Will The Drupal Flaw Be Catastrophic?
The Drupal web content management system has been exposed as having backdoor access that could deliver your site to hackers.
The problem is not particularly new. Drupal warned about it earlier this month, but it still needs tackling as millions of websites may be at risk.
Drupal said that sites running version 7 really ought to have upgraded to 7.32 by now, because not doing so leaves them as open as a torn tea bag.
Initially the alert was about the threat, but the firm has updated its earlier advice and is now warning of in-the-wild attacks.
That earlier advice was about a problem in a database API. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution,” warned Drupal in a security alert.
“Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.”
More recent information from the firm points users toward the released upgrade, and informs them that attacks started not long after the initial announcement.
“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is seven hours after the announcement,” it said, adding that, even when updated, sites will have some cleaning up to do.
“If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website,” it explains.
“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”
Gavin Millard, EMEA technical director at Tenable Network Security, advised people to follow Drupal’s advice.
“The so-called ‘Drupageddon’ vulnerability could have easily led to exploitation of any systems running the vulnerable code. With such an easy-to-exploit flaw, the chance of exfiltration of data or further exploitation is high,” he said.
“For those who have good security controls, reviewing of logs and traffic directed at the sites following the vulnerability being announced and the patch applied is common sense and highly advisable, with appropriate action taken if indicators of compromise are found.
“For those who don’t have such a good level of security or visibility into the logs, the advice from the Drupal team should be heeded. If you don’t know if you were exploited you should assume that you have been.”
Phishing Attacks Increasing
Security researchers at Kaspersky Lab have reported significant growth in phishing attacks over the last year.
In a study entitled “The Evolution of Phishing Attacks”, Kaspersky said that 37.3 million of the 50 million customers running its security products were at risk of being phished between 2012 and the present, an 87 percent increase over the same period in 2011 to 2012.
“The nature of phishing attacks is such that the simplest types can be launched without any major infrastructure investments or in-depth technological research,” Kaspersky said in the report.
“This situation has led to its own form of ‘commercialization’ of these types of attacks, and phishing is now being almost industrialized, both by cybercriminals with professional technological skills and IT dilettantes.”
The security firm explained that, overall, the effectiveness of phishing, combined with its profitability for criminals and how simple the process is to undertake, has led to a steadily rising number of these incidents.
Kaspersky noted that most of the victims in 2012-2013 were located in just ten countries, that is, Russia, the US, India, Germany, Vietnam, the UK, France, Italy, China and Ukraine. These 10 countries were home to 64 percent of all phishing attack victims during this time.
In addition to a rise in the number of users attacked, the number of servers involved in phishing attacks also increased, Kaspersky said, without giving exact numbers. The firm did reveal that internet giants such as Yahoo, Google, Facebook and Amazon are the top targets of malicious users.
“Online game services, online payment systems, and the websites of banks and other credit and financial organizations are also common targets,” the firm added, warning users to stay vigilant when entering personal data.
Sprint To Offer Ultrabooks
Sprint has become the first U.S. mobile operator to offer an ultrabook, which is being sold with a 3G/4G mobile hotspot device at no added cost.
Sprint and Lenovo announced the 13.3-in. IdeaPad U310 ultrabook with a hotspot device for $799.99, subject to a two-year Sprint mobile broadband service agreement, the companies said. Three months of broadband service will be available for free.
The hotspot is either a MiFi 3G/4G mobile hotspot by Novatel Wireless or the Overdrive Pro 3G/4G mobile hotspot by Sierra Wireless. Data plans for the hotspot start at $35 a month for 3GB, or $50 for 6GB.
Sprint said the offer is focused on small business users and students. It will be available through Sprint telesales at 800-Sprint1, Sprint business sales and business partners and on the Sprint ultrabook Web site.
The IdeaPad U310 features Lenovo RapidBoot, allowing it to resume from hibernate status in less than seven seconds, and BootShield for fast booting even with multiple apps installed.
Maryland Bill To Ban Employers From Facebook Snooping
The practice of employers requesting that job applicants provide their account login information for Facebook and other social media sites will soon be a thing of the past, as Maryland is poised to be among the first states to ban it. The state’s General Assembly has passed the bill, which now awaits the signature of Gov. Martin O’Malley, reports The Baltimore Sun.
O’Malley is expected to sign the bill into law, reports The Gazette.
Melissa Goemann, who directs the American Civil Liberties Union’s legislative efforts in Maryland, tells the Sun, “This is a really positive development, because the technology for social media is expanding every year, and we think this sets a really good precedent for limiting how much your privacy can be exposed when you use these mediums.”
Goemann says the ACLU took up the case of Maryland Corrections Officer Robert Collins, who had been asked to give his Facebook login and password to Corrections officials during a recertification interview.
As news spread of similar cases, legislators at the state and federal level vowed to take action and ban the practice, on the grounds that it is an unreasonable invasion of a job-seeker’s privacy. Sens. Chuck Schumer and Richard Blumenthal say they asked the U.S. Justice Department to investigate whether the practice is illegal.
Microsoft’s IE Latest Flaw: ‘Cookiejacking’
A technology security researcher has discovered a flaw in Microsoft Corp’s widely used Internet Explorer browser that he said may allow hackers to steal credentials used to access Facebook, Twitter and other websites.
He dubbed the technique “cookiejacking.”
“Any website. Any cookie. Limit is just your imagination,” said Rosario Valotta, an independent Internet security researcher based in Italy.
Hackers can exploit the flaw to access a data file stored inside the browser known as a “cookie,” which holds the login name and password to a web account, Valotta wrote.
Once a hacker has that cookie, he or she can use it to access the same site, said Valotta, who calls the technique “cookiejacking.”
The vulnerability affects all versions of Internet Explorer, including IE 9, on every version of the Windows operating system.
To take advantage of this flaw, the hacker must first persuade the victim to drag and drop an object across the PC’s screen before the cookie can be hijacked.
That sounds like a difficult task, but Valotta said he was able to do it fairly easily. He built a puzzle that he put up on Facebook in which users are challenged to “undress” a photo of an attractive woman.
“I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server,” he said. “And I’ve only got 150 friends.”
Microsoft said there is little risk a hacker could succeed in a real-world cookiejacking scam.
“Given the level of required user interaction, this issue is not one we consider high risk,” said Microsoft spokesman Jerry Bryant.