Articles In Security

By Nancy Rand, Posted in Security

March 10, Softpedia – (International) Exploit code published for Elasticsearch remote code execution flaw. Security researchers at Xiphos Research created an exploit for a glitch in Elasticsearch versions earlier than 1.3.8 and 1.4.3 that allows server-side code execution by passing Groovy code in a search query and executing it in the sandbox. The glitch was patched in updates released February 11. Source March 10, Threatpost – (International) Yahoo patches critical eCommerce, small business vulnerabili... read more.

  • March 11, 2015

By Nancy Rand, Posted in Security

March 9, Securityweek – (International) Email spoofing flaw found in Google Admin console. Security researchers identified a security flaw in the Google Apps Admin console that could have been exploited to gain temporary ownership of any previously unclaimed domain and used to send malicious emails that would not be flagged as suspicious because they came from trusted servers. Google has addressed the vulnerability. Source March 7, Softpedia – (International) Two arrested in the largest data breach in th... read more.

  • March 11, 2015

By Nancy Rand, Posted in Security

March 4, Softpedia – (International) Strong SSL/TLS ciphers downgraded to use weak crypto key in FREAK attack. A security researcher at INRIA and the Microsoft Research Team identified a serious vulnerability in the implementation of secure sockets layer (SSL) and transport layer security (TLS) protocols on Apple and Android devices that can be abused through man-in-the-middle (MitM) attacks that capitalize on abandoned policies to force the use of weak RSA keys, potentially leaving a wide range of governme... read more.

  • March 05, 2015

By Nancy Rand, Posted in Security

March 3, Help Net Security – (International) Phishers target victims of iOS device theft. Security researchers at Malwarebytes discovered an elaborate phishing campaign that targets victims of iOS device theft by using spoofed messages and a fake iCloud log-in Web page, which is available in 10 different languages, to steal users’ log-in credentials, enabling the thieves to unlock the stolen devices. Source March 3, Securityweek – (International) Lossy image compression can hide malicious code in PDF fil... read more.

  • March 05, 2015

By Nancy Rand, Posted in Security

March 2, Help Net Security – (International) 0-day flaw in Seagate NAS devices endangers thousands. A security researcher discovered that certain firmware versions of Seagate Business Storage 2-Bay NAS devices are susceptible to an easily-exploitable zero-day remote code execution vulnerability because their Web-enabled application management stack runs outdated versions of PHP (Hypertext Preprocessor), CodeIgniter, and Lighttpd that contain known security issues. The company is reportedly working on the issue.... read more.

  • March 03, 2015

By Nancy Rand, Posted in Security

February 27, Softpedia – (International) Apps bypass Google Play verification and spew tempest of ads. Bitdefender security researchers discovered 10 apps hosted in Google Play that use social engineering to trick users into installing ad-spewing software and relied on deceptive tactics to ensure persistence on users’ devices. None of the apps linked to Web sites hosting malware, allowing the apps to bypass Google Play quality controls. Source February 27, Securityweek – (International) Critical vulnerab... read more.

  • March 02, 2015

By Nancy Rand, Posted in Security

February 25, Securityweek – (International) Mozilla fixes 17 vulnerabilities in Firefox 36. Mozilla released version 36 of its Firefox browser closing 17 vulnerabilities and flaws, including 4 rated as critical. Source February 25, Help Net Security – (International) New DDoS attack and tools use Google Maps plugin as proxy. PLXsert security researchers discovered that attackers are exploiting a known vulnerability in Joomla’s Google Maps plugin by spoofing the sources of requests, causing results to be... read more.

  • February 26, 2015

By Nancy Rand, Posted in Security

February 23, SC Magazine – (International) Older vulnerabilities a top enabler of breaches, according to report. Hewlett Packard security researchers reported that 44 percent of known breaches happened as a result of server misconfigurations and vulnerabilities discovered years ago. The report cites 33 percent of identified exploit samples from Microsoft Windows, 11 percent from Adobe Reader and Acrobat, 6 bugs in Oracle Java, and 2 flaws in Microsoft Office. Source February 23, Securityweek – (Int... read more.

  • February 25, 2015

By Ken Phelan, Posted in Security

I was out to dinner with my parents the other night and my mother started getting on my case. You know, the way mothers do. “Kenneth.” Yes, I’m a grown man and my mother still calls me Kenneth when she’s angry with me. “I’ve been reading the paper and there are all these security problems all the time. Aren’t you supposed to be fixing this? There must be something you can do to stop it. It seems like quite a problem.” Mothers. How is it that they can bundle up a wonderful compliment (I’m capable... read more.

  • February 25, 2015

By Nancy Rand, Posted in Security

February 23, The Register – (International) Cisco IPv6 processing bug can cause DoS attacks. Cisco announced that its NCS 6000 and Carrier Routing System (CRS-X) contain an IPv6 software bug that attackers could repeatedly exploit by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card to cause an extended denial of service (DoS) condition. Source February 23, Securityweek – (International) Superfish SSL interception library found in several appli... read more.

  • February 24, 2015