A large proportion of websites are built on a CMS rather than raw HTML. Three of the most common are WordPress, Joomla and Drupal, and security researchers at Fox-IT warn that site administrators are at risk of being socially engineered into installing the CryptoPHP backdoor on their server.
Distributed through pirated themes and plugins, CryptoPHP's spread is thanks to the light-fingeredness of site admins. It was first detected in 2013 and is still actively spreading. The capabilities of the "well developed" backdoor include remote control of an infected server, and Blackhat SEO -- a form of illegal search engine optimization.
Using e-cigarettes, or vaping, is widely touted as being healthier for you than smoking tobacco; however, it may not be so healthy for your PC.
Many e-cigarettes offer a USB charging option but a story on social news site Reddit suggests that this is a potential source of malware attack. An executive's PC became infected after he'd recently given up smoking and the infection was traced to his e-cigarette charger.
Websites supporting the Occupy Central movement in Hong Kong have been hit with what is being described as one of the largest cyber attacks ever recorded.
The two sites, Apple Daily and PopVote, have been covering and vocally supporting the pro-democracy movement in Hong Kong. The two even carried out spoof elections for a new chief executive in the region.
Security firm Symantec has released details of an advanced cyberespionage tool it has discovered. Called Regin, the backdoor Trojan is described as having a structure that "displays a degree of technical competence rarely seen". Symantec goes as far as saying that the levels of resources required to create such a highly advanced tool indicate that it was created by a nation state -- although there is no suggestion about who it might be.
The report says that Regin has already been used in mass surveillance programs not by, but against, government organizations. Symantec estimates that the tool may have been years in development, as it delivers multi-stage attacks, and great lengths are taken to hide each stage. The framework was designed to facilitate long-term surveillance, and the concealment techniques used make Regin difficult to fully understand.
Companies are still failing to properly protect themselves from potential attacks and hackers, with security not being given enough consideration -- and indeed, many firms haven’t even covered the fundamentals of keeping intruders out of their networks and data.
This is according to Neira Jones, a security expert who chairs the Global Advisory Board for the Centre for Strategic Cybercrime & Security Science, who criticized businesses for failing to "fix the basics" of protecting data, and lacking sufficient "cyber-security awareness programs".
The trend towards mobile devices and BYOD is great for productivity but it creates new challenges in terms of keeping information secure.
Identity and access management specialist Ping Identity has produced an infographic looking at the vulnerabilities introduced by letting employees use mobile devices.
Cross-site scripting (XSS) vulnerabilities allow attackers to inject script into web pages in order to infect client computers.
Security company High-Tech Bridge has released a report revealing that 95 percent of XSS vulnerabilities can be used to perform sophisticated drive-by-download attacks, which infect users who open harmless-looking URLs that they trust. More worrying is that 90 percent of vulnerabilities can be exploited in such a way that even advanced users and IT professionals won't suspect anything. The structure and architecture of more than 70 percent of web applications allows the creation of a sophisticated XSS exploit that can perform several fully-automated actions, ultimately giving full administrative access to the attacker. This access can then be used by hackers to compromise the entire website and even the web server.
Free software that can detect the presence of surveillance spyware has been launched by a global coalition of human rights and tech organizations.
Organizations including Amnesty International, Privacy International, Digitale Gesellschaft and Electronic Frontier Foundation have teamed up to unveil the open source tool Detekt.
It has been a long time coming, but the web is slowly transitioning away from HTTP to HTTPS. Google has done it with Gmail, and Yahoo did the same with its webmail service, and security advocates would like other websites to follow suit. The problem, for smaller sites at least, is the cost involved. But a new venture between Electronic Frontier Foundation (EFF), Mozilla, Cisco, the University of Michigan and IdenTrust will eliminate the cost obstacle when it launches next summer.
The partnership has brought about the creation of Let's Encrypt, a new certificate authority that will provide free security certificates to those who need them. It is hoped that handing out cost-free certificates will encourage more sites to adopt the HTTPS protocol. But Let's Encrypt does not just eliminate the financial hurdle.
Up to now cyber security has generally taken a defensive approach to protecting data and intellectual property.
That’s set to change as a team of industry experts has got together to create a system that's aimed at dramatically improving the reliability and security of enterprise data and applications running in both cloud and conventional environments.
Microsoft is giving Office 365 users an early glimpse of what it hopes will become the future of enterprise video sharing. Office 365 Video harnesses the power of SharePoint and Azure Media Services to create a tool that gives businesses a one-stop-shop for uploading, sharing, delivering and streaming videos.
A number of possible scenarios are set out by Mark Kashman, a senior product manager in the Office 365 group. From providing employees with access to training videos to delivering CEO messages, this is a flexible tool that has been designed with security and simplicity in mind. Office 365 Video is not expected to launch until early next year, but a sneak peek is available right now.
Malware developers are constantly shifting the goal posts in order to evade detection mechanisms. Part of this involves changing the domain names used to communicate with command and control servers and spread infections.
The latest trick identified by security company Seculert is the increasing use of Domain Generating Algorithms (DGAs).
New research from DDoS protection specialist Black Lotus shows that cyber attack incidents have continued to decline throughout this year.
There were 201,721 incidents in the third quarter of this year (down from 462,621 in Q1 2014 and 276,447 in Q2). This can be attributed to the security industry's increased knowledge and filtering against NTP DrDoS types of attacks, as well as more proactive activity to stop malicious attacks before or as soon as they're detected.
The past year has seen a number of high profile security breaches involving retail businesses and there’s no sign of the trend slowing down.
Security ratings company BitSight Technologies has released some new research looking at the performance of 300 major US retailers over the past 12 months. It shows that 75 percent of retailers that suffered a data breach have improved their security effectiveness.
According to the third annual State of Mobile App Security report from application protection company Arxan Technologies, 87 percent of the top 100 paid iOS apps have been hacked.
Don’t feel smug if you're an Android user, though, as the report reveals 97 percent of the top 100 paid Android apps have been too. But whilst the Android figure is in line with previous years, the iOS percentage represents a jump from 2013, when 56 percent were found to have been hacked.