By: Independent Computer Security Analyst

@gcluley

Popular WordPress plugins found vulnerable to XSS attacks

April 21st, 2015

As I’ve explained before on the Optimal Security blog, cross-site scripting (XSS) flaws are a big problem on the net. Vulnerable websites can be exploited via XSS to steal user accounts, change settings or phish passwords from unsuspecting users. In fact, XSS flaws are one of the most commonly encountered security flaws found on websites. […]



By:

Hijacking Websites for Hacktivism (part 2)

April 20th, 2015

In the first post of this series I outlined my plan for the upcoming U.S. election. I’ll find unvarnished information about the candidates from sources like public records, create a website to display that information, and then re-route web traffic from the candidates’ own URLs to my website. So far we’ve covered setting up the […]



By: Independent Computer Security Analyst

@gcluley

Minecraft learns the hard way: It’s not good to ignore vulnerability reports

April 17th, 2015

If a security researcher finds a vulnerability in your software, please don’t ignore them. Instead, be grateful that someone who has found a flaw in your product has chosen to let you know about it, rather than selling it (for probably more cash than you’ll offer them as a bug bounty) to some nefarious ne’er-do-well […]



By:

Hijacking Websites for Hacktivism (part 1)

April 13th, 2015

I mentioned in my last post about hacktivism that I had some future plans based on upcoming events. I’m confident enough in my plan that I’m going to share it here with you, of course leaving out a few specific details. If you want to avoid being the victim of a plan like this, then […]



By: Independent Computer Security Analyst

@gcluley

Hackers break into Linux Australia server, plant malware, steal personal information

April 7th, 2015

Linux Australia has warned its members and conference attendees that their personal information may have fallen into the hands of online criminals, following a breach of the organisation’s servers. In a mailing list posting, Linux Australia’s Joshua Hesketh confirmed that a malicious hacker attacked the site between 04:00 and 06:00 local time on 22 March […]



By:

Have You Thought About Hacktivism?

April 6th, 2015

I know you are focused on stopping cyber crime, but have you thought about hacktivism at all? It may very well affect your organization in the future – if it hasn’t already. Who Are Hacktivist Targets? A surprising variety of organization types are victims of hacktivism. You might think that your organization is immune, or […]



By: Independent Computer Security Analyst

@gcluley

XSS flaws expose weaknesses on Amazon and UK newspaper websites

March 31st, 2015

Cross-site scripting (XSS) flaws are amongst the most commonly encountered security flaws found on websites, opening up opportunities for malicious hackers to hijack customer accounts, change users’ settings and phish login credentials. Unfortunately, it only requires a single web developer to make a mistake to open up opportunities which online criminals can exploit to launch […]



By:

Will Bar Mitzvah Be The Death Knell for RC4 Crypto?

March 30th, 2015

RC4 is an encryption algorithm designed by RSA in 1987. It was attractive then because it could be implemented in a few lines of code, and wasn’t computationally intensive. PCs were 8088 or MC68000 based at the time, and 64K was enough RAM, remember? Even today RC4 has advantages. It runs fast on small devices, […]



By: Independent Computer Security Analyst

@gcluley

Android users exposed to malware by installer hijacking vulnerability

March 27th, 2015

Security researchers have warned about a widespread vulnerability in Android devices, that could see attackers sneakily modify or entirely replace seemingly benign apps with malware, without users becoming aware. In other words, a user might attempt to install a legitimate version of “Angry Birds” but instead end up with a Flashlight app that’s harbouring malware. […]



By:

To Patch or Not To Patch, Which is Riskier?

March 16th, 2015

Patching systems in an enterprise is a complex and risky activity. It’s extremely time-consuming if you do it right. It’s even more time consuming if you don’t do it right. And in either case, there is fallout to deal with after patching. The patches don’t get applied to some systems, some systems stop working after […]


By: Sr. Director Solutions and Strategy

@donleatham

Open Source Security – A Change In the Wind?

March 12th, 2015

As we approach the April anniversary of the Heartbleed security defect (CVE-2014-0160), it’s an understatement to say the last year has been rough sledding for OpenSSL. Since OpenSSL is a critical building block for the tools used to initiate and manage most secured transactions on the internet (e.g. SSL and TLS), there’s a lot riding […]


By: Independent Computer Security Analyst

@gcluley

Government report and US senator criticise Air Traffic Control network security

March 10th, 2015

New York Senator Charles Schumer held a press conference this weekend, demanding “immediate action” to improve the security of the Federal Aviation Administration’s computer systems. His concern? That terrorists could break into national air traffic control systems run by the FAA, and use them to wreak havoc in the skies above America. The Democratic senator […]


By:

You’re Still Using Clear Text Passwords!?

March 9th, 2015

This week I was doing some poking around in the hacking forums. Someone recently posted a huge password list. These get circulated around from time to time. It’s a long list of words and character sequences people commonly use for passwords. The intent is that you feed the list to a tool like John the […]


By:

Does Open Source Mean Open Season?

March 2nd, 2015

There has long been a debate over whether open source software is generally more secure or less secure than commercial software. Proponents of open source say it’s more secure because more people are looking at the code, increasing the chances that problems will be seen, documented, and corrected. Proponents of commercial software claim that vendors […]


By: Independent Computer Security Analyst

@gcluley

What’s worse than Superfish? Meet PrivDog, leaving users wide open to attacks

February 24th, 2015

Last week, a storm erupted on the net after it became widely known that Superfish – software that was being pre-installed on Lenovo PCs – could compromise users’ security and privacy. The problem with Superfish was not just that it injected money-making ads into websites, but that it used a self-signed root certificate to intercept […]




blog.lumension.com