Web server threats and application attacks
- January 13, 2020
Signal Sciences co-founder and CEO Andrew Peterson explains why web application security often gets shortchanged and what his next-gen WAF company is doing to change that.
- September 24, 2019
Cloudflare takes its first steps in keeping malicious bots from attacking customers by using complex challenges to waste a bot's CPU resources in an attempt to disincentivize more bots.
- May 29, 2019
A security researcher found that malicious actors have been scanning database servers for MySQL ransomware targets running on Windows, but mitigation should be relatively easy.
- April 19, 2019
A DNS hijacking campaign targeting national security organizations and critical infrastructure may be part of a new trend, according to the researchers behind recent attacks.
- April 16, 2019
Microsoft warned Outlook users who may have had data compromised in an attack using customer support login credentials to access account information over the course of months.
- April 04, 2019
Pipdig, a blog theme and plugin company, was accused of using obfuscated code to gain backdoor access to customer blogs and launch low-scale DDoS attacks on rivals.
- April 03, 2019
Experts are urging users to patch after a proof-of-concept Magento exploit was picked up by malicious actors and used in attempted attacks on e-commerce websites.
- March 01, 2019
The Coinhive cryptominer is scheduled to be shut down following a troubled history and experts don't think the company gave the full story as to why the shutdown is happening.
- February 27, 2019
Researchers created a new browser-based attack, called MarioNet, that exploits an HTML5 API and can create botnets even after a browser tab is closed or a target navigates away.
- February 13, 2019
Dunkin' sent a security alert to customers warning of potentially malicious access of accounts due to the second credential stuffing attack in less than three months.
- January 29, 2019
Video-sharing website Dailymotion reset passwords for an unknown number of users following 'large-scale' credential stuffing attacks that lasted for more than six days before being stopped.
- January 25, 2019
Following a string of DNS hijack attacks around the globe, the Department of Homeland Security has directed federal agencies to harden defenses against DNS tampering.
- January 11, 2019
FireEye researchers investigating a DNS hijacking campaign against governments and telecom companies said those who are potential targets of Iran should take precautions.
- January 10, 2019
Researchers updated their unCAPTCHA proof of concept to be more efficient in bypassing audio CAPTCHAs and be able to handle spoken phrases and not just strings of numbers.
- December 20, 2018
Two Twitter bugs led to questions about the platform's user privacy and security, while the company said one of the bugs opened the door to possible state-sponsored attacks.
- December 11, 2018
Another Google Plus data exposure -- this time potentially affecting more than 52 million users -- will cause the service to be shut down four months earlier than scheduled.
- November 27, 2018
The U.S. Postal Service inadvertently exposed the data of 60 million users and has only just fixed the underlying website flaw, despite being notified of the issue one year ago.
- November 16, 2018
Despite early speculation, experts concluded the BGP route leak that sent Google traffic through China and Russia was due to an accidental misconfiguration and not malicious activity.
- November 05, 2018
The majority of websites still use the outdated PHP v5, according to recent data, causing concern over the fact that it will stop receiving security support at the end of the year.
- October 23, 2018
Malicious actors attacked a back-end insurance system and the resulting Healthcare.gov breach exposed an unknown amount of data on 75,000 people.
- October 10, 2018
A Google security audit uncovered a glitch in Google Plus that exposed data from nearly 500,000 accounts, causing the company to shutter the social network and spur a German data protection probe.
- September 27, 2018
Congressional websites may not always have the best security, according to Joshua Franklin, although senators may be better at website security than House representatives.
- September 27, 2018
Joshua Franklin has been researching election website security for congressional candidates, and he found a lot of misconfigurations on official pages and other sites meant to confuse voters.
- September 07, 2018
The anonymity of Tor is once again under scrutiny, as a researcher finds misconfigured Tor sites can expose the public IP address connected to a dark web site.
- August 10, 2018
PortSwigger's James Kettle doesn't believe web cache poisoning is theoretical and to prove it, he demonstrated several attacks on major websites and platforms at Black Hat 2018.
- August 06, 2018
Researchers discovered a wave of BGP hijacking attacks aimed at DNS servers related to payment-processing systems in an apparent effort to steal money from unsuspecting users.
- July 13, 2018
News roundup: The Ticketmaster breach was part of a massive digital credit card-skimming campaign. Plus, the U.K. fined Facebook over the Cambridge Analytica scandal, and more.
- April 30, 2018
The combination of a broken Oracle WebLogic vulnerability and available proof-of-concept exploit code has led threat actors to search for any servers that are at risk.
- December 13, 2017
A team of security researchers discovered many vendors' TLS implementations are vulnerable to the Bleichenbacher oracle attack, which was first discovered 19 years ago.
- October 31, 2017
A security researcher earned more than $15,000 by finding three flaws in the Google Issue Tracker, aka Buganizer, which revealed details on unpatched vulnerabilities.
- October 05, 2017
Newly uncovered information indicated that all 3 billion users were affected by the 2013 Yahoo data breach, but Oath claimed passwords and credit card info were safe.
- September 15, 2017
Equifax has confirmed an unpatched critical Apache Struts vulnerability was exploited in the breach that compromised the personal data of 143 million U.S. citizens.
- May 04, 2017
A Google Docs phishing attack abused OAuth to give malicious actors full access to a victim's Gmail account and contacts, but Google claims to have blocked the attacks.
- March 03, 2017
Cloudflare security researchers continue investigations as CEO calms fears over potential exposure of sensitive personal data by the Cloudbleed bug, though doubts remain.
- February 24, 2017
The Cloudflare bug in CDN is fixed after causing sensitive customer data to leak. Google Project Zero discovered the flaw, and users were warned to change passwords.
- January 26, 2017
Researchers found the infamous Heartbleed bug is still unpatched on as many as 200,000 services connected to the internet and experts don't expect that number to change.
- December 29, 2016
A bypass for the patch of a remote code execution vulnerability in the PHPMailer library prompted a second patch release for the popular library used by millions of websites.
- December 14, 2016
A new Certificate Transparency Monitoring tool from Facebook may help webmasters track and vet TLS certificates, as well as improve integrity and security for HTTPS traffic.
- October 13, 2016
Academic researchers show how to place undetectable encryption backdoors in cryptographic keys and passively decrypt data, which could undermine confidence in certain algorithms.
- September 28, 2016
Domain name system watchdog ICANN has begun the process of updating the DNS root zone signing key to strengthen DNSSEC protection against man-in-the-middle attacks.
- July 18, 2016
Responsible disclosure wins as researchers roll out branded website for 'httpoxy,' a set of vulnerabilities in server-side web apps that use the HTTP_PROXY variable.
- May 19, 2016
The ImageTragick bug raises questions over responsible disclosure, as the flaw in the ImageMagick image-processing library exposes millions of websites to remote code execution.
- January 29, 2016
A new OpenSSL patch fixes a severe encryption flaw and strengthens the protocol against the Logjam vulnerability.
- January 18, 2016
The Internet Systems Consortium released a critical patch for DHCP servers that fixed a flaw that could lead to denial-of-service attacks.
- November 19, 2015
The DNSSEC protocol is a flawed solution to certificate authorities, but experts said any controversy surrounding the potential spying is more misunderstanding than fact.
- May 20, 2015
Google's new Chrome extension policy mandates that all users and developers must install web browser extensions from the Chrome Web Store.
- January 30, 2015
PHP applications, including WordPress, are vulnerable to the GHOST Linux exploit, but overall the flaw may not be as dangerous as first thought.
- September 11, 2014
Experts say the latest security breach of the Healthcare.gov website was caused by lacking security process maturity, downplaying the importance of website security testing.
- June 25, 2014
NTP amplification had led to several recent massive DDoS attacks. Despite the good news, researchers say many other DDoS techniques remain unfixed.
- March 19, 2014
Security vendor Imperva says thousands of enterprise Web servers are exposed to an easy-to-exploit PHP flaw despite a patch long being available.
- January 29, 2014
Data from Arbor Networks shows an increase in DNS amplification attacks and application-layer DDoS attacks.
- January 08, 2014
Update: A Cisco researcher says last week's malvertisement attacks using Yahoo ads likely began prior to December 2013.
- November 05, 2013
The IT professionals tasked with fending off a barrage of server security threats are unsure of their ability to do so, according to a new survey.
- June 19, 2013
Fraud prevention for the Web: RSA Silver Tail sets stage for enterprise-level security with big data and brand new interface.
- May 09, 2013
The IE8 zero-day attack planted in the U.S. Labor Department's website highlights how few organizations can ward off never-before-seen attacks.
- December 21, 2011
Spear phishing attacks via China were likely what led to the lengthy U.S. Chamber of Commerce breach, experts say.
- August 31, 2011
Apache has released an updated version of its Web server to address a DDoS vulnerability, for which exploit tools have been found in the wild.
- February 07, 2011
Attackers are becoming more skilled at harvesting the amount of bandwidth available and selecting specific targets, a new report finds.
- September 28, 2010
Attackers are targeting a weakness in the ASP.NET Web application framework. A fix is expected today at 1 p.m. ET.
- July 29, 2010
Attackers capable of carrying out man-in-the-middle attacks to hijack Web browsing sessions can go further and render Web security protocols HTTPS and SSL/TLS useless against attack.
- September 03, 2009
Exploit code is circulating for the FTP zero-day flaw in Microsoft IIS Web server.
- July 29, 2009
Rogueware fake antivirus strains are increasing at a stunning rate. Panda Security reports that this cyber crime bilks users out of about $34 million every month.
- July 29, 2009
Researcher Dan Kaminsky returned to Black Hat with new research on X.509 certificates, explaining an attack method that could enable malicious hackers to spoof legitimate SSL certificates.
- April 21, 2009
Mi5's technology gives Symantec URL and malware filtering as well as control of unmanaged applications, such as instant messaging and VoIP programs.
- January 14, 2009
Oracle repaired several dangerous flaws in its BEA WebLogic server line and its Secure Backup software that could be exploited by an attacker to gain access to critical files.
- November 26, 2008
Web application security expert Ryan Barnett would like to see every company use a Web application firewall. But Barnett, director of security at Web application firewall vendor Breach Security Inc., knows that companies need to use more than just ...
- October 15, 2008
A severe WebLogic flaw is among 36 security fixes released by Oracle Corp. across its database, middleware and enterprise software products.
- August 06, 2008
Black Hat: Security researcher Dan Kaminsky outlined more than a dozen ways the DNS cache poisoning flaw could be exploited by an attacker to wreak havoc on vulnerable systems.
- August 04, 2008
Web security vendors Zscaler Inc. and Purewire Inc. enter the growing Software as a Service (SaaS) space dominated by appliance vendors.
- July 24, 2008
A new survey found more consumers using their smartphones to access sensitive corporate data, opening huge security gaps for enterprises.
- May 14, 2008
Noted network security researcher Dan Kaminsky, director of penetration testing at IOActive, shares his research on Web-based attack techniques.
- July 12, 2007
Web security gateways combine layered defense against the rising tide of Web-based malware with URL filtering and application control.
- April 17, 2007
A new worm called Rinbot.BC exploits the Microsoft DNS flaw by installing an IRC bot on infected machines and scanning for other vulnerable servers.
- February 05, 2007
- October 13, 2006
This week, the blogosphere is buzzing about Google Code Search. Despite concerns that the tool will aid attackers, some see it as a boost for security.
- December 09, 2005
Just by browsing your competitor's Web site, you might be giving away your company's most guarded secrets. Experts offer advice for countering the subterfuge and keeping secrets safe.
- September 27, 2004
Also included are a fix for a Gentoo Linux hole and an explanation for a controversial hire.
- May 27, 2004
Los Angeles County Department of Health Services bioterrorism IT coordinator David Cardenas fields and distributes about a dozen serious health alerts to physicians, hospitals and response agencies and must ensure the flow of such sensitive ...
- May 04, 2004
A security bypass may be the first of similar exploits on cellular phones and other devices sophisticated enough to use Java technology.
- March 17, 2004
Oracle recommends immediately patching to fix multiple high-risk vulnerabilities in the Oracle Web Cache that impact all platforms.
- January 27, 2004
Internet Security Services (ISS) is offering a money-back guarantee as part of its Managed Protection Services, leading off this edition of Industry Notebook. Also included are items from NetScreen, Check Point, IPLocks and Teros.
- July 03, 2003
Hackers reportedly have organized a game this weekend that awards points for the number of Web sites defaced by Sunday. Enterprises should take note and lock down systems.
- March 18, 2003
Microsoft issued a security alert Monday advising users to patch a critical vulnerability in IIS 5.0 running on Windows 2000.
- November 06, 2002
PentaSafe released VigilEnt Security Agent for SQL Server, enabling users to self-audit their databases, leading off this edition of Quick Takes.
- July 23, 2002
PHP flaw could crash, burn Web servers
- June 18, 2002
DoS, buffer overflow flaws found in Apache