Security Content on InfoQ
-
AVG Plugin Exposes Chrome User Data
Anti-virus software vendor AVG has produced a plugin for Google Chrome that negates that browser's security settings, leaving users at risk of having their information stolen or possibly having their system compromised.
-
Postponing the Retirement of SHA-1
The retirement of SHA-1 is complicated by the access needs of users who have yet to upgrade. Facebook, Twitter, and CloudFlare have proposed an interim solution for users of these legacy devices.
-
Container Manifests, Docker Labels, and the Implications on Security: A Q&A with Gareth Rushgrove
At DockerCon EU 2015, InfoQ sat down with Gareth Rushgrove, a senior software engineer at Puppet Labs, and explored the concepts behind his conference presentation “Shipping Manifests, Bill of Lading and Docker”. The range of topics discussed included the benefits of system package management (manifest) metadata, the use of Docker labels, and the implications on security and compliance audits.
-
A Brief Introduction to Incident.MOOG with Rob Markovich
Recently we caught up with Rob Markovich, CMO of Moogsoft, to talk about the new version of their early warning system, Incident.MOOG.
-
Security Release for DOS Vulnerability in Node.js
The Node Foundation has announced vulnerabilities in versions of Node.js from v0.12.x through to v5.x "whereby an external attacker can cause a denial of service."
-
Twistlock Announce General Availability of Container Security Suite
Twistlock have announced the general availability of their Container Security Suite, along with a partnership with Google Cloud Platform that integrates Twistlock into Google Container Engine (GKE). The suite consists of a console to define policy, a registry scanner and a ‘Defender’ that runs as a privileged container on each host.
-
Remotely Exploitable Java Zero Day Exploits through Deserialization
A recent security analysis by Foxglove Security suggests that applications using deserialization may be vulnerable to a zero-day exploit. Those affected include OpenJDK, Apache Commons, Spring and Groovy. InfoQ investigates.
-
Oracle Patches 154 New Security Vulnerabilities
Oracle has announced 154 new security vulnerabilities in its latest Critical Patch Update -- but says there is no indication that any of the most severe vulnerabilities have been successfully exploited “in the wild.”
-
Internet Security, TLS, and HTTP/2: A Q&A with ThoughtWorks’ Vuksanovic and Gibson
InfoQ recently sat down with Marko Vuksanovic and Sam Gibson from ThoughtWorks, and asked about their recent study of TLS/HTTPS and HTTP/2 that was published in the ThoughtWorks P2 magazine. Both Vuksanovic and Gibson shared their expertise on a range of security-focused topics, including ubiquitous computing, the workings of TLS/HTTPS, certificate trust, and the security implications of HTTP/2.
-
Cambridge Study Analyzes State of Android Security
Researchers at the University of Cambridge have carried out extensive research to assess security across Android devices, Android versions, and years. Their findings show 87% of Android devices to be vulnerable on average over the last four years. InfoQ has spoken with Daniel Thomas, lead author of the study.
-
Firefox Will No Longer Support Plug-ins Except for Flash
Mozilla has announced that NPAPI support in Firefox will end by the end of 2016; Flash is the only plug-in that will continue to be supported.
-
LinkedIn Release QARK to Discover Security Holes in Android Apps
LinkedIn has recently open sourced QARK, a static analysis tool meant to discover potential security vulnerabilities existing in Android applications written in Java.
-
Docker 1.8 Release with Multiple New Tools
Docker Inc have announced the release of Docker 1.8, which brings with it some new and updated tools in addition to new engine features. Docker Toolbox provides a packaged system aiming to be, ‘the fastest way to get up and running with a Docker development environment’. The most significant change to Docker Engine is Docker Content Trust, which provides image signing and verification.
-
First Zero-Day Java Vulnerability in Two Years
A zero-day vulnerability affecting sandboxed Java Web Start applications and sandboxed Java applets was recently announced, the first one for Java in nearly two years. Concerns that the vulnerability is already being exploited, together with the ease of exploitation, gave this vulnerability the highest CVSS risk score. Oracle has issued a patch and urges customers to upgrade as soon as possible.
-
Android 'Stagefright' Vulnerability puts Millions at Risk
Google has moved quickly to reassure Android users following the announcement of a number of serious vulnerabilities. The Stagefright Media Playback Engine Multiple Remote Code Execution Vulnerabilities allow an attacker to send a media file over an MMS message targeting the device's media playback engine, responsible for processing several popular media formats.