A severe security vulnerability has been discovered in the CloudFlare content delivery network that has caused big-name websites to expose private session keys and other sensitive data.
CloudFlare, a content delivery network (CDN) and web security provider that helps optimize safety and performance of over 5.5 Million websites on the Internet, is warning its customers of the critical bug that
Posted by Nguyen Anh Quynh on Feb 24
Greetings,
We are super happy to announce version 1.0 for Unicorn CPU Emulator
framework!
Full source code & precompiled binaries are now available at
http://www.unicorn-engine.org/Version-1.0
This release is the result of over 1 year of community-based development.
We fixed a lot of issues on all architectures, added some new APIs and
provide 3 more bindings in Haskell, MSVC & VB6 now. See the link above for
details on important…
Posted by Indrajith AN on Feb 24
Title:
====
DIGISOL DG-HR1400 Wireless router – Cross-Site Request Forgery (CSRF)
vulnerability
Credit:
======
Name: Indrajith.A.N
Website: https://www.indrajithan.com
Company: PwC-SDC
Reference:
=========
CVE Details: CVE-2017-6127
Date:
====
23-02-2017
Vendor:
======
DIGISOL router is a product of Smartlink Network Systems Ltd. is one of
India’s leading networking company. It was established in the year 1993 to
prop the Indian…
Posted by X41 D-Sec GmbH Advisories on Feb 24
X41 D-Sec GmbH Security Advisory: X41-2017-004
Multiple Vulnerabilities in tnef
================================
Overview
——–
Confirmed Affected Versions: 1.4.12 and earlier
Confirmed Patched Versions:
Vendor: verdammelt
Vendor URL: https://github.com/verdammelt/tnef/
Vector: File
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/
Summary and Impact…
http://www.pandasecurity.com/mediacenter/src/uploads/2017/02/facebook-two-step-verification-300×225.jpg
We’ve all been there. You get a new smartphone or computer, and you have to slog through all of your first-time logins by manually typing out usernames, passwords, etc. Sometimes it happens that one of your accounts has a particularly difficult password that you barely even remember creating and – yep, you get locked out of your account. You curse yourself for that distant day when you felt so ambitious about password security and created such a puzzle for your future self. But if you’re among the many who ordinarily aren’t too finicky about security, then you’ll probably have no qualms about recovering access to your account by requesting a password reset email from the company.
However, cases reminiscent of the recent data breach of the century at Yahoo that affected a billion accounts show the need for additional security measures. Attackers would be happy to use passwords and security questions collected from such breaches to access your current accounts. In fact, the password recovery link itself may be compromised.
The alternative standard procedure in these cases is the two step verification: associate a phone number with the account to add an extra layer of security. This option is available on a number of services, including Gmail, Facebook, Twitter, and Instagram. However, Facebook has just announced a new way to recover forgotten passwords safely and without the need of a phone.
Soon, the social network par excellence will allow third-party web users to recover their passwords through their own service. Internet users will be able to save an encrypted token on Facebook that allows them to retrieve their password on pages like GitHub. This way, if you lose your Github password, you can send the token from your Facebook account, thus proving your identity and regaining access to your GitHub profile.
The company has emphasized that the token’s encryption guarantees user privacy. Facebook can’t read the information stored in it and will not share it with the service you’re using it for without express permission from the user.
At the moment, the service, which has been called Delegated Recovery, is only available on GitHub. It has also been made available to researchers as an open source tool to be scrutinized for vulnerabilities before it is implemented to other websites and platforms.
With this new method, Facebook aims to eliminate the headaches of users who suffer theft or loss of their smartphones and can’t recover their accounts immediately. And while they’re at it, they’ll take the opportunity to offer themselves up as a safer alternative to email when it comes to recovering passwords. “There’s a lot of technical reasons why recovery emails aren’t that secure. Email security doesn’t have the greatest reputation right now. It’s the single point of failure for everything you do online,” said Brad Hill, security engineer at Facebook. Will Facebook succeed in becoming the hub of all of our accounts? Time will tell.
The post Two Step Verification, and How Facebook Plans to Overhaul It appeared first on Panda Security Mediacenter.
SHA-1, Secure Hash Algorithm 1, a very popular cryptographic hashing function designed in 1995 by the NSA, is officially dead after a team of researchers from Google and the CWI Institute in Amsterdam announced today submitted the first ever successful SHA-1 collision attack.
SHA-1 was designed in 1995 by the National Security Agency (NSA) as a part of the Digital Signature Algorithm. Like
Can Parental Spyware Keep Kids Safe Online? – Christian Science Monitor
Multiple use-after-free vulnerabilities in the gx_image_enum_begin function in base/gxipixel.c in Ghostscript before ecceafe3abba2714ef9b432035fe0739d9b1a283 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PostScript document.
An issue was discovered in ytnef before 1.9.1. This is related to a patch described as “3 of 9. Buffer Overflow in version field in lib/tnef-types.h.”
An issue was discovered in ytnef before 1.9.1. This is related to a patch described as “2 of 9. Infinite Loop / DoS in the TNEFFillMapi function in lib/ytnef.c.”