Dennis Fisher

UPDATE--An Android handset produced by Chinese manufacturer ZTE has a backdoor installed that could enable an attacker to take control of an affected device remotely and run arbitrary code. The manufacturer has acknowledged the issue in the ZTE Score M, which includes a harcoded password, and says that it plans to push out a fix soon.  Read more »

Since the beginning of recorded time, security researchers, software vendors and hackers have been issuing security advisories in all kinds of nutty formats. Some feature excellent ASCII art, some have clever inside jokes and some come from Microsoft. Now, there's a effort underway, called the Common Vulnerability Reporting Framework, to standardize the way that vulnerabilities are reported so that they're in a common, machine-readable format.  Read more »

For the aspiring attacker or pen tester, there is no shortage of attack tools, scripts, crimeware kits and exploits available online. But, the Internet being what it is, there's always room for one more. Enter HULK, a new DDoS tool that arrives just in time to coincide with the release of some movie involving the actual Hulk and other CGI-ified mediocre-heroes. Read more »

Twitter has implemented the Do Not Track header on its site, giving users the option of telling the site that they do not want to be tracked across other sites on the Web. The implementation is being done through the DNT technology in the Firefox browser. Read more »

Howard Schmidt, the top White House information security adviser, is retiring after more than two years on the job and several decades in security both in government and private industry. Schmidt is in his second stint as the White House security chief and he's leaving at a time when cybersecurity has moved into the top tier of military and economic concerns for the country. Read more »

It's been more than 10 years now since Microsoft began the initiative that would eventually become Trustworthy Computing, and while the effects it's had inside the company have been well documented, the utility and adoption of the Security Development Lifecycle by outside organizations and customers is less well-known. Several large organizations have adopted the SDL, either in whole or in part, and Microsoft executives say that the effects on these organizations are going to be just as important as they were for Microsoft. Read more »

Google has released Chrome 19 and fixed more than 20 vulnerabilities in its browser, including eight high-risk bugs. The company paid security researchers $7,500 in rewards as part of its bug bounty program, including two rewards for vulnerabilities that applied to Chrome as well as other applications. Read more »

The recent trend of attackers using stolen digital certificates to make their malicious executables look legitimate is continuing unabated, with researchers now having come across a series of variants of the Etchfro Trojan that are using certificates taken from several companies and issued by VeriSign, Thawte and other certificate authorities. Read more »

Just a few days after the company announced that customers would have to pay for security updates to some of its popular products, Adobe officials backed off of that idea and announced that patches for flaws in Illustrator, Photoshop and Flash Professional would be provided after all. Read more »

A group of security experts is working to put together a new global TLD that will require companies and individuals applying for domains to adhere to strict security policies and requirements. The proposed .secure TLD is intended to be a known safe group of domains and would include mandatory use of DNSSEC, TLS for every HTTP session and other security technologies. Read more »