(get it in RSS or Atom)

WordPress issues security fixes, advises "update your sites immediately"


Mega-popular blogging and content management system WordPress has just put out version 3.6.1.

This includes a patch for a remote code execution hole, so you are advised to update ASAP.

Whistleblower-friendly site Cryptome booted briefly offline for hosting "malicious content"


US whistleblower-friendly site Cryptome recently suffered a short outage, after it was booted offline by its ISP and then let back.

Paul Ducklin looks for security lessons in the story...

Infecting iOS, OpenX backdoor, toilet hole, Android malware - 60 Sec Security [VIDEO]


Are Apple's iPhones really impervious to malware? What do you do if your software is pre-infected with a backdoor? What strength of password is appropriate for a toilet? And what about firmware updates for the Android code verification holes? Find out more in 60 seconds!

OpenX ad servers "pre-compromised" - official distro contained remote code backdoor


You don't always have to break into someone's web server to get them to deliver your malware for you. You can just break into the server they get their online ads from.

Or you can pre-infect the online ad server software so you can own it as soon as it is installed.

Lifting the lid on the Redkit exploit kit

In the first of a two part series, Fraser Howard takes a closer look at the Redkit exploit kit.

Learn more about how this kit works and the compromised web servers that are being used to host it.

DHS website falls victim to hacktivist intrusion

DHS website falls victim to hacktivist intrusion

Hacktivist group NullCrew recently announced a succesful intrusion against a website in the DHS.GOV domain hierarchy.

It looks as though the site was vulnerable to what's known as a directory traversal vulnerability.

Monday review: the hot 26 stories of the week

Monday review: the hot 26 stories of the week

Here's a list of all the stories we've written in the last week, in case you missed any (or if you just want to read them again).

SourceForge serves up malware-infected phpMyAdmin toolkit


Being careful where you download from isn't always enough.

SourceForge, the hosting service for phpMyAdmin, has disclosed that the official phpMyAdmin distribution was Trojanised some time last weekend.

Large percentage of websites vulnerable to HashDoS denial of service attack


Researchers in Germany have disclosed a vulnerability in most web programming languages that allows for a denial of service attack to be successful with very little resource and against the vast majority of websites

Unpatched WordPress installations rife with malware targeted by DDoS attack

The latest WordPress release is requiring users to update their PHP and MySQL installations to newer releases. Are WordPress users doing enough to protect their blogs? Does it make a difference if you patch?

WordPress plugins Trojanised, spotted, fixed


WordPress just announced that the source code for three plugins for its popular blog-hosting platform had been Trojanised. Fortunately, the malicious changes have now been removed. Find out what happened and how to fix it.

PHP 5.3.6 released - Fixes 5 security flaws


The PHP Group has released a set of bug fixes and security udpates to their ubiquitous PHP software. Web administrators should read through the change logs and update as soon as possible. Read the article to find out about the security related fixes and enhancements in PHP 5.3.6.

Malicious Iframe infects PHP-Nuke site....again!

Detection-scan for phpnuke

Last May, I blogged about PHP-Nuke's official site being hacked. Imagine my surprise when I saw the site come up again in my malware feed.