How to craft a security awareness program that works

Flaw in popular WordPress plug-in Jetpack puts over a million websites at risk

Owners of WordPress-based websites should update the Jetpack plug-in as soon as possible because of a serious flaw that could expose their users to attacks.

Jetpack is a popular plug-in that offers free website optimization, management and security features. It was developed by Automattic, the company behind WordPress.com and the WordPress open-source project, and has over 1 million active installations.

Researchers from Web security firm Sucuri have found a stored cross-site scripting (XSS) vulnerability that affects all Jetpack releases since 2012, starting with version 2.0.

The issue is located in Jetpack's Shortcode Embeds module, which lets users embed external videos, images, documents, tweets and other resources in their content. Because the module also processes shortcodes placed in comments, an attacker who can post a comment can use it to inject malicious JavaScript that is stored and served to everyone who views the page.
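The page does not give the specifics of the Jetpack bug, so the following is an added, constructed illustration of the bug class rather than Jetpack's code: a minimal embed-shortcode renderer, first in the vulnerable form (attribute value concatenated straight into HTML) and then hardened (scheme whitelist plus attribute-context escaping). The shortcode name `video`, the attribute `src` and the sample comments are assumptions made for the demo.

```python
import html
import re
from urllib.parse import urlparse

# Constructed demo of stored XSS through an embed shortcode in a comment.
# Not Jetpack's implementation; shortcode/attribute names are assumed.
# Accepts WordPress-style attributes, quoted or bare: [video src="..."] / [video src=...]
SHORTCODE_RE = re.compile(r'\[video\s+src=(?:"([^"]*)"|([^\s\]]+))\s*\]')


def _attr(match):
    """Return the src value whether it was quoted (group 1) or bare (group 2)."""
    return match.group(1) if match.group(1) is not None else match.group(2)


def render_unsafe(comment):
    """Vulnerable pattern: the attacker-controlled value lands in HTML unescaped."""
    return SHORTCODE_RE.sub(lambda m: f'<a href="{_attr(m)}">video</a>', comment)


def safe_url(url):
    """Allow only absolute http(s) URLs and escape them for an attribute context."""
    url = url.strip()
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ("http", "https") or not parsed.netloc:
        return ""  # rejects javascript:, data:, relative junk, etc.
    return html.escape(url, quote=True)  # turns " into &quot; so it cannot close the attribute


def render_safe(comment):
    """Hardened pattern: validate, then escape, then emit markup; drop the embed otherwise."""
    def repl(m):
        url = safe_url(_attr(m))
        return f'<a href="{url}">video</a>' if url else ""
    return SHORTCODE_RE.sub(repl, comment)


# Constructed comment bodies: one benign, two hostile.
BENIGN = 'Nice post [video src="https://example.com/v.mp4"]'
# Bare value carrying a quote: breaks out of href and adds an event handler.
ATTR_BREAKOUT = 'Look [video src=https://example.com/?q="onmouseover="alert(1)]'
# Quoted value with a script scheme: no breakout needed, the link itself runs code.
JS_SCHEME = 'Look [video src="javascript:alert(document.cookie)"]'


def demo():
    """Return {name: (unsafe_html, safe_html)} for each constructed comment."""
    cases = (("benign", BENIGN), ("attr_breakout", ATTR_BREAKOUT), ("js_scheme", JS_SCHEME))
    return {name: (render_unsafe(c), render_safe(c)) for name, c in cases}


if __name__ == "__main__":
    for name, (unsafe, safe) in demo().items():
        print(f"{name}\n  unsafe: {unsafe}\n  safe:   {safe}")
```

Both hostile comments pass a naive "is there a shortcode" check; the point is that the fix belongs at the output boundary (validate the scheme, escape for the exact context), not in trying to blacklist payload strings in the comment text.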

Shared malware code links SWIFT-related breaches at banks and North Korean hackers

Malware links suggest that North Korean hackers might be behind recent attacks against several Asian banks, including the theft of US$81 million from the Bangladesh central bank earlier this year.

Security researchers from Symantec have found evidence that the malware used in the Bangladesh Bank cyberheist was used in targeted attacks against an unnamed bank in the Philippines. The same malware was also previously linked to an attempted theft of $1 million from Tien Phong Bank in Vietnam.

Symantec confirmed the earlier findings of researchers from BAE Systems who found code similarities between the Bangladesh Bank malware, which was used to modify SWIFT transfers, and the malicious program used in attacks against Sony Pictures Entertainment in December 2014.

Up to a dozen banks are reportedly investigating potential SWIFT breaches

More banks have reportedly launched investigations into potential security breaches on their networks after hackers stole US$81 million from the Bangladesh central bank earlier this year through rogue SWIFT transfers.

Security firm FireEye, which was hired to investigate the Bangladesh bank attack, was also called in to look for possible compromises at up to 12 additional banks, Bloomberg reported Thursday, citing an unnamed source familiar with the investigations.

Most of the banks are in Southeast Asia; they include banks in the Philippines and New Zealand, Bloomberg reported.

IoT security is getting its own crash tests

The thousands of endpoints in IoT systems may have to protect themselves against thousands of dangers. A decades-old IT lab wants to tell you if they’re up to the task.

On Wednesday, ICSA Labs announced a program to test the security features of IoT devices and sensors. If the products pass, ICSA will give them a seal of approval. It can also keep testing them periodically to make sure they’re still safe.

Consumers and enterprises are wary about security in the Internet of Things, where hardware, software and even use cases are brand new in many cases. Tiny connected devices that run all the time in the background could be vulnerable to completely new kinds of attacks.
