Burning Man festival to cancel tickets of cheaters who used website hacks

Burning Man says it will cancel festival tickets purchased by approximately 200 individuals who managed to use a flaw in the ticketing website to jump ahead of the line.

Internet Explorer has a Cross Site Scripting zero-day bug


Another day, another zero-day.

This time, it's Internet Explorer that is attracting the sort of publicity a browser doesn't want, with the public disclosure of an XSS bug.

SSCC 134 - Patching, foisting, hacking and obfuscating [PODCAST]


Here's our latest security podcast, featuring Sophos experts Chester Wisniewski and Paul Ducklin.

Join the dynamic duo as they turn the latest news into a quarter-hour podcast that is informative, entertaining and educational.

Anatomy of a poisoned image: colour-coded JavaScript!


Colour-coded JavaScript?

Paul Ducklin looks into a malware writer's poisoned-image trick that tells an interesting (and, though it hurts to say it, an amusing) story of subterfuge and guile...

Are the websites you're using tracking what you type?

Is the website you're using tracking what you type?

Facebook, Twitter, Gmail or any webpage can track everything you do and could be keylogging your every pointer movement or keystroke. But it's how the internet has been since forever, though many, many people don't know it and are horrified to find out.

Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 2


Part Two of our examination of an IE exploit.

This is a great read if you want to get a feeling for how cybercrooks think. (Don't worry if you aren't technical: it's clear and jargon-free.)

Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 1


The latest IE zero-day explained.

This is a great read if you want to get a feeling for how cybercrooks think.

(Don't worry if you aren't technical: we've kept the code and jargon to a minimum.)

"Mailbox" app on iPads and iPhones runs JavaScript from emails - vulnerability or feature?


Italian computer scientist Michele Spagnuolo recently wrote about what he considered a security issue in the popular iPhone and iPad email app "Mailbox."

Not everyone agreed with him...

OpenX ad servers "pre-compromised" - official distro contained remote code backdoor


You don't always have to break into someone's web server to get them to deliver your malware for you. You can just break into the server they get their online ads from.

Or you can pre-infect the online ad server software so you can own it as soon as it is installed.

Google announces brand new web browser core, so does Mozilla

When you wait ages for a bus, and then three come along at once, it's not a coincidence: it's a side-effect of queuing and traffic lights.

But what about when three browser vendors make announcements on the same day?

Monday review - the hot 13 stories of the week

Monday review - the hot stories of the week

Catch up with everything we've written in the last seven days with this handy weekly roundup

SSCC 105 - HP printers, Google blocks ad blockers, Apple does the 2-step, and more...


Have you joined thousands of others, and become a loyal listener to the "Chet Chat" yet?

Here's the latest Naked Security podcast, Sophos Security Chet Chat 105, discussing a range of recent and newsworthy topics from the world of computer security.

Anatomy of a "feature" - should JavaScript be allowed to change a web link *after* you click on it?

A young web coding enthusiast from Manchester, UK, recently published a thought-provoking hackette intended to highlight the risks of relying only on "look before you click."

Paul Ducklin wants to know what you think of it...

Apple's own Macs bitten by Java-based malware attack


Apple released a statement today acknowledging that they were victims of the same attackers that Facebook talked about last week. A zero-day Java vulnerability infected Apple Mac developers through a drive-by attack.

Malware injected into legitimate JavaScript code on legitimate websites

SophosLabs has observed a trend of hackers inserting their malicious code into legitimate JavaScript hosted on legitimate compromised websites.

Learn more about what our experts have seen, and ensure that you have protection in place.

Java is not JavaScript - tell your friends!

Some people are worried that turning off Java also turns off JavaScript.

Despite their names, Java and JavaScript are completely different, and turning off Java will not turn off JavaScript.

Firefox 18 brings TURKTRUST update, Retina support, faster JavaScript - oh, and 20 other security fixes

Firefox 18 has landed: 2917 bugs patched, 21 security fixes, 12 critical.

Also with a brand-new JavaScript compiler and support for Retina displays on the groovier sorts of Mac.

How the Tumblr worm spread so quickly

How the Tumblr worm spread so fast

SophosLabs explains how today's Tumblr worm was able to spread so quickly.

Sophos Techknow - All about Java


Java brings with it some significant risks, yet for many people, it's "just there on my computer."

In this episode, Duck and Chet tell you All about Java, and help you to make an informed decision in balancing its risks and rewards at work and at home.

Vote in our poll: is Google's fine of $22.5 million enough to buy privacy?

Google fined $22.5 million for not living up to its privacy promises

Google will cough up $22.5 million for putting sneaky code into its web pages, even after agreeing that it would get "comprehensive" about privacy.

But are financial sanctions enough?

Have your say in our poll...