Darren Pauli( IT News - April 14, 2014 )
DDoS reaches 300,000 connections a minute. Botnet operators in the criminal underground are launching large denial of service attacks against each other in a bid to knock out rivals in the race to compromise computers. Security researchers have discovered command and control servers owned by operators of Zeus botnets were blasted by those running a rival Cutwail botnet in a distributed denial of service attack reaching 300,000 connections a minute. The infamous Zeus malware was a trojan often used to steal banking information and install cyrptolocking software. The Zeus family was considered to be the largest botnet operating on the internet. Cutwail is also an established botnet which is typically involved in sending spam via the Pushdo trojan, at its peak pushing out millions of emails a day. University researchers said in a paper that Cutwail, known to spammers as ‘0bulk Psyche Evolution’, was rented to spam affiliates who pay fees to the botmasters totalling hundreds of t
housands of dollars, in order to launch spam campaigns (pdf). RSA researchers found a hit list of new dynamically generated domain names within a Cutwail botnet which served as infrastructure targets of the operator’s rivals.

Jim Finkle( Reuters - April 14, 2014 )
(Reuters) - BlackBerry Ltd said it plans to release security updates for messaging software for Android and iOS devices by Friday to address vulnerabilities in programs related to the “Heartbleed” security threat. Researchers last week warned they uncovered Heartbleed, a bug that targets the OpenSSL software commonly used to keep data secure, potentially allowing hackers to steal massive troves of information without leaving a trace. Security experts initially told companies to focus on securing vulnerable websites, but have since warned about threats to technology used in data centers and on mobile devices running Google Inc’s Android software and Apple Inc’s iOS software. Scott Totzke, BlackBerry senior vice president, told Reuters on Sunday that while the bulk of BlackBerry products do not use the vulnerable software, the company does need to update two widely used products: Secure Work Space corporate email and BBM messaging program for Android and iOS.

Joyce Lee and Clarence Fernandez( Reuters - April 11, 2014 )
(Reuters) - Hackers stole the personal information of about 200,000 South Korean credit card users, using some to make fake cards and rack up fraudulent charges of about 120 million won ($115,400), an official of the country’s financial regulator said on Friday. The Financial Supervisory Service (FSS) said in a statement several suspects had late last year hacked into a server of a firm managing card payment processing terminals, and extracted data such as numbers, expiry dates and passwords for a point-amassing loyalty card. The suspects exploited the fact that some users had the same pin number or password for both credit cards and the loyalty card to create fake cards and charge items earlier this year, an official with direct knowledge of the investigation said. South Korean police, who are leading the investigation, have so far identified 268 separate cases of wrongful charges, said the official, who declined to be identified as the probe is still underway.

Gregg Keizer( ComputerWorld - April 11, 2014 )
Computerworld - Microsoft’s demand that Windows 8.1 users install this week’s major update was another signal that the company is very serious about forcing customers to adopt its faster release strategy, experts said today. “Microsoft is going to drag organizations and users into this new world of faster updates kicking and screaming,” said Michael Silver of Gartner in an email. “Microsoft wants users to trust it to keep their systems updated. Maybe they figure forcing organizations to deploy [Windows 8.1 Update] will get them used to taking updates and keeping current.” Earlier this week, Microsoft shipped Windows 8.1 Update (8.1U), adding that to obtain future updates, including fixes for vulnerabilities distributed each month on “Patch Tuesday,” Windows 8.1 users had to install 8.1U. “Failure to install this Update will prevent Windows Update from patching your system with any future updates starting with updates released in May 2014,” Microsoft said.

Julie Bort( Greenwich Time - April 11, 2014 )
It’s been two days since the Heartbleed bug was exposed, a security flaw so bad, security expert Bruce Schneier has called it “catastrophic.” The flaw allows hackers to intercept and read website information supposed to be encrypted, like passwords and credit card info. This problem was found in the really popular security software known as OpenSSL used by many huge websites and devices. That means Heartbleed was found in some of most popular cloud services on the Internet, like Gmail, Yahoo, Flicker, OkCupid, Tumbler and others. The good news is that those sites have been fixed, Mashable reports. More good news: hundreds of other websites are racing to get rid of the bug as we write this. 24 hours after the bug was reported, security vendor SkyHigh Networks had found 368 cloud providers that still had the bug. Yet, a couple of hours ago, security vendor Netskope, searching only cloud services that serve businesses, found 100 of those sites to have the Heartbleed bug. So the
numbers of dangerous websites are diminishing.

Staff( Critical Watch - April 10, 2014 )
Use the Critical Watch Heartbleed Tester to verify if your site is/isn’t vulnerable to the heartbleed vulnerability.

John Zorabedian( Naked Security - April 9, 2014 )
A 17-year-old scam artist allegedly ripped off 10,000 people who purchased a fake anti-virus app. His app made it to number one on the Google Play Store Top New Paid Android Apps page, before it was taken down last Sunday, 6 April 2014. The Virus Shield app cost $3.99 and claimed to be a scanner that protected Android devices from viruses, while promising to never annoy users with pop-up ads found on many free apps. Sounds like a good reason to pay four dollars for an app, right? Well, a blogger for the website Android Police bought the app from the Play Store and discovered that Virus Shield had no anti-virus functionality whatsoever, and didn’t do anything like it claimed. The app was uploaded to Play Store on 28 March 2014 and in one week Virus Shield amassed more than 10,000 downloads and 1,600 recommendations, surging to the top of Google Play’s new apps, according to media reports.