Stories by Lucian Constantin

Attack on Dailymotion redirected visitors to exploits

Attackers injected malicious code into Dailymotion.com, a popular video sharing website, and redirected visitors to Web-based exploits that installed malware.

Ruby on Rails gets patches for SQL injection vulnerabilities

Two SQL injection vulnerabilities were patched in Ruby on Rails, a popular open-source Web development framework used by some high-profile websites.

Hardcoded SSH key gives backdoor access to Cisco communications manager

An unprotected SSH access key left inside the Cisco Unified Communications Domain Manager product for remote support purposes allows attackers to take complete control of affected deployments.

Critical vulnerability in popular WordPress newsletter plug-in endangers many blogs

A critical vulnerability found in a WordPress plug-in that has been downloaded over 1.7 million times allows potential attackers to take complete control of blogs that use it.

Israeli security startup firm Hexadite automates cyber incident response

Technology developed by an Israeli security firm called Hexadite promises to help companies reduce cyber incident response times by automating security breach investigation and remediation.

Microsoft to resume email-based security notifications

Microsoft has backtracked on a plan to stop sending email-based notifications about security bulletins starting this month.

New malware program hooks into networking APIs to steal banking data

There is yet another reason to be wary of spam email about bank transfers or invoices -- it could be carrying a new, cleverly designed malware program that steals financial information.

Rare SMS worm targets Android devices

A rare Android worm that propagates itself to other users via links in text messages has been discovered by security researchers.

Privacy-focused Blackphone starts shipping to early adopters

The wait is almost over for early adopters of Blackphone, an Android-based smartphone that promises enhanced privacy and security.

VMware catches up with some Apache Struts patches, but not all

Two months after critical vulnerabilities were patched in Apache Struts, a popular open-source framework for developing Java-based Web applications, VMware released a security update to incorporate the fixes in its vCenter Operations Management Suite product but appears to have left out a more recent patch.

Researchers bypass PayPal's two-factor authentication system

PayPal was one of the first large online services providers to offer two-factor authentication to its users, but until recently the company's implementation had a loophole that could have allowed attackers to bypass this additional protection.

Fewer NTP servers can be abused to amplify DDoS attacks, but threat remains

The number of NTP (Network Time Protocol) servers that can be abused to amplify DDoS attacks has decreased dramatically this year, but the threat remains.

Researchers expect large wave of rootkits targeting 64-bit systems

Following a downward trend during the past two years, the number of new rootkit samples rose in the first quarter of this year to a level not seen since 2011, according to statistics from security vendor McAfee.

New Havex malware variants target industrial control system and SCADA users

A malware threat previously used in attacks against energy sector companies is now being aimed at organizations that use or develop industrial applications and machines.

Heartbleed patching effort stalls at around 300,000 vulnerable servers

Despite a great start, the rate of patching OpenSSL servers against the critical Heartbleed vulnerability has slowed down to almost a halt. Around 300,000 servers remain vulnerable and many of them are unlikely to get patched anytime soon.