Silensec Newsletter

Top News

Russian Hackers Pilfered Data from NSA Contractor's Home Computer: Report

The NSA may have suffered yet another databreach: Russian state hackers stole classified cyberattack and defense tools & information off of the home computer of an NSA contractor.
The hack reportedly occurred via Kaspersky Lab antivirus software on the contractor's home computer, where the AV flagged the NSA cyberspying tools and code.
The breach wasn't detected until the spring of 2016, and how the NSA contractor's Kaspersky Lab software was apparently abused and exploited - or not - is under debate by experts.
Just how the NSA contractor's Kaspersky Lab software was apparently abused and exploited — or not — is under debate by experts; it could be a case of the application's detection of the tools on the contractor's system inadvertently landing in the wrong hands, they say, or the software could have been hijacked and hacked by the attackers during a software update, for instance, or a more nefarious scenario.

Read more...

Replacing Social Security Numbers

In the wake of the massive Equifax system compromise, in which the personal information of at least 145million people may have been stolen, many people have questioned the ubiquitous use of social security numbers (SSNs) for authentication.
The problem underlying identity theft is not the existence of social security numbers, but rather, how little authentication is done for a person requesting credit. Social security numbers are bad, but it's really hard to do better if you want to do things like match records for credit reports, accommodate failure recovery, and permit blind account setup.
There are certainly cryptographic schemes that can handle some of these tasks; €”but if you need linkage and you need memorability to recover from lost credentials, any replacement for the social security number is going to have most or all of the same problems.
A digital national ID card could perhaps solve that, but as noted, deploying such a system is very hard even apart from the privacy concerns attendant on such schemes.

Read more...

Read more...

Top News

Amazon's Whole Foods Market Suffers Credit Card Breach In Some Stores

Amazon-owned grocery chain has fallen victim to a credit card security breach.

Whole Foods Market (acquired for $13.7 billion) disclosed that hackers were able to gain unauthorized access to credit card information for its customers who made purchases at certain venues within some stores.

The company did not disclose details about the targeted locations or the total number of customers affected by the breach, but it did mention that hackers targeted some of its point-of-sale (POS) terminals in an attempt to steal customer data, including credit details. Whole Foods Market has hired a cybersecurity firm to help it investigate the credit card breach and contacted law enforcement authorities of this incident.

"When Whole Foods Market learned of this, the company launched an investigation, obtained the help of a leading cybersecurity forensics firm, contacted law enforcement, and is taking appropriate measures to address the issue," Whole Foods said in a statement on its website.

Read more...

Deloitte Hacked - Cyber Attack Exposes Clients' Emails

The world's "big four" accountancy firms has fallen victim to a sophisticated cyberattack.

Global tax & auditing firm Deloitte has confirmed the company had suffered a cyber attack that resulted in the theft of confidential information, including the private emails and documents of some of its clients.

Hackers managed to gain access to the Deloitte's email server through an administrator account that wasn't secured using two-factor authentication (2FA), granting the attacker unrestricted access to Deloitte's Microsoft-hosted email mailboxes.

Besides emails, hackers also may have had potential access to "usernames, passwords, IP addresses, architectural diagrams for businesses and health information."

Read more...

Read more...

Top News

Another iPhone Change to Frustrate the Police

There seems to be another,significant, change with Apple's iOS which now requires a passcode before it establishes trust with another device.

In the current system, when you connect your phone to a computer, you're prompted with the question "Trust this computer?" and you can click yes or no. Now you have to enter in your passcode again.

That means if the police have an unlocked phone, they can scroll through the phone looking for things but they can't download all of the contents onto a another computer without also knowing the passcode.

This might be particularly consequential during border searches. The "border search" exception, which allows Customs and Border Protection to search anything going into the country, is a contentious issue when applied electronics.

The new iOS feature means that a Customs office can browse through a device -- a time limited exercise -- but not download the full contents.

Read more...

Optionsbleed vulnerability can cause Apache servers to leak memory data

Seurity researcher recently discovered a vulnerability, dubbed ‘Optionsbleed’ in Apache HTTP Server (httpd) that can cause certain systems to leak potentially sensitive data in response to HTTP OPTIONS requests.

He was analyzing HTTP methods when he noticed that requests with the OPTIONS method, which is normally used by a client to ask a server which HTTP methods it supports, were returning apparently corrupted data via the “Allow” header instead of the list of supported HTTP methods

(e.g. “Allow: GET, POST, OPTIONS, HEAD”).

Read more...

Read more...

Silensec Africa

Feel free to contact us if you have any problems.

Silensec UK

Feel free to contact us if you have any problems.

News Feed