Quick Security Alerts for the Week Ending 11/11/2012

Posted onNovember 12, 2012November 12, 2012Leave a comment

Wanted: German security developers for new, homegrown spyware, Ars Technica
Side-Channel Attack Steals Crypto Key from Co-Located Virtual Machines, threatpost
Malware disguised as an MMS message, The H Security: News and Features
Android Smishing Vulnerability Found in Android Open Source Project Firmware, threatpost
Android 4.2 warns against malicious apps and premium rate texts, The H Security: News and Features
Adobe Ships Election Day Security Update for Flash — Krebs on Security, krebsonsecurity.com
Android vulnerability allows phishing texts, The H Security: News and Features
Google Patches 14 Flaws in Chrome 23, threatpost
Privacy in Ubuntu 12.10: Full Disk Encryption, Electronic Frontier Foundation
M3AAWG Recommends New DKIM Best Practices, threatpost
Chrome 23 closes holes, promises longer battery life, The H Security: News and Features
Do Not Track finally arrives with version 23 of Chrome, Ars Technica
Detecting CSRF vulnerabilities, The H Security: News and Features
Skype accused of ratting out user to private security without warrant, The Register
Gaping hole in Google service exposes thousands to ID theft, The Register
QuickTime for Windows updated to close security holes, The H Security: News and Features
Alleged 0day exploit for Adobe Reader in circulation, The H Security: News and Features
Update: Adobe Working to Confirm New Reader Zero-Day Sandbox-Bypass Exploit, threatpost
Twitter resets ‘hacked’ passwords after being compromised, BBC News
Twitter Says It Was Not Hacked, NYTimes.com
Security issue discovered in TOR client, Update at The H Security: News and Features
Memory Bug Fixed in Tor Client, threatpost
Worth Reading: Dropbox is “quite secure”, The H Security: News and Features

Quick Security Alerts for the Week Ending 11/4/2012

Posted onNovember 4, 2012November 4, 2012Leave a comment

3.6 Million South Carolina Taxpayers at Risk of ID Theft, threatpost
Critical security holes closed in Firefox 16 and Thunderbird 16, The H Security: News and Features
Another systematic SCADA vuln, The Register
Physical Keygen: Duplicating House Keys on a 3D Printer, eclecticc via Gnat’s Four Short Links on O’Reilly Radar
EFF calls Ubuntu Shopping Lens a “major privacy problem”, p developers are weak link for Android security
California Attorney General Puts Mobile App Developers on Notice, threatpost
Huawei sends team of engineers to discuss router security revelations with hacker, ZDNet
Staying safe online: Using a password manager just isn’t enough, ExtremeTech
Tell-tale status pages, The H Security: News and Features
Windows 8 ‘penetrated’ says firm which sells to world’s spy agencies, The Register
Misconfigured Apache sites expose user passwords, other private data, Ars Technica
Preloading HSTS, Mozilla Security Blog
OpenBSD 5.2 Released, Slashdot
Apple releases iOS 6 and Safari security updates, The H Security: News and Features
Facebook flaw bypasses password protections, BBC News
More Than 25% of Android Apps Know Too Much About You, Slashdot
PayPal Security Holes Expose Customer Card Data, Personal Details, Slashdot

Quick Security Alerts for the Week Ending 10/28/2012

Posted onOctober 28, 2012October 28, 2012Leave a comment

Android apps ‘leak’ personal details, BBC News
French hacker captures €500,000 with smartphone trojan, The H Security: News and Features
Researcher Develops Patch for Java Zero-Day, Puts Pressure on Oracle to Deliver its Fix, threatpost
‘Looming menace’ of evil browser extensions to be demo’d this week • The Register, The Register
CyanogenMod logged lockscreen swipe gestures, The H Security: News and Features
CyanogenMod Fixes Flaw That Logged Users Unlock Codes, threatpost
Introducing the USB Stick of Death, j00ru//vx tech blog via Four Short Links
Why Mozilla should join the CryptoParty, The H Open: News and Features
Adobe Plugs Several Buffer Overflow Holes in Shockwave Player, threatpost
Fake PayPal Emails Distributing Malware, threatpost
How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole, Threat Level at Wired.com
Attacking TrueCrypt, The H Security: News and Features
The 25 worst passwords of the year, The H Security: News and Features
Attackers Turn to Open DNS Resolvers to Amplify DDoS Attacks, threatpost
Phony certificates fool faulty crypto in apps from AIM, Chase, and more, Ars Technica
US-CERT warns DKIM email open to spoofing, The Register
SSL Vulnerabilities Found in Critical Non-Browser Software Packages, threatpost
Boarding pass barcodes ‘can be read by smartphones’, BBC News
Backdoor in computer controls opens critical infrastructure to hackers, Ars Technica
4 Simple Changes to Stop Online Tracking, Electronic Frontier Foundation
TPM Chip in Windows 8 Lays Foundation for Widespread Enhancements to Hardware-Based Security, threatpost
DoS vulnerability affects older iPhones, Droids, even a Ford car, Ars Technica
Patch Available for Broadcom Mobile Device Firmware DoS Vulnerability, threatpost

Quick Security Alerts for the Week Ending 10/21/2012

Posted onOctober 22, 2012October 22, 2012Leave a comment

Precision Espionage miniFlame Malware Tied to Flame, Gauss, threatpost
Ever Wondered What a Live Botnet Looks Like?, Technology Review
Eugene Kaspersky Unveils Plans for New Secure SCADA OS, threatpost
New Zealand government computers leak sensitive data, The H Security: News and Features
Phishy Direct Messages Link to Fake Twitter Sign-in Page, threatpost
Zero-Day Attacks Thrive for Months Before Disclosure, threatpost
Android malware, FUD, and the FBI, ZDNet
CAPTCHA-busting service relies on CAPTCHA to block bots, The Register
Steam spawns vulnerabilities, say researchers, The Register
Pacemakers, defibrillators open to attack, The Register
Hackers Exploit ‘Zero-Day’ Bugs For 10 Months On Average Before They’re Exposed, Forbes via Slashdot
A lesser-known new feature in iOS 6: It’s tracking you everywhere • The Register, The Register
Critical Java Patch Plugs 30 Security Holes, Krebs on Security
Adobe Extends Security of Reader and Acrobat With Better Sandbox, Force ASLR, threatpost
Computer Viruses Are “Rampant” on Medical Devices in Hospitals, Technology Review
Analysts Warn Online Voter Registration Is Vulnerable to Hacking: DCist, dcist.com
New Verizon Marketing Initiative May Violate Users’ Privacy, threatpost
Android APK 4.2 teardown shows Google getting serious about security, Ars Technica
Adobe Reader and Acrobat get another layer of security, Ars Technica
Apple updates Java for older Mac OS X – kills browser plugin, The H Security: News and Features
Requesting Sensitive Data Via Google Docs: Phishing Really is That Easy, threatpost
Spammers Using Shortened .gov URLs, Slashdot

Quick Security Alerts for the Week Ending 10/14/2012

Posted onOctober 14, 2012October 14, 2012Leave a comment

US law makers against Huawei and ZTE, The H Security: News and Features
Critical Adobe Flash Player Update Nixes 25 Flaws, Krebs on Security
Huawei says US probe had ‘predetermined outcome’, The Register
To Keep Passwords Safe from Hackers, Just Break Them into Bits, Technology Review
Flaws Allow Every 3G Device To Be Tracked, Slashdot
Worm spreading on Skype IM installs ransomware, Security & Privacy at CNET News
Surprise! Microsoft patches latest IE10 Flash vulns on time, The Register
HTTPS Everywhere 3.0 protects 1,500 more sites, Electronic Frontier Foundation
Botnet maps the entire internet, The H Security: News and Features
Chrome Extension Protects Privacy Against Google, Facebook & 1,000 Other Sites, ReadWriteWeb
Confirmed: Apple-owned fingerprint software exposes Windows passwords, Ars Technica
Microsoft Patches Windows, Office Flaws, Krebs on Security
Phil Zimmermann’s New App Protects Smartphones From Prying Ears, Slashdot
Microsoft to devs: Bug users about security … now!, The Register
Mozilla closes numerous critical holes in Firefox 16, The H Security: News and Features
RSA splits passwords in two to foil hackers’ attacks, BBC News
RSA boss demands revamp of outdated privacy, security regs, The Register
RSA Boss Angers Privacy Advocates, Slashdot
BIND DNS server updates close critical hole, The H Security: News and Features
In Under 10 Hours, Google Patches Chrome To Plug Hole Found At Its Pwnium Event, Slashdot
Use Microsoft Outlook? Patch It Now! New Flaw Attacks Via Email Previews, ReadWriteWeb
Security Vulnerability in Firefox 16, Mozilla Security Blog
Firefox 16.0.1 Ready After Serious Vulnerability Forced Mozilla to Suspend Availability, threatpost
Exploit Code Released Targeting Firefox 16 Vulnerability, threatpost
Mozilla Details How Old Plugins Will Be Blocked In Firefox 17, Slashdot
Google May Soon Scan Your Android Apps For Malware, Slashdot

Quick Security Alerts for the Week Ending 10/7/2012

Posted onOctober 7, 2012October 7, 2012Leave a comment

New Android Malware App Turns Phone into Surveillance Device, threatpost
DSL modem hack used to infect millions with banking fraud malware, Ars Technica
Internet Explorer security examined, The H Security: News and Features
Authentication Implications in Uniquely Identifiable Graphics Cards, threatpost
Graphics Cards: the Future of Online Authentication?, Slashdot
Researchers testing Android security with mega network, TechHive
Zombie-animating malnets increase 300% in just 6 months, The Register
4.5 million routers hacked, The H Security: News and Features
New Strain of Man-in-the-Browser Malware Refines Data Sent to Attacker in Real Time, threatpost
Team Ghost Shell Claims to Publish Records from Thousands of Universities, threatpost
HSTS becomes IETF proposed standard, The H Security: News and Features
Some WordPress Themes, Thousands of Sites Open to XSS Vulnerability, threatpost
Security Experts Recommend Long, Hard Look at Disabling Java Browser Plug-In, threatpost
iOS 6 closes configuration hole, The H Security: News and Features
Refined hack opens locked hotel rooms–with a magic marker, ExtremeTech
Malware Signed by Adobe Certificate Only Used in Limited Targeted Attacks, threatpost
Microsoft to fix critical Word vulnerability on Tuesday, The H Security: News and Features
New Tactics Helping Toll Fraud Malware on Android Avoid Detection, threatpost
When Will We See Collisions for SHA-1?, Schneier on Security
Over 60% of Android Malware Hides In Fake Versions of Popular Apps, Slashdot
Faux Apps Found Hijacking Chrome, Spamming Tumblr, threatpost
How About Some Antivirus with that Smartphone Plan?, Technology Review
Brazil to roll out national radio-chip ID/surveillance/logging for all vehicles, Boing Boing
Mozilla To Bug Firefox Users With Old Adobe Reader, Flash, Silverlight, Slashdot

Quick Security Alerts for the Week Ending 9/20/2012

Posted onSeptember 30, 2012September 30, 2012Leave a comment

Google Go language gets used: For file-scrambling trojan, though, The Register
Tiny Evil Maid CHKDSK Utility Can Steal Passwords, threatpost
Security Vulnerability in Windows 8 Unified Extensible Firmware Interface (UEFI), Schneier on Security
Forthcoming SHA-3 Hash Function May Be Unnecessary, threatpost
Lieberman pushes for mandatory standards in White House cyber order, The Hill’s Hillicon Valley
Exhaust all of DES and crack any MS-CHAPv2-based VPN for a mere $20, Boing Boing
New Twitter-Based Malware Uses Direct Messaging to Spread, threatpost
Apple fixes security vulnerabilities with Apple TV 5.1 update, The H Security: News and Features
A single web link will WIPE Samsung Android smartphones, The Register
Questions abound as malicious phpMyAdmin backdoor found on SourceForge site, Ars Technica
Researcher Finds 100k IEEE.org Passwords Stored in Plain-Text on Public FTP Server, threatpost
Published Threat Intelligence, Not Cybersecurity Laws, Is What’s Needed, threatpost
New Java Vulnerability Found Affecting Java 5, 6, and 7 SE, Slashdot
SourceForge Investigates Backdoor Code Found in Copy of phpMyAdmin, threatpost
The Browser Exploitation Framework Project, BeEF
Rent-to-own laptops were spying on users, The H Security: News and Features
Security fixes dominate in Google’s Chrome 22, The H Security: News and Features
A death blow for PPTP, The H Security: News and Features
App protects Samsung smartphones against remote wiping, The H Security: News and Features
Samsung Fixes Remote Wipe Flaw in Galaxy S III Smartphones, threatpost
Android smartphones: USSD calls can kill SIM cards, The H Security: News and Features
Valid Adobe Certificate Used to Sign Malicious Utilities Common in Targeted Attacks, threatpost
Adobe to revoke crypto key abused to sign malware apps (corrected), Ars Technica
ASIC Seeks Power To Read Your Emails, Slashdot
PlaceRaider, an entire new class of visual malware, Beyond The Beyond at Wired.com
Cisco fixes alleged DoS holes, The H Security: News and Features
Android control code issue affects almost all manufacturers, The H Security: News and Features

Quick Security Alerts for Week Ending 9/23/2012

Posted onSeptember 23, 2012September 23, 2012Leave a comment

Google enables Do Not Track in Chrome, The H Security: News and Features
W3C presents draft of browser Web Cryptography API, The H Security: News and Features
Google Online Security Blog: Adding OAuth 2.0 support for IMAP/SMTP and XMPP to enhance auth security, googleonlinesecurity.blogspot.com
Many ways to break SSL with CRIME attacks, experts warn, Ars Technica
New IE Zero-Day Being Exploited In the Wild, Slashdot
Millions of Virgin Mobile accounts at risk of password attacks, Ars Technica
Tool Scans for RTF Files Spreading Malware in Targeted Attacks, threatpost
Latest IE Zero-Day Flaw Tied to Nitro Hackers and Recent Java Zero-Day Exploits, threatpost
Study finds web developers undertake too little vulnerability testing, The H Security: News and Features
‘How I CRASHED my bank, stole PINs with a touch-tone phone’, The Register
Microsoft pledges temporary fix for critical IE bug under attack, Ars Technica
Microsoft Recommends Workarounds to Mitigate Latest IE Zero-Day; Patch Still to Come, threatpost
Stuxnet Tricks Copied by Computer Criminals, Technology Review
Hackers Leak Thousands of Passwords From Large Private BitTorrent Tracker, TorrentFreak
Schneier on Security: Recent Developments in Password Cracking, www.schneier.com
New vicious UEFI bootkit vuln found for Windows 8, The Register
SSL Digital Certificate Security Issues Put CAs on Notice, threatpost
Schneier on Security: Analysis of PIN Data, www.schneier.com
Sprint Responds to Developer’s Disclosure of Virgin Mobile Security Shortcoming, threatpost
Apple closes numerous security holes with iOS 6, The H Security: News and Features
Android Hacked via NFC on the Samsung Galaxy S 3, thenextweb.com via Slashdot
Facebook’s New Plug-In Gives You Better Protection From Embarrassing Overshares, Gadget Lab at Wired.com
More Passwords, More Problems, Technology Review
Apple closes security holes in Mac OS X and Safari, The H Security: News and Features
Microsoft releases fix for IE bug, BBC News
Beyond The Beyond at Wired.com, Elderwood and Flame
Hotmail No Longer Accepts Long Passwords, Shortens Them For You, Slashdot
Microsoft issues IE 10 Flash flaw fix for Windows 8 • The Register, The Register

Quick Security Alerts for the Week Ending 9/16/2012

Posted onSeptember 16, 2012September 16, 2012Leave a comment

Privacy Threat Model for Mobile, freedom-to-tinker.com
Al-Jazeera SMS service attacked by pro-Syrian hackers, BBC News
Microsoft Warns Of Looming Digital Certificate Deadline – Security, Attacks/breaches at Informationweek via Slashdot
Mobile Trojans Rear Their Head, Repressive Governments Go For Their Checkbooks, Motherboard via Slashdot
Majority of Mobile Malware Now Reliant On Toll Fraud, Slashdot
UK to regulate export of spy software, The H Security: News and Features
Foxit Reader 5.4 fixes DLL hijacking vulnerability, The H Security: News and Features
The Password Fallacy: Why Our Security System Is Broken, and How to Fix It, Rachel Swaby at The Atlantic
Fingerprint reader reveals passwords, The H Security: News and Features
Early Windows 8 Users to Remain Vulnerable to Flash Exploits Until October, threatpost
WhatsApp allegedly creates overly simple passwords under iOS too, The H Security: News and Features
Microsoft, Adobe Working to Secure Flash in IE 10, Webmonkey at Wired.com
Markey introduces mobile privacy bill, The Hill’s Hillicon Valley
Chip and pin ‘weakness’ exposed by Cambridge researchers, BBC News via Slashdot
CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions, threatpost
Crack in Internet’s foundation of trust allows HTTPS session hijacking, Ars Technica
Chrome for Android update strengthens sandbox, The H Security: News and Features
Apple closes more than 160 security holes in iTunes, The H Security: News and Features
Research Shows Half of All Androids Contain Known Vulnerabilities, threatpost
PHP 5.5 should reduce password sloppiness, The H Security: News and Features
OWASP ZAP – the Firefox of web security tools, Mozilla Security Blog
Senator Seeks to Graft E-Mail Privacy Onto Netflix-Facebook Bill, Threat Level at Wired.com
BlackHole 2.0 gives hackers stealthier ways to pwn, Ars Technica
Manipulated data causes BIND DNS servers to crash, The H Security: News and Features
Vulnerability in SSL encryption is barely exploitable, The H Security: News and Features
Quantum Key Exchange With an Airplane, Slashdot

Quick Security Alerts for the Week Ending 9/9/2012

Posted onSeptember 9, 2012September 9, 2012Leave a comment

Russia Unveils Secure “Almost Android” Tablet To Keep Data Away From Google, SecurityWeek.Com
Oracle’s emergency Java patch brings sandbox bypass, ZDNet
Hackers turn remote maintenance tool into trojan, The H Security: News and Features
Knocking Infected PCs Off the Internet, Slashdot
Google suspicious sign-in alert contains a trojan, The H Security: News and Features
Eye Twitch Patterns as a Biometric, Schneier on Security
Newest Java 7 Update Still Exploitable, Researcher Says, threatpost
New Attack Uses SSL/TLS Information Leak to Hijack HTTPS Sessions, threatpost
Apple Releases Fix for Critical Java Flaw, Krebs on Security
Secret account in mission-critical router opens power plants to tampering, Ars Technica
Consumers getting cagier about mobile app privacy • The Register, The Register
Apple patent could remotely disable protesters’ phone cameras, ZDNet
Virtual Machine Escape Exploit Targets Xen, threatpost
Digging into the UDID data, O’Reilly Radar
Huawei Denies Stealing State Secrets or Supporting Cyber Espionage, threatpost
New open-source app extracts passwords stored in Mac OS X keychain, Ars Technica
BEAST creators develop new SSL attack, The H Security: News and Features
Two Microsoft Security Updates Await In Advance of Certificate Key Length Changes, threatpost
Laptop fingerprint reader destroys ‘entire security model of Windows accounts’, NetworkWorld via Slashdot
Mozilla updates Firefox 15 to fix private browsing problem, The H Security: News and Features
Microsoft: ‘Update your security certs this month – or else’ • The Register, The Register
Google Adds Online Malware Scanner VirusTotal To Security Lineup, threatpost
Apache Patch To Override IE 10’s Do Not Track Setting, Slashdot
Sleuths Trace New Zero-Day Attacks to Hackers Who Hit Google, Threat Level at Wired.com
WordPress 3.4 update fixes security vulnerabilities, The H Security: News and Features
WhatsApp Is Using IMEI Numbers As Passwords, Slashdot