ITACS 5211: Introduction to Ethical Hacking

Wade Mackey

Donald Hoxhaj

Injection Attacks: The Least Glamorous Attack Is One of the Most Threatening

November 11, 2017 by Donald Hoxhaj

https://securityintelligence.com/injection-attacks-the-least-glamorous-attack-is-one-of-the-most-threatening/

This article talks about the following: Research says that injection attacks are the most common form of attack on organizational networks, especially SQLi. Attackers have started using malicious PHP scripts, mining tools, and force attacks to take control of systems. Of these, 47% of attacks are OS command injections, 36% are SQL injections, and about 13% are code injections. The most favourable targets for these attacks are obviously the largest networks in organizations.

It will be interesting to see how things unfold in the future. With password reuse and server misconfiguration being the usual causes of such vulnerabilities, how can organizations ensure that employees adhere to security practices? Do such companies have a time-sensitive response system to prevent injection attacks?

Web App attacks up 69%, US main source of cyber attacks

November 10, 2017 by Donald Hoxhaj

https://www.scmagazineuk.com/web-app-attacks-up-69-us-main-source-of-cyber-attacks/article/710175/

This article talks about the following: The rate of web application attacks has grown substantially over the last few years. The Akamai Q3 State of the Internet Security Report says that web app attacks have grown 69% compared to the previous quarter. SQL injection attacks have grown 62% compared to the previous year. Statistics say that the US stands at the top of the list as the main source of cyber-attacks and that SQL injection attacks rank in the top vulnerability category.

It will be interesting to see how things unfold in the future. SQL injection attacks have been a common phenomenon. Despite firewalls preventing connections to the database, these attacks have taken the brute force way. How can companies strengthen their internal databases to prevent cyber-attacks? How can regulations be imposed on internet use, especially in the US, so that the rate of attacks goes down further?

Equifax blames known web app glitch for hacking

November 4, 2017 by Donald Hoxhaj

https://www.ft.com/content/56eace9e-990b-11e7-a652-cde3f882dd7b

This article talks about the following: Equifax, one of the biggest US credit reporting agencies, has reported cyber-attacks, and this is likely to amplify criticism of its poor systems. Information on over 143 million people was stolen, including SSNs, names, birthdays, etc.

It will be interesting to see how things unfold in the future. The only way forward against such attacks is constant upgrading and training on new cyber threats. Unless companies practice this, it will be difficult to prevent future attacks. How will Equifax prevent misuse of the customer data that was stolen? Will customers face problems, and will regulators be given a justified explanation for this?

Hackers Steal Almost 250,000 Web Logins each Week: Google

November 4, 2017 by Donald Hoxhaj

http://bwcio.businessworld.in/article/Hackers-Steal-Almost-250-000-Web-Logins-each-Week-Google/13-11-2017-131399/

This article talks about the following: Google has discovered that millions of user credentials have been compromised through hacking and third-party breaches. The challenge is that people continue to use the same old usernames and passwords across different platforms and fail to distinguish between personal and professional accounts.

It will be interesting to see how things unfold in the future. Is this a wake-up call for people around the world to constantly change passwords for different platforms? Cyber-attacks and web application threats have grown, so how can consumers be trained to change usernames and passwords, especially on cash-sensitive sites?

SANS Las Vegas 2018 Security Training to Feature Advanced Web Application Penetration Testing

November 4, 2017 by Donald Hoxhaj

http://markets.businessinsider.com/news/stocks/SANS-Las-Vegas-2018-Security-Training-to-Feature-Advanced-Web-Application-Penetration-Testing-1008295199

This article talks about the following: Web application attacks have grown over the last few years, especially because of the traffic that paves the way for attacks. SANS Las Vegas 2018 aims at equipping security professionals from around the world with the latest skills needed to prevent cyber-attacks. The bootstrap program ensures that new skills and developments in web attacks are imparted to security professionals.

It will be interesting to see how things unfold in the future. Can organizations practically implement new cyber threat systems in their environments without impacting operations? How costly will these installations be, and will training programs be so cumbersome that they offset the gains?

McAfee’s own anti-hacking service exposed users to banking malware

October 31, 2017 by Donald Hoxhaj

http://www.zdnet.com/article/mcafees-own-anti-hacking-service-exposed-users-to-banking-malware/

This article talks about the following: McAfee, one of the largest security companies that builds protection software, failed to successfully implement its anti-hacking service. The company’s own network sent malware to consumers, and ultimately it had to block the malware being sent from its own network. Consumers who opened Word documents would have been attacked by the Emotet banking malware.

It will be interesting to see how things unfold in the future. This is a bizarre incident, as a company that supplies antivirus and security solutions globally was itself generating malware for its customers. Will users who are already using McAfee services be impacted by this? How can the company protect its shipments from having this malware pre-installed?

New Ursnif variants silently targets banks and employ redirection attacks

October 31, 2017 by Donald Hoxhaj

https://www.scmagazineuk.com/new-ursnif-variants-silently-targets-banks-and-employ-redirection-attacks/article/710504/

This article talks about the following: The recent attacks on Australian banks have alarmed consumers, and they have been attributed to new Ursnif variants that use redirection attacks and malicious TLS callback techniques to achieve process injection. They do this by establishing a genuine connection with the bank, as if it were a legitimate connection, and then gradually using web injections to steal login credentials.

It will be interesting to see how things unfold in the future. While banks in Australia are known to be highly sophisticated in their cyber systems, such threats have sparked a new debate. How can banks even know about new types of threats that are coming in? If legitimacy is what attackers are playing with, how can bank employees be trained on new types of threats and on denying service to packets from such systems?

Ransomware, malware attacks to continue in 2018 as hackers advance to machine learning, analytics

October 31, 2017 by Donald Hoxhaj

http://www.businesstoday.in/technology/news/ransomware-malware-attack-2018-hackers-machine-learning/story/265049.html

This article talks about the following: Despite new standards in security and advanced sophistication in server security, the first half of the year saw more than 27,000 cyber security attacks. Incidents of online ransomware have grown, and the recent incident at WPP is a cause for concern. It is said that these attackers are becoming smarter each day with advances in machine learning.

It will be interesting to see how things unfold in the future. How long can advancement in new technology remain a threat to the world? Will machine learning be a good thing for the future or a bad one? Will specialists be able to develop antidotes against malware attacks using ML soon enough?

The Equifax hacks are a case study in why we need better data breach laws

October 29, 2017 by Donald Hoxhaj

https://www.vox.com/policy-and-politics/2017/9/13/16292014/equifax-credit-breach-hack-report-security

This article talks about the following: The systems of Equifax, one of the largest credit reporting agencies in the world, were hacked recently, and it seems it took 6 weeks for the company to let its 143 million customers know about it. This is a long time to take in letting customers know of the risk, and the company has been shamed for focusing more on its bottom line than on the safety of its customers. To prevent customer grievances, the company offered free credit monitoring and identity theft protection to its customers. While it is known that reporting should be done only after careful examination of the attack and its impact, 6 weeks is a total collapse of the system and a deviation from industry standards.

It will be interesting to see how things unfold in the future. Will offering free credit monitoring save the company from the consequences of its delay in reporting the risk to its customers? How soon can the company take measures to mitigate the attack and install anti-theft systems against future attacks? What damage has been done, or will be done, with the hacked data? These are questions that need answers quickly.

Singapore wants ethical hackers to get a license, or else

October 29, 2017 by Donald Hoxhaj

https://thenextweb.com/asia/2017/07/14/singapore-wants-ethical-hackers-to-get-a-license-or-else/

This article talks about the following: With the recent advancements in information security in Singapore, the government has made it mandatory for all ethical hackers in the country to have a license. Singapore is known to have the best information security practice in the world, and despite this, changes are being made to further secure against or mitigate any potential threats. Any ethical hacker without a license will face a penalty of 2 years in jail or up to $36,000 in fines. These norms have come with the rise in ethical hackers who are not qualified enough or who do not practice in academic settings.

It will be interesting to see how things unfold in the future. How much will ethical hackers have to shell out to obtain a license? Will it take the same amount of time for professional hackers who also take CISSP certifications? Will this license be applicable or allowed for professionals to gain access to the job market too? This policy might be a bottleneck and might lead to a reduced number of legitimate ethical hackers in the future.
