Week 11: SQL Injection

AMD has acknowledged 13 critical vulnerabilities, and exploitable backdoors in its Ryzen and EPYC processors disclosed earlier by Israel-based CTS Labs and promised to roll out firmware patches for millions of affected devices ‘in the coming weeks.’
According to CTS-Labs researchers, critical vulnerabilities (RyzenFall, MasterKey, Fallout, and Chimera) that affect AMD’s Platform Security Processor (PSP) could allow attackers to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems.
Although exploiting AMD vulnerabilities require admin access, it could help attackers defeat important security features like Windows Credential Guard, TPMs, and virtualization that are responsible for preventing access to the sensitive data from even an admin or root account.
In a press release published by AMD, the company downplays the threat by saying that, “any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”

https://thehackernews.com/2018/03/amd-processor-hacking.html

https://www.technewsworld.com/story/85634.html

This article points out how hardware companies have created history in IT industry and they are questioning if big companies like Oracle is steering the market properly. The article says that the first innovation began when Oracle introduced the first Exadata machine that could keep most, and eventually all, of a business’ database in memory, which greatly accelerated database performance, the second innovation announced at last year’s OpenWorld, and fully released earlier this year, is Oracle’s autonomous database software which can patch itself without human help and the third to be cloud computing.

They say that taken together, all of this is more than a technology story and it’s a tale of economics — specifically of creative destruction. Advances in technology have begun to commoditize the tech industry, and Oracle is trying to accelerate this curve. Cloud computing, especially, is a form of commoditization in which basic compute services can be delivered for a fraction of the costs usually involved in supporting all of one’s IT needs in-house.

Give it a read!!

The perpetrators told the BBC Russian Service that they had details from a total of 120 million accounts, which they were attempting to sell, although there are reasons to be skeptical about that figure. The hackers offered to sell access for 10 cents (8p) per account. However, their advert has since been taken offline.

The cyber-security company Digital Shadows examined the claim on behalf of the BBC and confirmed that more than 81,000 of the profiles posted online as a sample contained private messages.

Facebook is still denying that it was hacked and is sticking to their story that a browser extension was compromised and that’s how the user information was compromised.

Reference: https://www.bbc.com/news/technology-46065796?intlink_from_url=https://www.bbc.com/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-story

An independent exploit developer and vulnerability researcher has publicly disclosed a zero-day vulnerability in VirtualBox—a popular open source virtualization software developed by Oracle—that could allow a malicious program to escape virtual machine (guest OS) and execute code on the operating system of the host machine.
The vulnerability occurs due to memory corruption issues and affects Intel PRO / 1000 MT Desktop (82540EM) network card (E1000) when the network mode is set to NAT (Network Address Translation).
The flaw is independent of the type of operating system being used by the virtual and host machines because it resides in a shared code base.

The vulnerability allows an attacker or a malicious program with root or administrator rights in the guest OS to escape and execute arbitrary code in the application layer (ring 3) of the host OS, which is used for running code from most user programs with the least privileges.

However, until it is patched, users can protect themselves against potential cyber attacks by changing the network card of their “virtual machines to PCnet (either of two) or to Paravirtualized Network.”

https://thehackernews.com/2018/11/virtualbox-zero-day-exploit.html

 

Police in the Netherlands announced on Tuesday that were able to break the encryption used on a cryptophone app called IronChat. IronChat is said to be a supposedly secure encrypted messaging service available on BlackBox IronPhones. Police say that criminals mostly purchased these Iron Phones and used the Iron Chat app to communicate amongst themselves, believing that they were safe. The cost of a six-month subscription was around USD 1500. Although, the police did not reveal how they managed to crack the Iron Chat system for obvious reasons, it is suspected that the app had a weakness – such as its reliance on a central server.

As a result of their surveillance, law enforcement agencies have seized automatic weapons, large quantities of hard drugs (MDMA and cocaine), 90,000 Euros in cash, and dismantled a drugs lab.

https://hotforsecurity.bitdefender.com/blog/police-crack-encrypted-chat-service-ironchat-and-read-258000-messages-from-suspected-criminals-20530.html

The security company Imperva has released new details on a Facebook vulnerability that could have exposed user data. The bug allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, playing off a specific behavior in the Chrome browser. The bug was disclosed to Facebook and resolved in May.

In technical terms, the attack is a cross-site request forgery, using a legitimate Facebook login in unauthorized ways. For the attack to work, a Facebook user must visit a malicious website with Chrome, and then click anywhere on the site while logged into Facebook. From there, attackers could open a new pop-up or tab to the Facebook search page and run any number of queries to extract personal information.

https://thehackernews.com/2018/11/facebook-vulnerability-hack.html

 

The article introduces about the biggest cyber threats to watch out for in 2019. Chertoff Group estimate the biggest risks and make advise for the risks in 2019, which include security risk, technology and policy. The threats include following:

1,Cryptojacking, 2, Software subversion, 3, Rise in attacks to 4, the cryptocurrency ecosystem 5, (Slow) Domestic Movement on Data Privacy and Security Legislation 6, Cyber threats and influence operations 7, Heightened incident disclosure expectations (SEC, etc.) 8, Vulnerability equities process 9, CISA and lingering private sector resistance 10,Ambiguity remains for the Lines of Defense 11, Threat emulation to measure effectiveness (ATT@CK) 12, Identity solutions moving to the cloud 13, Authentication through mobile devices will explode 14, Customers will increasingly focus on effective risk management as a differentiator.

 

https://www.securitymagazine.com/articles/89581-the-biggest-cyber-threats-to-watch-out-for-in-2019

Well, we should all ready this story. It is a quick read on factors for getting the most salary in cybersecurity. It looks like choosing a path that leads you towards a cybersecurity engine would be the wisest if $$$$ is on your mind.

A breakdown of these are:
Path
Experience
Location
Certification
Portfolio

 

https://thehackernews.com/2018/11/cyber-security-jobs-salary.html

Intro-to-Ethical-Hacking-Week-11 updates

https://capture.fox.temple.edu/Mediasite/Play/8c4040ac25cb48de9bdcc02078fd801d1d

Along with the launch of a number of new tools and features at its Android Dev Summit 2018, Google has also launched the a new API, called “In-app Updates,” which aims to help developers ensure that users are running the latest and greatest version of their app. Android’s new In-app Updates API doesn’t force or lock out users from the app if they chose not to update it.
Instead, the API has been designed to aggressively inform users about the latest available updates and give them a smooth in-app installation experience without closing the app or opening the Google Play Store.
Google also says that Android developers will have the ability to completely customize the update flow so that it feels like part of your app, which indicates that all apps will not have the same in-app update experience.

https://thehackernews.com/2018/11/android-in-app-updates-api.html

https://community.mis.temple.edu/mis5211sec001fall2018/2018/11/12/5895/