[web applications] – ClassApps SelectSurvey.net – Multiple SQL Injection Vulnerabilities

[web applications] – Livefyre LiveComments Plugin – Stored XSS Vulnerability

Home Depot ignored security warnings for years, employees say

Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by the New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.

In 2012, Home Depot hired Ricky Joe Mitchell as its senior IT security architect. Mitchell got the job after being fired from EnerVest Operating in Charleston, South Carolina—and he sabotaged that company’s network in an act of revenge, taking the company offline for 30 days. Mitchell retained his position at Home Depot even after his indictment a year later and remained in charge of Home Depot’s security until he pled guilty to federal charges in January of 2014.

The Home Depot breach, which reportedly began in April of 2014 and went undetected until earlier this month, exposed an estimated 56 million credit card numbers. Home Depot spokesperson Stephen Holmes told the New York Times that the company maintains “robust security systems.” Home Depot officials have said that the malware used in the attack, BlackPOS, had not been seen before and would have been difficult to detect with its security scans.

[web applications] – M/Monit 3.2.2 Cross Site Request Forgery Vulnerability

[web applications] – GetSimpleCMS PHP File Upload Exploit

[web applications] – WordPress Plugin CSSJockey Membership Modules Code Execution Vulnerability

[webapps] – ClassApps SelectSurvey.net – Multiple SQL Injection Vulnerabilities

Home Depot Breach Surpasses Target In Scope

New details have emerged about the breach affecting Home Depot, which exposed 56 million payment cards in stores in the US and Canada and utilized custom malware.

Home Depot breach totals: 56 million credit cards exposed, $62 million in losses

Lots of people who speculated about the credit card data breach at the Home Depot turned out to be wrong. But those who suggested that Home Depot's breach might end up bigger than Target's turned out to be spot on.

Chinese hackers breached US military contractors, says Senate report

Military contractors for the US Transportation Command were breached by hackers associated with the Chinese government at least 20 times in one year, according to a report released Wednesday by the US Senate Armed Services Committee.

[web applications] – WordPress Theme Konzept Arbitrary File Upload Vulnerability

Home Depot estimates data on 56 million cards stolen by cybercriminals

The cybercriminals that compromised Home Depot's network and installed malware on the home-supply company's point-of-sale systems likely stole information on 56 million payment cards, the company stated on Thursday.

In the first details revealed in its investigation of the breach, the company said the malicious software that compromised those payment systems had been custom-built to avoid triggering security software. The breach included stores in the United States and Canada and appears to have compromised transactions that occurred between April and September 2014.

"To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements," Home Depot said in its statement. "The hacker's method of entry has been closed off, the malware has been eliminated from the company's systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores."

[web applications] – WordPress Theme Jupiter Arbitrary File Download Vulnerability

[web applications] – WordPress Theme Forall Arbitrary File Download Vulnerability

[web applications] – WordPress Theme X Arbitrary File Download Vulnerability

[web applications] – WordPress Theme Celestial-Lite Arbitrary File Download Vulnerability

[web applications] – WordPress Theme Centum Arbitrary File Download Vulnerability

[web applications] – WordPress Theme 3clicks Arbitrary File Download Vulnerability

[web applications] – WordPress 0day – Hades Plus Framework Add Administrator

In-depth: How CloudFlare promises SSL security—without the key

CloudFlare has developed a way to separate SSL from private crypto keys, making it easier for companies to use the cloud to protect their networks.

Content delivery network and Web security company CloudFlare has made a name for itself by fending off denial-of-service attacks against its customers large and small. Today, it's launching a new service aimed at winning over the most paranoid of corporate customers. The service is a first step toward doing for network security what Amazon Web Services and other public cloud services have done for application services—replacing on-premises hardware with virtualized services spread across the Internet.

Called Keyless SSL, the new service allows organizations to use CloudFlare’s network of 28 data centers around the world to defend against distributed denial of service attacks on their websites without having to turn over private encryption keys. Keyless SSL breaks the encryption “handshake” at the beginning of a Transport Layer Security (TLS) Web session, passing part of the data back to the organization’s data center for encryption. It then negotiates the session with the returned data and acts as a gateway for authenticated sessions—while still being able to screen out malicious traffic such as denial of service attacks.

In an interview with Ars, CloudFlare CEO Matthew Prince said that the technology behind Keyless SSL could help security-minded organizations embrace other cloud services while keeping a tighter rein on them. “If you decide you’re going to use cloud services today, how you set policy across all of these is impossible," he said. "Now that we can do this, fast forward a year, and we can do things like data loss prevention, intrusion detection… all these things are just bytes in the stream, and we’re already looking at them.”

[web applications] – WordPress Login Widget With Shortcode 3.1.1 CSRF / XSS Vulnerabilities

[web applications] – MODX Revolution 2.3.1-pl Cross Site Scripting Vulnerability

[web applications] – WordPress Login Widget With Shortcode 3.1.1 CSRF / XSS

[web applications] – WordPress WP-Ban 1.62 Bypass Vulnerability

[web applications] – webEdition 6.3.8.0 Path Traversal Vulnerability

[web applications] – WordPress Plugin Max Banner Ads XSS Vulnerability

[web applications] – WordPress Theme !LesPaul Arbitrary File Download Vulnerability

[web applications] – WordPress Plugin Sticky Social Bar XSS Vulnerability

[webapps] – Briefcase 4.0 iOS – Code Execution & File Include Vulnerability

Credit card data theft hit at least three retailers, lasted 18 months

Goodwill Industries was one of three companies affected by an attack on a retail managed service provider that went undetected for over 18 months.

In July, it was revealed that Goodwill Industries had suffered from a credit card data breach that affected the charitable retailer’s stores in at least 21 states. The Goodwill breach seemed by many to be just the latest case of criminals taking advantage of the weak underbelly of retailers—their point-of-sale systems. But now, as it turns out, the Goodwill breach was just part of a much larger attack on an outside managed service provider that affected at least two other companies. And many more may have been affected without their knowledge.

Security reporter Brian Krebs first broke the news on the Goodwill breach in July, and traced the breach back to C&K Systems, a reseller of retail software systems from NCR, Retail Pro, and other retail software and systems providers. Goodwill had outsourced much of the operation of its retail systems, including its point-of-sale (POS) systems, to C&K through a managed service contract.

In a statement published on Monday, C&K Systems admitted that they had suffered a breach of point-of-sale systems tied to their “Hosted Managed Services Environment.” The company determined with the assistance of outside forensic investigators that the breach began sometime in early 2013. “The unauthorized access affected our Hosted Management Services Platform intermittently between February 10, 2013 and August 14, 2014.”

Cyberspies Resuscitate Citadel Trojan For Petrochemical Attacks

The Citadel Trojan is a rare and odd choice of malware for cyber espionage purposes, experts say.

[web applications] – WordPress Theme LaBomba Arbitrary File Download Vulnerability

[remote exploits] – Safari SVGPathSegList Use-After-Free Exploit

[web applications] – WordPress Theme Marble Arbitrary File Download Vulnerability

[web applications] – WordPress Webcam 2Way Videochat Plugin XSS Vulnerability