Dirty Dozen Spampionship – which country is spewing the most spam?

The World Cup may be done and dusted, but the Spampionship continues! Where did you come in our spam-sending league tables?

New search engine Indexeus unmasks malicious hackers

Indexeus is a database of stolen names and passwords, many doxed from the hackers who've themselves doxed others' data. Is it poetic justice, exploitation of a lucrative market, a prototype of an educational tool, or all of the above?

Hackers Could Take Control of Your Car. This Device Can Stop Them

Hackers Charlie Miller and Chris Valasek have proven more clearly than anyone in the world how vulnerable cars are to digital attack. Now they’re proposing the first step towards a solution. Last year the two Darpa-funded security researchers spent months cracking into a Ford Escape and a Toyota Prius, terrifying […]

[webapps] – Aerohive HiveOS 5.1r5 – 6.1r5 – XSS & LFI Vulnerability

[remote] – Kolibri WebServer 2.0 – GET Request SEH Exploit

SoHo routers to get hacker-style scrutiny in return for “awesome” prizes

Buy a $50 SoHo router, plug it in, press a couple of buttons. Bingo! A connected household! What could possibly go wrong? If history is any guide, quite a lot...

[web applications] – IBM GCM16/32 1.20.0.22575 – Multiple Vulnerabilities

[dos / poc] – OpenVAS Manager 4.0 – Authentication Bypass Vulnerability PoC

[web applications] – Raritan PowerIQ 4.1.0 – SQL Injection Vulnerability

[web applications] – MTS MBlaze Ultra Wi-Fi / ZTE AC3633 – Multiple Vulnerabilities

Shopping site reports 3-year-old data breach

Australian shopping website CatchOfTheDay has warned customers of a data breach dating back to 7 May 2011, urging anyone who has kept the same password at the site since that date to change it.

Jailed Apple phishing duo also imported pickpockets and cloned credit cards

How's this for irony? A pair of fraudsters phished bank account details out of over 150 Apple users by sending them hairy-scary messages about their accounts having been compromised.

New York proposes strict regulations for Bitcoin

The rules are strict. Will the community pay heed, or will it ignore attempts to control this wild landscape?

[webapps] – Raritan PowerIQ 4.1.0 – SQL Injection Vulnerability

[remote] – OpenVAS Manager 4.0 – Authentication Bypass Vulnerability PoC

[remote] – IBM GCM16/32 1.20.0.22575 – Multiple Vulnerabilities

[webapps] – MTS MBlaze Ultra Wi-Fi / ZTE AC3633 – Multiple Vulnerabilities

[webapps] – WordPress WP BackupPlus – Database And Files Backup Download (0day)

[remote exploits] – vBulletin 5.1.2 SQL Injection Exploit 0day

[dos / poc] – Apache 2.4.7 httpd mod_status Heap Buffer Overflow Vulnerability

[remote exploits] – Apache httpd mod_status Heap Buffer Overflow Remote Code Execution

[web applications] – Foundry CMS Multiple Vulnerability

“SOHOpelessly BROKEN” hacking contest aims to test home router security

Over the past few years, consumer-grade routers have emerged as a key security threat. Whether manufactured by Asus, Linksys, D-Link, Micronet, Tenda, TP-Link, or others, small office/home office (SOHO) routers have suffered a variety of real-world attacks that in some cases have allowed hackers to remotely commandeer hundreds of thousands of devices.

Now, security advocates are sponsoring "SOHOpelessly BROKEN," a no-holds-barred router hacking competition at next month's Defcon hacker conference in Las Vegas. The contest will challenge attendees to unleash novel exploits on 10 off-the-shelf SOHO routers running recent firmware versions.

"The objective in this contest is to demonstrate previously unidentified vulnerabilities in off-the-shelf consumer wireless routers," organizers said. "Contestants must identify weaknesses and exploit the routers to gain control. Pop as many as you can over the weekend to win. Contest will take place at Defcon 22, August 7-12, 2014 in the Wireless Village contest area."

[web applications] – Trixbox XSS / LFI / SQL Injection / Code Execution Vulnerabilities

[web applications] – OL-Commerce 2.1.1 Cross Site Scripting / SQL Injection Vulnerabilities

Critical industrial control systems remain vulnerable to Heartbleed exploits

More than three months after the disclosure of the catastrophic Heartbleed vulnerability in the OpenSSL library, critical industrial control systems sold by Siemens remain susceptible to hijacking or crashes that can be triggered by the bug, federal officials have warned.

The products are used to control switches, valves, and other equipment in chemical, manufacturing, energy, and wastewater facilities. Heartbleed is the name given to a bug in the widely used OpenSSL cryptographic library that leaks passwords, usernames, and secret encryption keys. While Siemens has updated some of its industrial control products to patch the Heartbleed vulnerability, others remain susceptible, an advisory published Thursday by the Industrial Control Systems Cyber Emergency Response Team warned.

"The vulnerabilities identified could impact authenticity, integrity, and availability of affected devices," the notice stated. "The man-in-the-middle attack could allow an attacker to hijack a session between an authorized user and the device. The other vulnerabilities reported could impact the availability of the device by causing the web server of the product to crash."

[web applications] – Barracuda Networks Message Archiver 650 – Persistent XSS Vulnerability

A Convicted Hacker and an Internet Icon Join Forces to Thwart NSA Spying

A new project called Dark Mail brings together two high-profile privacy advocates to take on the leakiest of all information: that pernicious metadata.

Notorious Shylock banking malware taken out by law enforcement

Law enforcement action led by the National Crime Agency (NCA) in the UK has knocked out the infrastructure of a banking malware known as Shylock, so named because of excerpts from Shakespeare's Merchant of Venice hidden in its code. Here's how to check that you weren't among the more than 30,000 PCs that were infected.

[webapps] – Barracuda Networks Message Archiver 650 – Persistent XSS Vulnerability

Government-Grade Stealth Malware In Hands Of Criminals

"Gyges" can be bolted onto other malware to hide it from anti-virus, intrusion detection systems, and other security tools.

[web applications] – Citrix Netscaler 9.3-62.4 Disclosure / Cross Site Scripting Vulnerabilities

[web applications] – e107 2.0 alpha2 Cross Site Scripting Vulnerability

[remote exploits] – Boat Browser 8.0 and 8.0.1 – Remote Code Execution Vulnerability

[web applications] – Joomla Youtube Gallery Component – SQL Injection Vulnerability