Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
It is relatively rare to find core vulnerabilities in content management platforms, but when they are found, they're normally great! The security advisory SA-CORE-2014-005 states that Drupal core 7.x versions prior to 7.3.2 are affected and they have already released both an upgrade and standalone patch to resolve the issue.
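As an added illustration (this is not Drupal's code, and it does not reproduce the specific defect behind SA-CORE-2014-005, whose mechanics the post does not describe): a small Python query layer over sqlite3 that shows the property a database abstraction API is supposed to guarantee, namely that caller-supplied data reaches the database only as bound parameters and never as SQL text, together with a check a reviewer can run against such a layer. The `expand_arguments` helper, the `users` table and its rows are constructed for this example.

```python
import re
import sqlite3

# Only placeholder names of this shape may ever appear in SQL text.
PLACEHOLDER_RE = re.compile(r":([A-Za-z_][A-Za-z0-9_]*)")


def expand_arguments(sql, args):
    """Expand list/tuple/dict arguments into numbered placeholders.

    ":ids" with args["ids"] = [7, 9] becomes ":ids_0, :ids_1" and the
    parameter dict gains ids_0=7, ids_1=9.  Generated names come from a
    counter, never from keys the caller supplies, so untrusted data has
    no path into the SQL text.  (Constructed helper, not Drupal's API.)
    """
    out_args = {}
    for name, value in args.items():
        if not PLACEHOLDER_RE.fullmatch(":" + name):
            raise ValueError(f"invalid placeholder name: {name!r}")
        if isinstance(value, (list, tuple, dict)):
            # Iterate over values only: dict keys are deliberately discarded.
            items = list(value.values()) if isinstance(value, dict) else list(value)
            if not items:
                raise ValueError(f"empty list for placeholder {name!r}")
            generated = []
            for i, item in enumerate(items):
                gen = f"{name}_{i}"
                out_args[gen] = item
                generated.append(":" + gen)
            # \b stops ":ids" from also matching ":ids_extra".
            sql = re.sub(r":" + re.escape(name) + r"\b",
                         lambda _m: ", ".join(generated), sql)
        else:
            out_args[name] = value
    return sql, out_args


def placeholders_in(sql):
    """Names of every placeholder present in the SQL text."""
    return set(PLACEHOLDER_RE.findall(sql))


def check_bound(sql, params):
    """Reviewer check: every placeholder in the text is bound and nothing
    else in the parameter dict is unaccounted for."""
    return placeholders_in(sql) == set(params)


def build_sample_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def fetch_users(conn, ids):
    """Look up users by id using the expansion layer above."""
    sql, params = expand_arguments(
        "SELECT id, name FROM users WHERE id IN (:ids) ORDER BY id",
        {"ids": ids})
    if not check_bound(sql, params):
        raise RuntimeError("SQL text and bound parameters disagree")
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print(fetch_users(db, [1, 3]))
    # Same SQL text whatever the caller used as keys.
    print(expand_arguments("SELECT 1 WHERE x IN (:ids)",
                           {"ids": {"any key": 2, "other": 3}}))
```

The point of `check_bound` is that the SQL text for a given query template is a function of the template and the argument count alone; if a layer lets any caller-controlled string influence the generated placeholder names, that invariant breaks, and this is the kind of property to assert in the API's own test suite rather than trusting each call site.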
As a result of our investigation, we discovered evidence that the systems of some DQ locations and one Orange Julius location were infected with the widely-reported Backoff malware that is targeting retailers across the country. The investigation revealed that a third-party vendor’s compromised account credentials were used to access systems at those locations.
The affected systems contained customers’ names, payment card numbers and expiration dates. We have no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, were compromised as a result of this malware infection.
Alex Stamos, the CISO of Yahoo, posted an in-response bulletin on Hacker News to clear up the rumor that this breach was caused by Shellshock.
Straight to the point, he states that it was not Shellshock that the system was vulnerable to but a separate command-injection vulnerability in their log parsing scripts. Though... Shellshock itself is a command-injection / parsing vulnerability so I'm sure many will skip over the technicalities and consider them one and the same.
At first I was surprised that he came forward and gave explicit details that, well, can now be targeted against. On the other hand, I think it's pretty cool of them to be so open (either that, or they really didn't want to be the "large company" that was affected by Shellshock =P).
When Microsoft first announced Windows 8, the bashing began (as usual and expected). "Metro's bad", "no Start Menu", yada yada.
Now, fast forward to today - Windows 8.1 and still no Start Menu. Is it really that bad? How many users that are commenting here, complaining about it, have actually tried it? Does it truly hinder your ability to use the computer?
I, for one, have not tried Windows 8. Not because I don't like the idea of it but because I'm still on Windows 7 and have no need to actually upgrade yet. However, I have *seen* both PCs and laptops with Windows 8 (neither with touch screen) and it actually looked pretty good. Both switched from the Metro-giant-buttons screen over to the desktop and it looked like a normal computer with a normal version of Windows on it, nothing crazy.
The primary reason I'm not going to issue a complaint about the "no Start Menu" isn't because I haven't actually tried Windows 8 and dislike it, it's because as an actual "power user" of Windows, I don't use the Start Menu that much. WinKey+R to run whatever I need, main apps pinned to the taskbar, "My Computer" / "Documents" icons available on the desktop - everything one double-click away. My Linux boxes are quite similar (except the WinKey+R, of course =P).
Are there any users out there that actually had their "experience" ruined because they didn't have a Start Menu and, if so, why / how?
The linked article has zero information regarding this attack and instead focuses on eBay's attack history; once more, it also links to its own eBay page so +1 for that.
Can anyone find a more relevant article that spills out the actual details of this, or maybe one that includes the actual PoC this researcher has created?
You can now take extra precaution against hackers and snoops by enabling SSL security on your Tumblr Dashboard. Just head over to your Account Settings and flip the switch.
"Any reason I shouldn’t do this?" Nope, not really. It doesn’t change anything about the dashboard, it just encrypts your connection to it. We’ve been using it for weeks and haven’t even noticed. So, yeah, turn it on and forget about it. Easy.
"Ada is PL/I trying to be Smalltalk." -- Codoso diBlini