Sending thousands of alleged pirates a bill for $20 per song isn't working out.
More than 95 percent of companies running SAP applications are failing to apply software patches on a timely schedule leaving them vulnerable to cyber-attacks. More than 95 percent of companies running the SAP business application platform are vulnerable to security breaches because unpatched software flaws that could allow attackers to compromise their systems, security firm Onapsis stated in an analysis released on May 6. The results, based on hundreds of assessments conducted by the firm, found three common vectors through which attackers used vulnerabilities in SAP systems to compromise business systems. Attackers looking to breach corporate SAP systems will often create new users in a management engine for Java to gain access to internal systems, use flawed proprietary protocols to change business information and exploit connections between systems to jump from a lower security SAP component to a higher security component. “Breaches are happening every day but still many CISOs don’t know because they don’t have visibility into their SAP applications,” Mariano Nunez, CEO and co-founder of Onapsis, said in a statement sent to eWEEK. More than 290,000 companies use SAP systems to automate their business processes and collect data and metrics on business goals. The company, and its rival Oracle, focus on analyzing operational data to help businesses run more smoothly. Yet, despite SAP’s “Run Simple” branding campaign, SAP implementations can be very complex. Moreover, because SAP systems tend to be critical to business operations, companies are hesitant to update the application servers. As a result, most companies delay patching by more than 18 months, despite the fact that hundreds of patches are released each year—391 in 2014 alone, according to Onapsis. While nearly half of the patches where rated as high priority by SAP, “the truth is that most patches applied are not security-related, are late or introduce further operational risk,” Nunez said. Researcher and attacker interest in SAP systems jumped in 2010 and continues to increase, SAP security firm ERPScan stated in a 2013 RSA presentation. In 2014, SAP landed at fourth on the list of vendors with the most vulnerabilities, behind Microsoft, HP and Advantech, according to the latest HP Cyber Risk Report released last month. SAP’s platform for next-generation applications and analytics, HANA, has become a focus on a large number of patches, according to Nunez. “With SAP HANA positioned in the center of the SAP ecosystem, data stored in SAP platforms now must be protected both in the cloud and on-premise,” he said. Onapsis analyzed the data from hundreds of assessments conducted by the firm to find the top-three vectors of attacks against SAP systems. The top attack pattern consisted of creating backdoor accounts in the SAP system for handling Java users and exploiting critical flaws to obtaining access to other connected systems. Attackers also focused on the company’s proprietary communications and control protocols to access sensitive data in the platform’s database. Finally, by compromising a lower security system, attackers can move laterally within the network to more critical systems, Onapsis said. The company recommended that SAP users continuously monitor and maintain their systems by applying software patches as promptly as possible.
Programs that insert or replace ads on pages that users visit are proliferating, the company warns. Software programs that insert new ads or replace existing ones on pages that Internet users visit when browsing the Web present a clear and growing security danger, Google said in a report released this week. The report, developed in conjunction with researchers at the University of California at Berkeley and at Santa Barbara, examined the prevalence of ad injector programs on the Web. To conduct the study, the researchers built what Google described as an ad injector detector for Google sites and observed the programs in action over the course of several months in 2014. What they discovered was that more than 5.5 percent of all unique IP addresses accessing Google sites—a number thought to be in the millions—were infected with ad injection programs. "Deceptive ad injection is a significant problem on the web today," Kurt Thomas, a member of Google's spam and abuse research team, said in a blog post. "Unwanted ad injectors are not only annoying, they can pose serious security risks to users as well." According to Google, the problems caused by ad injectors have become so acute that the company has received more than 100,000 complaints about it from Chrome users just since the beginning of this year. Ad injectors infect browsers like Chrome, Internet Explorer and Safari and basically are used to serve up unwanted ads on pages that users may be browsing at a particular time. Distributors of these programs typically make money on every click that users make on the ads that are served up. During the study, the researchers from Google and the other organizations discovered a staggering 50,000 browser extensions and more than 30,000 software applications capable of taking control of a user's browser to inject ads. "Upwards of 30% of these packages were outright malicious and simultaneously stole account credentials, hijacked search queries, and reported a user's activity to third parties for tracking," Thomas said. An astonishing 5.1 percent of all page views on Windows and 3.4 percent of page views on Mac showed signs of ad injection, he noted. Ad injection malware is distributed in a variety of ways but most commonly by bundling it with other free and popular software downloads. Malware distribution and social advertising campaigns are two other fairly typical ways in which the injectors are distributed. During the study, the researchers found that ad affiliation networks play a major part in delivering the malware on end-user browsers. The ads that these injectors deliver come from a collection of about two dozen businesses that supply "injection libraries" containing ads to be served up on a user's browsers. Many of the ads that are being illegally injected actually are from legitimate businesses that have little inkling of what is going on or how their advertisements are being manipulated to drive traffic to their sites. Google and the other researchers discovered more than 3,000 advertisers whose ads were being displayed improperly on end-user browsers via ad injectors. Among the companies whose advertisements were being delivered this way were Walmart, Sears, Target and eBay. "Because advertisers are generally only able to measure the final click that drives traffic to their sites, they're often unaware of many preceding twists and turns, and don't know they are receiving traffic via unwanted software and malware," Thomas said. Based on the findings in the report, Google has removed 192 deceptive Chrome extensions that impacted some 14 million users. Google has also updated Chrome so users get an alert and a red warning when they are about to download malicious software, Thomas said. Google has also been reaching out to advertisers to inform them of what is going on, he said.
Coffee company will bring back “My K-Cup” reusable filter, license more outside brands.
"They’re not running rogue out there," Sen. Mitch McConnell (R-Ky.) says of the NSA.
WordPress issues its third security update, version 4.2.2, in less than four weeks to fix cross-site scripting security vulnerabilities. The open-source WordPress content management system is once again being ...
AT&T wants to keep charging Netflix and other online video providers.
Proof-of-concept malware may pave the way for future in-the-wild attacks.
EFF, ACLU lose their California state appeal in LPR public records case.
ASCAP says 1.85% royalties aren't enough; appeals judges said it's just fine.