligence agencies, but experts expect the NSA won't miss much.
- May 06, 2016
06 May'16
Commercial code riddled with open source vulnerabilities
Roundup: Customers, vendors both unaware of unpatched open source vulnerabilities in commercial software. Plus OpenSSL patches, warrantless wiretaps and more.
- May 05, 2016
05 May'16
DARPA to build a cyber attribution system to ID criminals
DARPA has decided to take on one of the most difficult tasks in cybersecurity -- building a cyber attribution system to be able to identify attackers and maybe prevent attacks.
- May 03, 2016
03 May'16
Craig Wright fails, again, to prove he's the bitcoin creator
Craig Wright's second attempt to prove he's the bitcoin creator, Satoshi Nakamoto, was debunked after fooling the mainstream press, but his motives are still a mystery.
- April 29, 2016
29 Apr'16
Apple/FBI battle continues over iPhone vulnerabilities
More fallout from the Apple/FBI conflict: The second iPhone suit was dropped; the FBI can't provide details of a tool used to unlock the San Bernardino shooter's phone.
- April 28, 2016
28 Apr'16
PCI DSS 3.2 focuses on encryption and multifactor authentication
PCI DSS 3.2 marks the start of refining the payment data regulations, rather than minor changes, and includes requirements to strengthen encryption and multifactor authentication.
- April 26, 2016
26 Apr'16
Verizon DBIR 2016 shows we haven't learned how to improve security
The 2016 Verizon DBIR skimps on data breach analysis and instead focuses on common issues, such as phishing, vulnerability management and access controls, which are still befuddling IT pros.
- April 26, 2016
26 Apr'16
Simple, yet undetectable Windows AppLocker bypass discovered
A Windows command-line utility dating back to XP, Regsvr32, reportedly enables a simple and virtually undetectable Windows AppLocker whitelist bypass.
- April 22, 2016
22 Apr'16
'Going dark' battle moves to Congressional encryption hearing
Experts face off in Congress over 'going dark' encryption debate, stake out positions on security, privacy and government access; polls show support for strong encryption.
- April 21, 2016
21 Apr'16
Oracle patches now more critically rated with CVSS 3.0
Oracle patches 136 security flaws in various products and a number of vulnerabilities were rated more critical because of a switch to CVSS 3.0.
- April 21, 2016
21 Apr'16
JBoss vulnerability highlights dangers of unpatched systems
Up to 3.2 million servers with unpatched JBoss vulnerability from 2010 are open to spread ransomware through networks; experts urge keeping up with software patches to stay safe.
- April 21, 2016
21 Apr'16
Google's second Android Security Report is a mixed bag
The second annual Android Security Report details a number of ways Google has been working to improve security on its mobile platform but also highlights persistent problems.
- April 19, 2016
19 Apr'16
Apple won't patch zero days so uninstall QuickTime now
DHS says users need to uninstall QuickTime for Windows immediately as Apple quietly sends the software to its end of life following the disclosure of two zero-day flaws.
- April 15, 2016
15 Apr'16
Microsoft fights to notify users of FBI surveillance
Microsoft has sued the Department of Justice in an effort to be allowed to notify users of FBI surveillance requests; expert worried about continuous surveillance.
- April 15, 2016
15 Apr'16
Burr-Feinstein draft bill fuels encryption debate
The encryption debate continues with release of the official draft of Burr-Feinstein 'Compliance with Court Orders Act of 2016' mandating court order compliance.