Web Security News, Articles and Updates

US-CERT: Domain name collision bug could result in MitM attacks

The US-CERT issued an alert this week, warning of a "domain name collision" bug, causing certain DNS queries to be resolved on public instead of private or enterprise servers, exposing organizations to Man-in-the-Middle attacks.

Microsoft bans passwords from breach lists

On the heels of a breach last week at LinkedIn that exposed passwords of 117 million users, Microsoft has put in place new password security for users of its Azure Active Directory.

Adobe patches Connect untrusted search path vulnerability

A security update for Adobe Connect for Windows released Monday resolves an untrusted search path vulnerability in the add-in installer for Connect versions 9.5.2 and earlier.

Researcher brute forces Instagram, cites multiple internal flaws

Information security bug-bounty hunter Arne Swinnen used several flaws with Instagram's login system to brute force his way into the social media giant and gain access to member accounts.

Cash stolen from 1,400 ATMs in Japan in coordinated attack

As many as 100 people are believed to have taken part in a heist of nearly $13 million (USD) from 1,400 cash machines in Japan.

Trojan in app on Google Play shuttered

A variant of the malware family Acecard was detected in the Google Play store by researchers at Lookout.

Cisco patch blocks DoS vulnerability

Remote attackers have been shut out of the IPsec code of Cisco Adaptive Security Appliance (ASA) Software following Tuesday's patch.

NTIA study: Security threats deter online activities like making purchases and banking

A new government survey shows that U.S. households are growing averse to even the most routine online transactions, due to cyberattacks imperiling users' finances, identities and privacy.

UPDATED - Domo Arigato: White hat reports vulnerability on Mr. Robot website

The new promotional website for season two of the USA Network's computer hacking drama Mr. Robot required an emergency patch after a white-hat hacker discovered a cross-site scripting vulnerability, according to a Forbes.com report.

Hacker doxes Nulled cybercrime forum, exposes data on 536,000 user accounts

An unidentified hacker turned the tables on Nulled.io, a popular online forum that facilitates cybercriminal activity, by compromising its website and publicly dumping its sensitive user data and communications.

Pornhub dismisses hacker's offer to sell access to servers as hoax

A hacker calling himself Revolver yesterday advertised on Twitter that he was selling access to Pornhub servers for $1,000 after discovering an exploit, but the pornography video sharing website is disputing the veracity of this hack.

Not OK, data on 70K OKCupid users exposed

A semi-private database consisting of the identities of 70K users of the dating website was published on the internet.

Attackers already pouncing on newly discovered ImageTragick vulnerability

Mere hours after word spread last week of a remote code execution vulnerability in the image-processing software ImageMagick, bad actors were already actively exploiting it in the wild.

Florida security expert demoing flaw charged for unauthorized access

A Florida man who logged into a computer system with appropriated credentials now faces felony charges.

Locky ransomware bolsters encryption of communications with C&C servers

In a move to obfuscate network traffic more effectively, Locky ransomware developers recently upgraded the malware to communicate with its command and control server via both symmetric and asymmetric encryption.

Malware popups delivered with Pirate Bay downloads, report

Torrent site's users received malware warnings.

Tech advocates lobby to oppose re-election of Senate intel chief

A lobbying effort is underway to block the re-election of Sen. Richard Burr over internet policies that at least one digital rights activist has called "idiotic."

Attackers inject code into WordPress header file to redirect random users

Researchers are warning WordPress website administrators of a malware attack, whereby adversaries inject code into the header.php file of a site's current WordPress theme, in order to redirect visitors to malicious domains.

Microsoft will cease support for TLS certs signed by SHA1

Microsoft announced it will soon cease support for TLS certificates signed by the SHA1 hashing algorithm.

OpenSSL patches memory corruption and unauthorized decryption vulnerabilities

OpenSSL has issued a series of patches in conjunction with the disclosure yesterday of six vulnerabilities, including two of high severity.

Slack users expose corporate credentials while creating new 'bot' tools

Developers using the corporate messaging tool Slack are carelessly including their Slack tokens (aka credentials) within the coding of newly created automated business tools known as "Slack bots," according to Detectify's research labs division.

Miami programmer facing jail for hacking frequent flyer accounts

A computer programmer was charged with purloining the frequent flier accounts of American Airlines customers to treat himself to more than $260,000 worth of global travel and car rentals.

Top NFL prospect Tunsil free falls in draft after apparent hacker posts damaging video, texts

Minutes before the NFL Draft commenced on Thursday night, an apparent hacker accessed the Twitter account of top prospect Laremy Tunsil and posted an old video of the Ole Miss player smoking from a bong, damaging his value.

CryptXXX ransomware being served by toy company site

The day after security researchers discovered the website for toy maker Maisto was not only selling radio-controlled cars and planes, but was also pushing CryptXXX ransomware, the site was down for maintenance.

'Wizz' kids: Talos researchers pinpoint French firm as source of spyware-adware threat

A supposedly legitimate French software firm, Tuto4PC, has actually infected an estimated 12 million PC users with a generic Trojan disguised as downloadable utilities programs, according to an analysis from Cisco's Talos research division.

Firefox patches issued, one critical

Mozilla released 10 security advisories affecting its Firefox open-source web browser.

Defense to judge: Make feds disclose hacking technique in child porn case or dismiss charges

More than two months after a federal judge ruled the U.S. must privately disclose the hacking technique the FBI used to identify patrons of the child porn site Playpen, lawyers have filed a motion urging the case be dismissed if the government does not comply or drop the charges.

A million-plus accessed Facebook via Tor last month

Just-released figure doubles the number from less than a year ago of Facebook users accessing the site via Tor.

MIT launches bug bounty program

The Massachusetts Institute of Technology (MIT) introduced a bug bounty program last week that it termed "experimental."

SpyEye authors headed to prison

The two men responsible for the SpyEye banking trojan, used to steal user information from financial institutions, were sentenced to a combined 24-1/2 years in prison.
