Wiki: Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the web application manages the session ID, more specifically the vulnerable web application.
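To make the definition concrete, here is an added example (constructed for this page, not code from the OWASP article): a toy session store where a login either keeps the pre-authentication session ID (the fixation weakness) or rotates it, with a check that shows only the rotating variant resists a pre-set ID. The class, method names and user names are assumptions.

```python
import secrets

class SessionStore:
    """Toy server-side session store (constructed for this example)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> session data

    def new_session(self):
        """Issue a fresh, unauthenticated session id."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate `user` on session `sid`; return the id the client uses next."""
        if sid not in self.sessions:
            sid = self.new_session()
        if self.rotate_on_login:
            # Mitigation: discard the pre-login id and issue a new one, so an id
            # that was known before authentication never becomes authenticated.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")

def fixation_succeeds(store):
    """Check whether an id known before login becomes authenticated after login.
    Returns True when the store is vulnerable to session fixation."""
    preset_sid = store.new_session()            # id known before the victim logs in
    store.login(preset_sid, "victim")           # victim authenticates on that id
    return store.whoami(preset_sid) == "victim"

if __name__ == "__main__":
    print("no rotation:", fixation_succeeds(SessionStore(rotate_on_login=False)))
    print("rotation:   ", fixation_succeeds(SessionStore(rotate_on_login=True)))
```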
Comment: I have been an eBayer since 2000. However, I could not find the official announcement that eBay is going to scan my device. Perhaps I am not the only one who has this unsatisfied feeling.
Preface: Apple paid $75,000 to the hacker for reporting the camera hijacking bugs. As said, bugs are never-ending. Perhaps the next round will be yours.
Background: If you let your friend access your phone for 5–7 minutes, they could have downloaded spyware. Perhaps this action is only for joking. As a matter of fact, a hacker can implant malicious code into a web page to perform a similar function. Most recently, Apple paid $75,000 to the hacker for reporting the camera hijacking bugs.
Observation: Referring to the attached picture, a simple HTML file can easily trigger the iPhone camera function. Because Apple's control effect is very good, it will trigger the control and then let you know. In fact, a hacker could hijack your iPhone camera through a software application or website. However, the iPhone owner can know which applications can access the camera. Therefore, it is recommended to check the phone settings in a timely manner. Apple paid $75,000 to the hacker for reporting the camera hijacking bugs. As said, bugs are never-ending. Perhaps the next round will be yours.
Chrome and Safari on iOS can access your camera without special markup and can perform both AJAX POST and synchronous form POST operations just like a desktop browser. So, please be careful when using your phone for web browsing.
Preface: Perhaps this is not the key factor that caused the data breach in January 2020. But it tells something.
Observation: It is believed that a new round of data breaches at Marriott this week has attracted attention. Maybe the hotel industry runs 24 hours a day, so doing maintenance or a system upgrade is not easy. We only looked at the homepage of Marriott's "Member Credit Card Rewards" and found a vulnerable "jQuery" still in operation. From an attacker's point of view, such hints give an indication that this web site may have more room for exploitation. As we know, jQuery (version 1.11.3) has an XSS vulnerability that was found in March 2017. Why is it still in use on an enterprise web site? The root cause is hard to tell. Maybe it is an extended legacy web application. I think you will be concerned about the details of the official announcement. See the URL below:
Preface: A ransomware attack conducted against another party may be considered a data breach under federal or state law. While attempting to unlock and save its data, a victim of a ransomware attack may have an obligation to enact its data breach protocol and notify the individuals whose data is affected by the attack.
Perhaps cybersecurity experts will focus on design weaknesses, including the circumstances under which data breaches can occur. We all know that the GDPR brings the subject of data privacy to court. The fine will be based on the actual situation. But the GDPR regulations are valid in European countries. What about the United States of America?
Preface: Since the spyware runs in stealth mode, it lets you track the device without being detected.
Background: The Patriot Act empowers law enforcement agencies or related departments to legally monitor the movements of suspects, especially in terrorism cases. Therefore, law enforcement agencies use spyware to monitor the target's movements. As time goes by, quite a lot of software vendors have transformed mobile phone monitoring tools (spyware) into consumer products. FlexiSpy and Spyzie are popular in the market. You can purchase these products through the vendor's web portal. The vendor's slogan is that no rooting or jailbreaking is required. It can easily track SMS, call logs, social apps and locations.
Legal point of view: If the spyware was "used on a case," a detailed report document should be provided. Given the functionality of FlexiSpy, it would require a wiretap order, not just a search and seizure warrant, said the attorney.
What are the reasons cyber criminals want to hack your phone?
Preface: I still remember when I was working in a bank environment. The Visa and MasterCard payment solutions looked indeed secure. Those facilities were running on standalone machines. The communication protocol was IBM SDLC. In order to communicate with the S/390 mainframe, we set up data link switching on the network switch and defined VTAM major nodes on the mainframe. Can we say the invention of the internet jeopardized the world? Yes, it does.
Incident details: MasterCard said it was investigating a data breach of a loyalty program in Germany. About 90,000 personal records were stolen. Perhaps the actual figure has not been finalized yet, but rumor says that the leaked personal data is being sold on the darknet now. However, when we manually viewed the programming source, it showed us that there are a lot of weaknesses on the backend server. For instance, the backend system runs on a vulnerable Apache version. So I am imagining whether there is a possibility for an attacker to exploit CVE-2017-3167 to bypass authentication on the front-end web server and then steal the data?
Background: Apache Spark is tailor-made for the big data industry. Spark's advanced acyclic processing engine can operate in stand-alone mode or as a cloud service.
Synopsis: Spark supports encrypting temporary data written to local disks. This covers shuffle files, shuffle spills and data blocks stored on disk (for both caching and broadcast variables). It does not cover encrypting output data generated by applications with APIs such as saveAsHadoopFile or saveAsTable. It also may not cover temporary files created explicitly by the user.
Vulnerability details: The vulnerability is due to a cryptographic issue in the affected software that allows user data to be written to the local disk unencrypted in certain situations, even if the spark.io.encryption.enabled property is set to true.
Security focus: This vulnerability is not categorized as critical. But the level of risk will depend on the system architecture and the classification level of the data. For instance, it may be a machine learning function installed on top of a public cloud computing farm. If this is the case, strict access restriction controls on the Spark infrastructure area must be applied.
Preface: Even though your company installs a full set of cyber defense mechanisms, more than 70% of the features are detective and preventive. Perhaps SIEM can take a predictive action. Maybe you have doubts, but it is factual.
Part B: Cyber Attack Group & Commonly used malware
Group name: APT3, APT33, Dragonfly 2.0 (Berserk Bear), Threat Group-3390, Lazarus Group, OilRig (APT35), Leafminer, Turla
Malware types: Chaos (malware), Linux Rabbit (malware), SpeakUp (Trojan backdoor), Xbash (malware), PoshC2 is an open source remote (written in PowerShell), Emotet (malware)
SIEM Definition – Firing Rules criteria (see below):
1. Failed attempts over a period of time
2. Large numbers of bad usernames
3. High number of account lockouts over a defined period of time
4. Unknown "appDisplayName" – Active Directory PowerShell
5. Ratio of login success versus login failure per IP address
Remark: If your IT infrastructure is a Cloud IaaS deployment, perhaps you need to do the monitoring yourself.
If the above 5 items trigger your SIEM rules, you need to observe the continuity level even though the activities are not in high volume. Most likely those activity alerts show that a cyber attack group is interested in your company.
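The five firing rules above, implemented as an added example (not code from the original post) over constructed sign-in records. The record layout, the thresholds, the result values and the known-application allow-list are assumptions; a real SIEM would source these from its own log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source IP, user, result, appDisplayName)
EVENTS = [
    ("2020-03-10T09:00:01", "203.0.113.5", "alice", "failure", "Office 365"),
    ("2020-03-10T09:00:07", "203.0.113.5", "bob", "failure", "Office 365"),
    ("2020-03-10T09:00:12", "203.0.113.5", "zz_admin", "bad_username", "Office 365"),
    ("2020-03-10T09:00:18", "203.0.113.5", "root", "bad_username", "Office 365"),
    ("2020-03-10T09:00:25", "203.0.113.5", "test1", "bad_username", "Office 365"),
    ("2020-03-10T09:00:31", "203.0.113.5", "carol", "lockout", "Office 365"),
    ("2020-03-10T09:00:40", "203.0.113.5", "dave", "lockout", "Office 365"),
    ("2020-03-10T09:01:02", "198.51.100.9", "erin", "success", "Azure Portal"),
    ("2020-03-10T09:05:00", "198.51.100.9", "erin", "success", "Unknown PS Client"),
    ("2020-03-10T09:30:00", "192.0.2.77", "frank", "failure", "Office 365"),
    ("2020-03-10T09:31:00", "192.0.2.77", "frank", "success", "Office 365"),
]
KNOWN_APPS = {"Office 365", "Azure Portal"}          # assumption: SOC-maintained allow-list
FAIL_RESULTS = {"failure", "bad_username", "lockout"}  # every non-success outcome counts as failed

def evaluate(events, window=timedelta(minutes=10), max_failures=5,
             max_bad_users=3, max_lockouts=2, min_attempts=3, max_fail_ratio=0.8):
    """Return a sorted list of (rule, subject) alerts for the five firing rules."""
    alerts = set()
    by_ip = defaultdict(list)
    for ts, ip, user, result, app in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
        if app not in KNOWN_APPS:                      # rule 4: unknown appDisplayName
            alerts.add(("unknown_app", app))
    for ip, recs in by_ip.items():
        recs.sort()
        for i, (t0, _, _) in enumerate(recs):          # rules 1-3: sliding time window
            win = [r for r in recs[i:] if r[0] - t0 <= window]
            if sum(r[2] in FAIL_RESULTS for r in win) >= max_failures:
                alerts.add(("failed_attempts", ip))
            if len({r[1] for r in win if r[2] == "bad_username"}) >= max_bad_users:
                alerts.add(("bad_usernames", ip))
            if sum(r[2] == "lockout" for r in win) >= max_lockouts:
                alerts.add(("lockouts", ip))
        fails = sum(r[2] in FAIL_RESULTS for r in recs)   # rule 5: failure ratio per IP
        if len(recs) >= min_attempts and fails / len(recs) > max_fail_ratio:
            alerts.add(("fail_ratio", ip))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, subject in evaluate(EVENTS):
        print(f"{rule:16} {subject}")
```

A low-volume source that trips the same rules on consecutive days is the "continuity" signal the paragraph refers to; the function can be re-run per window and its output compared across windows.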
Preface: The invention of the IoT sensor looks like the contingent that drives a smart city. At the same time, the Python programming language gives life to the Internet of Things.
Security Focus: Even though IoT devices and their back-end facilities deploy SSL certificates, this cannot prevent data leakage caused by a programming language flaw.
Vulnerability details: The vulnerability exists because the affected software does not remove the HTTP Authorization header when performing HTTPS to HTTP redirects with the same hostname, which may allow user credentials to be transmitted in clear text. A successful exploit could allow the attacker to access sensitive information, such as user credentials and web server information. For more details, please refer to attached diagram.
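An added example (not the affected library's code, which the page does not name) of the redirect handling a client needs to avoid the flaw above: the Authorization header is dropped whenever a redirect downgrades HTTPS to HTTP, even for the same hostname, or changes host. The fake redirect chain, host name and header values are constructed so the example runs offline.

```python
from urllib.parse import urlsplit

# Constructed redirect chain standing in for an IoT back end (no network is used).
# Each entry maps a request URL to (status, Location header or None).
FAKE_SERVER = {
    "https://sensor-hub.example/api/v1/readings": (301, "http://sensor-hub.example/api/v1/readings"),
    "http://sensor-hub.example/api/v1/readings": (200, None),
    "https://sensor-hub.example/login": (302, "https://sensor-hub.example/home"),
    "https://sensor-hub.example/home": (200, None),
}

def headers_for_redirect(src, dst, headers):
    """Return the headers to send to `dst` after a redirect from `src`.
    Authorization is removed when the host changes or when the scheme downgrades
    from https to http, the same-hostname case the vulnerability text describes."""
    s, d = urlsplit(src), urlsplit(dst)
    downgrade = s.scheme == "https" and d.scheme == "http"
    if s.hostname != d.hostname or downgrade:
        return {k: v for k, v in headers.items() if k.lower() != "authorization"}
    return dict(headers)

def follow(url, headers, server=FAKE_SERVER, strip=True, max_hops=5):
    """Follow redirects against the fake server; return [(url, headers sent)] per hop.
    strip=False reproduces the flawed behaviour of forwarding headers unchanged."""
    trail = []
    for _ in range(max_hops):
        trail.append((url, dict(headers)))
        status, location = server[url]
        if status not in (301, 302, 307, 308) or location is None:
            return trail
        headers = headers_for_redirect(url, location, headers) if strip else headers
        url = location
    raise RuntimeError("too many redirects")

def leaked_credentials(trail):
    """True if an Authorization header was sent over plain http on any hop."""
    return any(u.startswith("http://") and "Authorization" in h for u, h in trail)

if __name__ == "__main__":
    creds = {"Authorization": "Basic PLACEHOLDER", "Accept": "application/json"}
    start = "https://sensor-hub.example/api/v1/readings"
    print("flawed client leaks:", leaked_credentials(follow(start, creds, strip=False)))
    print("fixed client leaks: ", leaked_credentials(follow(start, creds)))
```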