
ITACS 5211: Introduction to Ethical Hacking

Wade Mackey

Week 10: Web Application Hacking

Disgruntled Employee… Not Against The Employer

November 5, 2017 by Fred Zajac

In a recent report, an employee at Twitter shut down President Donald Trump's Twitter account for 11 minutes on their last day of work. President Trump responded by tweeting his account was taken down by a “rogue employee”. He is making me think that he is the Emperor and the employee is a member of the Rebel Alliance. (Star Wars reference)

Anyway…

CNN discusses why this could be really bad…

  1. Imagine if someone tweeted from the President's account, “I just OK’d nuclear action against N. Korea”.
  2. Social media companies have been under attack by Washington because of evidence pointing to foreign states utilizing social media sites to pass along misleading, and even false, stories that were quoted by high-ranking political figures.
    1. Do we feel comfortable with our President using a platform like Twitter to communicate his political messages and actions to the country and/or world? We are putting a lot of trust in Twitter security, and their ability to keep these high-profile users from being seduced and preaching questionable information as facts.

http://www.cnn.com/2017/11/03/politics/trump-twitter-account-down/index.html

Do you need a VPN?

November 4, 2017 by Andres Galarza

I thought this post by Mozilla was easy to understand and fairly comprehensive. This, combined with a post on either Reddit or Hacker News about the topic, also brought up the alarming fact that some people pay for VPN apps on the Apple Store or Google Play Store without doing any research!

Equifax blames known web app glitch for hacking

November 4, 2017 by Donald Hoxhaj

https://www.ft.com/content/56eace9e-990b-11e7-a652-cde3f882dd7b

This article talks about the following: Equifax, one of the biggest US credit reporting agencies, has reported cyber-attacks and this is likely to amplify criticism of its poor systems. Information of over 143 million people was stolen, including SSNs, names, birthdays, etc.

It will be interesting to see how things unfold in the future. The future of such attacks is only constant upgradation and training of new cyber threats. Unless companies practice this, it would be difficult to prevent future attacks. How will Equifax prevent misuse of customer data that was stolen? Will customers face problems and will regulators be given a justified reasoning for this?

Hackers Steal Almost 250,000 Web Logins each Week: Google

November 4, 2017 by Donald Hoxhaj

http://bwcio.businessworld.in/article/Hackers-Steal-Almost-250-000-Web-Logins-each-Week-Google/13-11-2017-131399/

This article talks about the following: Google has discovered that there are millions of credentials of users that have been compromised through hacking and third-party breaches. The challenge that has been seen is that people continue to use their same old usernames and passwords across different platforms and fail to distinguish between personal and professional accounts.

It will be interesting to see how things unfold in the future. Is this a wake-up call for the people in the world to constantly change passwords for different platforms? Cyber-attacks and web application threats have grown, and how can consumers be trained to change usernames and passwords, especially on cash-sensitive sites?

SANS Las Vegas 2018 Security Training to Feature Advanced Web Application Penetration Testing

November 4, 2017 by Donald Hoxhaj

http://markets.businessinsider.com/news/stocks/SANS-Las-Vegas-2018-Security-Training-to-Feature-Advanced-Web-Application-Penetration-Testing-1008295199

This article talks about the following: Web application attacks have grown over the last few years, especially because of the traffic that paves the way for attacks. The SANS Las Vegas 2018 aims at equipping security professionals from around the world with the latest skills needed to prevent any cyber-attacks. The bootstrap program ensures new skills and developments in web attacks are imparted across those who are security professionals.

It will be interesting to see how things unfold in the future. Can organizations practically implement new cyber threat systems in their systems without impacting operations? How costly will these installations be or how cumbersome will training programs be that would offset gains?

Week 10 Presentation

November 1, 2017 by Wade Mackey

Intro-to-Ethical-Hacking-Week-10

Francisco Partners Acquires Comodo’s Certificate Authority Business

October 31, 2017 by Fraser G

Interesting article about security related to CAs and private equity. It sounds like this industry is a target for consolidation, or at least a shakeup with the private equity guys getting involved. In addition to this Comodo CA carve-out, Symantec is selling off its CA business to DigiCert in a ~$1BN deal. The current chairman of the newly formed Comodo CA is also CEO of SonicWall (the Dell security hardware spinoff). I wonder what implications this will have for hardware and cert business. Does anyone have experience in this industry? Does certain hardware work better with certain CAs? (Does preferential pricing exist?)
