Threatpost for B2B

The First Stop For Security News

Threatpost News Wrap, April 25, 2014

Fri, 04/25/2014 - 10:00
Dennis Fisher and Mike Mimoso discuss the Apple OSX and iOS patches, the continuing OpenSSL Heartbleed soap opera and the Verizon DBIR report.

Google Changes Ciphers in OpenSSL for Chrome on Android

Fri, 04/25/2014 - 09:50
The emergence of mobile platforms such as iOS and Android has presented a number of challenges in terms of security. Not much can be done about some of these, like users leaving their phones in bars. But engineers at Google have been working on one of the thornier ones of late: how to provide solid encryption […]

Apache Warns of Faulty Zero Day Patch for Struts

Thu, 04/24/2014 - 15:48
UPDATE - The Apache Software Foundation will re-issue a patch for a ClassLoader manipulation zero-day vulnerability in Struts. The fix is expected to be ready within 72 hours; a workaround is available.

NetSupport Manager Vulnerability Could Lead to Data Leakage

Thu, 04/24/2014 - 14:29
A vulnerability in NetSupport Manager could yield sensitive configuration settings and lead to compromise.

DDoS Attacks an Increasing Cover for Theft, Fraud

Thu, 04/24/2014 - 14:03
DDoS attacks are growing in scale and volume, and experts say attackers are also using them as a cover for secondary attacks resulting in financial fraud or loss of intellectual property.

Mozilla Offers Bug Bounty for New Certificate Verification Library

Thu, 04/24/2014 - 12:17
Mozilla is offering a $10,000 bug bounty for serious security vulnerabilities in a new certificate verification library it plans to release along with Firefox 31.

Group Backed by Google, Microsoft to Help Fund OpenSSL and Other Open Source Projects

Thu, 04/24/2014 - 10:08
After the dust had started to settle in the wake of the OpenSSL Heartbleed vulnerability earlier this month, one of the common sentiments that emerged was that the small group developing and maintaining the software needed some help. And money. And resources. But mostly money. Now, the OpenSSL Foundation, along with a number of other […]

New NIST Tool Streamlines Government App Vetting

Wed, 04/23/2014 - 15:19
Developers who produce apps intended for use on internal networks at government agencies are getting a vetting process of their own called AppVet.

Google Adding Security Checks to Non-OAuth 2.0 Compliant Apps

Wed, 04/23/2014 - 14:49
Google announced it will add security checks to log-in attempts from applications or devices that do not support OAuth 2.0.

LibreSSL Sticks a Fork in OpenSSL

Wed, 04/23/2014 - 12:57
LibreSSL, a fork of OpenSSL, has already made "improvements" in OpenSSL programming practices according to OpenBSD officials.

Iowa State Hacked to Mine Bitcoins

Wed, 04/23/2014 - 11:25
Officials at Iowa State University said Tuesday that the personal data of nearly 30,000 alumni, including Social Security numbers, was compromised during a data breach.

OpenSSL Heartbleed Highlights Crypto Pitfalls

Wed, 04/23/2014 - 09:36
There is no shortage of bad advice online about crypto, or anything else, for that matter. And the recent mess involving the OpenSSL Heartbleed vulnerability has brought out plenty of advice on building, implementing and repairing cryptosystems, but experts say that the fundamental truths about how to do these tasks haven't changed much. Cryptosystems are the […]

NIST Removes Dual EC from Draft Guidance on RNGs

Tue, 04/22/2014 - 17:06
NIST announced it has removed the Dual EC DRBG random number generator from a draft guidance on RNGs; the move could become official next month after a public comment period expires.

AOL Email Hacked by Spoofers to Send Spam

Tue, 04/22/2014 - 16:20
A slew of old AOL email accounts were hacked over the weekend to send spam to other users.

Apple Fixes Serious SSL Issue in OSX and iOS

Tue, 04/22/2014 - 15:47
Apple has fixed a serious security flaw that’s present in many versions of both iOS and OSX and could allow an attacker to intercept data on SSL connections.

DBIR: Poor Patching, Weak Credentials Open Door to Data Breaches

Tue, 04/22/2014 - 12:44
Weak or default credentials, poor configurations and a lack of patching are common denominators in most data breaches, according to the 2014 Verizon Data Breach Investigations Report.

DBIR: Point-of-Sale Breaches Trending Downward

Tue, 04/22/2014 - 00:01
The 2014 Verizon Data Breach Investigations Report reveals that point-of-sale intrusions are down, Web application attacks are up, and DDoS and cyberespionage attacks merit watching.

CloudFlare Launches Bug Bounty Program

Mon, 04/21/2014 - 15:45
CloudFlare is launching a new vulnerability disclosure program in conjunction with the HackerOne bug-bounty platform.

Oracle Gives Heartbleed Update, Patches 14 Products

Mon, 04/21/2014 - 13:55
Amidst all of the fallout related to Heartbleed, Oracle is doing its best to keep users apprised of its efforts to patch any and all software that may be vulnerable to the OpenSSL issue.

OpenICS Decodes Control System Traffic, Builds Data Dictionaries

Mon, 04/21/2014 - 13:49
An ICS protocol sniffer has been released to GitHub. OpenICS builds data dictionaries, rather than signatures, from the packets it captures in order to help business leaders make security decisions.