News

News

• September 16, 2016 16 Sep'16

  Most popular exploit kits target Flash, Java and IE

  Exploit kits make the job of an attacker much easier but can be defended against easily by understanding the vulnerabilities and software they most often target.

• September 16, 2016 16 Sep'16

  Google Project Zero Prize competition set to tighten Android security

  Google Project Zero Prize hacking competition is set to improve Android security by rewarding remote code execution exploits with prizes up to $200,000.

• September 15, 2016 15 Sep'16

  MySQL vulnerability disclosed, status of patches uncertain

  Oracle's lack of response to security researchers raises more questions after a zero-day MySQL vulnerability was reported, though patches may have already been released.

• September 15, 2016 15 Sep'16

  Law enforcement hacking declared search under Fourth Amendment

  A new ruling in a Texas court declared law enforcement hacking to be search in the definition of the Fourth Amendment, but experts say further clarification is needed.

• September 14, 2016 14 Sep'16

  Monthly Windows rollup: Simplification or loss of patching control?

  Microsoft's Patch Tuesday will change drastically in October, and experts disagree whether the new monthly Windows rollup will make patching simpler or more of a hassle.

• Sponsored News

  • Part I: Keep the Cloud Your Safe Place

    Sponsored by Forcepoint - Organizations of all sizes have been called upon to swiftly support remote work in order to safeguard the health of their workforce and local communities. As businesses are called upon to scale up remote work procedures for the physical safety of employees, IT teams must accelerate the adoption of technology that ensures their people and data are secure—without hurting productivity or morale. See More

  • Part II: Safeguard Data Everywhere

    Sponsored by Forcepoint - As security teams are tasked with the duty of rapidly scaling up protections for remote workers, one of the key considerations they must keep in mind is how to safeguard data no matter where it resides or travels. This is hardly a new problem. However, the vastly broadened scope of remote work today requires security teams to revisit policies and technologies. Some solutions that may have been sufficient for isolated use cases don't adequately protect a completely distributed workforce. See More

  • Part III: Protect Your People

    Sponsored by Forcepoint - In response to the rapid rise in remote work, cybersecurity teams have increased their efforts to protect their dispersed team’s cyber hygiene. The rapid rise in remote work to protect the health of employees has required cybersecurity teams to scale their efforts to similarly protect the cyber hygiene of these workers as they operate in new conditions. One of the key directives for cybersecurity departments looking to safeguard the people and data within a distributed enterprise is the implementation of cyber defenses that can move with employees and protect them—regardless of their location or device. See More

  View All Sponsored News
• September 13, 2016 13 Sep'16

  September 2016 Patch Tuesday: Browser security takes center stage

  Microsoft's September 2016 Patch Tuesday is what many would consider a standard bulletin release with a major focus on fixes related to web browser security.

• September 13, 2016 13 Sep'16

  Burr-Feinstein bill still looks to force companies to break encryption

  Revisions to the Burr-Feinstein Compliance with Court Orders Act are allegedly circulating, but there are questions about how close the bill is to being resurrected.

• September 09, 2016 09 Sep'16

  RSA: No major changes expected following Dell-EMC merger

  Following the Dell-EMC merger, RSA executives expect no significant changes to the business -- although, there will be some product overlap to deal with.

• September 09, 2016 09 Sep'16

  Google to tweak Chrome browser security in 2017, flag HTTP as insecure

  Google's campaign to encrypt the web continues, as Chrome browser security will flag any sites using HTTP for passwords or payment info as insecure, starting in 2017.

• September 09, 2016 09 Sep'16

  OPM breach report blames leadership inaction for data loss

  A House committee investigation into the OPM breach said leadership failed to implement the recommended security improvements that could have prevented the attack and data loss.

• September 08, 2016 08 Sep'16

  Intel Security sale finalized, McAfee brand resurrected

  After completion of the Intel Security sale to private equity firm TPG, the new jointly-held cybersecurity company will resurrect the McAfee brand and net $3.1 billion for Intel.

• September 07, 2016 07 Sep'16

  Experts split on whether we're in a cyber arms race or open conflict

  While President Obama said we can still defuse a potential cyber arms race, some experts believe we are already in such competition or already past it and in open conflict.

• September 06, 2016 06 Sep'16

  President Obama urges focus on non-state actors, not cyber arms race

  President Obama said he wants to avoid a cyber-Cold War and urged nations to focus more on the dangers of non-state actors and less on a potential cyber arms race.

• September 02, 2016 02 Sep'16

  The original hacker, Guccifer, sentenced to 52 months in prison

  Romanian hacker Guccifer, made famous for exposing the misuse of Hillary Clinton's personal email servers, was sentenced to 52 months in prison for unrelated crimes.

• September 02, 2016 02 Sep'16

  Apple patches Pegasus spyware bugs in OS X, Safari

  Apple patched spyware bugs in OS X and Safari that enabled the 'lawful intercept' Pegasus cyberweapon exploit against iOS because the desktop and mobile OSes shared vulnerable code.

• September 01, 2016 01 Sep'16

  FBI wants 'adult' conversation about 'going dark' encryption debate

  FBI Director James Comey wants to have an 'adult' conversation on the encryption debate, but many think that means ignoring experts and embracing the 'going dark' argument.

• August 31, 2016 31 Aug'16

  Windows 10 Anniversary update adds headaches for antivirus vendors

  The antivirus industry has been under fire lately, and Microsoft's Windows 10 Anniversary update has added new troubles for antivirus software vendors.

• August 31, 2016 31 Aug'16

  SWIFT discloses new attacks and bank thefts in private letter

  SWIFT told clients there have been more attacks on its bank messaging system and some have resulted in bank thefts, but no solutions to security are available.

• August 30, 2016 30 Aug'16

  Voter data breach leads to questions of tampering and state security

  Election registration databases in two states were attacked and the resulting voter data breach has led to questions of possible election tampering and inadequate state security.

• August 29, 2016 29 Aug'16

  Pegasus iOS exploit uses three zero days to attack high-value targets

  A new remote iOS exploit called Pegasus leverages three zero days in what appear to be state-sponsored targeted attack campaigns against political dissidents.

• August 26, 2016 26 Aug'16

  Ransomware decryption tool from Intel and Kaspersky quenches Wildfire

  Intel and Kaspersky cooperate with authorities to snuff out Wildfire with a ransomware decryption tool and end the threat from a $79,000 per month campaign with over 5,000 victims.

• August 25, 2016 25 Aug'16

  NSA's SNMP exploit cyberweapon affects all Cisco ASA software

  Researchers easily modified the NSA's EXTRABACON SNMP exploit to target newer versions of Cisco ASA software, but Cisco has patches rolling out.

• August 25, 2016 25 Aug'16

  Questions swirl around Shadow Brokers' cyberweapons dump

  More unanswered questions remain about the Shadow Brokers' release of NSA/Equation Group cyberweapons cache, as vendors move to mitigate and researchers search for vulnerabilities.

• August 23, 2016 23 Aug'16

  Hospital cybersecurity failing to encrypt transmitted health records

  New research found a number of troubling issues with hospital cybersecurity, including transmitting unencrypted health records and failing to deploy cybersecurity measures.

• August 23, 2016 23 Aug'16

  Leaked Cisco security vulnerability found in NSA exploit stockpile

  A Cisco security vulnerability affecting routers was found in the Shadow Brokers cyberweapon dump, and it may have been used by the NSA for years to decrypt VPN traffic.

• August 19, 2016 19 Aug'16

  Fallout from Equation Group cyberweapons leak continues to mount

  Mystery continues to surround the Shadow Brokers' release of Equation Group vulnerability exploits and hacking tools, as vendors scramble to patch zero days.

• August 19, 2016 19 Aug'16

  Dell: Machine learning security hard to explain, harder to beat

  Dell's Brett Hansen explains why machine learning security is better than signature-based detection and how it can stop emerging threats.

• August 19, 2016 19 Aug'16

  Google AdSense malware silently delivers to Android users

  Google AdSense malware has been silently delivered to Android devices, but the danger seems to be mitigated by Google itself.

• August 18, 2016 18 Aug'16

  SWIFT banking execs admit to ignoring security before hacks

  The SWIFT banking system had a number of high-profile hacks earlier this year, and execs are now admitting they ignored security issues until it was too late.

• August 18, 2016 18 Aug'16

  Netskope nabs another patent for CASB technology

  Netskope's second patent for its cloud access security broker techhnology illustrates how the CASB market is evolving and what that means for potential investors and suitors.

• August 17, 2016 17 Aug'16

  PGP collision attack on Linux creator highlights flaws with short IDs

  A PGP short ID collision attack on the creator of Linux brings to light a flaw that experts have known about for years with short ID keys.

• August 17, 2016 17 Aug'16

  Windows Bash could open the door to more Linux-based attacks

  Will Windows 10's new native version of the Ubuntu Linux command line, Windows Bash, enable new attack vectors? Experts weigh in on Windows Subsystem for Linux.

• August 16, 2016 16 Aug'16

  New Vawtrak Trojan variant leverages SSL pinning, HTTPS

  Fidelis Cybersecurity reports notorious Vawtrak banking Trojan gets upgrades to increase security and evade detection, including SSL pinning and domain generation algorithm.

• August 16, 2016 16 Aug'16

  Equation Group cyberweapons auctioned off; WikiLeaks promises release

  Cyberweapons purportedly stolen from the NSA-linked Equation Group have been put up for auction; WikiLeaks promises it will publish a 'pristine copy in due course.'

• August 15, 2016 15 Aug'16

  DNC forms cybersecurity advisory board after breach

  Following an embarrassing data breach, the Democratic National Committee has formed a cybersecurity advisory board, but experts have questioned the pedigree of board members.

• August 15, 2016 15 Aug'16

  Windows Secure Boot broken after Microsoft leaks golden key

  Microsoft accidentally released the golden key for Windows Secure Boot, causing a serious security issue for the company despite putting only less popular devices at risk.

• August 12, 2016 12 Aug'16

  White House aims to secure open source government programs

  The White House unveils a new open source government policy and new research estimates the government's zero-day exploit stockpile to be smaller than expected.

• August 11, 2016 11 Aug'16

  Risk & Repeat: Highlights and lowlights from Black Hat 2016

  In this Risk & Repeat podcast, SearchSecurity editors discuss the good and bad news from Black Hat 2016 in Las Vegas, including critical flaws in web protocols.

• August 09, 2016 09 Aug'16

  Browser vulnerabilities, Office flaws lead August 2016 Patch Tuesday

  Microsoft's August 2016 Patch Tuesday focuses on critical browser vulnerabilities in Edge and Internet Explorer, as well as flaws with Microsoft Office and PDF Library.

• August 09, 2016 09 Aug'16

  More DDoS DNS amplification attacks use SSDP than NTP

  Black Hat: New research finds DDoS DNS amplification attacks are more likely to use SSDP than NTP and DDoS attacks may generally be smaller than reported.

• August 09, 2016 09 Aug'16

  Bluetooth LE security hit with GATTack at Black Hat

  Amid varying attacks targeting IoT devices at Black Hat 2016, a new software proxy offered leverage against the latest Bluetooth LE security protections.

• August 09, 2016 09 Aug'16

  Oracle MICROS breached, password reset recommended

  Oracle's MICROS PoS systems breached, possibly by Carbanak cybergang; Oracle issues mandatory password reset for customers.

• August 05, 2016 05 Aug'16

  Security of HTTP/2 protocol takes big hit at Black Hat 2016

  Black Hat researchers report flaws in key web protocols, demonstrating widespread flaws in HTTP/2 implementations; Banner Health announces breach affecting 3.7 million.

• August 05, 2016 05 Aug'16

  Apple starting its own bug bounty program with big rewards

  Apple will be starting a bug bounty program for researchers who find critical vulnerabilities in iOS or iCloud and offer big rewards.

• August 05, 2016 05 Aug'16

  Government data requests have little legal backing say experts

  Experts find law enforcement data requests have little legal support and suggest enterprises use independent judgment when deciding whether to comply or push back.

• August 04, 2016 04 Aug'16

  EMV cards, PIN pads vulnerable to man in the middle attacks

  Researchers at Black Hat 2016 poked holes in chip and PIN security by demonstrating simple attacks that can intercept EMV card transaction data, including CVV codes and PINs.

• August 03, 2016 03 Aug'16

  Black Hat 2016 keynote: We need sharing, not competition, in security

  Black Hat 2016 keynote speaker Dan Kaminsky called for more information sharing and in security and more long-term public work in the cybersecurity space.

• August 03, 2016 03 Aug'16

  Barclays replaces passwords with voice authentication

  Barclays is offering U.K. retail banking customers the option to do voice authentication instead of using passwords, with voiceprints that are as unique as fingerprints.

• July 29, 2016 29 Jul'16

  Android security boosted with memory protection of Linux kernel, more

  Google details how it is improving Android security with better memory protections and reduction of the Linux kernel's attack surface.

• July 29, 2016 29 Jul'16

  White House unveils federal cybersecurity plan and attack rating system

  The White House's new federal cybersecurity plan outlines the responsibilities of each agency in a cyberattack and creates a rating system to determine the severity of an attack.

• July 29, 2016 29 Jul'16

  Researchers uncover malicious probing of Tor hidden services

  Researchers discovered attempts to snoop on dark web servers through malicious changes to Tor Project hidden services directories.

• July 28, 2016 28 Jul'16

  Dell: Signature-based detection must give way to machine learning

  Dell's Brett Hansen discusses his company's new approach to advanced threat protection, which leaves behind signature-based detection and embraces machine learning.

• July 27, 2016 27 Jul'16

  LastPass security flaws put passwords at risk; patch rolling out

  Problems with LastPass security might have been improperly disclosed, putting user passwords at higher risk, but the flaws have already been fixed, with an update rolling out now.

• July 27, 2016 27 Jul'16

  KeySniffer vulnerability enables eavesdropping on wireless keyboards

  The KeySniffer wireless vulnerability goes beyond the similar MouseJack flaw in exposing users of inexpensive wireless keyboards to sniffing, injection attacks.

• July 26, 2016 26 Jul'16

  Experts say NIST deprecating SMS 2FA is long overdue

  America's National Institute for Standards and Technology is advising the deprecation of using SMS-based two-factor authentication in order to improve security.

• July 22, 2016 22 Jul'16

  Oracle CPU fixes record crop of critical flaws in quarterly patchfest

  Oracle patches its biggest batch yet of security fixes in this quarter's CPU cycle.

• July 22, 2016 22 Jul'16

  DNS DDoS attack shuts down Library of Congress websites for three days

  A DNS DDoS attack hit the Library of Congress, disrupting various Library services and websites for three days before IT staff was able to restore normal functionality.

• July 21, 2016 21 Jul'16

  FBI accused of avoiding FOIA requests in the name of security

  A lawsuit against the Department of Justice claims the FBI is using outdated technology in order to avoid fulfilling FOIA requests.

• July 20, 2016 20 Jul'16

  Flaw in ASN.1 compiler potentially critical, hard to find

  A critical flaw was discovered in the ASN.1 compiler used by leading telecommunications and networking vendors, and the extent of the vulnerability has yet to be determined.

• July 18, 2016 18 Jul'16

  Responsible disclosure of latest named vulnerability, 'httpoxy'

  Responsible disclosure wins as researchers roll out branded website for 'httpoxy,' a set of vulnerabilities in server-side web apps that use the HTTP_PROXY variable.

• July 18, 2016 18 Jul'16

  John Curran explains benefits of IPv6 connectivity progress

  John Curran, ARIN chief, explains IPv6 connectivity progress and gives compelling security arguments in favor of IPv6 support sooner rather than later.

• July 15, 2016 15 Jul'16

  FDIC found hiding multiple APT attacks and more from investigators

  An investigation by a federal committee found the FDIC had multiple breaches, including an APT attack, spanning years but hid the hacks from Congress.

• July 15, 2016 15 Jul'16

  EU member states approve EU-U.S. Privacy Shield data flow framework

  The EU-U.S. Privacy Shield framework takes effect, replacing Safe Harbor for transatlantic data flows; U.S. beefs up Cyber Command.

• July 14, 2016 14 Jul'16

  John Curran explains the importance of IPv6 connectivity

  A year after the depletion of the IPv4 address space, ARIN chief John Curran talks about IPv6 benefits, the IPv6 NAT conundrum and the importance of offering IPv6 connectivity.

• July 14, 2016 14 Jul'16

  New 'ransomware' variant proves there's no honor among thieves

  A new 'ransomware' variant, which could be considered more scareware, doesn't encrypt files at all and instead deletes data and tricks victims into paying anyway.

• July 13, 2016 13 Jul'16

  Pokémon GO reveals full account access flaw for Google authentication

  The wildly popular Pokémon GO mobile game obtained a full account access token to iOS users' Google accounts, revealing a major issue with Google's OAuth authentication system.

• July 12, 2016 12 Jul'16

  July 2016 Patch Tuesday is more about Adobe Reader bugs than Microsoft

  Adobe Reader bugs take center stage for the July 2016 Patch Tuesday, as Microsoft has a smaller bulletin list of fixes for its products.

• July 12, 2016 12 Jul'16

  SWIFT banking security adds a dedicated cyberintelligence team

  SWIFT attempts to improve banking security include partnerships with two cybersecurity firms, and the creation of a new Customer Security Intelligence team.

• July 08, 2016 08 Jul'16

  Avast purchase of AVG shows uncertainty in antivirus market

  Avast purchased competitor AVG to improve consumer and enterprise products, but one expert said the purchase price proves the antivirus market may be on the decline.

• July 08, 2016 08 Jul'16

  Microsoft calls for independent body to address cyber attribution

  In a move to support the development of global cybersecurity norms, Microsoft calls for improved cyber attribution to identify cyberattack perpetrators.

• July 08, 2016 08 Jul'16

  Risk & Repeat: More critical Symantec vulnerabilities emerge

  In this Risk & Repeat podcast, SearchSecurity editors discuss a new Google Project Zero report on yet another round of critical Symantec vulnerabilities.

• July 07, 2016 07 Jul'16

  New EU GDPR privacy regulation set to take effect in 2018

  As the new General Data Protection Regulation privacy regulation looms, many firms face new rules and challenges to protect the privacy of EU citizens, regardless of location.

• July 07, 2016 07 Jul'16

  Android full-disk encryption is flawed enough for government work

  Vulnerabilities on devices with Qualcomm chipsets can allow Android full-disk encryption to be bypassed by malicious actors or law enforcement.

• July 06, 2016 06 Jul'16

  FBI says Hillary Clinton's email setup was irresponsible, not illegal

  The FBI gave a scathing review of Hillary Clinton's email setup, using personal servers for sensitive federal information, but deemed her actions were not illegal.

• July 01, 2016 01 Jul'16

  House Homeland Security Committee proposes encryption debate commission

  The House Homeland Security Committee officially proposed the creation of a commission to study both sides of the encryption debate and provide official recommendations.

• July 01, 2016 01 Jul'16

  Enterprise encryption strategies rise as firms' use of encryption grows

  Report: Enterprise encryption is on the rise as firms embrace use of encryption strategies; also, new Bart ransomware, IRS drops e-file PIN tool, and more.

• June 30, 2016 30 Jun'16

  The healthcare industry is making it far too easy for hackers

  Hospitals and healthcare organizations are far too vulnerable to cyberattacks, and a recent healthcare security study shows the issue isn't just outdated legacy technology -- medical professionals ...

• June 29, 2016 29 Jun'16

  Nearly 10 million hospital patient records for sale on dark web market

  Nearly 10 million patient records have been posted for sale on a dark web market, putting the personally identifiable information of many at risk for abuse.

• June 29, 2016 29 Jun'16

  Google Project Zero exposes more critical Symantec vulnerabilities

  A raft of new Symantec and Norton antivirus vulnerabilities exposed by Google Project Zero are 'as bad as it gets,' according to Tavis Ormandy: RCE, no user interaction and wormable.

• June 27, 2016 27 Jun'16

  Intel reportedly considering selling its security business

  New reports suggest Intel may be looking into selling off its security business, and experts are unclear whether it means Intel's McAfee acquisition has gone sour.

• June 27, 2016 27 Jun'16

  NASCAR race team hit with ransomware attack

  Hit by a ransomware attack, a NASCAR race team paid to restore data worth millions, then called on Malwarebytes to secure their systems -- and Malwarebytes joined up as a sponsor.

• June 24, 2016 24 Jun'16

  Cyber attribution relies on human intelligence, not technical info

  Experts said human intelligence was the key to the cyber attribution effort for the Democratic National Committee attack, which confirmed Russian agents were to blame.

• June 24, 2016 24 Jun'16

  FBI surveillance access with National Security Letter unchanged, for now

  U.S. Senate fails to pass National Security Letter regulation to enhance warrantless FBI surveillance access to metadata, including email headers and browser history.

• June 22, 2016 22 Jun'16

  Activists, DOJ spar over Rule 41 changes to enhance FBI searches

  EFF and privacy activists oppose Rule 41 changes, while the Department of Justice claims the changes do not alter 'traditional protections' under the Fourth Amendment.

• June 21, 2016 21 Jun'16

  Acer's e-commerce website hit by a customer data breach

  Computer maker Acer was hit by a customer data breach of its e-commerce website, leaving approximately 34,500 customers' contact and payment information exposed for about a year.

• June 20, 2016 20 Jun'16

  CIA chief denies encryption backdoor effect on U.S. business

  The director of the CIA denied that a government-mandated encryption backdoor would have an effect on U.S. business, but experts said the statement ignores the global market.

• June 17, 2016 17 Jun'16

  DNC hack raises questions about cyber attribution methods

  The hack of the Democratic National Committee has called into question methods for cyber attribution after the alleged attacker comes forward.

• June 17, 2016 17 Jun'16

  FBI facial recognition systems draw criticism over privacy, accuracy

  GAO report blasts FBI facial recognition programs over privacy and accuracy concerns; FBI systems offer access to over 411 million photos from federal and state sources.

• June 17, 2016 17 Jun'16

  What Symantec's acquisition of Blue Coat says about the CASB market

  Symantec's $4.65 billion acquisition of Blue Coat Systems could lead to a dramatic shift at the antivirus vendor, but what does the deal mean for the cloud access security broker space?

• June 16, 2016 16 Jun'16

  Russian hacker arrests linked to ransomware and exploit kit shutdowns

  The Lurk group hacker arrests in Russia came at the same time as the shutdown of a major exploit kit, ransomware family and botnet, but no one is sure if it is coincidence or causation.

• June 15, 2016 15 Jun'16

  SAP vulnerability, reported in 2010, finally patched

  SAP vulnerability patched, finally: The Java flaw was originally patched in 2010 but became the subject of an unprecedented US-CERT alert in May.

• June 15, 2016 15 Jun'16

  Ransomware worm raises concerns for enterprise security

  In this Risk & Repeat podcast, SearchSecurity editors break down the discovery of the ZCryptor ransomware worm and what it means for future ransomware threats.

• June 14, 2016 14 Jun'16

  Adobe Flash zero-day overshadows June 2016 Microsoft Patch Tuesday

  Microsoft's June 2016 Patch Tuesday release is not the most important of the day according to experts, instead another Adobe Flash zero-day vulnerability gets the spotlight.

• June 14, 2016 14 Jun'16

  Ransomware attack, education highlight 2016 Information Security Summit

  User education, ransomware attacks and cyberliability insurance are among the hot topics for infosec attendees at the annual 2016 Information Security Summit.

• June 13, 2016 13 Jun'16

  Symantec acquisition of Blue Coat shakes up security industry

  Symantec agreed to acquire Blue Coat Systems for $4.65 billion, with Blue Coat CEO Greg Clark taking over as new CEO of the combined company.

• June 10, 2016 10 Jun'16

  Mozilla Secure Open Source Fund to aid developers with audits

  Mozilla created the Secure Open Source Fund to help developers perform security audits on software in an effort to reduce the potential of another Heartbleed or Shellshock.

• June 10, 2016 10 Jun'16

  Ransomware attack hits UCalgary as CryptXXX devs up their game

  As the University of Calgary contends with a ransomware attack, the actors behind CryptXXX are rolling out patches and upgrades and attackers are shifting from Angler to Neutrino EK.

• June 09, 2016 09 Jun'16

  TeamViewer hacks have everyone placing blame

  A rash of TeamViewer hacks has led to confusion concerning what the issues are and who is responsible for user security in this case.

• June 09, 2016 09 Jun'16

  Petraeus slams encryption backdoors, supports Apple

  Speaking at the Cloud Identity Summit, Gen. David H. Petraeus blasted the FBI's recent efforts to compel Apple to break the company's own encryption protection.

• June 08, 2016 08 Jun'16

  SWIFT banking system boosts security following cyberattacks

  Following a number of attacks on the SWIFT banking system that led to the theft of millions of dollars, SWIFT promised new rules to improve security for bank transfers.