Monday, October 20, 2014
Sunday, October 19, 2014
So, Microsoft and iSIGHT uncovered another 0-day vulnerability; this time impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. iSIGHT has detailed in-the-wild exploits of the vulnerability, and points the finger of suspicion at state-sponsored Russian interests. The Dallas-based cybersecurity outfit explained that the exploit (dubbed Sandworm) had been seen targeting Ukrainian government organisations, Polish energy businesses and US academic organisations as well as NATO itself, and warned that there is an obvious potential for much broader targeting from the same and new threat actors.
Friday, October 17, 2014
The web, as we know it today, relies heavily on content management systems (CMS) to operate. It's a CMS that allows a blog, news publication or shopping site to be managed centrally, collaboratively and consistently, which is why it's such a shame that CMS systems suck elephants through a straw when it comes to security. Actually, let me qualify that statement: CMS plugins suck.
Sunday, October 12, 2014
At the start of the year, DaniWeb reported how Snapchat, the self-destruct photo messaging service, had been hacked and information regarding 4.5 million users had been stolen. Fast forward to now, and Snapchat is again in the mire: nude images have started to appear on 4chan which have been stolen from Snapchat accounts.
Thursday, October 09, 2014
Sunday, October 05, 2014
As well as being CEO of penetration testing specialists High-Tech Bridge, Ilia Kolochenko is also perhaps unsurprisingly a white hat hacker of some repute. Equally unsurprising is the fact that he has warned that security vulnerabilities in leading CMS platforms such as Drupal, Joomla and WordPress are effectively leaving the security door wide open for hackers to walk through. Kolochenko refers to the threat posed by old plugins, passwords and extensions as being the 'Achilles heel of popular CMS' and for good reason. High-Tech Bridge regularly tests popular CMSs via the ImmuniWeb online penetration testing service and equally regularly, sadly, discovers vulnerabilities therein. It follows a strategy of responsible disclosure, which I'm all in favour of, whereby any vulnerabilities are reported to the vendor with immediate effect but no public disclosure (other than a broad statement without exploitable details) is made for three weeks. This gives the vendor ample time to do something about it, and should encourage those who are a bit slow off the mark to focus attention on a fix. All without alerting the bad guys as to how to create code to exploit the hole.
The news that JPMorgan Chase & Co, which is the largest of the US banks with a reach that extends to half of all American households, has been breached will surprise nobody. At least not in the sense that this is old news, with a disclosure of the event happening in August. The actual breach was discovered by the bank back in July, and is thought to have been active for at least a month prior to that. What is surprising, however, is that a financial organisation of such a size and reputation should fall victim to such a breach in the first place. One highly placed individual in the IT security business told me over a pint that "if it can happen to JP Morgan then, frankly, it can happen to anyone" and that wasn't just the drink talking. Also surprising was the claim that a million accounts had been compromised during the breach, a claim made during the initial disclosure. Just before the weekend the surprise level went off the scale as the New York-based bank revealed, via a regulatory filing, that the actual numbers were a little higher. How much higher? How does 76 million households and 7 million small businesses higher strike you? Of course, this can be played down by comparing it to other mega-breach statistics: the Target attack last year hit 110 million accounts, and the more recent eBay hack 145 million. That doesn't make the JP Morgan numbers any the less striking though; this is a bank we are talking about, after all, and a bloody great big one at that. Let's not forget that JP Morgan is the largest bank in the USA by measure of assets. It insists that no financial information has been compromised, and further that there has been no breach of login data. Email addresses, names, addresses and phone numbers have all been accessed though. To be honest, this is a case where it is less worrying what information has been breached than the fact that the breach happened in the first place.
Thursday, October 02, 2014
I am sorry to say that I suffer from migraines, but sysadmins found themselves with an even bigger headache over the weekend, courtesy of the 22-year-old Bash bug, or Shellshock vulnerability. The remote code execution through Bash does what it says on the tin by allowing trailing code in function definitions to be executed independently of the variable name and exploited remotely across the network. In one sense, this is a good thing. Sometimes people need to be "shellshocked" into a state of reality, with those who are so comfortable in their denial of risk becoming prime candidates to be targeted. This means you, if you are a dyed-in-the-wool Linux or Mac evangelist. Sure, Windows gets the brown and smelly end of the proverbial insecurity stick, but that doesn't mean bad things cannot and do not happen elsewhere.
Saturday, September 27, 2014
The proposed General Data Protection Regulation (GDPR) is expected to replace 20-year-old regulations (the current rules came into place in 1995) and enable harmonisation of data protection across the EU sometime next year. This will bring with it a much stricter compliance requirement and harsher consequences for failure to comply. How harsh? At the sharpest end of the punishment stick, for those organisations breaching the rules, that could be a fine of five per cent of global turnover. While the regulation will put much of the emphasis on the organisation itself to ensure such compliance, it also requires businesses to work with a service provider which can guarantee data is processed in compliance with the data protection rules.
Thursday, September 25, 2014
A 22-year-old vulnerability, yes you read that right, has been discovered which some security experts suggest could be bigger than Heartbleed. The bug, reported as 'CVE-2014-6271: remote code execution through bash', relates to how environment variables are processed: with trailing code in function definitions being executed independently of the variable name. This can be exploited remotely with code injected into environment variables across the network.
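As an added example (not part of the original post), the following POSIX shell function is the sort of post-patch check a sysadmin would run to confirm a bash binary no longer executes trailing code after an environment-exported function definition (CVE-2014-6271); the variable name `x` and the marker word `vulnerable` are arbitrary choices made here.

```shell
#!/bin/sh
# Added example, not code from the original post. Reports whether the given
# bash binary still suffers from CVE-2014-6271: an affected bash, while
# importing its environment at start-up, keeps parsing past the end of an
# exported function body and runs whatever trailing code follows it.
shellshock_status() {
    # Bash binary to examine; defaults to the first "bash" on PATH.
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 0; }

    # The exported value is an empty function "() { :;}" followed by trailing
    # code. A patched bash stops at the closing brace of the function body and
    # never touches the trailing "echo vulnerable"; an unpatched one runs it
    # while importing the environment, before the -c command even starts.
    # "probe-ran" confirms the bash process itself actually executed.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe-ran' 2>&1)

    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *probe-ran*)  echo "patched" ;;
        *)            echo "unknown" ;;
    esac
}
```

Run it against each bash on a host (for example `shellshock_status /bin/bash`); any "vulnerable" result means the package update has not actually landed for that binary.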