Some experts have been warning that, with the increased use of electronic and network-capable systems in cars produced over the last decade, security concerns could become life-threatening on a massive scale within a few years. If not adequately secured, the vehicles’ internal networks could potentially be compromised, affecting brakes, locks, or power steering. While this would clearly be catastrophic, others have said it may not be as dire a situation as some describe, asserting that billions are being invested industry-wide to secure these electronic and digital components. The truth may lie somewhere in the middle, but only time will tell.
Week 12: Web Services
Online Fraud is not a bad thing…
Nick Wells reported a story on CNBC.com with a headline suggesting online fraud is not a bad thing.
He comments on a report from Forter, an e-commerce fraud-prevention company. Forter monitors customer transactions to determine if the purchase may be fraudulent. Forter checks the device that purchased the item, the address it is being sent to, and other information. It will then approve or deny the transaction, based on machine learning and decision making.
The data in the report shows online fraud stabilizing at about 2% of all online transactions, meaning 98% of all transactions are legitimate. The report also mentions regular, technology-savvy customers taking advantage of coupon and referral promotions by using proxies and VPNs to bypass authorization controls. Some referral bonuses include free gift cards or merchandise. Using these methods to circumvent the system is online fraud.
The story concludes with Forter CEO Mickael Reitblat saying, “A little bit of fraud helps. As long as it’s controlled, it’s okay. It’s the cost of doing business.” What he means is that if a company closes down all fraud avenues, customers will find it more difficult to make an online transaction, which will chase them away.
https://www.cnbc.com/2017/11/16/online-fraud-is-still-around-and-thats-not-a-bad-thing.html
AI, machine learning new tools to fight cyber-attacks: Internet security firm
This article talks about the following: In order to prevent cyber-attacks, the new help for all cyber security companies is Machine Learning and Artificial Intelligence. It is said that these technologies are what the future holds, and that they will be able to automatically parse new threats by identifying them at the right time.
It will be interesting to see how things unfold in the future. It is evident that implementing ML and AI is only possible for big companies that can afford it. How can small and mid-sized companies protect themselves? Also, ML and AI are still evolving, so how will organizations be able to tap into the whole set of these systems? Will it happen anytime soon? Or will they have to depend on third-party companies to protect them against newer forms of cyber-attacks?
AWS S3 ‘Misconfiguration’ Opens Door to MITM Attacks
https://findbiometrics.com/aws-s3-misconfiguration-opens-door-mitm-attacks-411294/
This article talks about the following: According to recent research, one of Amazon’s web storage services, AWS’s Simple Storage Service (S3), has a security flaw. The main reason for this is misconfiguration of the buckets, enabling users to have public access. This has ultimately led to malicious attacks by third parties.
It will be interesting to see how things unfold in the future. Amazon has been one of the largest cloud and server providers in the world. That being said, how will the company prevent such irresponsible behaviour? Will it compromise by putting critical information crossing its networks, or customers’ information, in jeopardy of theft? Or will it scrutinize its internal server security configuration to prevent man-in-the-middle (MITM) attacks?
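The "misconfiguration enabling public access" in the post above is, concretely, a bucket policy whose Allow statement names everyone as the principal. The following is an added example, not code from the article or from AWS: it parses two constructed bucket policies (the bucket name, account ID and role name are made up) and reports which statements are public and whether the policy refuses plaintext HTTP. The TLS deny statement, built on the real `aws:SecureTransport` condition key, is a standard hardening included here because the post ties the flaw to MITM; the article summary itself does not describe that mechanism.

```python
import json

# Constructed sample bucket policies (added illustration, not taken from the
# article). WEAK is the kind of misconfiguration the post describes: an Allow
# whose Principal is everyone, for both reading and writing objects. FIXED
# scopes access to one IAM role and denies any request not made over TLS.
WEAK_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadWrite",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
"""

FIXED_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppRoleReadOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "DenyPlaintextTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
"""


def _as_list(value):
    """Policy JSON allows a bare string wherever a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def applies_to_everyone(principal) -> bool:
    """Both "*" and {"AWS": "*"} mean anonymous access, i.e. any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_grants(policy: dict) -> list:
    """Sids of Allow statements that grant actions to everyone with no
    Condition narrowing them: the misconfiguration the post describes."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if (stmt.get("Effect") == "Allow"
                and applies_to_everyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def enforces_tls(policy: dict) -> bool:
    """True if a Deny covers s3:* for every principal whenever
    aws:SecureTransport is false, so plaintext HTTP requests are refused."""
    for stmt in _as_list(policy.get("Statement")):
        cond = stmt.get("Condition", {}).get("Bool", {})
        flag = str(cond.get("aws:SecureTransport", "")).lower()
        if (stmt.get("Effect") == "Deny"
                and applies_to_everyone(stmt.get("Principal"))
                and "s3:*" in _as_list(stmt.get("Action"))
                and flag == "false"):
            return True
    return False


def audit_bucket_policy(policy_json: str) -> dict:
    """Run both checks over a policy document and return the findings."""
    policy = json.loads(policy_json)
    return {"public_grants": public_grants(policy),
            "enforces_tls": enforces_tls(policy)}


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_POLICY_JSON), ("fixed", FIXED_POLICY_JSON)):
        print(label, audit_bucket_policy(doc))
```

This inspects only the bucket policy. Object ACLs and the account- or bucket-level Block Public Access setting are separate controls that can open or close a bucket on their own, so a real audit checks all three.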
Akamai Finds Web App Attacks Increased in Q3 2017
http://www.eweek.com/security/akamai-finds-web-app-attacks-increased-in-q3-2017
This article talks about the following: As per Akamai’s Internet Security report, web application attacks grew in Q3 2017, and SQL injection accounts for 47% of those attacks. Surprisingly, most attacks were aimed at gaming companies. DDoS attacks also hit the gaming industry hardest, which accounted for 86% of such attacks.
It will be interesting to see how things unfold in the future. In all these cases, the US has been found to be the largest exporter of SQL injection and web application attacks. Does it mean that the cyber security measures in the country are weak? How can security professionals in organizations learn constantly from these attacks and know about forthcoming ones?
Hackers took over the computer system of a Boeing 757 passenger jet
This is a really interesting and kind of scary article. A Department of Homeland Security hacker was able to gain access to the avionics controls of a Boeing 757 remotely, without any internal help within the aircraft. It is kind of scary to think about because, while the plane is in the air, someone can hack in and take control, and the pilots would have no idea what is happening before it is too late.
http://metro.co.uk/2017/11/13/hackers-took-over-the-computer-system-of-a-boeing-757-passenger-jet-7076824/
Fake WhatsApp On Google Play Store Downloaded By Over 1 Million Android Users
This is another article that shows how much big companies that make so much money take people’s security into consideration. A few days ago, cyber criminals took advantage of a leak in Google’s official Play Store to place a fake WhatsApp application, which was downloaded by over 1 million Android users.
Dubbed Update WhatsApp Messenger, it came from an app developer who pretended to be the actual WhatsApp service, with the developer title “WhatsApp Inc.”—the same title the actual WhatsApp messenger uses on Google Play. The biggest question will be how this app developer was able to use the same title as the legitimate, Facebook-owned maker of the messaging client. The answer is very simple: thanks to a Unicode space character. In other words, the app maker added a Unicode space character after the actual WhatsApp Inc. name, which in computer code reads WhatsApp+Inc%C2%A0. This character at the end of WhatsApp Inc. was invisible enough to trick most of the downloaders, including Google’s IT security people.
Google has just removed the fake WhatsApp Android app from the official Play Store, but this incident makes many users of the Google Play Store think about the security efforts that Google puts in to secure us.
https://thehackernews.com/2017/11/fake-whatsapp-android.html
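The trick in the post above is a trailing U+00A0 NO-BREAK SPACE, which renders as nothing and percent-encodes to %C2%A0. The following is an added example, not code from the article, from Google or from WhatsApp: it uses constructed publisher names (the legitimate name is written without a period so that its encoded form matches the WhatsApp+Inc%C2%A0 quoted in the post) and shows both sides of the problem, listing the invisible characters in a display name and comparing names only after normalizing them, so a lookalike that differs solely by invisible characters is caught. It generalizes slightly beyond the post by also catching zero-width characters and case-only differences.

```python
import unicodedata
from urllib.parse import quote_plus

# Constructed sample developer names (not real Play Store records). The
# spoofed one ends in U+00A0 NO-BREAK SPACE, which renders as nothing
# visible and percent-encodes to "%C2%A0", the form quoted in the post.
LEGIT_PUBLISHER = "WhatsApp Inc"
SPOOFED_PUBLISHER = "WhatsApp Inc\u00a0"


def invisible_chars(name: str) -> list:
    """(index, codepoint, Unicode name) for each character a reader would not
    see: non-ASCII space separators (Zs), format characters such as zero-width
    spaces and joiners (Cf), and control characters (Cc)."""
    found = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if (cat == "Zs" and ch != " ") or cat in ("Cf", "Cc"):
            found.append((i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN")))
    return found


def canonical(name: str) -> str:
    """Fold a display name to a comparison key: NFKC maps compatibility
    characters (U+00A0 becomes U+0020), then format/control characters are
    dropped, whitespace runs are collapsed and case is folded."""
    folded = unicodedata.normalize("NFKC", name)
    visible = "".join(ch for ch in folded
                      if unicodedata.category(ch) not in ("Cf", "Cc"))
    return " ".join(visible.split()).casefold()


def is_lookalike(known: str, candidate: str) -> bool:
    """A candidate that differs from a known name as a raw string but collapses
    to the same canonical key is a spoof attempt, not a new publisher."""
    return candidate != known and canonical(candidate) == canonical(known)


def url_form(name: str) -> str:
    """How the name appears once embedded in a query string (space becomes
    "+", every non-ASCII byte is percent-encoded)."""
    return quote_plus(name)


if __name__ == "__main__":
    print(url_form(SPOOFED_PUBLISHER))              # WhatsApp+Inc%C2%A0
    print(invisible_chars(SPOOFED_PUBLISHER))       # [(12, 'U+00A0', 'NO-BREAK SPACE')]
    print(is_lookalike(LEGIT_PUBLISHER, SPOOFED_PUBLISHER))  # True
```

The store-side check is the second half: a new publisher name should be rejected when it is a lookalike of an existing one, not merely when it is byte-for-byte identical, because a raw string comparison is exactly what the trailing U+00A0 defeats.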
Equifax Hack – SQL Injection Overview
https://blog.cloudflare.com/thwarting-the-tactics-of-the-equifax-attackers/
Another article about Equifax, ho-hum. Except this one is the BEST summary of the attack I have found that is accessible to people who don’t have a lot of technical expertise but know a bit about cybersecurity and SQL injection. It walks the reader through the Apache Struts vulnerability and remote code injection, and shows a sample code injection. It’s worth a read now that we understand more of the terminology and context.