A Java serialization vulnerability disclosed more than a year ago figured to have a long shelf life. It lived in popular Java application development frameworks such as Apache Commons Collections—where it’s been patched—and not to mention widely deployed application servers such as Oracle WebLogic, IBM WebSphere, Red Hat’s JBoss and others. PayPal this week put...

The Internet of Things security challenge is twofold: finding bugs, and more urgent—fixing them. Cisco’s Talos security intelligence and research group found and privately disclosed a serious and trivially exploitable client-side bug in MiniUPnP that was patched in September of last year. The problem is: How many patches were applied by vendors in their products...

Google is downplaying the scope of the critical Linux vulnerability patched this week, suggesting that the number of affected Android devices has been exaggerated. The Android OS is built upon the Linux kernel, but minus many of the libraries that are included in standard Linux builds. Initially, startup Perception Point said that upwards of two-thirds...

LastPass has taken measures to mitigate a phishing attack described this weekend at ShmooCon that put at risk users’ credentials and information stored by the password manager. Researcher Sean Cassidy, chief technology officer of cloud security company Praesidio, demonstrated an attack where he was able to recreate a LastPass login page, pixel-for-pixel as he said....

Apple has had two cracks at patching a vulnerability that allows malicious apps to bypass its OS X Gatekeeper security feature, and twice has taken a shortcut approach to the fix, said the researcher who reported the flaw. The latest measure to address this was released on Thursday and it appears Apple again took steps to...

Connecting a webcam to your home or office network might seem like a harmless thing, but researchers have figured out how to turn that connected device into a backdoor. Researchers at Vectra Networks today released a report demonstrating how a $30 D-Link webcam can be abused by attackers and turned into a medium for sending...

Juniper Networks announced late Friday it was removing the suspicious Dual_EC_DRBG random number generator from its ScreenOS operating system. And while that’s heralded as a positive move considering Dual_EC’s dubious origins, there remain important and unanswered questions about Juniper’s decision to include what is considered to be a backdoored random number generator in its NetScreen...

European authorities dismantled a cybercrime ring last week responsible for a series of ATM attacks that ultimately led to substantial financial losses across Europe. Authorities apprehended eight Romanian and Moldovan nationals in connection with the ring following a series of house searches in the two countries last week, according to Europol, which announced the news last Thursday via press...

If you’re hanging on to the theory that collision attacks against SHA-1 and MD5 aren’t yet practical, two researchers from INRIA, the French Institute for Research in Computer Science and Automation, have demonstrated new attacks that raise the urgency to move away from these broken cryptographic algorithms. Karthikeyan Bhargavan and Gaetan Leurent recently published an...

Cloud-based webhost Linode absorbed another body blow on Tuesday when it said it was resetting customer passwords after a suspected breach. The development compounded the company’s existing woes as it continues to battle a distributed denial-of-service attack that began on Christmas. A Linode representative said late Tuesday its executives were unavailable for comment and that...