A high-severity Cross-site scripting (XSS) vulnerability has been fixed in WordPress’ new 4.4.1 release that is now available for download. In addition to the XSS vulnerability reported by security researcher ‘Crtc4L’, the release includes 51 other non-security bug-fixes. WordPress sites configured to receive automatic updates…
In the headlines: Juniper backdoor, BBC hack, Steam attack, UK surveillance bill, and more
Juniper backdoor mystery, NSA are at least partly to blame Last week, tech company Juniper Networks who sell corporate networking solutions, disclosed that they had discovered two unauthorised encryption backdoors in their firewalls. Encryption backdoors will immediately grab attention as one of the surveillance methods…
Website hack: Help, my website has been hacked! What to do now?
Here we identify 4 practical steps SMEs can plan for and implement when they become a victim of a website hack. With the massive growth in cyber-crime, it’s a sad fact that it’s highly likely to become a question of ‘when’ rather than ‘if’. Below…
Defence in Depth – Final Part – Update software, Isolate services
Update software and components Whether it’s a server’s operating system, a web server, a database server or even a client-side JavaScript library, an application should not be running software with known vulnerabilities. Updating, removing or replacing software or components with known vulnerabilities sounds obvious, but…
Defence in Depth – Part 4 – Validate everything, Parameterize SQL queries
Trust no one, validate everything Unfortunately, most vulnerabilities at the application layer can’t simply be patched by applying an update. In order to fix web application vulnerabilities, software engineers often need to correct mistakes within the application code. It’s therefore ideal for software engineers to…
Webroot report shows SMBs unprepared to counter cyber security attacks
A number of big name retailers, insurance providers and companies have hit the headlines with their cyber attacks and data breaches over the last year or two. But what about the small and medium businesses? There’s no doubt they have their own security incidents but…
In the headlines: Mr Grey hacker, Vtech hack, US government office hack and more
FBI hunting ‘Mr Grey’ hacker and his 1.2 billion stolen logins In a massive botnet operation which stole data from over 420,000 websites, the FBI are now zoning in on one member of a Russian crime ring known as ‘CyberVor’, with their target being known…
Defence in Depth – Part 3 – The Least Privilege Principle
An application does not need to use the root (MySQL), sa (Microsoft SQL Server), postgres (PostgreSQL) or SYSDBA (Oracle Database) to connect to the database. Likewise, it’s a bad idea to run daemons or services as root (Linux) or Administrator (Microsoft Windows), unless there is…
Takeaways from the VTech Hack, and the Vigilante Side of Security Breaches
Anyone following the news this week likely learned of the massive breach exposing the personal data of millions of parents and their children. VTech, a Hong Kong-based toy maker was hacked, exposing everything from children’s names and home addresses, to pictures (reportedly, 190GB worth of…