Articles by 'Nancy Rand'

Blog Author - Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.

By Nancy Rand, Posted in Security

January 15, Help Net Security – (International) Flaw allows malicious OpenSSH servers to steal users’ private SSH keys. Researchers from Qualys reported two vulnerabilities, including an information disclosure flaw, in the OpenSSH client implementation of the secure shell (SSH) protocol. A malicious or compromised server can trick the default client code into leaking client memory to the server, including the user’s private cryptographic keys, after which the attacker can impersonate the owner of those keys. Source Janu...

  • January 19, 2016

By Nancy Rand, Posted in Security

January 14, SecurityWeek – (International) Cisco patches serious flaw in networking, security products. Cisco released software updates addressing multiple critical vulnerabilities in several of its networking and security products, including an unauthorized access issue affecting Cisco standalone and modular controllers running Wireless LAN Controller (WLC) software that allowed attackers to modify the device’s configuration and compromise the device. Source January 13, Softpedia – (International)...

  • January 15, 2016

By Nancy Rand, Posted in Security

January 13, Softpedia – (International) Three XSS bugs found on Mozilla’s add-ons and support portals. Mozilla released a patch for its Add-ons portal addressing a cross-site scripting (XSS) flaw in the “Create new collection” feature, where attackers could place malicious code in the collection’s name field. Mozilla reported that it was also working on patches for two other XSS flaws, one in the Add-ons portal and one in its Support Center. Source January 13, Help Net Security – (Int...

  • January 14, 2016

By Nancy Rand, Posted in Security

January 12, IDG News Service – (International) Mozilla Persona login system to shut down in November. Mozilla reported that its Persona login system (persona.org) and related domains will be shut down on November 30 because of limited resources and low usage over the past two years. Until then the company will continue to maintain the system, including security fixes and support, but will not introduce new features or major enhancements. Source January 12, SecurityWeek – (International) Google...

  • January 13, 2016

By Nancy Rand, Posted in Security

January 11, Softpedia – (International) CSRF bug in Verizon’s API left My FiOS accounts open to attacks. Verizon patched a cross-site request forgery (CSRF) flaw in its My FiOS application programming interface (API) after an independent security researcher demonstrated with a proof-of-concept (PoC) that attackers could act on users’ accounts via malicious web pages distributed through email campaigns: once a logged-in user opened such a page, it could trigger a password reset command on the user’s behalf. Source Janua...

  • January 12, 2016

By Nancy Rand, Posted in Security

January 7, SecurityWeek – (International) Unpatched Drupal flaws expose sites to attacks. A researcher from IOActive reported several vulnerabilities in the update process of the Drupal content management system (CMS) 6 and 7 series, including a cross-site request forgery (CSRF) vulnerability that can be exploited to force website administrators to check for updates, which could in turn be used to deliver server-side request forgery (SSRF) attacks against drupal.org. Additional issues...

  • January 08, 2016
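The Verizon My FiOS and Drupal items above turn on the same weakness: a state-changing request that the server accepts because the browser automatically attaches the victim’s session cookie, even though the request was initiated by a page the attacker controls. The following is an added example written for this page, not Verizon’s or Drupal’s code. It contrasts a password-reset handler that trusts the cookie alone with one that also requires a POST, a first-party Origin or Referer, and a per-session synchronizer token. The request shape, the session store, the `app.example` origin and the `csrf_token` field name are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    """Constructed request shape standing in for whatever framework the API uses."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


# Constructed server-side session store (assumed): cookie value -> session record.
# The per-session CSRF token is generated at login and embedded in first-party forms.
SESSIONS = {"sess-1": {"user": "alice", "csrf": secrets.token_urlsafe(32)}}
APP_ORIGIN = ("https", "app.example")  # assumed first-party origin
RESETS = []  # audit log of password resets that actually went through


def vulnerable_reset_password(req: Request) -> int:
    """Authenticates on the session cookie alone. A browser attaches that cookie to
    a form auto-submitted from an attacker's page, so the reset is performed."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    RESETS.append((sess["user"], "vulnerable"))
    return 200


def same_origin(header_value) -> bool:
    """True only if scheme and host of an Origin/Referer value equal the app origin.
    A prefix comparison would accept https://app.example.evil.example; this does not."""
    if not header_value:
        return False
    parts = urlsplit(header_value)
    return (parts.scheme, parts.netloc) == APP_ORIGIN


def hardened_reset_password(req: Request) -> int:
    """Requires POST, a first-party Origin (or Referer), and a synchronizer token
    equal to the one stored in the session, compared in constant time."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    if not same_origin(req.headers.get("Origin") or req.headers.get("Referer")):
        return 403
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf"].encode()):
        return 403
    RESETS.append((sess["user"], "hardened"))
    return 200


def cross_site_request() -> Request:
    """Constructed request as a browser sends it from a malicious page linked in an
    email: the victim's cookie is attached, the Origin is the attacker's, no token."""
    return Request("POST", cookies={"session": "sess-1"},
                   form={"new_password": "attacker-chosen"},
                   headers={"Origin": "https://evil.example"})


def first_party_request() -> Request:
    """Constructed legitimate submission from the app's own reset form."""
    return Request("POST", cookies={"session": "sess-1"},
                   form={"new_password": "user-chosen",
                         "csrf_token": SESSIONS["sess-1"]["csrf"]},
                   headers={"Origin": "https://app.example"})
```

Marking the session cookie `SameSite=Lax` or `Strict` is a complementary layer, and the Origin check is not sufficient on its own because some clients omit the header; the token check is the one that must hold in every case.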

By Nancy Rand, Posted in Security

January 6, SecurityWeek – (International) Linode resets user passwords after breach. Linode reported that it reset customers’ Linode Manager passwords after determining that user credentials may have been read from the company’s database. The reset came while Linode was dealing with a massive distributed denial-of-service (DDoS) attack on its website, data centers and Domain Name System (DNS) infrastructure, including multiple volumetric attacks targeting its authoritative nameservers and public websites. The...

  • January 07, 2016

By Nancy Rand, Posted in Security

January 5, Softpedia – (International) Google patches Android for yet another RCE flaw in its Mediaserver component. Google released patches for 12 vulnerabilities, five of them rated critical, in its Android operating system (OS), including a remote code execution (RCE) flaw in the Mediaserver component that allowed attackers to craft malicious media files and deliver them via multimedia messaging service (MMS) or stream them through the user’s browser. Other issues included an elevation of p...

  • January 06, 2016

By Nancy Rand, Posted in Security

January 4, SecurityWeek – (International) BlackEnergy malware used in Ukraine power grid attacks. Researchers from ESET reported that the BlackEnergy malware, which previously targeted Ukrainian government entities and U.S. critical infrastructure companies, together with a Secure Shell (SSH) backdoor, has been used against news media and electrical power companies in Ukraine; the malware was found planted on the networks of several regional power companies and news companies via a destructive...

  • January 05, 2016

By Nancy Rand, Posted in Security

December 31, SecurityWeek – (International) Details of 34,000 Steam users exposed during DDoS attack. Valve Corporation reported that, while trying to resolve distributed denial-of-service (DDoS) attacks against the Steam Store, its Internet-based platform Steam deployed caching configurations, one of which incorrectly cached web traffic for authenticated users, causing users’ personal information to be displayed to other users and affecting about 34,000 users. The company was working to identify a...

  • January 04, 2016
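The Steam incident above is the classic shared-cache failure: a cache in front of the origin stored a page that belonged to one logged-in session and then served it to everyone else requesting the same URL. The following is an added illustration written for this page, not Valve’s or its caching partner’s configuration; the request and response shapes, the session table and the `session` cookie name are assumptions. It contrasts a cache that ignores `Cache-Control` and cookies with one that stores only explicitly public responses and bypasses the shared store for any request carrying a session cookie.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


# Constructed login state (assumed): session cookie value -> account.
SESSIONS = {"s-alice": "alice@example.com", "s-bob": "bob@example.com"}


def origin(req: Request) -> Response:
    """Constructed origin server: the store front is public, account pages are per-user."""
    user = SESSIONS.get(req.cookies.get("session"))
    if req.path == "/account":
        if user is None:
            return Response("Please log in", {"Cache-Control": "no-store"})
        return Response(f"Account page for {user}",
                        {"Cache-Control": "private, no-store"})
    return Response("Store front page", {"Cache-Control": "public, max-age=60"})


class NaiveCache:
    """The misconfiguration: keys on path only and ignores both Cache-Control and
    cookies, so the first authenticated response for /account is stored and then
    handed to everyone who requests /account afterwards."""

    def __init__(self):
        self.store = {}

    def fetch(self, req: Request) -> Response:
        if req.path not in self.store:
            self.store[req.path] = origin(req)
        return self.store[req.path]


def is_shared_cacheable(resp: Response) -> bool:
    """Only responses explicitly marked public, and neither private nor no-store,
    may be placed in a cache shared between users."""
    directives = {d.strip().lower()
                  for d in resp.headers.get("Cache-Control", "").split(",")}
    return "public" in directives and not directives & {"private", "no-store"}


class SafeCache:
    """Bypasses the shared store for any request carrying a session cookie and
    stores only responses the origin marked as publicly cacheable."""

    def __init__(self):
        self.store = {}

    def fetch(self, req: Request) -> Response:
        if "session" in req.cookies:
            return origin(req)
        if req.path in self.store:
            return self.store[req.path]
        resp = origin(req)
        if is_shared_cacheable(resp):
            self.store[req.path] = resp
        return resp


def serve_account_pages(cache) -> list:
    """Alice loads her account page, then Bob loads his; returns the two bodies.
    With NaiveCache the second body is Alice's page, which is the leak."""
    alice = Request("/account", {"session": "s-alice"})
    bob = Request("/account", {"session": "s-bob"})
    return [cache.fetch(alice).body, cache.fetch(bob).body]
```

In a real CDN deployment the equivalent is making sure authenticated responses carry `Cache-Control: private, no-store` and that the edge either honours those directives or is configured not to cache requests bearing a session cookie at all; `Vary: Cookie` is a weaker fallback because it still stores a copy per cookie value.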