
MIS 5212-Advanced Penetration Testing

MIS 5212 - Section 001 - Wade Mackey

Fox School of Business

Week 13

How to Prevent CEO Fraud

April 22, 2017 by Mauchel Barthelemy

This is something I was made aware of at my job that I believe is relevant to what we are learning in this program. It addresses social engineering in a high-level strategy by hackers. The security division shared some important notes with good suggestions that can help other companies too. They explain that as technology becomes more advanced, so do the schemes cyber thieves put together. They went on to add that, “One of those is around CEO Fraud. This is where the cyber thief will use sophisticated social engineering tactics to trick employees into wiring funds to fraudulent accounts.” These tactics include receiving a phone call from someone acting as if he/she is one of the senior executives.

All, especially large organizations, should be prudent. For example, a cyber thief could also try to use an executive’s email address to reach out to an employee asking to transfer a large amount of money. Another instance involves an employee receiving a call from someone pretending to be the CEO of a company asking for money.

As a solution, employees must forward all suspicious emails to the appropriate security team(s). Moreover, it is highly recommended to ask whoever tries to call customer service for their phone number to call them back, then pass that information to an appropriate manager. Chances are hackers will not provide one. Social engineering attacks are on the rise, so it is in all companies’ best interests to educate employees on proper techniques to minimize the chances of being compromised.

http://www.cio.com/article/3136159/security/how-to-prevent-ceo-fraud.html

Users Overshare Sensitive Enterprise Data

April 20, 2017 by Mengqi He

A newly released Dell End-User Security Survey showed that even employees with information security education and training could engage in risky security practices. According to the survey, the good news is that 76% of employees feel their company prioritized security rather than productivity, and two out of three employees are trained, but 18% of them still engaged in unsafe security practices, and 24% of them did not care because they thought it is unavoidable for productivity. They also found that 72% of employees are willing to share confidential, sensitive, or regulated information with others under certain circumstances, and 35% think it’s common to see workers leaving with corporate information when they leave an organization. I think there are two problems. The first one is the balance of security and productivity. For productivity, employees would share data with each other or skip over some security steps to complete tasks more effectively. The second problem is that employee security training is not very effective, so employees still have bad security practices and habits. Organizations should realize that the security training must be continuous to create a security culture so that employees can always be aware that security has more priority than productivity.

Link: http://www.darkreading.com/endpoint/users-overshare-sensitive-enterprise-data/d/d-id/1328689

North Korea’s embarrassing missile launch failure may have been caused by US cyber attack as Donald Trump warns his military may ‘have no choice’ to strike the rogue nation

April 17, 2017 by Shain R. Amzovski

Article Link

This article discusses the recent attempt of a launch of a medium-range ballistic rocket by North Korea. Many experts believe the launch failed after several seconds due to possible hacking by the United States. The United States has been known for launching cyber-attacks on foreign countries in the past. An example of this was Stuxnet, a worm that took down Iran’s nuclear program, which was installed and spread through a USB. For the North Korea launch, “US agents are believed to have infiltrated the supply chain and may have planted undetectable “malware” viruses inside Kim’s missiles.”

Unpatched Magento Flaw Exposes Online Stores to Attacks

April 14, 2017 by Vaibhav Shukla

Magento, the popular e-commerce platform used by more than 250,000 merchants worldwide, is affected by a potentially serious vulnerability that can be exploited to hijack online stores, researchers warned. The flaw was found by DefenseCode in November and reported to Magento via the company’s Bugcrowd-based bug bounty program. The vendor indicated at the time that it had been aware of the issue, but it still hasn’t addressed it. After its attempts to obtain a status update on the vulnerability failed, DefenseCode decided to make its findings public. The vulnerability is related to a feature that allows users to add Vimeo video content for an existing product. When a video is added, Magento automatically retrieves a preview image via a POST request.

This request method can be changed from POST to GET, allowing an attacker to launch a cross-site request forgery (CSRF) attack and upload an arbitrary file. While invalid image files are not allowed, the file is still saved on the server before it is validated. The location of the file can be easily determined, enabling a hacker to upload a malicious PHP script to the server. In order to achieve remote code execution, the attacker also needs to upload a .htaccess file to the same directory.

For the attack to work, a hacker needs to convince a user with access to the shop’s administration panel, regardless of their role and permissions, to access a specially crafted web page that triggers the CSRF attack.

http://www.securityweek.com/unpatched-magento-flaw-exposes-online-stores-attacks
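
The two weaknesses described in the post above (a state-changing request that also works over GET, and a file written to disk before it is validated) have a standard defensive counterpart. The sketch below is an added example, not part of the original post and not Magento's code; the function name, parameters and status codes are hypothetical, and the magic-byte check stands in for full image decoding.

```python
import hmac
import os
import secrets

# Leading bytes of the only formats this hypothetical endpoint accepts.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED = {PNG_MAGIC: ".png", JPEG_MAGIC: ".jpg"}


def handle_preview_upload(method, session_token, form_token, body, media_dir):
    """Hardened preview-image handler (illustrative).

    Returns (http_status, stored_path or None).
    """
    # 1. The action changes server state, so only POST is accepted.
    #    A GET triggered by a link or an image tag is rejected outright.
    if method != "POST":
        return 405, None

    # 2. Require a CSRF token bound to the admin session and compare it
    #    in constant time. A cross-site page cannot read this token.
    if not form_token or not hmac.compare_digest(session_token, form_token):
        return 403, None

    # 3. Validate the bytes in memory BEFORE anything is written to disk,
    #    so a rejected upload never exists on the server.
    #    (Simplification: production code should fully decode the image.)
    ext = next((e for magic, e in ALLOWED.items() if body.startswith(magic)), None)
    if ext is None:
        return 415, None

    # 4. The server picks a random name and a fixed extension. The client
    #    controls neither, so no .php or .htaccess name can be requested
    #    and the stored location is not predictable.
    path = os.path.join(media_dir, secrets.token_hex(16) + ext)
    with open(path, "wb") as fh:
        fh.write(body)
    return 201, path
```

Serving the media directory with script execution and per-directory overrides disabled at the web server is a complementary control that this sketch does not cover.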

Suspected CIA spying tools linked to hacks in 16 countries

April 10, 2017 by Brent Easley

http://www.pcworld.com/article/3188716/security/suspected-cia-spying-tools-linked-to-hacks-in-16-countries.html

CIA spying tools exposed by WikiLeaks have been linked to hacking attempts on at least 40 targets in 16 countries, according to Symantec. Symantec is reporting that the tools are similar to the tactics of an espionage team named Longhorn. Longhorn has been active since at least 2011, and they use Trojan programs and previously unknown software vulnerabilities to exploit targets. Symantec stated that some of these targets are government and organizations in the financial, telecom, IT and aerospace sectors. Some of the victims’ computers were in the Middle East, Europe, Asia, Africa and even in the US, where the CIA is not allowed to conduct electronic surveillance.

Cyberspies Target Middle East With Windows, Android Malware

April 9, 2017 by Ahmed A. Alkaysi

A cyber group has been targeting Middle Eastern organizations using Windows and Android malware. The group, discovered by a Chinese security firm and researchers from Palo Alto Networks, has been targeting educational and military organizations from Palestine to Egypt. The main method of delivering the malware was through fake news websites and phishing emails containing bit.ly shortened links. The malware enables hackers to steal passwords, take screenshots, and log keystrokes. The exact count of victims hasn’t been determined, but researchers from Palo Alto have come to a conclusion that these attacks were mostly done by a group of attackers, instead of a lone wolf.

http://www.securityweek.com/cyberspies-target-middle-east-windows-android-malware
