Less than two months after a ban came into effect for new SSL/TLS certificates signed with the weak SHA-1 hashing algorithm, exemptions are already starting to take shape. Mozilla announced Wednesday that it will allow Symantec, which runs one of the world's largest certificate authorities, to issue nine new such certificates to a customer in order to accommodate over 10,000 payment terminals that haven't been upgraded in time. According to a discussion on the Mozilla security policy mailing list, Worldpay, a large payment processor, failed to migrate some of its SSL/TLS servers to SHA-2 certificates. As a result of an oversight, the company also didn't obtain new SHA-1 certificates for those servers before Dec. 31, 2015, when it was still allowed to do so.
The group of hackers that crippled the computer infrastructure of Sony Pictures Entertainment in late 2014 has been responsible for a large number of attacks against organizations from South Korea, the U.S. and other countries over the past seven years. The group has been dubbed Lazarus by a coalition of security vendors who have worked together over the past two years to investigate its activities. During this time they've established links between Lazarus and 1,000 malicious file samples organized in over 45 distinct malware families. The researchers found evidence of attacks by this group against organizations from the government, media, military, aerospace, financial, and critical infrastructure sectors stretching as far back as 2009. The attacks included cyberespionage, denial of service, data theft and data destruction.
Hackers can easily disable the Microsoft Enhanced Mitigation Experience Toolkit (EMET), a free tool used by companies to strengthen their Windows computers and applications against publicly known and unknown software exploits. Researchers from security vendor FireEye have found a method through which exploits can unload EMET-enforced protections by leveraging a legitimate function in the tool itself. Microsoft patched the issue in EMET 5.5, which was released on Feb. 2. However, it's likely that many users haven't upgraded yet, because the new version mainly adds compatibility with Windows 10 and doesn't bring any new significant mitigations.
The employees of at least six Russian banks were recently the target of a well-crafted email attack where hackers masqueraded as the Russian Central Bank to trick them into installing malware. The incident is the latest in a string of malware attacks against financial institutions over the past year. Together they signal a shift in focus for many cybercriminal groups, from stealing money from bank customers to stealing money directly from banks themselves. According to researchers from Symantec, employees from different Russian banks received emails in December offering them employment at the Central Bank of Russia. The messages were sent from a domain that closely resembled that of the Russian Central Bank and contained a link to an archive file with a Trojan named Ratopak inside.
A Chinese iOS application recently found on Apple's official store contained hidden features that allow users to install pirated apps on non-jailbroken devices. Its creators took advantage of a relatively new feature that lets iOS developers obtain free code-signing certificates for limited app deployment and testing. The number of malware programs for iOS has been very low until now, primarily because of Apple's strict control of its ecosystem. Devices that have not been jailbroken -- having their security restrictions removed -- only allow apps obtained from the official App Store, after they've been reviewed and approved by Apple.
Twitter has notified 10,000 users that their email addresses and phone numbers may have been exposed due to a bug in the website's password recovery feature. The incident happened over the course of 24 hours on an unspecified day last week, but the company alerted affected users on Wednesday. "Any user that we find to have exploited the bug to access another account’s information will be permanently suspended, and we will also be engaging law enforcement as appropriate so they may conduct a thorough investigation and bring charges as warranted," Twitter said in a blog post.
It's not unusual to hear of vulnerabilities in smart-home security systems these days, as security researchers turn their attention to the Internet of Things. It's worrying, though, when a modern security system turns out to be vulnerable to a so-called replay attack, the kind of thing that worked against garage door openers back in the 1990s. The latest example is SimpliSafe, a wireless alarm system that's marketed as cheaper and easier to install than traditional wired home security systems. Its manufacturer claims that the system is used in over 200,000 homes in the U.S. According to Andrew Zonenberg, a researcher with security consultancy firm IOActive, attackers can easily disable SimpliSafe alarms from up to 30 meters away, using a device that costs around $250 to create a replay attack.
Up to 46,000 Internet-accessible digital video recorders (DVRs) that are used to monitor and record video streams from surveillance cameras in homes and businesses can easily be taken over by hackers. According to security researchers from vulnerability intelligence firm Risk Based Security (RBS), all the devices share the same basic vulnerability: They accept a hard-coded, unchangeable password for the highest-privileged user in their software -- the root account. Using hard-coded passwords and hidden support accounts was a common practice a decade ago, when security did not play a large role in product design and development. That mentality has changed in recent years and many vendors, including large networking and security appliance makers, are frequently issuing firmware updates to fix such basic flaws when they are discovered by internal and external security audits.
The Xen Project released new versions of its virtual machine hypervisor, but forgot to fully include two security patches that had been previously made available. The Xen hypervisor is widely used by cloud computing providers and virtual private server hosting companies. Xen 4.6.1, released Monday, is flagged as a maintenance release, the kind that is put out roughly every four months and is supposed to include all bug and security patches released in the meantime. "Due to two oversights the fixes for both XSA-155 and XSA-162 have only been partially applied to this release," the Xen Project noted in a blog post. The same is true for Xen 4.4.4, the maintenance release for the 4.4 branch that was released on Jan. 28, the Project said.
A cyberespionage group of Russian origin known as Pawn Storm is infecting Linux systems with a simple but effective Trojan program that doesn't require highly privileged access. Pawn Storm, also known as APT28, Sofacy or Sednit, is a group of attackers that has been active since at least 2007. Over the years, the group has targeted governmental, security and military organizations from NATO member countries, as well as defense contractors and media organizations, Ukrainian political activists and Kremlin critics. The group is known for using zero-day exploits -- exploits for previously unknown vulnerabilities -- as well as other infection techniques like spear-phishing emails with malicious attachments. Its primary tool is a Windows backdoor program called Sednit, but the group also uses malware programs for Mac OS X, Linux and even mobile operating systems.
The Pwn2Own hacking contest will return in March, pitting researchers against the most popular browsers and operating systems. The novelty: Contestants can win a $75,000 prize for escaping a VMware virtual machine. Contestants will be able to exploit Microsoft Edge or Google Chrome on fully patched versions of 64-bit Windows 10 and Apple Safari on OS X El Capitan. System or root-level privilege escalation pays extra, as does escaping from the virtual machine. Every year, Pwn2Own, at the CanSecWest security conference, has slightly modified rules, and 2016 is no different. Adobe Reader, Mozilla Firefox and Internet Explorer are no longer on the contest's target list. Adobe Flash remains, but only the version that comes bundled with Microsoft Edge.
Cisco Systems patched a critical vulnerability that could allow remote attackers to take over Cisco Adaptive Security Appliance (ASA) firewalls configured as virtual private network servers by simply sending malformed network packets to them. For devices that are designed to protect private networks from Internet attacks, this is as bad as it gets. That's why Cisco rated the vulnerability with the maximum score of 10 in the Common Vulnerability Scoring System. The flaw is located in the Cisco ASA code that handles the Internet Key Exchange version 1 (IKEv1) and IKE version 2 (IKEv2) protocols. More precisely, it stems from a buffer overflow condition in the function that processes fragmented IKE payloads.
Microsoft released its second batch of security updates for this year, addressing a total of 36 flaws in Internet Explorer, Edge, Office, Windows and .NET Framework. The patches are covered in 12 security bulletins, five of which are rated critical. There is also a thirteenth bulletin, also critical, for Flash Player. Although it's maintained by Adobe, Flash Player is included with Internet Explorer 11 and Edge, so Microsoft is distributing Adobe's patches through Windows Update. Researchers from security vendor Qualys believe that MS16-022, the Flash Player bulletin, should be at the top of users' priority list this month because it contains fixes for 22 critical vulnerabilities that could give attackers complete control over computers. Flash Player is a frequent target for attackers and can be exploited by simply visiting a malicious or compromised website.
The Internal Revenue Service was the target of an attack that used stolen social security numbers and other taxpayer data to obtain PINs that can be used to file tax returns electronically. The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address. Attackers attempted to obtain E-file PINs corresponding to 464,000 unique SSNs using an automated bot, and did so successfully for 101,000 SSNs before the IRS blocked it. The personal taxpayer data used during the attack was not obtained from the IRS, but was stolen elsewhere, the agency said in a statement. The IRS is notifying affected taxpayers via mail and will monitor their accounts to protect them from tax-related identity theft.
A cross-platform remote access Trojan that's being openly sold as a service to all types of attackers, from opportunistic cybercriminals to cyberespionage groups, has been used to attack more than 400,000 systems over the past three years. The RAT (Remote Access Tool/Trojan), which depending on the variant is known as Adwind, AlienSpy, Frutas, Unrecom, Sockrat, jRat or JSocket, is evidence of how successful the malware-as-a-service model can be for malware creators. Adwind is written in Java, so it can run on any OS that has a Java runtime installed, including Windows, Mac OS X, Linux and Android. The Trojan has been continuously developed since at least 2012 and is being sold out in the open via a public website.
The times when stealthy, persistent and advanced malware was associated only with cyberespionage are gone. Criminals are now using similar threats and techniques to steal millions of dollars from financial institutions. Last year researchers from security vendor Kaspersky Lab were called in to investigate unusual thefts from 29 banks and other organizations located in Russia, leading to the discovery of three new sophisticated attack campaigns. Their findings were presented Monday during the company's annual Security Analyst Summit. One group of attackers is using a modular malware program known as Metel or Corkow to infect computer systems belonging to banks and to reverse ATM transactions. During a single night, the gang stole millions of rubles from a Russian bank using this hard-to-detect transaction rollback trick.
On most computers, the default download folder quickly becomes a repository of old and unorganized files that were opened once and then forgotten about. A recently fixed flaw in the Java installer highlights why keeping this folder clean is important. On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have lying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason is that older Java installers are designed to look for and automatically load a number of specifically named DLL (Dynamic Link Library) files from the current directory. In the case of Java installers downloaded from the Web, the current directory is typically the computer's default download folder.
Several antivirus vendors have taken the open-source Chromium browser and created derivatives that they claim are more privacy-friendly and secure. Yet, at least two of them were recently found to have serious flaws that don't exist in Chromium. The latest example is the Avast SafeZone browser, internally known as Avastium, which is installed with the paid versions of Avast's antivirus and security suites. Google Project Zero researcher Tavis Ormandy found a vulnerability that could allow an attacker to take control of Avastium when opening an attacker-controlled URL in any other locally installed browser. By exploiting the flaw, an attacker could remotely read "files, cookies, passwords, everything," Ormandy said in a report that he sent to Avast in December and which he made public Wednesday. "He can even take control of authenticated sessions and read email, interact with online banking, etc."