Threatpost for B2B
VANCOUVER--The Pwn2Own contest has evolved in many ways over the years, from new rules to new targets to larger prizes, but perhaps the one thing that has changed the most is that the researchers who show up here every year hoping to go home with a bag full of money are having to spend more and more time finding and exploiting vulnerabilities in the browsers and plug-ins in play. The research team at VUPEN, which successfully compromised Internet Explorer 10 on Windows 8 spent several months finding the flaws they used and writing the expoits.
VANCOUVER--When Peiter Zatko, the security researcher and pioneering hacker known as Mudge, joined the federal government several years ago to help run a DARPA research program, some in the security industry wondered what effect someone with his background could have in an organization as famously change-resistant and slow as the Department of Defense. As it turns out, the Cyber Fast Track program he started has been a huge success and though the CFT is ending in less than a month, the program may well serve as a model for other agile research programs inside the U.S. government.
On the one year anniversary of Google Play comes news that a new botkit is making the rounds that leverages actual verified accounts from that marketplace to trick users into downloading phony banking applications.
A number of U.S. banks are dealing with online service disruptions as hacktivists reportedly have launched another round of distributed denial of service (DDoS) attacks against financial institutions.
Researchers at Seculert have discovered a link between spear phishing campaigns targeting Japanese and Chinese journalists, post-Mandiant’s APT1 report, and domains connected to the Aurora attacks on Google and the Shady RAT campaign.
Facebook users are sharing less information publicly, yet continue to share countless bits of information with what one group of researchers has dubbed “silent listeners.”
Google today revealed - if in vague terms - it last year received less than 1,000 "national Security letters" from federal authorities seeking financial and communications data on up to almost 2,000 individuals. The disclosure of such government requests marks a first for a major Internet service provider.
A vulnerability in sudo – a program that manages user privileges on certain types of systems – could allow an unauthenticated user to execute commands for about five minutes, without entering a password.
Oracle’s new security model for Java, in place since the release of Java 7 update 11, is under serious fire now that attackers have demonstrated in the wild how to bypass the updated controls with the help of social engineering.
The new year is barely two months old and it's already been a brutal one for the disclosure of new vulnerabilities. Java, Adobe Reader, Flash, Google Chrome and a number of other widely deployed applications have all been hit with a slew of serious bugs in just the last few weeks. And that's likely to get worse this week as researchers convene in Vancouver for the Pwn2Own and Pwnium hacking contests.
Researchers have found an earlier version of the MiniDuke espionage malware that dates to June 2011 - almost a year ahead of the previously oldest variant designed to spy on NATO, European governments and U.S. research and think tanks. Unlike the cyberspyware discovered last week, this one embedded a U.S. Navy clock, not one running on Chinese time.
Oracle has once again released an emergency Java update to patch zero-day vulnerabilities in the browser plug-in, the fifth time it has updated the platform this year. Today’s update patches CVE-2013-1493 and CVE-2013-0809, the former was discovered last week being exploited in the wild for Java 6 update 41 through Java 7 update 15.
Mozilla chief privacy officer Alex Fowler relayed a vivid anecdote last week during RSA Conference 2013 that illustrates the lengths third parties such as advertisers, data brokers and others who traffic in users’ online behavior will go to track you once you land on a website.
Similar to what Mozilla did in its Firefox browser earlier this year, Apple has elected to block old, out-of-date versions of Adobe’s Flash Player product in Safari in hopes of getting users to update their systems.
A vulnerability exists in Samsung devices running Android version 4.1.2 that could give unauthenticated users the ability to circumvent the screen lock and view the home screen, run apps, and reach out to contacts without successfully completing Android’s pattern lock, PIN, password or Face Unlock mechanisms.
Giving a prolific bug hunter an excuse to go poking deeper into a potential security issue generally doesn’t end well or the vendor in question—in this case Oracle. Polish security firm Security Explorations, noteworthy for its Java security research, said today it reported five new vulnerabilities in Java SE 7 to Oracle. If combined, researcher Adam Gowdiak said, they can be used to gain a complete bypass of the Java sandbox.
Evernote, the online service that enables users to store and sync all kinds of data across multiple devices, has become the latest major Web property to suffer a serious intrusion. The company said on Saturday that attackers had compromised some user information, including email addresses and hashed passwords.
With Dennis Fisher out of pocket at the RSA Conference in San Francisco, Ryan Naraine hijacks the Digital Underground podcast and gets on the phone with Kaspersky Lab research guru Costin Raiu to talk about the intricacies of the miniDuke malware campaign.
You are missing some Flash content that should appear here! Perhaps your browser cannot display it, or maybe it did not initialize correctly.