Archives: January 2016
You are here: Home \ 2016 \ January \ Page 6
As promised, Mozilla officially began rejecting new SHA-1 certificates as of the first of the year. And as promised, there have been some usability issues. Mozilla yesterday said that some security scanners and antivirus products are keeping some from reaching HTTPS websites. “When a user tries to connect to an HTTPS site, the man-in-the-middle device...
Roughly 320,000 Time Warner Cable customers are being told to change their email passwords this week after the company announced Wednesday that hackers may have gained access to them. The move comes after the F.B.I. notified the telecommunications giant that someone may have gained access to TWC customer information. It’s still unclear exactly how someone may have...
Developers at WordPress are encouraging users of the content management system to download and apply the most recent update, pushed yesterday, to address a cross-site scripting (XSS) vulnerability. According to WordPress the bug exists in all versions before 4.4 and if exploited, could allow a hacker to take control of an affected website. An independent security researcher based...
If you’re hanging on to the theory that collision attacks against SHA-1 and MD5 aren’t yet practical, two researchers from INRIA, the French Institute for Research in Computer Science and Automation, have demonstrated new attacks that raise the urgency to move away from these broken cryptographic algorithms. Karthikeyan Bhargavan and Gaetan Leurent recently published an...
A number of issues exist in the content management system Drupal that could lead to code execution and the theft of database credentials via a man-in-the-middle attack, a researcher warns. The vulnerabilities lie in the way Drupal processes updates, according to Fernando Arnaboldi, senior security consultant with IOActive. Arnaboldi wrote a blog entry describing three...
The Brain Test mobile malware family has once again been evicted from Google Play. Known for piggy-backing on fully functioning mobile applications, the malware’s various iterations try to root Android devices, download malicious APKs and inflate the Google Play ratings of other apps written by the same group of Chinese developers. Worse yet is Brain...
Silent Circle, makers of the security and privacy focused Blackphone, have patched a vulnerability that could allow a malicious mobile application or remote attacker to access the device’s modem and perform any number of actions. The update was released Dec. 7 in version 1.1.13 RC3; details of the issue were disclosed today by SentinelOne, which...
Cloud-based webhost Linode absorbed another body blow on Tuesday when it said it was resetting customer passwords after a suspected breach. The development compounded the company’s existing woes as it continues to battle a distributed denial-of-service attack that began on Christmas. A Linode representative said late Tuesday its executives were unavailable for comment and that...
While the “Going Dark” debate over encryption standards rages on here in the ­­United States, government officials in the Netherlands this week released a statement that actually calls for stronger encryption and rejects backdoors entirely. On Monday officials said, citing respect for privacy and confidentiality, they were staunchly opposed to against any legislation that would...
Despite calls to eliminate Adobe Flash Player, researchers inside and outside the vendor continue to invest in and build mitigations against modern attacks. As recently as three weeks ago, Adobe announced it had rewritten its memory manager, laying the groundwork for widespread heap isolation, which is an important protection against use-after-free vulnerability exploits. Today, however,...