Threatpost for B2B

The First Stop For Security News

Apple iOS 6.1.3 Fixes Evasion Jailbreak Bug, WebKit Flaw

Tue, 03/19/2013 - 15:07

Apple has patched a handful of security vulnerabilities in iOS, including a bug that was used for the latest iPhone jailbreak tool, called Evasion. Apple iOS 6.1.3 has patches for six vulnerabilities, including the screen lock bypass bug and a flaw in WebKit that can be used to execute arbitrary code.

Attacks on SCADA, ICS Honeypots Modified Critical Operations

Tue, 03/19/2013 - 15:04

With antiquated gear running the country’s industrial control systems that oversee critical infrastructure, it’s no shock attackers targeting SCADA networks do their fair share of reconnaissance looking for weak spots in that equipment.

T-Mobile Wi-Fi Calling Feature Susceptible to Man-in-the-Middle Snooping

Tue, 03/19/2013 - 13:27

The default “Wi-Fi Calling” feature on T-Mobile devices that lets millions of Android users make phone calls over a wireless Internet connection contains a vulnerability that could be exploited to perform man-in-the-middle (MiTM) attacks.

Ruby on Rails Patches DoS, XSS Vulnerabilities

Tue, 03/19/2013 - 12:31

The developers of Ruby on Rails, the popular web app framework, released four new versions of the product yesterday, complete with fixes for a series of vulnerabilities that could have led to denial of service attacks and XSS injections.

Four vulnerabilities in total are addressed in versions 3.2.13, 3.1.12 and 2.3.18 of Rails, according to a post to the company’s blog on Monday. “All versions are impacted by one or more of these security issues,” according to the post.

Google Serves Up a Half Slice of Pwnium Cash for Pinkie Pie

Tue, 03/19/2013 - 10:05

Depending upon your perspective, the third iteration of Google Pwnium at this year's CanSecWest conference was either a mild failure or a huge success. No researchers were able to come up with a full compromise of the Chrome OS, the target in this year's contest, but Google said this week that it did receive a partial qualifying entry from one researcher and awarded him $40,000 for his efforts.

Using Kernel Exploits to Bypass Sandboxes for Fun and Profit

Mon, 03/18/2013 - 15:49

Researchers and attackers alike are quickly discovering you don’t need a fancy Java or Flash exploit to beat application sandboxes. Exploiting an unpatched kernel vulnerability in the underlying operating system, one that’s likely to stay unpatched for a long time, will do just fine.

GAO: Flaws in IRS Network Could Put Taxpayer Information in Jeopardy

Mon, 03/18/2013 - 14:35

The United States Government Accountability Office (GAO) believes that “serious weaknesses remain” in the ways that the Internal Revenue Service handles its internal network, problems that could directly implicate taxpayer data, according to a report the regulatory group released on Friday.

How To: Chrome Browser Privacy Settings

Mon, 03/18/2013 - 13:20

The Web browser is the primary portal through which the vast majority of connected users access and interact with the Internet. Each browser has its own security and privacy settings and those settings have an enormous impact on the nature of the relationship between users’ data and the services they encounter online. Google’s Chrome browser has extensive, easy to navigate privacy settings that let users manage everything from digital certificates to location tracking to “Do Not Track” requests.

Flaw Leaves EA Origin Platform Users Open to Attack

Mon, 03/18/2013 - 11:42

Five years ago, a pair of security researchers wrote a book called Exploiting Online Games in which they described a number of ways in which attackers could take advantage of weaknesses in the protection systems for various gaming platforms. Now, with online gaming having emerged as a massive business, other researchers have picked up the ball and begun finding serious flaws. The latest vulnerability to be disclosed is in EA's Origin online game-delivery system, which researchers from ReVuln have shown can be exploited remotely to run malicious code on users' machines.

Third-Party Applications to Blame for 87 Percent of Vulnerabilities Last Year

Fri, 03/15/2013 - 14:36

Third-party applications accounted for a whopping percentage of vulnerabilities last year, many more than security flaws found in Microsoft programs, according to a report released this week by Danish vulnerability research firm Secunia.

Ramnit Malware Back and Better at Avoiding Detection

Fri, 03/15/2013 - 12:41

The Ramnit malware family has been given a facelift with new anti-detection capabilities, a troubleshooting module, as well as enhanced encryption and malicious payloads.

Apple Fixes OS X Flaw That Allowed Java Apps to Run With Plugin Disabled

Fri, 03/15/2013 - 10:21

Apple on Thursday released a large batch of security fixes for its OS X operating system, one of which patches a flaw that allowed Java Web Start applications to run even when users had Java disabled in the browser. OS X 10.8.3 fixes 21 total vulnerabilities, and also includes a new version of the malware removal tool for Apple machines.

Reuters Editor Indicted for Helping Hackers Break Into Tribune Co.

Thu, 03/14/2013 - 22:03

A Reuters social media editor on Thursday was charged with helping hackers break into the Tribune Co.'s network shortly after he was fired from a Sacramento television station in Fall 2010.

A U.S. Eastern District grand jury in Sacramento handed down a three-count indictment against Matthew Keys, 26, of Secaucus, N.J., for conspiracy to transmit information to damage a protected computer and transmitting or attempting to transmit that information. The combined counts carry a potential penalty of 25 years' imprisonment and $750,000 in fines.

Reuters Editor Indicted for Allegedly Helping Hackers Break Into Tribune Co.

Thu, 03/14/2013 - 22:02

UPDATE -- One of Matthew Keys' lawyers told The Huffington Post on Friday that his client was working as an "undercover" journalist when he engaged members of Anonymous in an IRC channel offering login credentials for Tribune Co. servers.

Keys, 26, of Secaucus, N.J., was suspended with pay from Reuters news service on Thursday after the social media editor was charged with helping hackers break into the Tribune Co.'s network shortly after he was fired from a Sacramento television station in Fall 2010.

Attack Exploits Weakness in RC4 Cipher to Decrypt User Sessions

Thu, 03/14/2013 - 15:37

It's been more than 25 years since Ron Rivest invented his RC4 stream cipher, and after all that time it's still being used widely, which is something of an achievement in the crypto world. However, for more than 15 years researchers have known about a weakness in RC4 that could enable an attacker to decrypt the keystream. Now, a cryptographer has published an attack that exploits that vulnerability and causes serious problems with TLS implementations.

New Attacks Leverage Adobe Sandbox Bypass Against Uyghur Activists

Thu, 03/14/2013 - 12:06

Attackers with a control infrastructure based in China are leveraging the same vulnerability exploited by Miniduke to attack Uyghur and Tibetan activists with new exploits.

Malware Discovery Forces National Vulnerability Database Offline

Thu, 03/14/2013 - 11:51

The website of the National Vulnerability Database (NVD) remains down today, six days after malware was reportedly found on its servers.

Google Removing Ad-Blocking Apps From Play Android Market

Thu, 03/14/2013 - 11:43

Google, which has been a favorite target of privacy advocates for the last few years, has taken another step that's unlikely to endear the company to that crowd or Android users. The company has begun removing ad-blocking apps from the Google Play Android app market, apparently for violating the terms of service.

NSA Director Alexander: US Building Cyberattack Teams

Thu, 03/14/2013 - 10:12

More rhetoric is coming out of Washington regarding the use of malware as an auxiliary weapon to bombs and bullets. National Security Agency leader Gen. Keith Alexander told a House Armed Services Committee yesterday that his new Cyber Command will be ready to retaliate should the United States' critical infrastructure come under cyberattack.

Top Credit Agencies Admit Celebrities' Data Stolen

Wed, 03/13/2013 - 21:18

The top credit bureaus have admitted someone accessed prominent Americans' private data by filling out bogus requests via a Web site used by millions of consumers to access free annual credit reports.
