
Editor's News

Microsoft will release seven security bulletins next week, three of which are rated as critical and are for Windows, Internet Explorer, Office and Exchange. According to the advance notification, five of the fixes are for remote code execution flaws, while the others are for information disclosure and elevation of privilege. Russ Ernst, director of product management at Lumension, said: “If all seven are released as planned, the total number of patches in 2014 will...


Google has announced the deployment of an API to revamp the CAPTCHA model. According to an announcement by Vinay Shet, product manager of reCAPTCHA at Google, it is easier to directly ask users whether or not they are robots, and the radically simplified reCAPTCHA experience will allow users to confirm that they are not a robot. Using artificial intelligence technology, Shet said this can solve even the most difficult variant of distorted text at...


A “major volumetric DDoS attack” caused significant downtime for DNSimple, with traffic up to 25 GB per second and about 50 million packets per second. The attack on Monday on DNSimple was not directed at the website or any user, founder Anthony Eden said in a blog, adding that the traffic was sufficient to overwhelm the four DDoS devices it had placed in its data centres after a previous attack. He said that...


Analysis of the leaked Sony Pictures data has revealed poor security practices. The analysis by Mashable found that password files were in the same folders that they were supposed to protect. One of the folders contained payroll spreadsheets, with details such as employees' names, job titles, home addresses and current salaries. Some of the spreadsheet files were protected by a password but in the very same folder, there was a document called "passwords"...


The traditional penetration testing model is not effective any more, as the model is not balanced in terms of cost benefit and in ensuring flaws are fixed. Speaking at the Enterprise Security and Risk Management conference in London, Rui Shantilal, founder and managing partner of Keep-It-Secure-24, said that penetration testing has changed in the last ten years to match the actions of the attacker, but asked if enough was being delivered. He said that “frameworks, tools,...


The CBEST framework has been described as a major step forward in how to deal with threat and technical assessments. Speaking at the Enterprise Security and Risk Management conference in London, CREST president Ian Glover said that the existing approach to penetration testing is more than adequate for organisations, appropriate for current attack vectors and meets the vast majority of requirements, but there are currently systems which are part of the national infrastructure that, if...


A group of attackers is targeting Wall Street and biotech companies in a likely attempt to play the stock market. Named “Fin4”, the group has been observed collecting information from nearly 100 publicly traded companies, their advisory firms and all parties who handle insider information. According to the research by FireEye, over two-thirds of the targeted organisations are healthcare and pharmaceutical companies, and they are likely being targeted as their stocks can move dramatically in response to news...


The Telegraph disabled its social media sharing buttons during the attack by the Syrian Electronic Army (SEA). According to a source who chose to remain anonymous, there was a suggestion that those services were being used to hijack the news websites. “Most of the sites affected use Gigya for comments, but we use Disqus, so it cannot have been that in case,” they said. The source said that the widgets were switched off...


Phishers are using a new technique where they point to malicious URLs within Google Docs, rather than placing them within the emails. Speaking to IT Security Guru, PhishMe CEO Rohyt Belani said that with the seasonal shopping period underway, there is nothing specifically different this year, but there are slight tweaks to each attack effort. “What we are finding is an interesting theme where attackers are finding that systems are creating specific signatures...


Documents taken from Sony Pictures include 894MB of sales and contract data covering a period between 2008 and 2012. According to CSO online, initial released documents included: private key files; source code files (CPP); password files (including passwords for Oracle and SQL databases); inventory lists for hardware and other assets; network maps and outlines; production schedules and outlines; financial documents and PII. Later in the week, the attackers released preview copies of Sony movies,...
