Web Security News, Articles and Updates

Voter data on 1.8M Chicagoans left exposed on online storage service

Personal data on more than 1.8 million Chicagoan voters was found exposed on a cloud-based storage site, available to anyone for downloading, researchers from UpGuard's Cyber Risk Team have reported.

Venezuelan government websites hacked in support of military base attack

Digital rebels hacked into dozens of Venezuelan government websites to oppose the dictatorial regime of President Nicolás Maduro, according to multiple news reports.

npm removes malicious JavaScript packages that were caught stealing data

JavaScript programming language package manager "npm" has disclosed that it recently removed roughly 40 fraudulent, malware-spiked packages that were designed to steal environment variables upon installation.

Symantec selling SSL certification business to DigiCert in $950M deal

SSL certification provider DigiCert will acquire Symantec's Website Security service and its related PKI solutions for $950 million and a roughly 30 percent stake in DigiCert common stock equity.

Pro-ISIS hacker group defaces state, local government websites

Government websites in Ohio, Maryland and New York have been defaced with a pro-ISIS message from a hacktivist group called Team System Dz, according to various news reports.

Bank websites struggle, consumer services sites shine in online trust assessment

An annual audit of more than 1,000 top websites found that 52 percent have highly trustworthy cybersecurity and privacy practices, yet 46 percent failed the assessment altogether, with bank sites surprisingly faring worst of all.

Facebook defends encryption, says it is countering terrorism using AI

Aware that terrorists take advantage of social media and messaging platforms to spread propaganda and securely communicate, Facebook on Thursday divulged its recent efforts to use AI to identify objectionable content.

Security updates announced for Mozilla Thunderbird, Google Chrome, ISC's BIND

The US-CERT on Thursday announced security updates to Mozilla Thunderbird, Google Chrome and the Internet Systems Consortium's BIND Domain Name System software.

Up to 'old' tricks: Hackers compromise Stanford University 'Biology of Aging' website for months

A Stanford University website was reportedly compromised for four months without detection, allowing hackers to abuse it to host malicious web shells, phishing kits and defacement images.

Dark web services getting attacked too, as Tor sites become less hidden

Despite their anonymity, sites and services hidden on the dark web are not immune to cyberattacks, as recently demonstrated by a group of researchers who coaxed cybercriminals into attacking fake Tor sites in order to study their behavior.

Terror Exploit Kit ditches carpet bombing techniques; attacks now more surgical

The Terror Exploit Kit is rapidly evolving, no longer bombarding victims with multiple exploits in scattershot fashion, but rather applying only the hacking tools that work best against a specific compromised machine.

Cookie monster: Researchers detect malware that steals cookies, hijacks WordPress sessions

Sucuri researchers recently observed a malware attack that injected obfuscated code into a JavaScript file in order to steal web users' cookies and hijack their WordPress sessions.

Researcher pwns Charles Darwin to demonstrate Microsoft Edge exploit

Even Charles Darwin couldn't protect his Twitter account from being hijacked after a researcher stole his cookies and passwords by exploiting a reported universal cross-site scripting vulnerability in the Microsoft Edge browser.

OurMine claims it pulled off largest hack in YouTube history

The OurMine hackers, known for hijacking online social media accounts, supposedly to test their security, executed what they are calling the largest hack in YouTube history, after changing the written content on hundreds of the video service's channels on Friday.

Report: Chinese APT compromised trade association's website to keep tabs on members

A Chinese APT is accused of compromising the website of the National Foreign Trade Council in an attempt to spy on the trade association's members.

With March Madness in full swing, online scams go for the steal

Alley-OOPS! March Madness fans scouring the web for bracket contests and live game streams instead may find themselves all fouled up by online scams, Zscaler reported in a blog post this week.

Web hacking only getting worse as webmasters fail to patch ageing code

As part of its #NoHacked campaign, Google has published figures on the state of website security, and the trend doesn't look good.

Write and wrong: Attackers compromise websites with subdirectory files to promote 'essay spam'

Cybercriminals are injecting folders with malicious subdirectories into legitimate websites in order to display spam content that advertises essay-writing services for students, Sucuri has reported.

Association of British Travel Agents web server breach impacts 43,000 individuals

The Association of British Travel Agents has suffered a data breach affecting approximately 43,000 individuals after an unauthorized intruder exploited a vulnerability in a third-party web server, the trade organization acknowledged.

Zscaler reveals risk of SSL based threats, warns of new security priority

More than half of internet traffic is already HTTPS-encrypted for the sake of higher security. However, cyber-criminals also use encrypted traffic to hide their malicious activities from detection.

Are 'bad bots' weaponising data centres to spread fake news?

As bad bots increasingly take up a greater share of internet traffic, are data centres providing the roads?

Analysis: Dark web shrank since attack on Freedom Hosting II

Anonymous's compromise of Freedom Hosting II may have reduced the overall size of the Tor network by an estimated 15 to 20 percent, according to researcher Sarah Jamie Lewis, who works for OnionScan, an open-source dark web scanning tool project.

Microsoft tech support scam leverages full-screen mode to trick victims

A new tech support scam website leverages deceptive visual elements to trick victims into thinking they have been redirected to a legitimate Microsoft support website, even though they actually never left the scam page.

Report: More than 100K WordPress web pages defaced following disclosure of patched bug

More than 100,000 WordPress web pages have been defaced, following last week's public disclosure of a patched vulnerability that allows attackers to remotely modify the content of pages and posts.

Researcher buys URLs in old Trump tweets, redirects them to videos lampooning president

A security researcher has purchased the expired domains of web pages whose links were posted in old tweets from Donald Trump, and redirected them to satirical videos that mock the U.S. president.

WordPress secretly patches severe bug that can lead to site content modification

WordPress last week silently patched a high-severity zero-day vulnerability that can allow unauthorized users to remotely modify a web page's content and change any post.

Video: 300 billion passwords by 2020, report predicts

A new report predicts that the number of passwords used among humans and machines worldwide will grow to 300 billion by 2020 - all of which will require cyber protection.