WhatsApp and Telegram Vulnerabilities Opened Users to Account Takeover

Encrypted messaging services WhatsApp and Telegram patched vulnerabilities in the last week that could have let an attacker take over a user’s account, access personal and group conversations, along with photos, videos and other files. A trio of researchers with Check Point Software Technologies,...

PT-2017-4237 · Linux +3 · Linux Kernel +3

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 4.10.7 Description: The issue is related to a use-after-free vulnerability in the fs/crypto component of the Linux kernel, which can lead to a denial of service or possibly allow local users to gain privileges...

PHPCMS v9.5.10 suffers from a design vulnerability

PHPCMS is a website management software. The software adopts modular development and supports a variety of classification methods, using it can easily realize the design, development and maintenance of personalized websites. A design vulnerability exists in PHPCMS v9.5.10, which allows an attacke...

SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)

A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based...

YouTube encrypted video there are multiple universal password can bypass the limit(wonderful vulnerability)-vulnerability warning-the black bar safety net

YouTube encrypted Video, a plurality of universal password Detailed description: As long as the Password box, enter the two English double quotation marks. For example: "" press the OK button to play all the encrypted videos. Management added: "" \ %% or a=a And other characters can bypass video...

Sage XRT Treasury database fails to properly restrict access to authorized users

Overview Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Description CWE-639: Authorization Bypass Through User-Controlled Key - CVE-2017-3183Sage XRT...

Google Releases E2EMail to Open Source

The ongoing struggle to provide encrypted email solutions that aren’t on a PGP level of complexity and difficulty is a real challenge. Google’s attempt at it, called E2EMail, was introduced more than a year ago as an effort to give users a Chrome app that allows for the simple exchange of private...

Google Achieves First-Ever Successful SHA-1 Collision Attack

SHA-1, Secure Hash Algorithm 1, a very popular cryptographic hashing function designed in 1995 by the NSA, is officially dead after a team of researchers from Google and the CWI Institute in Amsterdam announced today submitted the first ever successful SHA-1 collision attack. SHA-1 was designed i...

SMTP STS Coming Soon to Gmail, Other Webmail Providers

Gmail users can expect the introduction of SMTP Strict Transport Security to the email service some time this year, bringing a measure of security similar to certificate pinning to one of the world’s biggest webmail services. Elie Bursztein, the head of Google’s anti-abuse research team, said at...

Signal Messaging App Rolls Out Encrypted Video Calling

WhatsApp and Facebook have so far the largest end-to-end encrypted video calling network of all, but now another popular end-to-end encrypted messaging app recommended by whistleblower Edward Snowden is ready to give them a really tough competition. The Signal app, which is widely considered the...

USN-3194-1: OpenJDK 7 vulnerabilities

Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update moves those algorithms to the legacy algorithm set and causes...

CVE-2016-5918

IBM Tivoli Storage Manager HSM for Windows displays the encrypted Tivoli Storage Manager password in application trace output if the password access option is prompt and the password is changed...

Polish Banks Hacked using Malware Planted on their own Government Site

In what considered to be the largest system hack in the country's history and a massive attack on the financial sector, several banks in Poland have been infected with malware. What's surprising? The source of the malware infection is their own financial regulator, the Polish Financial Supervisio...

CVE-2016-6329

OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack...

Design/Logic Flaw

OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack...

CVE-2016-6329

OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack...

CVE-2016-6329

Removed by vendor...

Facebook Unveils 'Delegated Recovery' to Replace Traditional Password Recovery Methods

How do you reset the password for your Facebook account if your primary email account also gets hacked? Using SMS-based security code or maybe answering the security questions? Well, it's 2017, and we are still forced to depend on insecure and unreliable password reset schemes like email-based or...

CVE-2016-6329

OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack...

CVE-2016-10102

hitek.jar in Hitek Software's Automize uses weak encryption when encrypting SSH/SFTP and Encryption profile passwords. This allows an attacker to retrieve the encrypted passwords from sshProfiles.jsd and encryptionProfiles.jsd and decrypt them to recover cleartext passwords. All 10.x up to and...