Wednesday, October 29, 2014

Sites using Drupal content management could be compromised by SQL injection vulnerability unless they applied patch immediately


A major content management system vendor was apparently hacked, and customers have been warned that their sites could be compromised unless they patched their systems within seven hours of the discovery of a vulnerability to an SQL injection attack. Restoration would require going to database backups as of Oct. 15. This would be very costly for some operations, perhaps news sites.
  
The content company is Drupal. I’m not aware that any of my stuff uses it. Also, I don’t keep ANY consumer or user personal information on any sites. I hope there are no ties to Blogger or WordPress; I don’t think there are. (WordPress simply uses MySQL, I think.)
  
The detailed news story is on ZDNet, link here. Drupal’s own announcement is here.
   
Webroot tweeted this story today a short time ago.  This was the first I had heard of it.

Monday, October 20, 2014

Phone dial (900-number) scammers hitting small businesses with Internet land lines


The New York Times has a major front page story Monday by Nicole Perlroth, “Dial and Redial: Phone Hackers Stealing Billions”, link here. Around the country, hackers are invading Internet-connected phone systems of small businesses on weekends and making a cut on calls to “900” numbers (or their international equivalents), often to sex businesses overseas.   In at least one case, the hackers were associated with Islamist terror groups (related to Mumbai) so it is possible that ISIS has used this technique. 
  
Telecom carriers have still sued the businesses for bills in the hundreds of thousands, as there is no fraud protection as there is in the credit card industry, and carriers insist that customers are responsible for securing their own systems. This may be impossible, and state lawmakers are noticing.

I think there was an idea like this in the 1997 novel “The Trojan Project” by Minnesota author Edmund Contoski. 

  

ABC News has a story about the practice (hitting a Missouri realtor) and it sounds like maybe it could happen at home, especially to a home-based business.  But the realtor says that her phones actually started ringing incessantly.  But on a weekend, or when someone is away from home for a period, it could happen.  

Monday, October 13, 2014

Shodan, the "other" search engine to find "things"


Here’s something to know about: “Shodan” (inspired by the game “System Shock”), the “search engine for the Internet of things” – somehow connected to a housecat in a popular TV ad. Rather than websites, it searches for Internet-connected devices – routers, televisions, refrigerators, home thermostats, security systems, especially those with weak passwords. The basic domain is here. Yes, it can find power plants, which really should be walled off from the public Internet, but we’ve known since 2002 how exposed they are. It does NOT find ordinary websites, so I don’t know if it is part of the “deeper Internet” in reputation management. (The "io" TLD refers to British Indian Ocean Territory.)
    
  
CNN Money calls Shodan “the scariest search engine on the Internet”, link here. No, I don't have any appliances hooked up to the Internet.  Obviously, it makes it easy for the NSA to monitor anyone's TV viewing habits -- for anyone with Internet TV. 

The site was launched in 2009 by John Matherly.   Despite the hype, law enforcement and the US military and homeland security use it for investigation all the time.  

(For major story on Snapchat, see Oct. 11 on COPA blog; more to come.) 

Thursday, October 09, 2014

Washington Post offers major insert on cybersecurity, says we are at a critical turning point


The Washington Post offered a major insert Wednesday, Oct. 8, 2014, “Cybersecurity: A Special Report”, link here.
   
The editor, Mary Jordan, starts out with an op-ed, “Cyber attackers have the upper hand.” She mentions DARPA (Defense Advanced Research Projects Agency) and a prize associated with a “Cyber Grand Challenge”. The agency director, Arati Prabhakar, has a piece, “Building the unhackable system.”
  
Ellen Nakashima and Ashkan Soltani have a paper, “The ethics of Hacking 101”, with descriptions of university courses in hacking, at the University of Tulsa and Carnegie Mellon. In some cases, only students who will go to work for law enforcement or go into the military are accepted.

There is a “call to action” from Alejandro Mayorkas, Deputy Secretary of Homeland Security. 

Tuesday, October 07, 2014

Popup from Major League Baseball wants to install new Adobe Flash Player and new Java engine, looks suspicious to me.


Occasionally, I get a pop-up prompting me to install a new Adobe Flash Player and Java engine from Major League Baseball (mlb.com), especially when trying to play one of the videos. It claims to be required and a security update (suspicious) and comes from a URL for an "easy update" company. This certainly sounds suspicious. I always just click out of the pop-up (in Chrome) and everything plays normally.

If this is malware somehow placed on the mlb site by hackers, MLB should investigate and remove it.  I've seen it before, but it might become more common during the playoffs and World Series if not stopped.

Webroot does not flag anything, although it might if I actually tried to go to the site that does the update.

It seems to happen only in Windows 8, not in Windows 7 or lower, or on the Mac.

Reputable, well known sites for sports and news do get hacked sometimes.  That seems to be following on the attacks on the payment systems of retailers.  This might be the next trend.

Does anyone have any info?


Update: Nov. 13, 2014

I got the popup today in Chrome when I went to the Washington Nationals' site to learn about trades. The site seems to be "easycomputerrepars.be". I doubt that it is legitimate. The Adobe trademark appears to be reproduced exactly, as are all the scripts. I'm surprised mlb.com and Adobe haven't put a stop to this.

Monday, October 06, 2014

Examiner reports on self-destruct option for hard drives, and on Mac botnet (unclear if part of Bash)


There is now a hard drive that you can set up to self-destruct, with a text message, as explained in a story on The Examiner, link with video here.  It is a 128 gig drive.
  

The Examiner is also reporting a vicious Mac malware botnet called “Mac.BackDoor.iWorm” which somehow leverages Reddit, story here. It is not completely clear right now if this is related to the “Bash Bug” (Sept 25).