Password Cracker Targets Siemens S7 PLCs

Siemens S7 programmable logic controllers, the same PLC family exploited by the Stuxnet malware, are in the crosshairs of a password-cracking tool that is capable of stealing credentials from industrial control systems.

DARPA Seeking Help With Targeted Attack Analysis

The networks of government agencies and the military are under constant attack from a variety of sources, and the U.S., like most other countries, relies on those networks to not just run daily operations, but to support missions around the world. In the face of those attacks, the Department of Defense’s advanced research group, DARPA, is looking for new technologies that can collect and analyze massive amounts of network data and enable security teams to get quick reads on attacks happening across a broad, department-level network.

PayPal Addresses Months-Old SQL Injection Vulnerability, Frozen Accounts

Researchers with Vulnerability Lab today announced that mega payment processor PayPal has fixed a flaw on its site that allowed a remote user or a local user with low privileges to compromise a Web application using a blind SQL injection. The vulnerability was first reported to PayPal back in August, according to Softpedia, but the company waited until now to announce a fix. PayPal awarded the researchers a $3,000 bounty for responsibly disclosing their find.

Users looking for “cracked” Android files are in danger of running into a site that is peddling apps that are more or less a ploy to garner advertising clicks from unsuspecting users. The site,, boasts a collection of free, yet crooked looking downloads for Android phones including audio apps, Java apps, wallpapers, games and more.

Rarely a day goes by without mention of a targeted attack against some government-related website, massive disruptions in online banking services, or critical vulnerabilities in specialized software running our power plants and water supplies. And all the while, IT and security organizations have thought little about fighting back. Their options were limited to better patching, more security hardware and new firewall rules. That dynamic is changing because the buzzwords active defense and hacking back are creeping into conversations between vendors and customers, IT managers and executives, executives and legal teams. 

Social networking sites such as Twitter and Facebook have become not just communication hubs, but also authentication mechanisms for third-party sites. Many sites and Web applications allow users to sign in with their Facebook or Twitter credentials rather than registering, which is a nice convenience. That is, until it turns into a security liability. Security researcher Cesar Cerrudo recently discovered a bug in Twitter’s code that enabled third-party apps to access users’ private direct messages under some circumstances, even when users had not explicitly granted those apps that level of access.

With Skype expanding its reach with services designed for small businesses, and other messaging platforms such as Microsoft Windows Messenger shutting down, Skype is becoming an attractive target for malware writers. Reports surfaced last week of the Shylock financial malware spreading on Skype, and yesterday researchers reported the discovery of more malware propagating on Skype.

A Canadian college student was expelled after reporting a vulnerability in the school’s Web site that potentially exposed private data on more than 250,000 students. The high-achieving computer science major, Hamed Al-Khabaz, and another student, Ovidiu Mija, were developing a mobile app in November using Omnivox Web portal software when they discovered “sloppy coding” that could lead to a major data breach. Omnivox is used at hundreds of Canadian campuses, including theirs at Montreal’s Dawson College.
