Web Security | SC Media

Web Security

Drupal software update patches highly critical RCE bug


The developers of Drupal this week issued a security advisory urging users to update their software following the discovery of a highly critical remote code execution vulnerability in their open-source content management framework. “Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases,” the…

Report: Details on 617 million user accounts up for sale on dark web


A dark web marketplace this week reportedly began selling stolen data linked to roughly 617 million user accounts from 16 different websites. The Register was first to report the incident, citing details provided by the seller, who has set up shop on the Tor network-based site Dream Market cyber-souk. The affected online services consist of video messaging…

Movie and TV-tracking service Trakt belatedly discovers 2014 breach


An unauthorized party illegally accessed data from TV and movie “scrobbling” service Trakt more than four years ago, but only now are users learning about it. The California-based company, which allows viewers to track the programs and films they watch, reportedly sent an email to its subscribers informing them that an unauthorized party used a…

Google says it is not a flaw that passwords saved in its web browser can be viewed in plain text.

Google adds Password Checkup Chrome extension


Google has rolled out a new Chrome extension that will inform users if their passwords have been compromised. The service, which was introduced as part of Google’s Safer Internet Day offerings, is called Password Checkup. The Chrome extension checks a person’s username and password against a list of four billion credentials that are known to…

Safer Internet Day 2019 offers array of educational programs


Safer Internet Day 2019 kicks off today with a worldwide schedule of events to help make the internet a safer environment, and this is certainly needed as a recent poll indicates many people still make poor choices when it comes to protecting themselves online. Behind the slogan “Together for a better internet”, the day’s organizer…

DHS issues emergency directive to protect federal domains from DNS hijacking campaign


The Department of Homeland Security’s newly created Cybersecurity and Infrastructure Security Agency (CISA) issued its first-ever emergency directive on Tuesday, instructing federal government agencies to take preventative measures against an ongoing DNS hijacking campaign that has recently affected several executive branch domains. Cisco Systems’ Talos research unit first reported on the DNS infrastructure tampering in November…

Click2Gov breach threatens credit card data of Hanover County residents


A data breach of a third-party online payment system has compromised the personal information of Hanover County, Virginia, residents. In an official online notification, county officials have disclosed that an unauthorized party stole credit card information processed by the Click2Gov payment portal between Aug. 1, 2018 and Jan. 9, 2019. Exposed information includes customer names,…

Credential stuffing attack prompts Reddit to force password reset


Some Reddit users discovered they were locked out of their own accounts earlier this week after an apparent credential stuffing attack compelled the popular website to invoke password security measures. An admin post published on Reddit’s Help subreddit this past Wednesday advises users that a “large group of accounts were locked down” due to anomalous…

Phishing kit leverages web fonts to obfuscate source code


In an apparent first, researchers last year observed an unusual phishing kit that obfuscates its landing page’s source code with web fonts as a means to avoid detection. Attackers recently used the kit as part of a credential harvesting scheme that targeted a major retail bank, researchers from Proofpoint revealed in a Jan. 3 blog…

Cybercriminals compromise website for Dublin tram system, post ransom demand


Malicious hackers on Thursday defaced the website for Luas, a public tram system based in Dublin, Ireland, posting a ransom demand that threatened to publish data they claim to have stolen from the transport service. The Ireland-based division of Transdev, the transportation company that runs Luas, took its site offline in response to the incident.…
