A lack of security common sense still plagues businesses with 30 percent of phishing emails opened by campaign targets. Worse, 12 percent click on the attachments inside those phishing attacks, giving crooks easy access to systems to snarf up credentials that are later used to pull off financially or espionage motivated crimes. That’s the big...

A menacing wave of ransomware that locks up Android devices and demands victims pay $200 in Apple iTunes gift card codes is raising concern among security researchers. The ransomware attacks, they say, open a new chapter for Android vulnerabilities similar to Microsoft’s obsolete, unpatched and unsupported Windows XP operating system. “This is a new and...

The effectiveness of bug bounty programs is difficult to deny, especially after adoption of one at Uber, which announced last month it would begin paying $10,000 for critical bugs, and the Department of Defense, whose Hack the Pentagon illustrates the government’s softening stance on hackers. The Massachusetts Institute of Technology announced this week that it will...

Was the Federal Bureau of Investigation justified in paying over $1.3 million for a hacking tool that opened the iPhone 5c of the San Bernardino shooter? For some in the security community the answer is a resounding yes. For others, the answer is not so clear-cut. FBI Director James Comey said on Thursday the agency...

A core Windows command-line utility, Regsvr32, used to register DLLs to the Windows Registry can be abused to run remote code from the Internet, bypassing whitelisting protections such as Microsoft’s AppLocker. A researcher who requested anonymity found and privately disclosed the issue to Microsoft on Tuesday. It’s unknown whether Microsoft will patch this issue with...

In a storyline that rivals an episode of The Sopranos, researchers at FireEye documented the heist of bank card data from 20 million individuals that involved a complex web of crooks that may have netted hackers more than $100 million since 2014. In conjunction with recently acquired Isight Partners, FireEye released a report Thursday that shines a bright...

Adobe today patched a vulnerability in the Adobe Analytics AppMeasurement for Flash library, which can be added to Flash projects to measure the usage of Flash-based content. The vulnerability is a DOM-based cross-site scripting flaw that can be abused for cookie theft, said researcher Randy Westergren Jr., who privately disclosed the issue to Adobe. Unlike...

Cisco released software updates to address five separate denial of service vulnerabilities, all which the company considers either high or critical severity, across its product line this week. According to a series of security advisories issued on Wednesday, three of the five vulnerabilities exist in Cisco’s Wireless LAN Controller (WLC) devices, commonly used to manage...

Threatpost Op-Ed is a regular feature where experts contribute essays and commentary on what’s happening in security and privacy. Today’s contributors are Dave Dittrich and Katherine Carpenter. Reports of APT activities detail compromises spanning multiple organizations, sectors, industry verticals, and countries (over multiple years). According to MITRE: “it is becoming increasingly necessary for organizations to...

Oracle fixed 136 vulnerabilities across 46 different products this week as part of its quarterly Critical Patch Update. More than half of the CVEs, 72, could be remotely exploitable without authentication. Fixes for a slew of products, including Oracle’s Database Server, E-Business Suite, Fusion Middleware, along with its Sun Products line, Java SE platform, and MySQL database,...