Backdoors in Wi-Fi routers, said to be closed, can be reopened

Although said to be patched, researcher Eloi Vanderbeken discovered during the Easter holiday that backdoors existing in certain wireless routers can be reactivated.

Apple ships Mac OS X updates, fixes several code execution bugs

Among the addressed vulnerabilities was a bug affecting WindowServer, which could allow an attacker to execute malicious code outside the sandbox.

NIST eyes removing flawed Dual_EC_DRBG algorithm from guidelines

The National Institute of Standards and Technology is looking to remove the flawed Dual_EC_DRBG algorithm from its guidelines.

Verizon: Espionage attacks grew threefold in 2013, greater visibility diverts China focus

While China continued to lead cyber espionage activity against organizations, Eastern Europe accounted for more than 20 percent of related incidents, according to an annual data breach report.

Feedly fixes Android JavaScript code injection flaw, deems it "harmless"

A researcher wrote about a bug in the Android app for news aggregator Feedly that could enable JavaScript code injection, but even though it was fixed, the company did not really consider it a vulnerability.

Class-action suit aimed at MCCCD for delayed notification in breach

A motion filed in Maricopa County Court says that by delaying notification and lying about last April's breach, MCCCD put victims' PII at risk.

Attack exercise reveals threat-sharing roadblock within health orgs

In the "CyberRx" exercise, many organizations expressed concerns about communicating threat information to integral team members outside IT.

Critical update makes P2P Zeus trojan even tougher to remove

An update to the P2P Zeus banking trojan results in the installation of a rootkit driver that makes deleting the malware even tougher.

Research shows vulnerabilities go unfixed longer in ASP

A new report finds little difference in the number of vulnerabilities among programming languages, but remediation times vary widely.

Amplification, reflection DDoS attacks increase 35 percent in Q1 2014

The Q1 2014 Global DDoS Attack Report reveals that amplification and reflection distributed denial-of-service attacks are on the rise.

Attackers target Facebook to deliver Android iBanking malware

A Windows trojan delivered via drive-by download is injecting malicious content into Facebook and ultimately fooling users into downloading Android malware that can allow for the capturing of SMS messages.

Federal watchdog says SEC security issues put financial data at risk

According to the U.S. Government Accountability Office (GAO), the SEC, among other lapses, failed to adequately oversee a contractor that migrated its financial system to a new data center.

POS malware risks millions of payment cards for Michaels, Aaron Brothers shoppers

An investigation dating back to January has finally confirmed that malware on point-of-sale systems may have compromised payment card data for millions of Michaels Stores and Aaron Brothers customers.

Contempt order against Lavabit still stands, appeals court rules

A federal appeals court backed an earlier ruling penalizing the email service.

Arrested Canadian hacker 'believed' to have exploited Heartbleed bug

The Royal Canadian Mounted Police arrested a 19-year-old man in Ontario who they believe exploited the Heartbleed bug to steal information from a federal agency.

Researchers uncover critical flaws impacting satellite communications

Critical security issues that leave satellite communications vulnerable to being intercepted, manipulated or blocked were detailed in a white paper.

Report: SQL injection a pervasive threat, behavioral analysis needed

Long lag times between detection and resolution and reliance on traditional methods impair an organization's ability to combat SQL injection attacks.

Galaxy S5 fingerprint scanner bypassed using old Apple Touch ID spoof

A fingerprint spoof created in September 2013 to bypass the Touch ID on the iPhone 5s was used to bypass the fingerprint scanner on the Samsung Galaxy S5, which was released on Friday.

Oracle fixes 104 flaws in quarterly update, addresses Heartbleed bug

Oracle's Critical Patch Update (CPU) plugged 37 holes in the popular Java browser plug-in.

Pentagon to triple its security workforce by 2016

Defense Secretary Chuck Hagel recently announced the recruitment efforts during a speech in Fort Meade, Md.

The Heartbleed bug works, and could be a scapegoat for older breaches

Researchers proved the Heartbleed bug was real in a challenge issued by CloudFlare to prove private keys can be stolen, right around the time companies are claiming they were breached because of the critical flaw.

Researchers find Android security issue in app permissions protocol

The permissions issue could allow a malicious app to alter legitimate home screen icons.

Heartbleed bug not leveraged for surveillance, NSA says

After a Bloomberg article reported that unnamed sources indicated that the NSA knew of the major flaw and utilized it for surveillance purposes, the agency denied the claims.

Trio charged with hacking, stealing data from U.S. Army, Microsoft and more

According to a sealed indictment published online, three men face more than a dozen charges for hacking into computer systems and stealing data from the U.S. Army, Microsoft and more.

DHS puts critical infrastructure on 'Heartbleed Bug' alert

This week, critical infrastructure operators were notified of potential threats arising from the critical OpenSSL flaw.

Indictment charges 'Jabber Zeus Crew' with using malware to steal millions

Nine individuals are charged in an operation dating back to 2009, which involved infecting computers with the Zeus trojan and using the malware to steal millions.

Phishers find most success midweek, masquerading as IT, report finds

An incident response firm found that 93 percent of phishing emails were sent out on weekdays, with the most popular day being Wednesday.

Trojanized Android apps steal authentication tokens, put accounts at risk

Rogue Android apps can steal authentication tokens and risk the accounts of some of the most widely used services, including Google, Facebook and Twitter.

Latest UMD 'intrusion' linked to IT worker exposing security issues, account shows

An engineer, who was contracted to work for the University of Maryland, says that his goal was to spur action at the school.

Vulnerable organizations respond to encryption-breaking 'Heartbleed Bug'

Organizations vulnerable to the SSL/TLS encryption-breaking Heartbleed Bug, a critical vulnerability in widely used versions of the OpenSSL library, are updating quickly.

Study reveals only 56 percent of employees get awareness training

A survey reveals that employees routinely make security mistakes, yet 45 percent of employees get awareness training only in a single, short annual session.

Popular ad server patches SQL injection flaw impacting platform

Orbit Open Ad Server was vulnerable to SQL injection attacks, which could result in website visitors' information being stolen via malvertising, a security firm found.

Report: Data breaches up 62 percent in 2013

Targeted attacks grew by 91 percent and lasted three times longer, according to a recent threat report.

Judge denies Wyndham motion challenging FTC authority

The court battle began when the FTC filed a 2012 complaint against hotelier Wyndham, accusing it of deceptive and unfair practices against consumers following data breaches.

Microsoft releases final fixes for Windows XP, Office 2003

This month's Patch Tuesday marks the end of support for the dated, but widely used, products.

Critical OpenSSL vulnerability, 'Heartbleed Bug,' enables SSL/TLS decryption

Internet communications utilizing SSL/TLS encryption may be at risk due to the Heartbleed Bug, a critical vulnerability in widely used versions of the OpenSSL library.

HHS reveals "high-risk" security issues at Medicaid agencies

An HHS report, based on audits between 2010 and 2012, noted serious vulnerabilities affecting 10 state Medicaid agencies.

Zeus variant uses valid digital signature to avoid detection

Anti-virus company Comodo has identified a variant of the infamous Zeus trojan that is avoiding detection by using a valid digital signature.

Report: Neiman Marcus breach work of Russian hackers who targeted Heartland

The group being implicated has stolen over 160 million card numbers over the years by hacking organizations, including Heartland Payment Systems, Visa and 7-Eleven.

Connecticut, Illinois to investigate massive breach at Experian co.

The breach struck Experian subsidiary, Court Ventures, and compromised the personal and financial data of more than 200 million Americans.

Microsoft previews last Patch Tuesday update for Windows XP

The company also revealed that a zero-day flaw in Word 2010 will be patched next week.

XSS vulnerability in popular video site enables unique DDoS attack

Website security company Incapsula defended a client from a DDoS attack that was carried out using a persistent XSS vulnerability in a highly popular site that hosts video content.

Federal agencies fall short on data breaches, GAO report says

The number of data breaches reported by U.S. government agencies more than doubled in a four-year period, jeopardizing PII, a GAO official told a Senate committee.

Lawsuit over Symantec, Digital River sales practices granted class-action status

Symantec and a company it contracted, Digital River, are accused of misleading consumers who paid for antivirus download insurance.

More than 24M home routers enabling DNS amplification DDoS attacks

More than 24 million home routers have open DNS proxies that enable DNS-based DDoS attacks, and 5.3 million of the devices were used to generate attack traffic in February, according to Nominum.

Google wants Supreme Court to rule on Street View privacy case

Google continues to fight a court ruling that its interception of Wi-Fi traffic, using Street View, may have been unlawful.

Cryptocurrency mining malware discovered on surveillance DVRs

Cryptocurrency mining malware has been discovered on DVRs that record footage taken by surveillance cameras.

Two men plead guilty to role in worldwide hacking operation

The men, who are New York and Massachusetts residents, led "cash out" operations for an international scheme.

Researchers uncover NSA tool, enables faster cracking of flawed algorithm used by RSA

Researchers have uncovered an NSA tool, known as "Extended Random," that enables the government agency to more quickly crack a flawed community-developed encryption algorithm.

Advanced Evasion Techniques still top of mind for pros, study says

Nearly 40 percent of IT decision-makers don't believe they have the ability to detect AETs, which fly under the radar of most firewalls.

Coinbase responds to information disclosure, user enumeration, other concerns

Coinbase responded to a researcher's claims that the San Francisco-based Bitcoin exchange is vulnerable to information disclosure, user enumeration, and lack of rate limitation for sending money requests.

In LinkedIn breach suit, judge denies company's motion to dismiss

A plaintiff says she would have viewed her premium LinkedIn subscription as "less valuable" had the company disclosed "lax security practices," before its 2012 password breach.

Company news: McAfee's new CTO and Bit9's recent merger

This month's company news features a new CTO at McAfee, Bit9 merging with Carbon Black, and a partnership between Qualys and AlgoSec.

News briefs: Revelations at RSA Conference, zero-day fixes and more security news

This month's news briefs include revelations at the RSA Conference 2014 in San Francisco, new malware, zero-day fixes and more security news.

Tesla cars' weak password protocol could allow remote unlock, locating

A researcher at Black Hat Asia highlighted security issues affecting Tesla Model S cars.

Smartphones at risk of malicious code injection through HTML5-based apps

Researchers have discovered a new attack, known as Cross-Device Scripting, that can allow an attacker to compromise most smartphones by injecting malicious code through HTML5-based apps.

Fandango, Credit Karma settle FTC charges of poor app security

The companies were accused of failing to securely transmit credit card data, Social Security numbers, and other sensitive data collected by their mobile apps.

Trustwave responds to Target breach lawsuit, bank drops out

Trustmark National Bank has dropped its claims related to the class-action lawsuit filed last week against the retail giant and the security firm.

Feds indict 17 involved in international ATM skimming spree

Using stolen debit card information, the defendants created phony replicas of cards to make fraudulent transactions at various Chicago ATMs.

Researchers demo how Philips smart TVs do not have smart security

Researchers with security company ReVuln released a video in which they demonstrated how recent Philips smart TVs are vulnerable to numerous attacks.

Cutwail operators aim DDoS at Zeus competitors

Researchers at RSA noted the "battle of the botmasters" taking place.

Experts suggest transaction malleability did not ruin Mt. Gox

In a paper released on Wednesday, Swiss researchers suggest the transaction malleability Bitcoin flaw did not ruin Mt. Gox, despite what the Tokyo-based company announced.

AvMed breach settlement awards plaintiffs regardless of suffered fraud

Legal experts say the settlement serves as a small win for plaintiffs, and a much bigger one for their attorneys.

WinRAR spoofing vulnerability being exploited in malware campaign

A WinRAR vulnerability is being taken advantage of in a malware campaign targeting government and international organizations, as well as Fortune Global 500 companies.

Univ. of Maryland hackers used trojan to steal IT credentials, access database

University President Wallace Loh told Senate members that the attackers cloaked their activity by using the Tor network.

Windows trojan packs punch, downloads ransomware "Cribit"

Cribit ransomware demands Bitcoin payment to decrypt hostage files, Trend Micro reveals.

Study examines erosion of PII as massive breaches persist

A report investigates how static, hard-to-change personal data, such as SSNs or dates of birth, is affected by repeated breaches.

MitM attackers posing as banks, other major groups, tough to detect

PhishLabs researchers have identified a man-in-the-middle attack campaign that involves hackers posing as major organizations, including banks.

Pileup flaws enable privilege escalation during Android updates, researchers find

Under the right conditions, simply updating any Android device can enable an attacker to escalate app privileges and carry out all sorts of malicious things.

Banks file class-action against Target and Trustwave over massive breach

Banks impacted by the Target data breach have banded together to file a class-action against the retail giant, as well as against security firm Trustwave.

President to propose legislation to halt bulk collection of phone data

Along with the White House's legislative proposal, the House Intelligence Committee also introduces its own bill tackling the NSA surveillance practice.

APT groups use Malaysian flight-themed email attachments as bait

Researchers at FireEye say firms were targeted with phishing emails mentioning the mysterious flight.

Zorenium bot said to be updated for iOS, capable of various attacks

A new multipurpose bot known as Zorenium has recently been updated to work with iOS devices, according to the alleged author.

Attackers get cash out of ATMs by sending SMS messages

Criminals are using SMS messages to get cash out of ATMs, according to Symantec.

Microsoft warns of attacks leveraging Word zero-day, releases temporary fix

The zero-day vulnerability is a remote code execution flaw in Word 2010.

Huawei responds to leaks detailing NSA hack of firm's networks

Recent Snowden leaks allege that the NSA targeted Chinese telecom firm Huawei for corporate data, including product source code.

New group provides threat intelligence to domain registrars, other firms

Name.com, Facebook and Verizon are among the companies backing the newly-formed Secure Domain Foundation (SDF).

Basecamp becomes latest victim of extortion-based DDoS attack

Basecamp has become the latest victim of an extortion-based distributed denial-of-service (DDoS) attack, according to a Monday notification.

NSA hacks system admins to gain access through gatekeepers, leaks reveal

Snowden leaks detail the agency's practice of going after the gatekeepers of networks to gather intel.

BlackOS software package automates website hacking, costs $3,800 a year

An updated version of a malicious software package designed to automate the process of hacking websites is being offered up on underground markets for $3,800 a year, according to a blog by Trend Micro.

DoS attack takes down Hootsuite

An email sent out to the social media management platform's users states that the assault began Thursday at 6:45 a.m. PST, making the service temporarily unavailable.

"Gangs Beyond Borders" report charts Calif.'s battle with cyber crime

On Thursday, California Attorney General Kamala Harris released the 118-page report on international criminal groups targeting the state.

Breaches, malware to cost $491 billion in 2014, study says

A study by IDC and the National University of Singapore also found a close link between pirated software and cyber security breaches.

What the SEA stole from McCain's office, and much more, compiled in report

An IntelCrawler report shines some new light on the Syrian Electronic Army, including its attacks, tactics, members and more.

Hacked EA Games server puts Apple IDs and card data at risk

Apple ID accounts, payment card data and other personal information are at risk for victims of a fairly convincing phishing scam being hosted on a compromised EA Games server.

Authorities arrest infamous hacker "Diabl0" in Bangkok

Farid Essebar, also known as Diabl0, previously served prison time for his role in creating the Zotob worm.

Unpatched servers still enabling exploitation of two-year-old PHP vulnerability

A PHP vulnerability originally disclosed in March 2012, and revised in October 2013 after a hacker found an easier way to exploit it, is still affecting users after all these years.

Darlloz variant infects Intel systems to mine Dogecoins, MinCoins

The Darlloz worm installs coin mining software on infected computers running Intel x86 architectures.

Communication, social media are riskiest mobile apps, report says

After analyzing 200,000 Android apps, Marble Security Labs found that communication apps pose the greatest risk, while game apps were the least risky.

$30 RAT, WinSpy, involved in two phishing campaigns

Researchers with FireEye have identified two phishing campaigns involving a remote administration tool known as WinSpy, which also comes packaged with an Android component known as GimmeRAT.

"Windigo" Op infected 25,000 servers to bolster spam, malware campaign

After compromising Unix and Linux servers, attackers make money by redirecting users to advertisements or exploit pages that serve malware.

Three fraudsters indicted for roles in global cyber crime scheme

Three men on their way to scoring more than $15 million in a cyber crime scheme instead scored formal charges in New Jersey District Court for their alleged roles in the international conspiracy, according to an indictment.

IBM to clients: No data, source code handed over to NSA

The software and IT services giant published an open letter to its clients on Friday.

SC Magazine partner, Norwich University, named a top security school

Vermont-based Norwich University, a longtime SC Magazine collaborator, ranked second in the 2014 Best Schools for Cybersecurity study by the Ponemon Institute and sponsored by HP Enterprise Security.

DDoS attacks against NATO likely DNS amplification or NTP reflection, expert suggests

A distributed denial-of-service attack carried out against various NATO websites on Sunday was likely a Domain Name Server amplification attack or a Network Time Protocol reflection attack, or a combination of both.

Sally Beauty changes tune, says customer data was accessed in breach

After claiming it saw no evidence that payment card data was taken in a breach, the chain now says fewer than 25,000 records were "illegally accessed."

Researcher finds easier way to exploit iOS 7 kernel vulnerabilities

A security researcher published a white paper on Wednesday that breaks down exactly how the Early Random PRNG, which protects mobile operating systems from kernel exploits, is vulnerable to brute force.

Syrian Electronic Army claims it obtained U.S. Central Command docs via hack

On Friday, the hacktivist group threatened to release the data, including "hundreds of documents" it obtained, in coming days.

Trojan makes rounds on Facebook via IMs

Security site Malwarebytes.org first warned users about the threat targeting Windows users.

Transaction malleability Bitcoin flaw may have ruined Mt. Gox

Mt. Gox bankruptcy documents filed in the U.S. on Sunday refer to a Bitcoin flaw known as transaction malleability, which may have caused the Tokyo-based company to lose half a billion dollars in the virtual currency.