LAS VEGAS—Apple closed out Black Hat today with a long-awaited announcement that next month it will launch a bug bounty. The Apple Security Bounty will be an invitation-only program, open to two dozen researchers at the outset, said Ivan Krstic, head of security engineering and architecture. The maximum payout is $200,000 and five classes of...

Google is used to taking a beating over Android vulnerabilities, but it says too often its hard work fixing vulnerabilities and keeping the platform safe goes unnoticed. “Over the seven years working on Android security vulnerabilities I’ve seen a lot of bugs and a lot of fear uncertainty and doubt,” said Nick Kralevich, Android platform...

LAS VEGAS—Charlie Miller and Chris Valasek figuratively drove off into the sunset today at Black Hat, hanging up their car hacking exploits for good and leaving behind a pioneering legacy that elevated this type of research into the mainstream. “It’s time someone else pick it up,” Valasek said. “We did our part and it’s time...

LAS VEGAS – Poor operational security on the part of Nigerian scammers running a Business Email Compromise (BEC) scheme has given researchers a window into their operations. Dell SecureWorks today published a report at Black Hat USA 2016 on what the criminals involved call wire-wire, or “waya-waya.” These attackers aren’t particularly sophisticated malware coders, for...

LAS VEGAS—Buried in the pages of the secure configuration guide for Oracle EBusiness Suite 11i is a declaration that SQL injection just isn’t a thing for the ubiquitous enterprise software. “Of the many potential SQL injections we have seen reported, we have yet to find a single confirmed example,” the guide says. “That’s a like...

LAS VEGAS – The FREAK, LOGJAM and DROWN attacks of the last 17 months weren’t just the work of academics and security researchers who found a cool way to unmask encrypted traffic. They were ugly reminders of the Crypto Wars of the 1990s and why export-grade cryptography and intentional encryption backdoors are fraught with potential...

LAS VEGAS — It wasn’t long ago that ROP, or return-oriented programming, was a hacker’s best friend when it came to bypassing mitigations against memory-based attacks such as DEP and ASLR. ROP, however, is so 2005. In the last couple of years, researchers and attackers have figured out how to bypass popular tools such as...

LAS VEGAS — Researchers have found flaws in the Web Proxy AutoDiscovery protocol tied to DHCP and DNS servers that allow hackers spy on HTTPS-protected URLs and launch a myriad of different malicious attacks against Linux, Windows or Mac computers. According to the security firm SafeBreach, this vulnerability allows hackers to monitor the URLs of every...