Updated to include response from Accellion. 1/9/2013 A security researcher who was looking for vulnerabilities in Facebook’s platform instead stumbled on a much larger hole that could affect scores of firms who rely on a secure file transfer platform from Accellion. Writing on his blog on Monday, Israeli researcher Nir Goldshlager said he uncovered a security hole affecting Accellion’s Secure File Transfer service that could allow an attacker to take control of a user’s Secure File Transfer account with little more than the e-mail address associated with the account. Accellion Secure File Transfer is a service that allows enterprises to offer secure transfer and storage of large files (up to 100GB). In contrast to consumer-focused services like DropBox, Accellion offers comprehensive file tracking and reporting as well as data security features necessary to satisfy government regulations like HIPAA, GLBA, and SOX. Secure File Transfer is offered to companies as a private cloud, public […]
Search Results for "password"
Microsoft issued an emergency fix for its Internet Explorer web browser on Monday, just days after security researchers reported finding a previously unknown (zero day) vulnerability in IE that was being used in targeted attacks against members of Washington D.C.’s media, government and policy elite. Microsoft’s Security Response Center (MSRC) released the fix for IE versions 6, 7 and 8 on Monday following reports of sophisticated and targeted attacks using the vulnerability were detected on the web site of the Council of Foreign Relations, a leading think tank whose members include senior government officials. In a Security Advisory (#2794220), Microsoft described the flaw as a “remote code execution vulnerability” in code that governs the way that “Internet Explorer accesses an object in memory that has been deleted or (improperly) allocated.” The vulnerability could allow a malicious attacker to create a malicious web page that would exploit the vulnerability to corrupt memory in […]
Editor’s Note: Updated to add comments from Jason Donenfeld. – Paul A security researcher is warning WordPress uses that a popular plugin may leave sensitive information from their blog accessible from the public Internet with little more than a Google search. The researcher, Jason A. Donenfeld, who uses the handle “zx2c4” posted a notice about the add-on, W3 Total Cache on the Full Disclosure security mailing list on Sunday, warning that many WordPress users that had added the plugin had directories of cached content that could be browsed by anyone with a web browser and knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data like password hashes, Donenfeld wrote. W3 Total Cache is described as a “performance framework” that speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, downloads and the […]
The Dexter malware is getting some media attention this week – and not just because the malware shares its name with Showtime’s popular drama about a serial killer by the same name. (Not that those of us tasked to write catchy headlines don’t love stuff like that – ’cause we do.) No, the Dexter virus caught the attention of malware analysts because it infects point of sale (POS) systems like electronic cash registers, kiosks and automatic teller machines (ATMs), rather than run of the mill laptops and desktops. It has also generated some interest because it uses a form of memory dump parsing to steal sensitive data from infected POS terminals, and because its POS malware that is part of a botnet – communicating back to a command and control system and receiving commands – that’s quite unusual and, while its kind of insider baseball for malware geeks, it makes […]
The FBI issued an alert to businesses in July after unknown attackers breached a computer used to control the heating, ventilation and air conditioning (HVAC) system of a New Jersey company, accessing a graphical user interface for the system, including a floor play layout of the company’s office. The attacks came after an Anonymous affiliated hacker, using the handle @ntisec, published links to vulnerable ICS systems running software from the firm Tridium online. The links included the address of an administrative system that controlled the HVAC system used by US Business 1, a New Jersey company that installs air conditioning systems for other companies, according to a copy of the July, 2012 Situational Information Report (PDF), issued by the Newark Division of the FBI. The alert concerning the February and March, 2012 attack was released by the web site Public Intelligence on Saturday. The FBI did not respond to a request for comment from Security […]