Articles In Security

By Nancy Rand, Posted in Security

February 23, Techcrunch.com - Major Cloudflare bug leaked sensitive data from customers’ websites. Cloudflare revealed a serious bug in its software today that caused sensitive data like passwords, cookies, authentication tokens to spill in plaintext from its customers’ websites. The announcement is a major blow for the content delivery network, which offers enhanced security and performance for more than 5 million websites. This could have allowed anyone who noticed the error to collect a... read more.

• February 27, 2017

By Nancy Rand, Posted in Security

January 16, SecurityWeek – (International) Flaws found in Carlo Gavazzi energy monitoring products. Carlo Gavazzi released firmware updates after a security researcher found that the company’s VMU-C product was plagued with a flaw that grants a malicious actor access to most of the application’s functions without authentication, as well as a cross-site request forgery (CSRF) issue that can be exploited to change configuration parameters. The researcher also found the product stores some se... read more.

• January 18, 2017

By Nancy Rand, Posted in Security

January 12, SecurityWeek – (International) GoDaddy revokes nearly 9,000 SSL certificates. GoDaddy revoked nearly 9,000 Secure Sockets Layer (SSL) certificates after discovering that a software bug, which was introduced in July 2016 as part of a routine code change intended to improve the certificate issuance process, can cause the domain validation process to be unreliable. GoDaddy provides the customer a random code and directs the customer to place it in a specific location on their Website in order... read more.

• January 17, 2017

By Nancy Rand, Posted in Security

January 12, SecurityWeek – (International) Eight vulnerabilities patched in WordPress. WordPress version 4.7.1 was released, resolving a total of 8 security flaws and 62 bugs including 2 cross-site request forgery (CSRF) flaws, several cross-site scripting (XSS) vulnerabilities, and a weak crypto issue related to multisite activation keys. Source January 12, SecurityWeek – (International) Four high severity DoS flaws patched in BIND. The Internet Systems Consortium (ICS) released BIND versions... read more.

• January 13, 2017

By Nancy Rand, Posted in Security

January 10, SecurityWeek – (International) Microsoft patches flaws in Windows, Office, Edge. Microsoft released a total of four security bulletins, including a critical bulletin that resolves a memory corruption flaw in Office that can be exploited by convincing a targeted user to open a maliciously crafted file or to visit a Website hosting a malicious file due to the way the software handles objects in memory. Microsoft also released bulletins patching a privilege escalation flaw in Edge, a denial-o... read more.

• January 12, 2017

By Nancy Rand, Posted in Security

January 6, SecurityWeek – (International) New “Ghost Host” technique boosts botnet resiliency. Cyren security researchers reported that malware developers have started leveraging a new technique, dubbed ghost host, which fools Web security and Uniform Resource Locator (URL) filtering systems by inserting non-malicious host names that are both registered and unregistered into the Hypertext Transfer Protocol (HTTP) host fields of a botnet’s communications, in order to guarantee communi... read more.

• January 10, 2017

By Nancy Rand, Posted in Security

January 5, SecurityWeek – (International) KillDisk malware targets Linux machines. ESET security researchers reported that the KillDisk malware recently observed adding encryption capabilities and behaving like ransomware is now targeting Linux systems, including workstations and servers. The Linux variant of the malware overwrites the bootloader entries and displays the ransom text within the GRUB bootloader. Source January 5, SecurityWeek – (International) “MM Core” APT malware no... read more.

• January 09, 2017

By Nancy Rand, Posted in Security

January 5, SecurityWeek – (International) FireCrypt ransomware packs DDoS code. The MalwareHunterTeam discovered that the FireCrypt ransomware is able to encrypt victims’ files, as well as launch a distributed denial-of-service (DDoS) attack against a Uniform Resource Locator (URL) hardcoded in the source code. The researchers found the URL FireCrypt targets cannot be modified using the ransomware’s builder, and reported that in order for the malware’s DDoS attack to cause significan... read more.

• January 06, 2017

By Nancy Rand, Posted in Security

January 4, SecurityWeek – (International) Pseudo-Darkleech remains prominent distributor of ransomware. Palo Alto Networks security researchers reported that the pseudo-Darkleech campaign is expected to remain a prominent ransomware distributor in 2017 after finding the campaign’s operators were able to quickly adapt to major exploit kit (EK) and ransomware landscape changes during 2016 to maintain the high level of attacks and to ensure the campaign remained relevant. The researchers found, how... read more.

• January 06, 2017

By Ken Phelan, Posted in Infrastructure, Security, Virtualization

2016 was a tough year for celebrities and not an altogether great year for IT. I’m going to break from my normal annual predictions format and cover two things as we start 2017. I’m going to talk about lessons we need to learn from 2016 and things we should look forward to in 2017. 2016’s Tough Love Weak IT = Weak Cyber. For a number of years, IT budgets have been shrinking on the whole while cyber budgets increase. This is not working. Cyber is too dependent on solid IT operations to be... read more.

• January 05, 2017