Category Archives: patching

Pepper IoT: Smart devices aren’t so bright when it comes to security

Smart devices aren’t very intelligent when it comes to protecting user privacy and handling security, according to a report by Internet of Things platform and service provider Pepper IoT and cybersecurity

The post Pepper IoT: Smart devices aren’t so bright when it comes to security appeared first on The Cyber Security Place.

Zero-day vulnerability in ‘Total Donations’ plugin could allow attackers to take over WordPress sites

The zero-day affects all versions of Total Donations plugin, a commercial plugin that is used to gather and manage donations. The plugin’s code contains several design flaws that inherently expose

The post Zero-day vulnerability in ‘Total Donations’ plugin could allow attackers to take over WordPress sites appeared first on The Cyber Security Place.

Unpatched Vulnerabilities Exposes Businesses To Hackers

Are organizations keeping software up to date and maintaining security patches on a scheduled basis? The answer may shock you. According to Veracode’s latest research, most businesses will not patch critical security

The post Unpatched Vulnerabilities Exposes Businesses To Hackers appeared first on The Cyber Security Place.

Microsoft Windows 7 & Windows 2008 End of Life

Microsoft Windows 7 and Windows Server 2008 End of Life is fast approaching. 'End of Life' is the point where the operating system will be no longer supported with security patches, unless you (as a business) take out a rather expensive extended warranty agreement with Microsoft.



As a home user, you should upgrade from Windows 7 without delay, as there are significant performance improvements to be gained with Windows 10. I always recommend installing Windows 10 from scratch onto a blank hard disk drive, rather than using the upgrade option. Ideally install onto a new Solid State Drive (SSD), which improves an operating system's performance massively. SSDs have come down in price in recent months, making a decent memory size SSD an affordable option. Always ensure all your important documents and data are backed up at all times, double check before attempting an operating system installation or upgrade.

Where as a businesses you have Windows 7 and Windows Server 2008 present, it is imperative not to leave your upgrade plan until the last minute, as mass operating systems upgrades within business can be fraught with delays due to technical issues to overcome, and unforeseen business circumstances. Also, Microsoft Windows Server 2016 has a significant virtualisation perform kick over 2008 & 2012 versions. And given the high security risk or cost in purchasing a Microsoft Extended Warranty, there really can be no solid business reason for delaying an upgrade project.

Microsoft Product     End of Life Date
Windows 7                      14/01/2020
Windows Server 2008    14/01/2020
Office 2010                     13/10/2020
Windows Server 2012    10/01/2023
Windows 8/8.1                10/01/2023
Office 2013                     11/04/2023
Windows 10                    14/10/2025
Office 2016                     14/10/2025

For further Microsoft EOF details see https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

Cyber Security Roundup for August 2018

The largest data breach disclosed this month was by T-Mobile, the telecoms giant said there had been "unauthorised access" to potentially 2 million of their 77 million customer accounts. According to the media, a hacker took advantage of a vulnerability in a T-Mobile API (application programming interface). It was a vulnerable API used by Air Canada mobile App which was also exploited, resulting in the compromise of 20,000 Air Canada customer accounts. Air Canada promptly forced a password change to all of its 77 million customer accounts as a result, however, the airline faced criticism from security experts for advising a weak password strength. Namely, a password length of 8, made up of just characters and digits. Both of these hacks underline the importance of regularly penetration testing Apps and their supporting infrastructure, including their APIs.

Hackers stole up to 34,000 Butlin guest records, reportedly breaching the UK holiday camp firm through a phishing email. Dixons Carphone upped the estimated number of customer records breached in a hack last year from 1.2 million to 10 million, which includes 5.9 million payment cards. There was no explanation offered by Dixons to why it had taken so long to get a grip on the scale of the data breach, which was reported as occurring in July 2017.

Huawei continues to face scrutiny over the security of their products after the UK National Cyber Security Centre (NCSC) issued a warning about using the Chinese tech manufacturing giant's devices in a security report. Huawei recently took over from Apple as the world's second largest provider of smartphones. A 16 year old Australian 'Apple fanboy' found himself in court after hacking into Apple's network.

On the international scene, Microsoft announced it had thwarted Russian data-stealing attacks against US anti-Trump conservative groups, by taking down six domains which hosted mimicked websites, which were likely to be used in future phishing campaigns. The Bank of Spain's website was taken out by a DDoS attack, and a Chinese Hotel Group's 140Gb customer database was found for sale on the dark web. The PGA golf championship was hit by a ransomware, and the FBI arrested three key members of the notorious FIN7 hacking group, the group is said to be responsible for stealing millions of credit card and customer details from businesses across the world.

On the personal front, the EC-Council confirmed my Computer Hacking Forensic Investigation (CHFI) certification had been renewed until 2021. I dropped into B-Sides Manchester this month, the highlight was a demonstration of a vulnerability found by Secarma researches, namely a PHP flaw which places CMS sites at risk of remote code execution

There was plenty of critical security patches released by the usual suspects, such as Microsoft, Cisco, and Adobe, the latter firm released several out-of-band patches during August. A critical update was released for Apache Struts (popular web server) and a reminder that Fax machines and all-in-one devices network devices could be used as a way into corporate networks by hackers.

Finally, there were a couple of interesting cybercrime articles posted on the BBC's news website this month,  Cyber-Attack! Would your firm handle it better than this? and Unpicking the Cyber-Crime Economy

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Cyber Security Roundup for March 2018

In the wake of the global political fallout over the Salisbury nerve agent attack, there are reports of a growing threat of Russian state or Russian state-affiliated hacking groups conducting cyber attack reprisals against UK organisations, government officials have directly warned bosses at electricity, gas and water firms, Whitehall departments and NHS hospitals to prepare for a state-sponsored cyber assault


Large-scale data breaches were disclosed with Under Armour’s Fitness App MyFitnessPal (1.5 million personal records compromised), Orbitz (880k payment cards at risk), and at a Walmart partner (1.3 million personal records compromised). The latter was caused when an AWS S3 bucket holding a Walmart database was left with open access, which isn't the first time a cloud service misconfiguration has caused a major data breach.

TalkTalk were warned about their website’s poor security after a hacker known as 'B' disclosed a cross-site scripting vulnerability on the talktalk.co.uk website to Sky News. TalkTalk was given a record £400,000 fine by the Information Commissioner's Office following a major website breach in October 2015, which 157,000 customer details were stolen. And the company were told to "be more diligent and more vigilant” and was fined a further £100,000 after data belonging to 21,000 customers were exposed to "rogue" staff at an Indian call centre.

GitHub survived the largest ever DDoS attack recorded thanks to Akamai DDoS protection, which peaked at a massive 1.35 terabytes of data per second.

UK schools were warned they were soft targets for cybercriminals, experts believe many schools are ill-equipped to prevent cyber thefts, with sensitive data such as children’s medical records said to be lucrative on the dark web. There has been a number of security incidents disclosed involving UK schools in recent months.
Gwent Police are facing scrutiny by the Information Commissioner's Office for not informing 450 people that hackers may have accessed their personal information, after discovering the breach over a year ago.

A hacker alleged to be behind a gang the ran the Carbanak and Cobalt bank target malware has been arrested. The gang is reported to be responsible for the theft of up to billion euros through bank transfers and from cash machines, from over 100 banks since 2013


NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS