Will The Drupal Flaw Be Catastrophic?
The Drupal web content management system has been exposed as having backdoor access that could deliver your site to hackers.
The problem is not particularly new. Drupal warned about it earlier this month, but it still needs tackling as millions of websites may be at risk.
Drupal said that sites running version 7 really ought to have upgraded to 7.32 by now, because not doing so leaves them as open as a torn tea bag.
Initially the alert was about the threat, but the firm has updated its earlier advice and is now warning of in-the-wild attacks.
That earlier advice was about a problem in a database API. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution,” warned Drupal in a security alert.
“Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.”
More recent information from the firm points users toward the released upgrade, and informs them that attacks started not long after the initial announcement.
“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is seven hours after the announcement,” it said, adding that, even when updated, sites will have some cleaning up to do.
“If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website,” it explains.
“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”
Gavin Millard, EMEA technical director at Tenable Network Security, advised people to follow Drupal’s advice.
“The so-called ‘Drupageddon’ vulnerability could have easily led to exploitation of any systems running the vulnerable code. With such an easy to exploit flaw, the chance of exfiltration of data or further exploitation are high,” he said.
“For those who have good security controls, reviewing of logs and traffic directed at the sites following the vulnerability being announced and the patch applied is common sense and highly advisable, with appropriate action taken if indicators of compromise are found.
“For those who don’t have such a good level of security or visibility into the logs, the advice from the Drupal team should be heeded. If you don’t know if you were exploited you should assume that you have been.”
Hackers Infiltrate Jimmy Johns
October 7, 2014 by admin
Filed under Around The Net
Sandwich restaurant chain Jimmy John’s said there was a potential data breach involving customers’ credit and debit card information at 216 of its stores and franchised locations on July 30.
An intruder stole log-in credentials from the company’s vendor and used the credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16 and Sept. 5, the company said.
The chain is the latest victim in a series of security breaches among retailers such as Target Corp, Michaels Stores Inc and Neiman Marcus.
Home Depot Inc said last week some 56 million payment cards were likely compromised in a cyberattack at its stores, suggesting the hacking attack at the home improvement chain was larger than the breach at Target Corp.
More than 12 of the affected Jimmy John’s stores are in the Chicago area, according to a list disclosed by the company.
The breach has been contained and customers can use their cards at its stores, the privately held company said.
Jimmy John’s said it has hired forensic experts to assist with its investigation.
“Cards impacted by this event appear to be those swiped at the stores, and did not include those cards entered manually or online,” Jimmy John’s said.
The Champaign, Illinois-based company said stolen information may include the card number and in some cases the cardholder’s name, verification code, and/or the card’s expiration date.
NSA Software Reengineered
Hackers have found a way to reverse engineer the technology of the United States National Security Agency (NSA) spy gadgets.
Thanks to documents leaked by fugitive former NSA contractor and whistleblower Edward Snowden, the group has built a copycat device able to gather private data from computer systems.
The Advanced Network Technology catalogue, leaked by Snowden, is the Argos book of the NSA, showing a range of toys available to agents. One such device, known as a “retro reflector”, had eluded identification beyond the fact that it acted as a bug, keylogger and screengrabber.
Michael Ossmann and his team from Great Scott Gadgets, a Colorado-based hacking group, decided that the best defence against such devices was to create their own in order to understand what makes them tick.
It transpired that the key technology being used is called software defined radio (SDR), an approach that uses software to generate radio transmissions through signal processing, doing away with a lot of hardware circuitry.
“SDR lets you engineer a radio system of any type you like really quickly so you can research wireless security in any radio format,” Ossmann told New Scientist.
The technique can be used for almost any type of radio signal and therefore the devices are capable of tracking anything, from what you’re listening to through a Bluetooth headset to the binary signals of your internet traffic.
The group, which will demonstrate its work at the Defcon hacking conference in Las Vegas, runs a website at NSAplayset.org that is a repository for all of the information it has gathered.
Is The Internet Secure?
June 9, 2014 by admin
Filed under Around The Net
Hacker blogger Quinn Norton is getting a lot of coverage with her blog post claiming that the Internet is broken. She argues that every computer and every piece of software we use is vulnerable to hackers because of terrible security flaws. Norton blames these flaws on developers who face immense pressure to ship software quickly.
Norton says that those bugs may have been there for years unnoticed, leaving systems susceptible to attacks. One of her hacker mates accidentally took control of more than 50,000 computers in four hours after finding a security vulnerability. Another one of her colleagues accidentally shut down a factory for a day after sending a “malformed ping.”
She said that the NSA wasn’t, and isn’t, the great predator of the internet; it’s just the biggest scavenger around. It isn’t doing so well because its staff are all-powerful math wizards of doom. The real problem is that software is too complicated and the emphasis placed on security too light.
“The number of people whose job it is to make software secure can practically fit in a large bar, and I’ve watched them drink. It’s not comforting. It isn’t a matter of if you get owned, only a matter of when,” Norton said.
Microsoft Buys Parature
Microsoft Corp said that it will acquire cloud-based software maker Parature Inc, which assists businesses in managing help desks and providing other customer support services.
Parature’s software helps businesses provide automated customer service, manage online discussion boards and forums, and conduct online surveys.
The company’s customers include Ask.com, the U.S. Environmental Protection Agency, International Business Machines Corp and Saba Software Inc.
Microsoft did not disclose the terms of the deal.
The acquisition will boost Microsoft’s Dynamics unit, which makes business software and counts Mattress Firm Holding Corp, Pandora Media Inc and Nissan Motor Co as customers.
Cloud computing, a broad term referring to the delivery of services via the Internet from remote data centers, is a favorite with businesses because it is faster to implement and has lower upfront costs than traditional software.
Oracle Corp said in December that it would buy web-based marketing software maker Responsys Inc for about $1.39 billion to bolster its cloud computing offerings.
Salesforce.com Inc, the biggest maker of online sales management tools, said in June that it would pay $2.5 billion for marketing software maker ExactTarget, which helps companies reach customers on social networks through mobile devices.
BlackBerry’s Secure Goes To iOS
July 1, 2013 by admin
Filed under Smartphones
BlackBerry continues to expand its support for Android and iOS with Secure Work Space, which separates work and personal apps and data, as the device maker tries to hold on to enterprise users by becoming more platform neutral.
Remaining relevant in a world where more than 9 out of 10 smartphones shipped are based on either Google’s Android or Apple’s iOS isn’t easy for BlackBerry. But the company still has fans in enterprise IT departments and hopes to remain an option for users by continuing to embrace the two dominant platforms. The company can already manage devices based on Android and iOS, and support for BlackBerry Messenger is on the way.
BlackBerry announced Secure Work Space in March and has now made good on a promise to ship it before June 30. The software is an add-on to BlackBerry Enterprise Service (BES) 10, and it adds a managed container to protect corporate data and applications running on Android and iOS devices.
Users get integrated email, calendar and contacts, as well as secure browser access to intranets and document editing capabilities. Data is protected both when stored on the device and when transferred to and from enterprise servers, according to BlackBerry.
“The concept is right and very similar to what AT&T offers with Toggle. Creating two different “personas” on mobile devices is becoming a best practice for enterprises. Buying it from BlackBerry is probably most relevant for enterprises that have a major commitment to BlackBerry 10 and BES 10,” said Leif-Olof Wallin, research vice president at Gartner.
On BlackBerry 10 smartphones, BlackBerry has tightly integrated a personal and a work environment with the Balance feature.
BlackBerry is far from the only vendor that has adopted this concept. One competitor is Good Technology, which on Tuesday announced a whole host of new applications compatible with its Dynamics Security Mobility platform, which includes support for both app wrapping and encrypted app containers. The list of newcomers includes Mobility for SAP and remote access app Splashtop.
But for those interested in Secure Work Space, which is based on software from OpenPeak, the BES 10 server software is free to download. Annual client access licenses for Secure Work Space are $99 per year and device. For enterprises that want to get their feet wet, the platform is also available as a 60-day free trial bundle that includes device management for BlackBerry 10, iOS and Android devices, as well as Secure Work Space licenses for 50 users.
Oracle Wants More Money From SAP
Oracle is appealing the damages it was awarded from SAP and is pushing for more.
The news has disappointed SAP, according to a German newspaper, and the firm is worried that the appeal will draw out the five year long legal battle even longer.
“We are disappointed that Oracle is drawing the lawsuit out further,” an SAP spokesman told the German newspaper Mannheimer Morgen.
“We had agreed on a sensible arrangement, because we believe that this case has gone on long enough. We remain committed to bringing this dispute to an end.”
Neither firm has commented yet, but the appeal follows SAP’s admission of liability in the Tomorrownow affair.
SAP pleaded guilty last year and acknowledged that its Tomorrownow subsidiary had done wrong. Tomorrownow was accused of downloading information belonging to Oracle, including software and customer information related to Peoplesoft users.
Oracle was initially awarded $1.3bn in damages, but this was knocked down to $306m by a judge who told it that it had two options: accept that sum or take SAP back to court.
Did Hackers Attack Water System?
November 28, 2011 by admin
Filed under Around The Net
Federal investigators are looking into a report that hackers managed to remotely shut down a utility’s water pump in central Illinois last week, in what could be the first known foreign cyber attack on a U.S. industrial system.
The November 8 incident was described in a one-page report from the Illinois Statewide Terrorism and Intelligence Center, according to Joe Weiss, a prominent expert on protecting infrastructure from cyber attacks.
The attackers obtained access to the network of a water utility in a rural community west of the state capital Springfield with credentials stolen from a company that makes software used to control industrial systems, according to the account obtained by Weiss. It did not explain the motive of the attackers.
He said that the same group may have attacked other industrial targets or be planning strikes using credentials stolen from the same software maker.
The U.S. Department of Homeland Security and the Federal Bureau of Investigation are examining the matter, said DHS spokesman Peter Boogaard.
Apple Website Is Ripe For Hacking
July 4, 2011 by admin
Filed under Around The Net
According to the ethical hacking group YGN, Apple’s website for developers is virtually wide open and gives hackers the opportunity to mount attacks such as phishing to gain access to subscribers’ vital personal information.
Networkworld identified three holes on Apple’s website: arbitrary URL redirects, cross-site scripting and HTTP response splitting. These holes could allow hackers to redirect visitors to arbitrary other websites and make phishing attacks against developers’ login credentials more successful.
Hacker Writes Trojan For Apple’s Mac
As Apple’s popularity continues to increase, so too does the malicious interest of hackers in their famed products. Researchers at Sophos say they’ve uncovered a new Trojan horse program written for the Mac.
It’s called the BlackHole RAT (the RAT part is for “remote access Trojan”) and it’s pretty easy to find online in hacking forums, according to Chet Wisniewski, a researcher with antivirus vendor Sophos. There’s even a YouTube video demo of the program that details what it’s capable of doing.
Sophos hasn’t seen the Trojan used in any online attacks (it’s more a bare-bones, proof-of-concept beta program right now), but the software is pretty easy to use, and if a criminal could find a way to get a Mac user to install it, or write attack code that would silently install it on the Mac, it would give him remote control of the hacked machine.