Vulnerability

(get it in RSS or Atom)

Apple pushes out iOS 8.1 - kills the mobile POODLE and closes some, ahem, "backdoors"

8dot1-250

The marquee vulnerablity fixed in iOS 8.1 is, as you might expect, POODLE.

But there are other cryptographic fixes in iOS 8.1 that are equally important...because cryptography is notoriously hard to get right first time.

"Oops! I'm sorry about that" - 60 Sec Security [VIDEO]

60ss-video-250

Here it is - this week's 60 Second Security video.

News that will amuse, and it only takes a minute...

Apple kills the POODLE – also fixes Shellshock in case you forgot

poosdle-osx-250

Apple just shipped OS X 10.10 Yosemite - including a fix for the POODLE vulnerability.

Mavericks and Mountain Lion also got updates to kill the POODLE.

As for Lion, now three releases off the pace...bad news.

'The Snappening’: stolen Snapchat photos site defaced, details of site owner published

Snappening fans deface Snapchat photos site after it comes down

Owner of TheSnappening.org photo site, Mudit Grover, took the stolen Snapchat images and the site down. But within hours, attackers identifying themselves as "Team Danny" allegedly took over the domain and published Grover's personal details.

Snapchat to address sketchy third-party apps with public API ... at some point

Snapchat logo

Oh, those darn third-party apps, their home-brewed APIs and their photo-leaking ways, Snapchat moaned on Wednesday morning, promising to cook up a public API to fix the situation... sooner or later.

The "Sandworm" malware - what you need to know

sandworm-250

Fortunately, the Sandworm malware is a lot easier to deal with than the giant science fiction creature from which it takes its name.

In fact, in malware terms, it's not a worm at all.

Paul Ducklin takes a look...

Dropbox passwords leaked, third-party services blamed

Dropbox logo

Hundreds of Dropbox logins were posted on Pastebin and Reddit, but it turns out they were stolen from a third-party service months ago, Dropbox says. So why did some of those passwords work, as Reddit users claimed? Think password reuse.

Backoff malware gang hits Dairy Queen stores

Backoff malware gang hits Dairy Queen stores

Customers' payment card details may have been whipped out of nearly 400 Dairy Queen stores in the US. It's just the latest in a string of PoS malware infections that have been slamming US retailers.

Patch Tuesday for October 2014 - bigger than usual as Microsoft, Adobe and Oracle align

Oracle, Adobe and Microsoft patches are all arriving together on Tuesday 14 October 2014.

Paul Ducklin looks at what to expect...

SSCC 168 - Amaze your friends by ruining all their USB drives! [PODCAST]

chet-chat-logo-featured-250

Here's the latest Chet Chat security podcast for your listening pleasure.

Sophos experts Chester Wisniewski and Paul Ducklin take apart the latest computer security stories to turn them into news you can use.

SSCC 167 - Avoiding the shock of Shellshock (and more!) [PODCAST]

chet-chat-logo-featured-250

Here's the latest episode of our weekly Chet Chat podcast!

Shellshock leads the list, of course, but Snapchat, cybersecurity awareness and the iPhone 6 all get a look in too...

Security incidents are up - and pricier! - but infosec budgets are dwindling

Security incidents are up - and pricier! - but budgets to prevent them dwindle

The number of security incidents is popping, as are associated costs to mop them up, according to a report from PcW. Global corporate security budgets, meanwhile, seem to be hiding in the closet, just hoping it all goes away.

SSCC 166.5 - Special edition from the Virus Bulletin 2014 conference [PODCAST]

chet-chat-logo-featured-250

Sophos security expert Chester Wisniewski was at the Virus Bulletin 2014 conference in Seattle.

In this special edition of the Chet Chat, Paul Ducklin puts Chet on the other side of the mic to find out more about both the technology and the ethics of anti-malware research.

Apple patches OS X against Shellshock

apple-bash-250

If you're a Mac user, you may have felt wrongfully left out of all the Shellshock kerfuffle over the past few days.

Not any more!

Are you tired of weak or fake zero-day exploits? 60 Sec Security [VIDEO]

60ss-video-250

Watch our latest 60 Second Security video!

An entertaining but insightful look at the week's security woes - in just one minute...

Ex-con Kevin Mitnick now selling zero-day exploits, starting at $100K

Ex-con Kevin Mitnick now selling zero-day exploits, starting at $100K

He says his firm will carefully screen potential clients and that he'd never sell to an entity such as the Syrian regime or a criminal gang. Then again, he's not asking what clients intend to do with the high-end exploits.

Bash “Shellshock” vulnerability – what you need to know

shellshock-250

Shellshock is the media-friendly name for a remote code execution hole in Bash, a command shell commonly used on Linux and UNIX systems.

Paul Ducklin explains...

Mozilla fixes "phishing friendly" cryptographic bug in Firefox and Thunderbird

moz-250

Mozilla just patched a bug in its cryptographic library, NSS.

The bug is rated "critical" because it could permit skullduggery in apparently secure connections.

Is it *really* such a bad idea to use a password twice?

reuse-250

We regularly warn you against using the same password for multiple accounts.

But if you memorise one really long and complex password, isn't that enough?

No! Here's why...