Sunday, July 17, 2016

Issue 73 - Week of July 11th


1.       Ubuntu Linux forum hacked: A silly mistake of not installing a patch for a known bug caused exposure of user's personal data - in Ubuntu online forums. The vulnerability is one of the oldest, but most powerful and most dangerous flaw that could affect any website or web application that uses an SQL-based database. The bug allows- SQL injection attack, in which malicious SQL commands/payloads are injected through the client to the application in order to breach the database and get access to the user's personal data. The hack did not affect the Ubuntu operating system, or it was not due to a vulnerability or weakness in the OS.

2.       Downloading Pokémon GO game for Android? beware! it could be malicious: "Pokémon Go" has become the hottest iPhone and Android game to hit the market with enormous popularity and massive social impact. The app has taken the world by storm since its launch last week. The location-based augmented reality game allows players to catch Pokémon in the real life using their device's camera and is currently only officially available in the United States, New Zealand, UK and Australia. In other countries users are side-loading the app from untrusted sources which needs modification of core security settings. This allows the apps to install a backdoor on phones, enabling hackers to compromise a user's device completely.

3.       For iOS, Pokémon GO doesn't Intend, but has Power to look inside: The iOS version of the official Pokémon GO app  is a "huge security risk" as the game, for some reason, grants itself "full account access" to your Google account when you sign into the app via Google on iPhone or iPad. This allows the app to Read /send email, Access Google Drive documents, Look at search history as well as Maps navigation history and a whole lot more. The game developer has acknowledged this and said the company is actively working on a fix to downgrade the permission.

4.       Chinese hacker who stole information on US military jets jailed: A 51-year-old aviation specialist Chinese national, has been thrown behind bars after admitting to his part in a year-long conspiracy to steal valuable technical data belonging to military and defense contractors in the United States. He pleaded guilty to one count of conspiring to gain unauthorized access to a protected computer and to violate the Arms Export Control Act by exporting defense articles on the US Munitions List.

5.       Microsoft wins! Govt. can't force tech companies to hand over data stored overseas: Last week, a court ruled that the United States government cannot force tech companies to give FBI or other federal authorities access to their non-US customers' data stored on servers located in other countries. US Government can't go beyond its boundaries to collect data. The case was an international drug trafficking case, in which FBI wanted data from the US & Ireland data centers.

6.       The World's first all-machine hacking tournament: Today's approach to cybersecurity depends on computer security experts to identify new flaws/threats and remediate them manually. This process takes time and critical systems may have already been breached. DARPA wants to address this and is conducting a tournament called 'Cyber Grand Challenge', in which the participants will build a smart Artificial Intelligence System that will automatically detect and even patch security flaws. The Tournament will be held in Las Vegas on Aug 4th, winning team gets $2M, runner up gets $1M. If successful, the speed of autonomy could someday blunt the advantages hackers enjoy in cyber offense.

7.       3 popular Drupal modules found vulnerable, patch released: Three popular Drupal modules - RESTful Web Services, coder & Webform Multiple File Upload, have been found to be Vulnerable. The Drupal Security Team released critical patches to address these security issues. If you own a Drupal website, you are advised carefully to review the list of affected modules and apply the security patches as soon as possible. Panama Papers leak was largely due to unpatched Drupal & WordPress systems.

8.       Fiat Chrysler debuts Bug Bounty program: A year ago, IT security researchers hacked the onboard computer in Fiat Chrysler's Jeep Cherokee, that led to the recall of 1.4 million vehicles. Now, the company is launching its first public bug bounty program. The bug bounty program will award researchers up to $1,500 per vulnerability that is responsibly disclosed to Chrysler. Other recent Bug bounty programs – MIT, Uber, General Motors, Pentagon.

9.       State-sponsored SCADA malware targeting European energy companies: Security researchers have discovered a new campaign targeting energy companies in Western Europe with a sophisticated malware that almost goes to great lengths in order to remain undetected while targeting energy companies. The malware, dubbed 'SFG', features a vast arsenal of tools rarely seen in ordinary malware samples. The malware provides its masters with a backdoor, which could then be used to install other malware on systems to extract data or potentially shut down the energy grid.


10.   Are you prepared for Ransomware?: Ransomware is no longer a consumer threat, it has begun affecting government and enterprise. The decision "To pay or not to pay", must take into account a balanced view. FBI had initially suggested the victims should not pay, later they suggested paying hackers was an option. The Hollywood hospital is one of the victims that paid $17K. For as long as ransomware remains profitable, attackers will continue to frustrate and damage organizations around the world. Ultimately, Advanced content security protection and a good backup strategy is the safety net that underpins the mitigation strategy against Ransomware.



https://twitter.com/ootyajay
https://www.linkedin.com/in/ootyajay

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)