Tag: patching

Study Finds Unrelenting Cyber Attacks Against China’s Uyghurs

A group representing the Uyghurs,a  persecuted religious minority in China, faces unrelenting, targeted cyber attacks that appear aimed at stealing sensitive data and otherwise undermining the group’s activity, according to a new study by researchers at Northeastern University in Boston as well as the Max Planck Institute for Software Systems and the National University of Singapore.   A study of more than 1,400 suspicious email messages sent to members of groups representing the Uyghur minority found that more than three quarters of the messages contained malicious attachments. The messages targeted 724 individuals at 108 separate organizations. Moreover, researchers found overlap between the individuals associated with the Uyghur World Contress (UWC) and western targets such as the New York Times and U.S. embassies. The study, “A Look at Targeted Attacks Through the Lense of an NGO” is being presented at the UNENIX Security Conference in San Diego on August 21. (A copy of the full paper is […]

Continue Reading

Popular Web Sites Still Getting Gamed in SEO Attacks

In this post, Security Ledger contributor Or Katz of Akamai provides details of how malicious actors are abusing redirect vulnerabilities in popular web sites to boost the reputation of malicious sites they control. One recent attack involved the compromise of some 4,000 vulnerable web applications for the purpose of pumping up the search engine ranking of more than 10,000 malicious web sites, Katz reveals. 

Continue Reading

Dan Geer’s Other Keynote: Embedded Devices Need A Time To Die

With the Black Hat Conference well under way and DEFCON starting later this week, the security world’s attention will turn to Las Vegas, where some of the cyber security industry’s top researchers and thinkers will be holding court. One of the most anticipated talks is the Black Hat Briefings opening keynote. This year, the honor goes to none other than Dr. Dan Geer, the CISO of In-Q-Tel, the investment arm of the U.S. intelligence sector. Geer’s talk  on Wednesday, August 6, 2014 is entitled “Cybersecurity as Realpolitik.” In anticipation of Dr. Geer’s Black Hat, we’re releasing another recent talk he gave: this one a keynote speech at our May, 2014 Security of Things Forum in Cambridge, MA. In this talk, Dan focused on the security of embedded devices and the fast-emerging Internet of Things. (A full transcript of the talk is available here.) “The embedded systems space, already bigger than what is normally thought of as […]

Continue Reading

Micro Survey of Smart Home Devices Finds Much To Fault

Larry Dignan over at ZDNet is writing about a new survey by HP’s Fortify application security division that finds 70 percent of Internet of things devices have exploitable software vulnerabilities. Some caveats: HP makes its conclusions based on scans of “10 of the most popular Internet of things devices.” That’s a very small sample size that could (greatly) skew the results one way or the other. So take this with a grain of salt. You can download the full survey here. (PDF) [Read Security Ledger coverage of Internet of Things here.] According to Dignan, HP found 25 vulnerabilities per device. Audited devices included TVs, Webcams, thermostats, remote power outlets, sprinklers, door  locks, home alarms, scales and garage openers. One of each, from the sound of it. The findings, assessed based on the OWASP Internet of Things Top 10 list and vulnerability categories, account for the devices as well as cloud and […]

Continue Reading

Old Apache Code at Root of Android FakeID Mess

A four year-old vulnerability in an open source component that is a critical part of Google’s Android mobile operating system could leave mobile devices that use it susceptible to attack, according to researchers at the firm Bluebox Security. The vulnerability was disclosed on Tuesday. It affects devices running Android versions 2.1 to 4.4 (“KitKat”), according to a statement released by Bluebox. According to Bluebox, the vulnerability was introduced to Android by way of the open source Apache Harmony module. It affects Android’s verification of digital signatures that are used to vouch for the identity of mobile applications, according to Jeff Forristal, Bluebox’s CTO. He will be presenting details about the FakeID vulnerability at the Black Hat Briefings security conference in Las Vegas next week.

Continue Reading
1 31 32 33 34 35 51