News, Analysis and Opinion for Web server threats and application attacks

January 13, 2020 13 Jan'20

Signal Sciences: Enterprises still overlooking web app security

Signal Sciences co-founder and CEO Andrew Peterson explains why web application security often gets shortchanged and what his next-gen WAF company is doing to change that.

September 24, 2019 24 Sep'19

Cloudflare battles malicious bots with 'fight mode'

Cloudflare takes its first steps in keeping malicious bots from attacking customers by using complex challenges to waste a bot's CPU resources in an attempt to disincentivize more bots.

May 29, 2019 29 May'19

Hackers scan for MySQL ransomware targets

A security researcher found that malicious actors have been scanning database servers for MySQL ransomware targets running on Windows, but mitigation should be relatively easy.

April 19, 2019 19 Apr'19

DNS hijacking campaign targets national security organizations

A DNS hijacking campaign targeting national security organizations and critical infrastructure may be part of a new trend, according to the researchers behind recent attacks.

April 16, 2019 16 Apr'19

Microsoft disputes Outlook data breach report

Microsoft warned Outlook users who may have had data compromised in an attack using customer support login credentials to access account information over the course of months.

April 04, 2019 04 Apr'19

Pipdig WordPress plugin accused of DDoS attacks and backdoors

Pipdig, a blog theme and plugin company, was accused of using obfuscated code to gain backdoor access to customer blogs and launch low-scale DDoS attacks on rivals.

April 03, 2019 03 Apr'19

Proof-of-concept Magento exploit used in attacks

Experts are urging users to patch after a proof-of-concept Magento exploit was picked up by malicious actors and used in attempted attacks on e-commerce websites.

March 01, 2019 01 Mar'19

Coinhive shutdown imminent after troubled cryptomining past

The Coinhive cryptominer is scheduled to be shut down following a troubled history and experts don't think the company gave the full story as to why the shutdown is happening.

February 27, 2019 27 Feb'19

MarioNet attack exploits HTML5 to create botnets

Researchers created a new browser-based attack, called MarioNet, that exploits an HTML5 API and can create botnets even after a browser tab is closed or a target navigates away.

February 13, 2019 13 Feb'19

Dunkin' security alert warns of new credential-stuffing attacks

Dunkin' sent a security alert to customers warning of potentially malicious access of accounts due to the second credential stuffing attack in less than three months.

January 29, 2019 29 Jan'19

Dailymotion credential stuffing attacks lasted more than 6 days

Video-sharing website Dailymotion reset passwords for an unknown number of users following 'large-scale' credential stuffing attacks that lasted for more than six days before being stopped.

January 25, 2019 25 Jan'19

DNS hijack attacks lead to government directive from DHS

Following a string of DNS hijack attacks around the globe, the Department of Homeland Security has directed federal agencies to harden defenses against DNS tampering.

January 11, 2019 11 Jan'19

Iran implicated in DNS hijacking campaign around the world

FireEye researchers investigating a DNS hijacking campaign against governments and telecom companies said those who are potential targets of Iran should take precautions.

January 10, 2019 10 Jan'19

UnCAPTCHA attack updated to bypass spoken phrases

Researchers updated their unCAPTCHA proof of concept to be more efficient in bypassing audio CAPTCHAs and be able to handle spoken phrases and not just strings of numbers.

December 20, 2018 20 Dec'18

Twitter bugs expose user data and direct messages

Two Twitter bugs led to questions about the platform's user privacy and security, while the company said one of the bugs opened the door to possible state-sponsored attacks.

December 11, 2018 11 Dec'18

Second Google+ data exposure leads to earlier service shutdown

Another Google Plus data exposure -- this time potentially affecting more than 52 million users -- will cause the service to be shut down four months earlier than scheduled.

November 27, 2018 27 Nov'18

USPS website flaw exposed data for one year

The U.S. Postal Service inadvertently exposed the data of 60 million users and has only just fixed the underlying website flaw, despite being notified of the issue one year ago.

November 16, 2018 16 Nov'18

Google BGP route leak was accidental, not hijacking

Despite early speculation, experts concluded the BGP route leak that sent Google traffic through China and Russia was due to an accidental misconfiguration and not malicious activity.

November 05, 2018 05 Nov'18

As PHP v5 nears its end, enterprises face serious threats

The majority of websites still use the outdated PHP v5, according to recent data, causing concern over the fact that it will stop receiving security support at the end of the year.

October 23, 2018 23 Oct'18

Healthcare.gov breach exposes data on 75,000 people

Malicious actors attacked a back-end insurance system and the resulting Healthcare.gov breach exposed an unknown amount of data on 75,000 people.

October 10, 2018 10 Oct'18

Google security audit begets product changes, German probe

A Google security audit uncovered a glitch in Google Plus that exposed data from nearly 500,000 accounts, causing the company to shutter the social network and spur a German data protection probe.

September 27, 2018 27 Sep'18

Congressional websites need to work on TLS

Congressional websites may not always have the best security, according to Joshua Franklin. Although, senators may be better at website security than House representatives.

September 27, 2018 27 Sep'18

Election website security a mess for states and candidates alike

Joshua Franklin has been researching election website security for congressional candidates, and he found a lot of misconfigurations on official pages and other sites meant to confuse voters.

September 07, 2018 07 Sep'18

Misconfigured Tor sites leave public IP addresses exposed

The anonymity of Tor is once again under scrutiny, as a researcher finds misconfigured Tor sites can expose the public IP address connected to a dark web site.

August 10, 2018 10 Aug'18

Web cache poisoning attacks demonstrated on major websites, platforms

PortSwigger's James Kettle doesn't believe web cache poisoning is theoretical and to prove it, he demonstrated several attacks on major websites and platforms at Black Hat 2018.

August 06, 2018 06 Aug'18

BGP hijacking attacks target payment systems

Researchers discovered a wave of BGP hijacking attacks aimed at DNS servers related to payment-processing systems in an apparent effort to steal money from unsuspecting users.

July 13, 2018 13 Jul'18

Ticketmaster breach part of worldwide card-skimming campaign

News roundup: The Ticketmaster breach was part of a massive digital credit card-skimming campaign. Plus, the U.K. fined Facebook over the Cambridge Analytica scandal, and more.

April 30, 2018 30 Apr'18

Attackers seek Oracle WebLogic vulnerability after faulty patch

The combination of a broken Oracle WebLogic vulnerability and available proof-of-concept exploit code has led threat actors to search for any servers that are at risk.

December 13, 2017 13 Dec'17

Return of Bleichenbacher: ROBOT attack means trouble for TLS

A team of security researchers discovered many vendors' TLS implementations are vulnerable to the Bleichenbacher oracle attack, which was first discovered 19 years ago.

October 31, 2017 31 Oct'17

Google Buganizer flaw reveals unpatched vulnerability details

A security researcher earned more than $15,000 by finding three flaws in the Google Issue Tracker, aka Buganizer, which revealed details on unpatched vulnerabilities.

October 05, 2017 05 Oct'17

Yahoo data breach found to affect all 3 billion users

Newly uncovered information indicated that all 3 billion users were affected by the 2013 Yahoo data breach, but Oath claimed passwords and credit card info was safe.

September 15, 2017 15 Sep'17

Apache Struts vulnerability blamed for Equifax data breach

Equifax has confirmed an unpatched critical Apache Struts vulnerability was exploited in the breach that compromised the personal data of 143 million U.S. citizens.

May 04, 2017 04 May'17

Google Docs phishing attack grants attacker full Gmail access

A Google Docs phishing attack abused OAuth to give malicious actors full access to a victim's Gmail account and contacts, but Google claims to have blocked the attacks.

March 03, 2017 03 Mar'17

Cloudflare security team calms fears over Cloudbleed bug

Cloudflare security researchers continue investigations as CEO calms fears over potential exposure of sensitive personal data by the Cloudbleed bug, though doubts remain.

February 24, 2017 24 Feb'17

Project Zero discovers Cloudflare bug leaking sensitive customer data

The Cloudflare bug in CDN is fixed after causing sensitive customer data to leak. Google Project Zero discovered the flaw, and users were warned to change passwords.

January 26, 2017 26 Jan'17

Heartbleed bug still found to affect 200,000 services on the web

Researchers found the infamous Heartbleed bug is still unpatched on as many as 200,000 services connected to the internet and experts don't expect that number to change.

December 29, 2016 29 Dec'16

Critical PHPMailer library vulnerability patched, and repatched

A bypass for the patch of a remote code execution vulnerability in the PHPMailer library prompted a second patch release for the popular library used by millions of websites.

December 14, 2016 14 Dec'16

Facebook Certificate Transparency Monitoring tool will help secure web

A new Certificate Transparency Monitoring tool from Facebook may help webmasters track and vet TLS certificates, as well as improve integrity and security for HTTPS traffic.

October 13, 2016 13 Oct'16

Researchers demonstrate undetectable encryption backdoor in crypto keys

Academic researchers show how to place undetectable encryption backdoors in cryptographic keys and passively decrypt data, which could undermine confidence in certain algorithms.

September 28, 2016 28 Sep'16

ICANN grinds forward on crucial DNS root zone signing key update

Domain name system watchdog ICANN has begun the process of updating the DNS root zone signing key to strengthen DNSSEC protection against man-in-the-middle attacks.

July 18, 2016 18 Jul'16

Responsible disclosure of latest named vulnerability, 'httpoxy'

Responsible disclosure wins as researchers roll out branded website for 'httpoxy,' a set of vulnerabilities in server-side web apps that use the HTTP_PROXY variable.

May 19, 2016 19 May'16

ImageMagick calls into question responsible disclosure reporting

The ImageTragick bug raises questions over responsible disclosure, as the flaw in the ImageMagick image-processing library exposes millions of websites to remote code execution.

January 29, 2016 29 Jan'16

OpenSSL patch fixes encryption flaw and strengthens Logjam defense

A new OpenSSL patch fixes a severe encryption flaw and strengthens the protocol against the Logjam vulnerability.

January 18, 2016 18 Jan'16

DHCP servers must be patched against denial-of-service attacks

The Internet Systems Consortium released a critical patch for DHCP servers that fixed a flaw that could lead to denial-of-service attacks.

November 19, 2015 19 Nov'15

Experts: DNSSEC protocol can't be worse than certificate authorities

The DNSSEC protocol is a flawed solution to certificate authorities, but experts said any controversy surrounding the potential spying is more misunderstanding than fact.

May 20, 2015 20 May'15

Google changes Chrome extension policy amid security concerns

Google's new Chrome extension policy mandates that all users and developers must install web browser extensions from the Chrome Web Store.

January 30, 2015 30 Jan'15

GHOST Linux bug update: WordPress, other PHP applications vulnerable

PHP applications, including WordPress, are vulnerable to the GHOST Linux exploit, but overall the flaw may not be as dangerous as first thought.

September 11, 2014 11 Sep'14

Healthcare.gov breach shows poor website security testing

Experts say the latest security breach of the Healthcare.gov website was caused by lacking security process maturity, downplaying the importance of website security testing.

June 25, 2014 25 Jun'14

Enterprises fix NTP amplification, but many DDoS techniques remain

NTP amplification had led to several recent massive DDoS attacks. Despite the good news, researchers say many other DDoS techniques remain unfixed.

March 19, 2014 19 Mar'14

Imperva finds old PHP vulnerability still being exploited by attackers

Security vendor Imperva says thousands of enterprise Web servers are exposed to an easy-to-exploit PHP flaw despite a patch long being available.

January 29, 2014 29 Jan'14

DNS amplification, application-layer attacks drive DDoS attack trends

Data from Arbor Networks shows an increase in DNS amplification attacks and application-layer DDoS attacks.

January 08, 2014 08 Jan'14

Malvertising attacks via Yahoo ads may precede broader iframe attacks

Update: A Cisco researcher says last week's malvertisement attacks using Yahoo ads likely began prior to December 2013.

November 05, 2013 05 Nov'13

IT pros lack confidence when dealing with server security threats

The IT professionals tasked with fending off a barrage of server security threats are unsure of their ability to do so, according to a new survey.

June 19, 2013 19 Jun'13

RSA Silver Tail improves online fraud detection, enterprise security

Fraud prevention for the Web: RSA Silver Tail sets stage for enterprise-level security with big data and brand new interface.

May 09, 2013 09 May'13

Department of Labor website hack highlights advanced attack trends

The IE8 zero-day attack planted in the U.S. Labor Department's website highlights how few organizations can ward off never-before-seen attacks.

December 21, 2011 21 Dec'11

Spear phishing attacks likely key in U.S. Chamber of Commerce breach, experts say

Spear phishing attacks via China were likely what led to the lengthy U.S. Chamber of Commerce breach, experts say.

August 31, 2011 31 Aug'11

Apache DDoS vulnerability requires immediate update to avoid threat

Apache has released an updated version of its Web server to address a DDoS vulnerability, for which exploit tools have been found in the wild.

February 07, 2011 07 Feb'11

DDoS attacks growing in size, break attack bandwidth barrier, Arbor Networks says

Attackers are becoming more skilled at harvesting the amount of bandwidth available and selecting specific targets, a new report finds.

September 28, 2010 28 Sep'10

Microsoft plans emergency update for ASP.NET encryption flaw

Attackers are targeting a weakness in the ASP.NET Web application framework. A fix is expected today at 1 p.m. ET.

July 29, 2010 29 Jul'10

Black Hat: Researchers poke holes in HTTPS, SSL Web browser security

Attackers capable of carrying out man-in-the-middle attacks to hijack Web browsing sessions can go further and render Web security protocols HTTPS and SSL/TLS useless against attack.

September 03, 2009 03 Sep'09

Microsoft issues IIS FTP advisory, exploit code circulates

Exploit code is circulating for the FTP zero-day flaw in Microsoft IIS Web server.

July 29, 2009 29 Jul'09

Panda reports fast-spreading rogueware antivirus fraud rakes in millions

Rogueware fake antivirus strains are increasing at a stunning rate. Panda Security reports that this cyber crime bilks users out of about $34 million every month.

July 29, 2009 29 Jul'09

Kaminsky reveals key flaws in X.509 SSL certificates at Black Hat

Researcher Dan Kaminsky returned to Black Hat with new research on X.509 certificates, explaining an attack method that could enable malicious hackers to spoof legitimate SSL certificates..

April 21, 2009 21 Apr'09

Symantec acquires Mi5 Networks, bolsters Web security

Mi5's technology gives Symantec URL and malware filtering as well as control of unmanaged applications, such as instant messaging and VoIP programs.

January 14, 2009 14 Jan'09

Oracle patches dangerous WebLogic, Secure Backup vulnerabilities

Oracle repaired several dangerous flaws in its BEA WebLogic server line and its Secure Backup software that could be exploited by an attacker to gain access to critical files.

November 26, 2008 26 Nov'08

Web app attacks grow, but developers may fight back

Web application security expert Ryan Barnett would like to see every company use a Web application firewall. But Barnett, director of security at Web application firewall vendor Breach Security Inc., knows that companies need to use more than just ...

October 15, 2008 15 Oct'08