Security News

A new version of COMpfun remote access trojan has been discovered in the wild that uses HTTP status codes to control compromised systems targeted in a recent campaign against diplomatic entities in Europe. In addition to functioning as a fully-featured RAT capable of capturing keystrokes, screenshots, and exfiltrating sensitive data, this new variant of COMpfun monitors for any removable USB devices plugged to the infected systems to spread further and receives commands from an attacker-controlled server in the form of HTTP status codes.

Microsoft has announced the first testable version of DNS-Over-HTTPS support, available for its Windows 10 operating system. Support for the DoH protocol, which Microsoft first announced in November, is available in the Windows 10 Insider Preview Build 19628.

Short-video biz Quibi, airline JetBlue, shopping site Wish, and several other companies leaked million of people's email addresses to ad-tracking and analytics firms through HTTP request headers, it is claimed. Netizens using web browsers that prioritize defenses against ad tracking, such as Brave, Firefox, and Safari, or who have installed suitable privacy extensions in other browsers, may have avoided having their email addresses spirited away.

CA domains, among other important internet functions, is rolling out a free Canada-wide DNS-over-HTTPS service to protect people's privacy. The Canadian Internet Registry Authority today said its new Canadian Shield service will allow people and businesses to encrypt their DNS queries in transit between their devices and CIRA's servers, providing an added layer of security at a time where millions in the country are transitioning to working from home mid-coronavirus pandemic.

Converting websites from HTTP to HTTPS over the last decade must count as one of the most successful quiet security upgrades ever to affect web browsing. There are some HTTPS security caveats worth mentioning, but before getting to them we'll start with the news that that Mozilla's Firefox will, from May's version 76, offer the option to browse in an HTTPS-only mode.

While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site's source code: "Http[.]ps". This crafty domain was hidden inside the checkout and login pages for grandwesternsteaks.com, a meat delivery service owned by Cheney Bros. Ps domain is hosted in Russia, and sits on a server with one other malicious domain - autocapital[.

A vulnerability in Avast's anti-tracking solution could allow malicious actors to perform man-in-the-middle attacks on HTTPS traffic, a security researcher has discovered. The security flaw, which impacts both Avast and AVG AntiTrack, as they share underlying code, resides in the manner in which the software filters HTTPS traffic.

Compounding the issue is that certain operating systems and browsers use new encryption technologies - DNS over TLS and DNS over HTTPS - in the query response handshake with these unauthorized DNS services that make them harder to block. Today I'm going to talk about DNS over HTTPS misuse or abuse.

The patched flaw was made public in early February on the HackerOne bug bounty platform and was forwarded to The Register by concerned reader Matt, who told us: "Note that this is regardless of whether the users had set strong passwords and otherwise wouldn't be vulnerable to credential-stuffing attacks." Professor Alan Woodward of the University of Surrey told The Register that while the vuln was bad, it would require an extra step to enumerate user IDs before the attack would work at scale.

Let's Encrypt has halted its plans to cancel all three million flawed web security certificates - after fearing the super-revocation may effectively break a chunk of the internet for netizens. Earlier this week, the non-profit certificate authority, which issues HTTPS certs for free, announced a plan to disable some three million certificates tainted by a software bug.