GitHub’s search capability remains dark Friday after it was discovered that the code-sharing site’s search feature could be used to dredge up passwords, private crypto keys, and other credentials developers use in their projects.
In a video from this week’s DLD Conference, F-Secure’s Chief Research Officer Mikko Hypponen and Kaspersky Lab’s CEO Eugene Kaspersky discuss increased paranoia surrounding cyber warfare, the dangers of the internet and the evolution of hacking throughout the years.
Several undocumented remote administration backdoors were discovered in a number of Barracuda Networks products that could provide not only the company with access to the affected appliances, but also provide that access to a number of other outside entities.
The Java saga continued when unknown, and apparently well concealed goons exploited recent Java and Internet Explorer zero-days to compromise the website of the French-based, free-press advocacy group, Reporters Without Borders. The attack, which attempted to take advantage of the time-gulf that separates Oracle’s patch release from their users’ application of it, is part of a watering hole campaign also targeting Tibetan and Uygur human rights groups as well as Hong Kong and Taiwanese political parties and other non-governmental organizations.
Researchers with Vulnerability Lab today announced mega payment processor PayPal has fixed a flaw on its site that allowed a remote user or a local user with low privileges to compromise a Web application using a blind SQL injection.The vulnerability was first reported to PayPal back in August, according to Softpedia, but the company waited until now to announce a fix. PayPal awarded the researchers a $3,000 bounty for responsibly disclosing their find.
Social networking sites such as Twitter and Facebook have become not just communication hubs, but also authentication mechanisms for third-party sites. Many sites and Web applications allow users to sign in with their Facebook or Twitter credentials rather than registering, which is a nice convenience. That is, until, it turns into a security liability. Security researcher Cesar Cerrudo recently discovered a bug in Twitter’s code that enabled third-party apps to access users’ private direct messages under some circumstances, even when users had not explicitly granted those apps that level of access.
A Canadian college student was expelled after reporting a vulnerability in the school’s Web site that potentially exposed private data on more than 250,000 students.The high-achieving computer science major, Hamed Al-Khabaz and another student, Ovidiu Mija, in November were developing a mobile app using Omnivox Web portal software when they discovered “sloppy coding” that could lead to a major data breach. Ominvox is used at hundreds of Canadian campuses, including theirs at Montreal’s Dawson College.
It’s really starting to feel like we’re piling on the perennially vulnerable, industry punching bag that is Java. That said, GFI Labs and other security firms are warning their users to be wary of malicious fake Java updaters taking advantage of all the patches Oracle had to ship last week.
As humans, we have a difficult time letting go of things. Whether it be a favorite pair of jeans, a beloved dog or an old friend who you know is just bringing you down, putting aside things we know well is hard to do. But sometimes things are just too broken to be useful any longer, and that’s the point we’ve reached with Java.
Foxit fixed a vulnerability in its PDF reader product yesterday, eight days after it was discovered that an attacker could have leveraged to insert malicious code into documents.
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.
