Earlier this month, security outfit FireEye's 'FireEye as a Service' researchers out in Singapore [discovered and reported](https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html) on a phishing campaign that was found to be exploiting a zero-day vulnerability in Adobe Flash Player (CVE-2015-3113). That campaign has been well and truly active for a while now, with the attack emails including links to compromised sites serving up benign content if you are lucky and a malicious version of the Adobe Flash Player complete with the exploit code if you are not. Adobe has now [responded with a security update](https://helpx.adobe.com/security/products/flash-player/apsb15-14.html) with the following recommendations: Users of the Adobe Flash Player Desktop …

It all started pretty well, with the announcement by Mozilla at the end of last month that the Firefox web browser would make the Internet a safer place by encrypting everything. That's everything, even those connections where the servers don't even support the HTTPS protocol. Developers of the Firefox browser have moved one step closer to an Internet that encrypts all the world's traffic with a new feature that can cryptographically protect connections even when servers don't support HTTPS. The 'Opportunistic Encryption' (OE) feature essentially acts as a bridge between non-compliant plaintext HTTP connections and fully compliant and secure HTTPS …

Content Management Systems (CMS) may not be the most interesting topic on the tech table, but oh boy does WordPress liven things up in this sector. Not, it has to be said, always in a good way. I've lost count of the number of WordPress vulnerability stories that I've read over the last 12 months, and have even written a few myself. Of course, more often than not [it isn't WordPress itself that is the problem](http://www.itpro.co.uk/security/24163/the-wordpress-cms-isnt-insecure-you-are) but one of the gazillion plug-ins that are out there and being used to customize it and add functionality. There was the [SoakSoak malware](https://www.daniweb.com/web-development/php/news/489065/kings-of-google-gun-for-supersoaker-soaksoak-wordpress-malware-warning) …

Spring has been getting rather unseasonably hot for Apache users as far as security flaws go. First there was news of how the FREAK (Factoring Attack on RSA-EXPORT Keys) vulnerability could impact Apache. For more on FREAK see this [excellent analysis](http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html) by Matthew Green, a cryptographer and research professor at Johns Hopkins University. Green points out that "Apache mod_ssl by default will generate a single export-grade RSA key when the server starts up, and will simply re-use that key for the lifetime of that server. What this means is that you can obtain that RSA key once, factor it, and …

"Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems." These are the words of Brad Arkin, Chief Security Officer at Adobe, as he reveals that one of the biggest names in the software business has fallen victim to …

Google has been quick to blacklist domains implicated, most often unwittingly, in the distribution of what has become known as the SoakSoak malware campaign, courtesy of soaksoak.ru being the first domain in the redirection path it used. With 11,000 domains blocked over the weekend, you might be forgiven for thinking that it's another WordPress-hosting-site security problem sorted before it can do any harm. However, most experts I have spoken to would seem to agree that 11,000 domains is just the tip of this particular iceberg and the actual number of SoakSoak impacts on WordPress-specific sites is in …

As well as being CEO of penetration testing specialists High-Tech Bridge, Ilia Kolochenko is also perhaps unsurprisingly a white hat hacker of some repute. Equally unsurprising is the fact that he has [warned](https://www.htbridge.com/blog/plugins_and_extensions_the_achilles_heel_of_popular_cmss.html) that security vulnerabilities in leading CMS platforms such as Drupal, Joomla and WordPress are effectively leaving the security door wide open for hackers to walk through. Kolochenko refers to the threat posed by old plugins, passwords and extensions as being the 'Achilles heel of popular CMS' and for good reason. High-Tech Bridge regularly tests popular CMSs via the ImmuniWeb online penetration testing service and equally regularly, sadly, …

A report from Hold Security claims that one of the biggest ever online heists has been committed by a Russian crime gang. It would appear that the data theft includes, wait for it, no less than 1.2 billion (yes, billion) usernames and passwords along with around half a billion email addresses obtained from more than 400,000 websites. In total, Hold Security says, the stolen data amounts to some 4.5 billion items. According to the [report](http://www.holdsecurity.com/news/cybervor-breach/) the gang acquired databases of stolen credentials from online dark markets which were then used to attack e-mail providers, social media, and other websites. Spam …

The Feedly app left an attack window open for malicious JavaScript hackers, according to one security researcher. Security consultant and blogger Jeremy S [revealed](http://breaktoprotect.blogspot.in/2014/04/feedly-android-application-zero-day.html) that the Feedly Android app, or at least the version prior to the update on March 17th 2014, had been subject to a zero-day JavaScript code injection vulnerability. Jeremy reported the discovery to the Feedly developers, who patched the vulnerability within 24 hours: ethical disclosure working at its best if you ask me. The Singapore-based researcher explained that the code injection was possible from an RSS feed into the app itself as the Feedly app didn't sanitize …

It has been [officially confirmed](http://php.net/archive/2013.php#id2013-10-24-2) that the php.net website of the open-source PHP programming language has been hacked and infected with malware. The successful breach of the site came to light yesterday morning when the Google Safe Browsing service started flagging php.net as serving up malicious scripts. This was, at first, denied by php.net, which tweeted claims that it was down to a false negative by Google. However, that position has changed and now it has been officially confirmed that two servers at php.net had been hacked and were, indeed, hosting malicious code in order to install malware on the …

In the newly published Imperva 'Hacker Intelligence Initiative Report' the in-the-wild modification and exploitation of PHP SuperGlobal variables has been investigated. This particular external variable modification weakness has been described as being where a PHP application does "not properly protect against the modification of variables from external sources, such as query parameters or cookies". Imperva has seen evidence of SuperGlobal variables being used as a launchpad for remote code execution, remote file inclusion and security filter evasion attacks. The report itself should be something of a must-read for anyone developing PHP applications who wants to get a grip on how …

Within days of the New York Times website suffering an outage which was widely reported as being down to another cyber attack, although the NYT itself insists it was actually an internal issue following system maintenance, media sites belonging to CNN, Time and the Washington Post have been attacked by the Syrian Electronic Army (SEA) in support of President Bashar al-Assad. All three sites concerned apparently used a single link recommendation service called Outbrain, and it seems that a social engineering attack there led to the successful breach. Outbrain [announced yesterday](http://www.outbrain.com/blog/2013/08/update-outbrain-security-breach.html) that "we have fully secured the network …

A minor update to the 1.6 version of jQuery was just released today. After a big outcry of version 1.6's changes to the way properties work, the jQuery team quickly released version 1.6.1 to make the new techniques more compatible with the older functionality, hopefully preventing sites from breaking. The release also fixed some bugs, as did version 1.6.2. And now 1.6.3 also fixes several bugs, along with one change that some people will find disappointing: They dropped support for the requestAnimationFrame API. When 1.6 came out, support for requestAnimationFrame was added to allow for smoother animation. However, requestAnimationFrame itself …

...and the Microsoft AJAX Library, err, and the ASP.NET AJAX Control Toolkit. Yep, Microsoft has not only finally come up with an official name for the AJAX technologies which until now have been known collectively as 'Atlas' but has also split it into three individual products. All are expected to ship by year-end. ASP.NET 2.0 AJAX Extensions cover the server-side functionality, while the Microsoft AJAX Library handles the client-side stuff and integrates with the server-based extensions, naturally. The final part of this triumvirate is the self-explanatory ASP.NET AJAX Control Toolkit. Together, they are intended to simplify ASP 2.0 web development …

Over the last couple of days the online media seems to have gone crazy for the news that the Google Chrome web browser client has overtaken Microsoft Internet Explorer to become the most popular browser on the planet. This is based entirely upon the fact that, for a single week, and according to figures from the StatCounter service, Chrome reached a 32.76% share against the 31.94% share enjoyed by Internet Explorer. But does this really mean that Chrome is now the number one client, and should web developers be giving more design love to it than Internet Explorer as a result? …

Everyone loves PHP these days it seems, and that includes the bad guys. So it should come as no surprise to learn that yet another remote access Trojan written using PHP has appeared. However, the fact that this particular bit of PHP backdoor code comes complete with a second, hidden, backdoor within it certainly was surprising to the security researcher who found it. DaniWeb has been talking to that researcher to find out more... "Is there no honor among thieves anymore?" asks Andrew Brandt, the Lead Threat Analyst for security specialists Webroot, when disclosing the details of his [URL="http://blog.webroot.com/2010/09/06/php-backdoor-has-another-backdoor-inside/"]PHP double …

Most of the reports out yesterday about the release of [URL=http://www.microsoft.com/ie8]Internet Explorer 8[/URL] Beta 2 focused on its so-called InPrivate Browsing, which leaves no trace of the Web sites you visit and protects anonymity. And while that's certainly useful, developers are likely to be more interested in its improvements in DOM and HTML 4.01 cross-browser inconsistencies, new Ajax features and news that IE8 passes the [URL=http://acid2.acidtests.org/]Acid2 test[/URL] for accurate browser rendering. Microsoft on Wednesday made available for [URL=http://www.microsoft.com/windows/internet-explorer/beta/]download the latest IE 8 beta[/URL], which it says includes fixes to "the get/set/remove Attribute, default attributes, Attribute object and the <Q> tag." The company also …

According to the 2009 Web Application Security Report from NTA Monitor, 90% of all web applications have at least one medium-risk vulnerability and 27% have at least one high-risk vulnerability. Apparently the most common vulnerabilities are those which involve SQL injection, cross-site scripting and cross-site request forgery. One data security specialist told DaniWeb that not only should this come as no real surprise, but nor should the fact that the problem is steadily getting worse instead of better. Brian Contos is the Chief Risk Strategist at Imperva, and he points out that the high-risk category percentage is up …

I read a [URL="http://www.infoworld.com/d/open-source/open-source-innovation-the-cutting-edge-582"]story[/URL] this morning over at [URL="http://www.infoworld.com"]Infoworld.com[/URL] that shocked me a bit. Neil McAllister discusses how proprietary software companies, like [URL="http://www.microsoft.com"]Microsoft[/URL], criticize open source projects by saying that, "They don't innovate, they copy." Is that really the consensus for an entire software realm that brought us the [URL="http://www.w3.org"]world wide web[/URL], TCP/IP, [URL="http://www.sendmail.org"]sendmail[/URL], DNS, DHCP, [URL="http://www.perl.org"]Perl[/URL], [URL="http://www.php.net"]PHP[/URL], [URL="http://www.apache.org"]Apache[/URL], HTML and basically everything else that we use on the Internet today? Is that really the stance they want to take? Neil also gives us seven major open source projects that are not knockoffs of Microsoft's knockoffs. But, instead of focusing …

If you are a PHP, Zend or IBM fan, today Zend and IBM announce a major release for IBM i-Series Servers. Zend Technologies and IBM are working together to offer PHP solutions for IBM i customers. Today Zend announced Zend Server for IBM i, a Web Application Server for applications running on IBM i and Power System servers. (see attached or click on links below for more) [B]What’s New from Zend and IBM[/B] Zend Server for IBM i – Runtime and Management Features [B]·[/B] Business-grade PHP – An up-to-date, fully tested, supported and documented PHP stack ensures high reliability and …

What if you had access to the millions of tweets that flow to and from Twitter users every day? Perhaps you'd build something like [url=http://www.daniweb.com/news/story240308.html]PostRank[/url], which amasses them along with other data from social media sites to track cyber-reaction to posted articles. Or maybe you would filter them by demographic and figure out a way to sell targeted banner ads. The sky's the limit, so you might want to start noodling. According to Twitter platform director Ryan Sarver, speaking this week at the [url=http://www.leweb.net/]Le Web[/url] conference in Paris, access to its data stream is about to get easier. On Wednesday, Sarver …

Today, Tuesday November 10, 2009, [URL="http://www.novell.com"]Novell[/URL] announces a Visual Studio plugin that allows support for non-Microsoft operating systems that use .NET code development on a platform known as [URL="http://go-mono.com"]Mono[/URL] via a new product called [URL="http://go-mono.com/monovs/"]Mono Tools for Visual Studio 1.0[/URL]. This is not a cost free toolset. In fact, it's really quite [URL="http://www.go-mono.com/store/"]pricey[/URL]--starting at $99 for the Professional (Individual) version. Of course, compared to the exorbitant price of Visual Studio, that's a mere pittance. If you can afford Mono Tools, it's a powerful addition to your Visual Studio environment. Using Mono Tools, you can create and test your .NET applications …

With all the libraries that have emerged, Java and Ajax applications practically build themselves these days. This week Java tool maker Instantiations added support for Ext GWT to [url=http://www.instantiations.com/gwtdesigner/]GWT Designer 7.2[/url], the latest version of its Eclipse-based drag-and-drop GUI-building environment that can be had for as little as $5 a month. Also known as GXT, [url=http://www.extjs.com/products/gxt/]Ext GWT[/url] builds on the [url=http://code.google.com/webtoolkit/]Google Web Toolkit[/url], adding a slew of customizable UI widgets and CSS-based themes, plus full documentation and backward compatibility. It's made by Ext LLC. And if you're currently building Web apps and you haven't heard of them, a look …

You have to give Sony credit, they are really trying new strategies to wrest eBook market share from the Amazon Kindle. This month [URL="http://news.sel.sony.com/en/press_room/consumer/computer_peripheral/e_book/release/41492.html"]they announced several new editions[/URL] of the Sony Reader, including the brand new Reader Daily Edition, which should be in stores in time for the holiday shopping season. This comes on the heels of their recent announcement to support the [URL="http://www.idpf.org/"]open ePub ebook standard[/URL] I wrote about last week in my post, [URL="http://www.daniweb.com/blogs/entry4640.html"]Could Sony Open eBook Decision Pressure Amazon[/URL]. I'm still not sure either Sony (or Amazon) has lowered the price on these units enough to give them …

In a move that could only be characterized as surprising, Sony announced last week that it was going to be using the open [URL="http://www.idpf.org/"]ePub eBook standard[/URL], which in theory should enable [URL="http://ebookstore.sony.com/reader/"]Sony Reader[/URL] users to access and use any books created around the standard. Sony Readers will also be able to read Adobe PDFs and Adobe eBooks, both of which come with [URL="http://www.adobe.com/products/contentserver/"]Adobe DRM[/URL]. It's a complex announcement, but one thing is clear, Sony has laid down the gauntlet with Amazon, leaving it as the lone major proprietary reader. But is Amazon too big to care? [B]The Amazon eBook Erase …

A company has been awarded a patent for providing episodic media downloads, which essentially gives it a patent on all forms of podcasting. The company, VoloMedia, calls itself the "leading provider of advertising and reporting solutions for portable media, extending the reach of video and audio from the PC to devices such as smartphones (e.g., iPhone, Android, BlackBerry), media players (e.g., iPod, Touch) and set-top boxes (e.g., Apple TV, Vudu) whether connected or offline." The patent was filed in 2003. In a [URL="http://www.volomedia.com/blog/"]blog entry[/URL], company founder Murgesh Navar said it had filed a dozen patents since 2003 and this is …

Research released this week by Evans Data showed that 73 percent of the market currently use or plan to adopt the [url=http://en.wikipedia.org/wiki/Spring_framework]Spring application framework for Java[/url] within the next two years. More remarkable is that 83 percent of companies with 500 or more developers use Spring, according to the study. So I thought it would be a good time to speak with Rod Johnson, CEO and founder of [url=http://www.springsource.com/]SpringSource[/url], and author of the open source framework that some in the Java community view as a superior alternative to [url=http://en.wikipedia.org/wiki/Enterprise_JavaBean]EJB[/url]. [quote] [B]EddieC[/B]: Why do you think Spring adoption has become so …

I don't know the extent to which this story has crossed the shores to America, but our local friendly far-right political party the British National Party has had details of its members published on the Internet. I'm not going to rehearse their arguments for them - you know the sort of thing, compulsory repatriation for immigrants, jobs for the British at the expense of anyone else who lives on our shores no matter how long their family has been here - we all know the types. I'd have loved to have seen their faces when Obama was elected as the …

Good IT management doesn't take place in a vacuum. If you're going to make the right decisions and lead people in ways that will make them want to follow, you need an arsenal of information. Of course, overworked CIOs and IT managers don't have time to sift through hundreds of industry articles and news announcements a week, but there's lots of good information to be gleaned from your RSS feeds that go unread every day. Here is my 3-step process for keeping track of the latest IT news, filing it away for future reference, and sharing with your …

If you're a Ruby or Python developer building AJAX applications, you've got to learn JavaScript. Even if you're converting Ruby code to client-side JavaScript with a tool like [URL=http://www.scribd.com/doc/220397/RJShow-it-works]RJS[/URL], it can still be helpful to know the AJAX component for adding features and debugging. Now Microsoft is promoting APAX and ARAX, techniques similar to AJAX that supplant JavaScript with Python and Ruby, languages commonly used on the server side of dynamic Web apps. The news was brought to light last week at O'Reilly's [URL=http://en.oreilly.com/rails2008/public/content/home]RailsConf[/URL] by Microsoft's [URL=http://www.iunknown.com/]John Lam[/URL], who was there giving a talk on his …
