Application Security News for October 2016


This month, we introduce our new podcast, Between Two Teeth. This regularly scheduled podcast will feature discussions and opinions on various security related topics from the previous month. This month’s hosts are Anshuman Singh and Nitzan Miron.  You can listen to the podcast in the player above.

This month’s topics: the Mirai botnet and the attack on DynDNS; how necessity led one person to discover a vulnerability in PayPal's 2FA; news on Magento eCommerce vulnerabilities leading to 6,000 sites being hacked; how simply turning on HTTPS does not fully protect you and your site's visitors; and more.


Show notes and links:

Malicious Insiders Remain a Difficult and Growing Problem

Earlier this month, the Department of Justice unsealed a criminal complaint against a contractor for the National Security Agency, alleging the theft of highly classified information. Like Edward Snowden in 2013, Harold Thomas Martin III, 51, of Glen Burnie, Maryland, worked for Booz Allen Hamilton and is accused of exploiting his insider access in order to remove classified files….

The 10 Most Damaging Security Breaches of 2016

There’s no doubt that 2016 has been a massive year for security breaches. We’ve seen data breaches affecting large retailers, social media platforms and even political campaigns. In this article I’m going to give you the list of what I believe to be…

DomainTools Warns Customers of User Data Scraping Attack

DomainTools said it detected an attack against its user management system from an unknown attacker and advised users to change their passwords as a precaution.

Bug Bounty Hunter Launches Accidental DDoS Attack on 911 Systems via iOS Bug

The Maricopa County Sheriff's Office Cyber Crimes Unit arrested Meetkumar Hiteshbhai Desai, an 18-year-old teenager from the Phoenix area, for flooding the 911 emergency system with hang-up calls.

DDoS Attacks Dominate News, Spark Calls for Regulation

Virginia Sen. Mark Warner sent letters to the Federal Communications Commission, the Federal Trade Commission and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center about his “growing concern” over the “unprecedented” volume of DDoS attacks driven by the Mirai botnet exploiting connected devices.

“[O]ver 500,000 connected devices were vulnerable to Mirai because of an exploitable component from a single vendor’s management software,” Warner wrote. “Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support.”

“I am interested in a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers,” Warner said.

Wannabe Hackers Are Adding ‘Terrible’ and ‘Stupid’ Features to Mirai

Security firm Arbor Networks noticed that several hackers “have been observed customizing and improving the attack capabilities of the original botnet code,” according to a blog post published on Thursday.

Hackers Took Down a High School Literacy Test Because Punk’s Not Dead

A dry run for a high school literacy test in Ontario was cancelled last week after being sabotaged with a cyber attack, affecting thousands of grade 10 students, the organization that oversees the test announced on Monday.

According to the province’s Education Quality and Accountability Office (EQAO), which plans on administering the test online in March in a digital first, the pilot was scuttled after being targeted by an “intentional, malicious and sustained” distributed denial of service attack, or DDoS. The attack could have affected up to 150,000 students who were registered at schools that volunteered to participate in the trial, and only 16,000 were able to complete the test before it was taken offline.

How security flaws work: SQL injection

This easily avoidable mistake continues to put our finances at risk.

Inside the Cyberattack That Shocked the US Government

The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses.

Shellshock Scans Climb Back to 2015 Levels

On Saturday, September 24, the Shellshock bug turned two, but threat actors haven't forgotten about it just yet, with a fairly decent amount of Shellshock scans taking place on a regular basis, according to telemetry data gathered by IBM X-Force.

Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.

