
Zero-day Flash vulnerability delivered by Angler

Posted by Kevin on January 22, 2015

The Angler exploit kit has, according to Cisco’s latest report, replaced Blackhole as the kit of choice for the bad guys: Cisco Security Research attributes Angler’s popularity to the decision by its author(s) to eliminate the requirement of downloading a Windows executable to deliver malware. Angler’s use of Flash, Java, Microsoft Internet Explorer (IE), and […]

A serious unfixed flaw in Facebook – maybe

Posted by Kevin on November 13, 2014

Vivek Bansal wrote to me: "I have something fantastic to share with you all which can give your readers an interesting read! This story is to bring your attention to a very serious security breach from Facebook and their casual attitude towards it." Some 11 months ago Bansal responsibly reported a Facebook flaw. Facebook […]

ITsecurity Daily News: 09/22/2014

Posted by Kevin on September 22, 2014

The ITsecurity daily security briefing: Monday, September 22, 2014. If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com. News Papers/Reports WebThings Events M&A Alerts News Yahoo SQL Injection to Remote Code Execution to Root Privilege […]

New vulnerability in WordPress security plugin

Posted by Kevin on September 4, 2014

ThreatPost, the Kaspersky Lab security news service, reported yesterday: "A smattering of bugs, mostly cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities, have been plaguing at least eight different WordPress plugins as of late." Well, it just got worse. High-Tech Bridge, operator of the ImmuniWeb online web pentesting service, has discovered a SQLi flaw […]

HTB finds SQLi flaws – CyberVor uses them

Posted by Kevin on August 7, 2014

News that Russian cybercriminals had amassed a database of 1.2 billion unique access credentials broke on August 5 when Hold Security published a report titled You Have Been Hacked. The report explained the method used by the gang, dubbed by Hold as CyberVor (‘vor’ means ‘thief’ in Russian), to employ botnets to find SQL vulnerabilities: […]

A new exploit for TimThumb – widely used in WordPress

Posted by Kevin on June 26, 2014

Last week there was a serious flaw found in the code behind TimThumb, an image re-sizing library commonly used in premium themes. Because the code is commonly embedded in themes it’s not easy to discretely update like it would be if the code were a plugin, and even when a theme is updated people are […]

Of irony and petards

Posted by Kevin on June 18, 2014

Says it all without comment – but I must make one: I think 122 hours to find an unknown vulnerability is pretty good going.

JavaScript: New Privacy/Security Threat

Posted by Alexander Hanff on June 13, 2014

Recently, a developer I know reasonably well contacted me to show me a new JavaScript library he had written which exposes information on all network adapters and connections on a PC. This code was able to detect -all- network adapters along with the IP addresses assigned to them including virtual adapters. This means that […]

Dropbox waits almost six months to fix a flaw that probably took less than a day

Posted by Kevin on May 7, 2014

Graham Cluley is a much respected security expert – but we don’t always agree. Full disclosure – the early public disclosure of a vulnerability whether or not the vendor has a fix available – is an example. I believe that vendors should be notified when a flaw is discovered, and then given 7 days to […]