Articles about web security


Slack quick to whack account hijack crack

Slack quickly squashed a potential account hijack bug hours after it was reported. Frans Rosén, a security researcher at Detectify, discovered a vulnerability in Slack that created a means for a malicious website to steal a user's Slack token, potentially seizing control of their account in the process. Slack fixed the bug in …
John Leyden, 3 Mar 2017

Tricksy bugs in Zscaler admin portal let you ruin a coworker's day

Cloud management software peddler Zscaler has plugged cross-site scripting holes in the admin portal it provides to customers. People logged into the website could have exploited the bugs to inject malicious HTML and JavaScript into the browsers of other users of the site, allowing them to take over their accounts and perform …
John Leyden, 1 Mar 2017

Rasputin whips out large intimidating tool, penetrates uni, city, govt databases – new claim

A Russian-speaking miscreant dubbed "Rasputin," who potentially hacked into the US Election Assistance Commission and sold access to its systems, has struck again, it is claimed. Rasputin has allegedly infiltrated database servers within 60 organizations, US government agencies, and international universities. These victims …
John Leyden, 15 Feb 2017

Battle of the botnets: My zombie horde's bigger than yours

DDoS attacks more than doubled in the last quarter of 2016 compared to the same period the year before. Although the infamous Mirai IoT botnets accounted for many of the most severe attacks, the biggest single assault came from a different zombie network, according to a new study by Akamai out Tuesday. Attacks greater than …
John Leyden, 14 Feb 2017

PayAsUGym breach exposes passwords

Fitness website PayAsUGym has been breached in a hack that may have exposed up to 400K emails and passwords. In a breach notice to users, the firm admitted one of its servers was hacked after “underground researchers” posted screenshots purporting to show PayAsUGym’s hacked database via Twitter. The 1x0123 hacker crew later …
John Leyden, 19 Dec 2016

US voting machine certification agency probes potential hack

The US agency charged with ensuring that voting machines meet security standards may have been compromised, according to evidence uncovered by cyber security firm Recorded Future. In a statement, the EAC confirmed it was investigating a potential breach. EAC has become aware of a potential intrusion into an EAC web-facing …
John Leyden, 16 Dec 2016

Web security still outstandingly mediocre, experts report

Black Hat EU Cross-site scripting (XSS) vulnerabilities continue to dominate the list of most common vulnerabilities found in real-world tests. In more than a third (37 per cent) of cases, a website vulnerable to XSS is also vulnerable to a more critical flaw such as SQL injection or improper access control, according to web security …
John Leyden, 7 Nov 2016

DDoSers do it more now, but they do it less fiercely*

The number of distributed denial of service attacks has doubled over the last 12 months. Akamai reports that Q2 saw a 129 per cent year-on-year increase in total DDoS attacks. During the second quarter, Akamai mitigated a total of 4,919 attacks, one of which (against a media company) reached an eye-watering 363 Gbps. Although …
John Leyden, 15 Sep 2016

DDoS protection biz Incapsula knackers its customers' websites

Glitches at distributed denial-of-service mitigation biz Incapsula left the websites it defends offline twice on Thursday. Incapsula blamed "connectivity issues" for the global PITSTOP, aka the worldwide degradation of its services. "A rare case triggered an issue on the Incapsula service and caused two system-wide errors at …
John Leyden, 10 Mar 2016

90% of SSL VPNs are ‘hopelessly insecure’, say researchers

Nine in 10 SSL VPNs use insecure or outdated encryption, putting corporate data at risk in the process, according to new research. High-Tech Bridge (HTB) conducted large-scale Internet research on live and publicly-accessible SSL VPN servers. The firm passively scanned 10,436 randomly selected publicly available SSL VPN …
John Leyden, 26 Feb 2016

Google punts freebie DDoS shield to hacks, human rights worthies

Google has launched a free service to protect news websites against DDoS attacks. Project Shield will also be offered to human rights and election monitoring websites as a way of fending off increasingly commonplace site-swamping DDoS assaults. Google is offering to "reverse proxy" qualifying websites' traffic through Google's …
John Leyden, 25 Feb 2016

Bacs corporate website still runs obsolete crypto

UK banking organisation Bacs is running a cryptographically obsolete website despite telling everyone else to upgrade before a June deadline. Earlier this week Bacs reminded UK businesses to update their systems and adopt SHA-2 before mid-June in order to avoid losing access to vital payment and money transfer services. …
John Leyden, 19 Feb 2016

Disney World-area University admits massive data breach

The University of Central Florida (UCF) has admitted that hackers who broke into its systems may have snaffled the personal details of more than 60,000 staff and students. The breach, discovered in early January but only made public on Thursday, exposed the social security numbers and other private information of 63,000 …
John Leyden, 5 Feb 2016

Commuters slam UK rail operator c2c. You slow, late, er... privacy violator

Commuters in the south east of England, already angry about recent timetable changes and delays, have been further incensed by basic security blunders by rail operator c2c as it tried to placate passenger disquiet with a new compensation form on its website. The company, which operates rail service between London Fenchurch …
John Leyden, 25 Jan 2016

Bad luck, Ireland: DDoS attack disrupts isle's National Lottery

A DDoS attack disrupted the Irish National Lottery’s website and ticket machines on Wednesday (January 20). The draw took place as normal despite two hours of disruption beforehand. "Indications are that this morning's technical issues were as a result of a DDoS attack affecting our communications networks," a statement from …
John Leyden, 21 Jan 2016

It's 2016 and idiots still use '123456' as their password

Put your head in your hands, sysadmins: the usual weak suspects continue to make up the top 25 most used passwords. The ubiquitous "123456" remains the most popular password among web users, followed by "password" in a list of user credentials leaked online last year. "Qwerty" appears in fourth place of the list of …
John Leyden, 20 Jan 2016

Shop online at Asda? Website vuln created account hijack risk

Updated Retailer Asda dragged its heels for nearly two years before finally this week tackling a set of security vulnerabilities reported to it by a UK consultant. Asda has acknowledged the flaws - which Paul Moore, who discovered them, argues offer up an account hijack risk - but played down their significance. Moore told El Reg …
John Leyden, 19 Jan 2016

Distil gets into a Scrape to boost bot defences

Distil Networks has bought managed security services provider ScrapeSentry in order to step up its fight against bots and ad fraud. Financial terms of the deal, announced on Wednesday, were undisclosed. Bots are routinely used by hackers and fraudsters alike in all manner of malfeasance including but not limited to competitive …
John Leyden, 13 Jan 2016


Biting the hand that feeds IT © 1998–2017