Threatpost for B2B

The First Stop For Security News

Apple Implements Email Encryption in Transit For iCloud

Thu, 07/17/2014 - 13:26
Apple quietly began encrypting virtually all of the email flowing in and out of its servers for its iCloud.com, mac.com and me.com domains, a move that throws up an important roadblock for attackers and others attempting to snoop on those transmissions.

Chrome for Android Update Fixes Critical URL Spoofing Bug

Thu, 07/17/2014 - 12:38
The latest update to Chrome on Android fixes two bugs, including a critical flaw in the browser that could have let an attacker trick a user into visiting a malicious site.

Cisco Patches Wireless Residential Gateway Vulnerabilities

Thu, 07/17/2014 - 10:20
Cisco patched a critical remote code execution bug in its Cisco Wireless Residential Gateway product.

Five Vulnerabilities Fixed in Apache Web Server

Thu, 07/17/2014 - 09:58
There are five vulnerabilities fixed in the latest release of the Apache Web server, including a buffer overflow and several denial-of-service vulnerabilities. Fixes for these flaws have landed in the developer release of the server, 2.4.10-dev. The buffer overflow vulnerability is rated moderate by the Apache Software Foundation, but it could be used for remote code […]

Content Security Policy Mitigates XSS, Breaks Websites

Wed, 07/16/2014 - 16:20
An easily available and stout defense against cross-site scripting - content security policy - is sparsely deployed because it is not compatible with most websites.

Researchers Say Password Re-Use Isn’t All Bad

Wed, 07/16/2014 - 13:40
A paper published by Microsoft and researchers at Carleton University declares that password re-use and weak credentials have their place for users managing multiple accounts.

OpenVPN Warns Customers of CSRF Bug in Access Server Desktop Client

Wed, 07/16/2014 - 11:39
OpenVPN is advising users of its Desktop Client to upgrade as soon as possible to avoid attacks against a CSRF vulnerability that can allow remote code execution. The vulnerability lies in a product that the company no longer supports and considers obsolete. An attacker could exploit the vulnerability if a user running a vulnerable version visits […]

Large-Scale DDoS Attacks Continue to Spike

Wed, 07/16/2014 - 10:05
Although the average size of a given DDoS attack is going down, the number of attacks at the upper end of the scale is increasing, with researchers at Arbor Networks reporting more than 100 attacks of 100 Gbps in the first half of this year. In order for a DDoS attack to be effective, bad […]

‘Overblown’ LibreSSL PRNG Vulnerability Patched

Wed, 07/16/2014 - 08:25
The OpenBSD project patched a vulnerability in the LibreSSL random number generator; both sides of the issue concede the test program used to trigger the flaw was either unusual or unrealistic.

Early Review of LibreSSL Finds Problematic PRNG

Tue, 07/15/2014 - 15:48
A critical vulnerability was reported in the random number generator in LibreSSL, a fork of OpenSSL. LibreSSL preview versions were released this weekend.

SSL Black List Aims to Publicize Certificates Associated With Malware

Tue, 07/15/2014 - 13:25
The new SSL Black List is a public list of certificates associated with a variety of malicious operations, including botnets, malware campaigns and banking Trojans.

Google Set to Change Malware, Phishing Warnings Following Study

Tue, 07/15/2014 - 12:40
Google will soon change the way it displays malware and phishing warnings in its Chrome browser to give users a better idea of the risk and to help them make a decision.

New Kronos Banking Malware Advertised On Russian Forums

Tue, 07/15/2014 - 11:30
Researchers have spotted a new banking Trojan advertised for sale on Russian forums. Kronos promises features that help it evade detection and analysis, such as a Ring3 rootkit.

Google Project Zero May Prove a Big Win for Security

Tue, 07/15/2014 - 10:58
Google is focusing some of the sharpest minds it has on a new security initiative known as Project Zero that will dig into the critical software that the Internet and its users depend upon and find new vulnerabilities.

Five Year Old Phishing Campaign Unveiled

Mon, 07/14/2014 - 16:04
Active for about five years, a campaign in which attackers have pilfered victims’ credentials from Google, Yahoo, Facebook, Dropbox and Skype was recently revealed.

Outside Panel Finds Over-Reliance on NSA Advice Led to Dual EC Problems

Mon, 07/14/2014 - 13:47
A group of outside experts found that the process that led to the inclusion of the weakened Dual_EC_DRBG random number generator in a NIST standard was flawed and that there were several failures along the way that led to its approval. The committee also recommended that the National Institute of Standards and Technology increase the number of […]

Oracle Clarifies XP Support Ahead of Quarterly Patches

Mon, 07/14/2014 - 12:45
Oracle is expected to release 113 patches across its product lines as part of its quarterly Critical Patch Updates.

First Version of LibreSSL Debuts

Mon, 07/14/2014 - 11:23
An early version of LibreSSL, a fork of OpenSSL developed by the OpenBSD Foundation, was released for a number of platforms beyond OpenBSD.

LastPass Fixes a Pair of Security Flaws

Mon, 07/14/2014 - 09:58
LastPass, the popular password manager for most of the top Web browsers, has fixed a couple of vulnerabilities that could have allowed an attacker to target users and generate his own one-time passwords for the victim’s account. The company said that its security team hasn’t seen any active attacks exploiting these vulnerabilities and doesn’t think that […]

Possible New Version of GameOver Zeus Malware Emerges

Fri, 07/11/2014 - 13:55
It’s only been a little more than a month since the FBI and Europol took down the GameOver Zeus botnet, taking control of its command-and-control infrastructure and effectively cutting off the malware’s head. But researchers say that there are some indications that a new strain of the malware may already be active again. GameOver Zeus […]