POODLE More Potent, Now Affects TLS
Patches to fix the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability in SSL first discussed in October have been gradually put in place since its discovery. We’ve recently uncovered that some transport layer security (TLS) implementations may be vulnerable to a variant of the same POODLE attack. This means that secure connections protected via TLS can, in certain conditions, be vulnerable to man-in-the-middle […] more…POODLE Vulnerability Puts Online Transactions At Risk
Earlier today, Google researchers Bodo Möller, Thai Duong, and Krzysztof Kotowicz released a paper discussing a serious bug in SSL 3.0 that allows attackers to conduct man-in-the-middle attacks and decrypt the traffic between Web servers and end users. For example, if you’re shopping online with your credit card, you may think that your information is secure […] more…DDoS Attacks in Q3 2018
News Overview The third quarter 2018 turned out relatively quiet in terms of DDoS attacks. “Relatively” because there were not very many high-level multi-day DDoS onslaughts on major resources. However, the capacities employed by cybercriminals keep growing year after year, while the total number of attacks shows no signs of decline. The early July attack […] more…Identifying Top Vulnerabilities in Networks: Old Vulnerabilities, IoT Botnets, Wireless Connection Exploits
by Tony Yang, Adam Huang, and Louis Tsai We have noted time and again how compromising networks and connected devices is rooted in finding weak points in the system. Often, these are in the form of vulnerabilities. Worse, vulnerabilities that aren’t even new. In the context of the internet of things (IoT) and noteworthy security […] more…a-PATCH-e: Struts Vulnerabilities Run Rampant
by Steve Povolny Equifax confirmed the attack vector used in its data breach to be CVE-2017-5638, a vulnerability patched last March 2017 via S2-045. The vulnerability was exploited to gain unauthorized access to highly sensitive data of approximately 143 million U.S. and 400,000 U.K. customers, as well as 100,000 Canadian consumers. This vulnerability was first disclosed […] more…SLOTH Downgrades TLS 1.2 Encrypted Channels
Early last month a new vulnerability was found in how TLS 1.2 was implemented. Researchers from the French Institute for Research in Computer Science and Automation (INRIA) called this new attack SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes). An attacker with man-in-the-middle capabilities could use SLOTH to attack encrypted traffic in the following ways: decrypt […] more…One Year After Shellshock, Are Your Servers and Devices Safer?
Security researchers were the first to respond during the Shellshock attacks of 2014. After news of the fatal flaw in the prevalent Bash (Bourne Again Shell)— found in most versions of the Unix and Linux operating systems as well as in Mac OSX —was released, researchers started looking into how it can be used against affected web […] more…Not So Spooky: Linux “Ghost” Vulnerability
Researchers at Qualys have found a vulnerability in the GNU C Library (alternately known as glibc), which can be used to run arbitrary code on systems running various Linux operating systems. The vulnerability (assigned as CVE-2015-0235) has been dubbed GHOST and is the latest vulnerability to receive a “friendly” name, joining others like Heartbleed, Shellshock, […] more…Remembering the Vulnerabilities of 2014
With the New Year celebrations safely behind us, it’s time to look forward and plan for 2015. Before we can do that, however, we need to spend a few minutes to remember the vulnerabilities of 2014 and what we can take away from these. Every year there are several zero-days and tons of undisclosed vulnerabilities fixed […] more…Learning From 2014: Security Resolutions for 2015
I do not exaggerate when I say that it is only a matter of time before your company has to deal with a targeted attack, if it has not yet. In 2014, we saw many victims grapple with an invisible enemy. A very big and recent example of this is the Sony attack which caused a […] more…New Year Resolutions for IT Admins this 2015
I do not exaggerate when I say that it is only a matter of time before your company has to deal with a targeted attack, if it has not yet. In 2014, we saw many victims grapple with an invisible enemy. A very big and recent example of this is the Sony attack which caused a […] more…More information
- Thousands of Android apps bypass Advertising ID to track users
- Microsoft Windows CVE-2016-0098 Remote Code Execution Vulnerability
- FIN7 Hackers Use LNK Embedded Objects in Fileless Attacks
- Are Samsung phones and tablets really running Chinese spyware?
- Resolved: Group E-mails within UCS
- This is (apparently) how the iPhone 7 looks, according to Spigen
- Australia Flags Tough New Data Protection Laws This Year
- Zoom Events gets a virtual green room
- Multiple Trend Micro Products CVE-2019-18190 Arbitrary Code Execution Vulnerability
- iTerm2 CVE-2019-9535 Remote Command Execution Vulnerability