Articles In Security

By Nancy Rand, Posted in Security

January 21, Softpedia – (International) Threat group uses dating sites to build a botnet of vulnerable home routers. Damballa security researchers reported that a Linux ELF binary, a variant of TheMoon worm, was targeting Home Network Administration Protocol (HNAP) by using adult dating websites to infect home routers and prevents consumers from using their routers’ inbound ports via a malicious iframe embedded on the malicious web pages. Researchers reported the worm is spread by opening outbound ports on... read more.

• January 22, 2016

By Nancy Rand, Posted in Security

January 20, Softpedia – (International) Apple releases 28 security fixes for iOS, OS X and Safari. Apple released 28 security patches for its iOS and Mac OS X operating systems (OS) and its Safari web browser through updated versions of OS X El Capitan 10.11.13, Safari 9.0.3, and OS X kernel that addressed critical vulnerabilities and allowed attackers to execute arbitrary code in the operating system’s kernel and execute arbitrary code on the underlying operating system to trick a victim into accessing a m... read more.

• January 21, 2016

By Nancy Rand, Posted in Security

January 19, Softpedia – (International) Yahoo fixes bug that could compromise email accounts when opening an email. Yahoo! patched a cross-site scripting (XSS) vulnerability that affected its mail’s Web Interface after a researcher from Finish found that the flaw allowed attackers to fully compromise email accounts by crafting an email with a malicious code in the message’s body and sending the malicious email to a target. The vulnerability can be executed each time a user opens an email. Source January... read more.

• January 20, 2016

By Nancy Rand, Posted in Security

January 15, Help Net Security – (International) Flaw allows malicious OpenSSH servers to steal users’ private SSH keys. Researchers from Qualys reported that two vulnerabilities including an Information Disclosure flaw were found in the OpenSSH implementation of the secure shell (SSH) protocol that can allow an attacker to pose as an owner of the SSH keys and extract users’ private cryptographic keys through the default client code that can be tricked into leaking client memory to the server. Source Janu... read more.

• January 19, 2016

By Nancy Rand, Posted in Security

January 14, SecurityWeek – (International) Cisco patches serious flaw in networking, security products. Cisco released software updates that addressed multiple critical vulnerabilities in several of its networking and security products including an unauthorized access issue that affects Cisco standalone and modular controllers running Wireless LAN Controller (LAN) software that allowed attackers to modify the device’s configuration and compromise the device. Source January 13, Softpedia – (International)... read more.

• January 15, 2016

By Nancy Rand, Posted in Security

January 13, Softpedia – (International) Three XSS bugs found on Mozilla’s add-ons and support portals. Mozilla released one patch for its Add-ons portal addressing a cross-site scripting (XSS) flaw that was exploited via the “Create new collection” feature, allowing attackers to add malicious code to the collection’s name field. The company reported they are also working to release patches for two other XSS flaws in its Add-ons portal and in its Support Center. Source January 13, Help Net Security – (Int... read more.

• January 14, 2016

By Nancy Rand, Posted in Security

January 12, IDG News Service – (International) Mozilla Persona login system to shut down in November. Mozilla reported that its login system, Persona (persona.org) and related domains will be shut down November 30 due to limited resources and low customer usage within the last two years. The company will continue to maintain the system including providing security fixes and support, but will not introduce new features or produce major enhancements. Source January 12, SecurityWeek – (International) Google... read more.

• January 13, 2016

By Nancy Rand, Posted in Security

January 11, Softpedia – (International) CSRF bug in Verizon’s API left My FiOS accounts open to attacks. Verizon released patches for a cross-site request forgery flaw and a proof-of-concept (PoC) vulnerability in its My FiOS application program interface (API) after an independent security researcher discovered that attackers can access users’ accounts via malicious web pages distributed through email campaigns. Once users open the malicious pages, a password reset command can be triggered. Source Janua... read more.

• January 12, 2016

By Nancy Rand, Posted in Security

January 7, SecurityWeek – (International) Unpatched Drupal flaws expose sites to attacks. A researcher from IOActive reported that there were several vulnerabilities in the update process for the Drupal content management system (CMS) versions 6 and 7 series including a cross-site request forgery (CSRF) vulnerability that can be exploited to force website administrators to check for updates, which can enable hackers to deliver server-side request forgery (SSRF) attacks against drupal.org. Additional issues... read more.

• January 08, 2016

By Nancy Rand, Posted in Security

January 6, SecurityWeek – (International) Linode resets user passwords after breach. Linode reported that it reset customers’ Linode Manager passwords after the company discovered that a massive distributed denial-of-service (DDoS) attack was launched on its website, data centers, and Domain Name System (DNS) infrastructure, in addition to multiple volumetric attacks that targeted its authoritative nameservers and public websites, which may have compromised user credentials from the company’s database. The... read more.

• January 07, 2016