Security News
The US government has recommended a series of steps that critical infrastructure operators should take to prevent distributed-denial-of-service attacks. The joint guide, entitled Understanding and Responding to Distributed Denial-Of-Service Attacks [PDF], distinguishes between denial-of-service and DDoS attacks.
More than 178,000 SonicWall firewalls are still vulnerable to years-old vulnerabilities, an infosec researcher claims. SSD Labs previously stated that in both cases, cybercrims are "tasked with exploiting a stack overflow vulnerability to cause the DoS - remotely carried out by sending a malicious HTTP request."
According to Chen, a major laptop maker of the day complained that Windows was prone to crashing when certain music was played through the laptop speaker. The crashes, it seems, were not limited to the laptop playing the song, but could also be provoked on nearby laptops that were exposed to the "vulnerability-triggering" music, and even on laptops from other vendors.
OpenSSL has released a security update to address a vulnerability in the library that, if exploited, triggers an infinite loop and leads to denial-of-service conditions. Certificates causing DoS: in this case, the high-severity OpenSSL problem is a bug in the BN_mod_sqrt() function which, if handed a maliciously crafted certificate to parse, enters an infinite loop.
Apple HomeKit is a software framework that lets iPhone and iPad users control smart home appliances from their devices. To demonstrate the doorLock bug, Spiniolas has released a proof-of-concept exploit in the form of an iOS app that has access to Home data and can change HomeKit device names.
Two high-severity vulnerabilities in the OpenSSL software library were disclosed on Thursday alongside the release of a patched version of the software, OpenSSL 1.1.1k. OpenSSL is widely used to implement the Transport Layer Security and Secure Sockets Layer protocols, which support encrypted network connections. "In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose," the OpenSSL advisory explains.
The FBI published this warning on Wednesday as an IC3 public service announcement and as a Private Industry Notification issued to private sector organizations in coordination with DHS-CISA. Attacks on emergency services can lead to loss of lives. "The IC3 has become aware of increased coercion tactics used by the subjects, which have created a threat to emergency services across the nation," the FBI said in a public service announcement from January 2013.
Independent of who uses them, denial of service attacks can be particularly disruptive and damaging for organizations targeted by cybercriminals. TechRepublic's cheat sheet on denial of service attacks is a comprehensive guide to this topic.
A shared memory vulnerability that IBM addressed in its Db2 data management products could allow malicious local users to access sensitive data. Trustwave, which identified the vulnerability and reported it to IBM, says that the issue exists because the developers forgot to include explicit memory protections for the shared memory that the Db2 trace facility uses.
A report released Thursday by Positive Technologies explains how and why existing 4G and new 5G networks can be hurt by Denial-of-Service attacks in particular. Specifically, the company looked at 4G and 5G networks using Diameter signaling protocol, a method for coordinating data among different Internet Protocol network elements.