Hi attached is the powerpoint and executive summary for the Burp Suite QVC analysis.
ITACS 5211: Introduction to Ethical Hacking
Wade Mackay
During the election of 2016, Facebook found itself embroiled in the drama of fake news stories that were created by scammers looking to make a fast buck. Scammers knew they had a massive and willing audience on Facebook, and they struck. Pew Research, the nonpartisan American “fact tank,” reported that week that 64% of adults get news through social media, yet only 4% of users trust the information they find on the platforms a lot and 30% trust it some.
To resolve this issue, Mark Zuckerberg said that Facebook is working on a fake news detection system, a warning system, and the means to report fake news, but for many, this plan is too little, too late, the article says.
Here is the rest of the article: http://www.techrepublic.com/article/fake-news-is-everywhere-should-the-tech-world-help-stop-the-spread/?ftag=TRE684d531&bhid=27250068933112925186573856412477
Hacker finds flaw in Gmail allowing anyone to hack any email account
Google offers $20,000 bounties for any security vulnerabilities in its applications. The most recent cash-in of this program was by Ahmed Mehtab. Mehtab discovered that Google’s feature that allows users to link multiple email addresses together can expose the accounts to hijacking. If a user tries to link an account, but that account is deactivated, the recipient’s SMTP server is offline, the recipient email is invalid, or the recipient has blocked the sender, then Google’s verification email will fail and be sent back to the sender. Now the user has wrongfully been granted a verification code and the email can be linked. Google has since paid Mehtab and addressed the issue, but it’s interesting to see that such a significant vulnerability slipped past Google.
https://community.mis.temple.edu/itacs5211fall16/2016/11/05/3909/
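As an added example (not code from the post or from Google), here is a small Python model of the linking flow the post describes, with the flawed behaviour beside a hardened version that keeps the original message out of the bounce and cancels the pending code; the class names and the example.test addresses are constructed.

```python
# Added example (not the post's or Google's code); all names here are constructed.
import re
import secrets

CODE_RE = re.compile(r"code=(\w+)")

class MailSystem:
    # Addresses in `undeliverable` model the post's cases: deactivated account,
    # SMTP offline, invalid address, blocked sender.
    def __init__(self, undeliverable):
        self.undeliverable, self.inboxes, self.on_bounce = set(undeliverable), {}, None
    def send(self, sender, recipient, body, strip_body_on_bounce):
        if recipient not in self.undeliverable:
            self.inboxes.setdefault(recipient, []).append(body)
            return
        # Delivery failed: a bounce notice goes back to the sender.
        bounce = "Undeliverable" if strip_body_on_bounce else "Undeliverable. Original: " + body
        self.inboxes.setdefault(sender, []).append(bounce)
        if self.on_bounce:
            self.on_bounce(body)

class LinkService:
    # hardened=False reproduces the failure the post describes: the verification
    # code rides back to the requester inside the bounce. hardened=True keeps the
    # original message out of the bounce and cancels the pending code on bounce.
    def __init__(self, mail, hardened):
        self.mail, self.hardened, self.pending = mail, hardened, {}
        if hardened:
            mail.on_bounce = self.invalidate
    def invalidate(self, body):
        m = CODE_RE.search(body)
        if m:
            self.pending.pop(m.group(1), None)
    def request_link(self, requester, target):
        code = secrets.token_hex(8)
        self.pending[code] = target  # code is bound to the target address only
        self.mail.send(requester, target, f"Confirm linking: code={code}",
                       strip_body_on_bounce=self.hardened)
    def confirm(self, code, target):
        return self.pending.pop(code, None) == target

def link_succeeds(hardened):
    # Requester asks to link an undeliverable address, then reads their own inbox
    # for a code; returns True if the link is (wrongly) confirmed.
    mail = MailSystem(undeliverable={"victim@example.test"})
    svc = LinkService(mail, hardened)
    svc.request_link("requester@example.test", "victim@example.test")
    for msg in mail.inboxes.get("requester@example.test", []):
        m = CODE_RE.search(msg)
        if m and svc.confirm(m.group(1), "victim@example.test"):
            return True
    return False
```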
We are a few days away from the 2016 U.S. Presidential election. It should be no secret to anyone that cyber security has been amid several controversial topics such as emails and alleged state-sponsored cyber-attacks to influence the results of this year’s presidential election. The Federal Government believes that Russia may be behind recent waves of DDoS attacks which caused internet disruptions in the Northeast region. Multiple major news outlets have now confirmed that the U.S. military has been preparing and is ready to retaliate against any possible cyber-attacks from Russia to disrupt the election next week.
http://www.nbcnews.com/news/us-news/u-s-hackers-ready-hit-back-if-russia-disrupts-election-n677936
This article is a perfect example of upper management not taking IT security seriously. Even though this article is 2 years old, it shows a blatant act on Home Depot’s part not to address known security issues. Home Depot’s cyber security team presented concerns to management back in 2008 and they were slow to respond, resulting in 56 million credit cards being compromised four years later. You would have thought that after the Target data breach, Home Depot would have tightened up their act.
http://www.theverge.com/2014/9/20/6655973/the-home-depot-reportedly-ignored-warnings-from-its-own-cybersecurity-team
This is a good article for this week’s lesson. Google’s Threat Analysis Group disclosed a critical vulnerability in Windows in a public post on the company’s security blog. The vulnerability allows hackers to escape from security sandboxes through a weakness in the win32k system. Google went public ten days after reporting the bug to Microsoft, before a patch could be deployed. Google has already sent out a fix to protect Chrome users, while Windows is still vulnerable.
Microsoft has launched a new security program for its Azure cloud platform to help improve customers’ security when they are dealing with the IoT. It is a response to customer requests for increased security assurances as they deploy IoT products. Microsoft has partnered with security auditors to evaluate customers’ IoT infrastructure, detect security problems, and provide recommendations. Partners so far include Praetorian, Casaba Security, CyberX, and Tech Mahindra. The massive DDoS attacks on Dyn through IoT were a wakeup call for businesses that vulnerable IoT devices such as webcams, routers, printers and DVRs could easily become the targets of attackers. IoT product teams struggle to balance quickly releasing products to market against the risk of insecurity. IT experts said the security issues of IoT require the entire ecosystem to work together and collaborate to ensure security.
One of the biggest IT news stories last week was the IoT-based DDoS attacks on Dyn. IoT security problems suddenly attracted everyone’s attention. Vulnerable devices in the IoT system with default settings were turned into “bots” under the control of malware to attack DNS. Since IoT products are increasingly used within organizations, their security and privacy issues should be the top concerns of organizations before implementation.
Link: http://www.darkreading.com/iot/microsoft-launches-security-program-for-azure-iot/d/d-id/1327350
A US bank regulator, now retired, who downloaded a large amount of data onto two thumb drives says that he lost them. The Office of the Comptroller of the Currency, which is part of the Department of the Treasury, says that this is “a major information security incident.” The specifics of the data lost haven’t been disclosed, but it involved “controlled unclassified information, including privacy information.” The agency discovered this loss by conducting a review of all information downloaded to removable media back in September. This issue would have been avoided if there had been a policy in place restricting data from being downloaded to removable devices, as most companies are doing now.
Link to article: http://www.csoonline.com/article/3137005/security/lost-thumb-drives-bedevil-us-banking-agency.html
The Australian Red Cross Blood Service has apologized after a database backup file containing over one million donor records, including highly sensitive information on sexual activity, was exposed to the public. The breach occurred when a partner published a 1.74 GB mysqldump file to a publicly facing website with directory browsing enabled, which means an unnamed researcher was able to find it at random using a simple IP address scan for publicly exposed web servers returning directory listings. The data included over 1.2 million records pertaining to 550,000 blood donor applicants. The information crucially included answers to highly sensitive questions on whether the applicant had engaged in “at-risk” sexual behavior over the past year. According to the statement apologizing for the incident, the Blood Service has taken immediate action to resolve the problem and informed the police and the Australian Information Commissioner. They have deleted all known copies of the data. It is unclear how long the data was left publicly available, but it contains info on donors who registered between 2010 and 2016.
I think this will definitely affect people who want to donate blood and people who have donated blood before. I would not donate my blood for a while since it may leak my personal information publicly. So the number of blood donors in Australia will decrease for a time, I believe. They need to prepare for it.
Link: http://www.infosecurity-magazine.com/news/blood-service-data-leak-australias/