3.1 C
London
Sunday, November 19, 2017
Home Tags Twitter

Tag: Twitter

Oracle's July Critical Patch Update includes 89 patches, which seems like a lot. Is it? Unlike Microsoft, which provides its users with a monthly regular patch cycle, Oracle uses a quarterly Critical Patch Update (CPU) approach. The July CPU is now out, and it's a big one. It provides no less than 89 security fixes across a wide swath of Oracle products including database, Fusion Middleware, MySQL, Oracle VM and Solaris. The update does not include any new fixes for Oracle's much maligned Java, which is currently patched on a separate cycle. Oracle plans to align its scheduled Java patch release cycle with the CPU starting in October. Oracle's namesake database  received six patches this CPU, only one of which is remotely exploitable without authentication. Oracle's open source MySQL database didn't fare quite as well, with a total of 18 new security flaws, two of which are classified as remotely exploitable without authentication. Oracle got the MySQL technology as part of its acquisition of Sun in 2010, though Oracle classifies other Sun technologies in the CPU under the title of the Sun Systems Products Suite. That suite includes the Solaris UNIX operating system that received a total of 16 new security fixes, with eight reported as being remotely exploitable without authentication. The Fusion middleware suite is tagged for 21 fixes, with 16 of those being remotely exploitable without authentication. Fusion is Java middleware and includes the JRockit Java Virtual Machine.

The flaws in the July CPU include a number of issues that Oracle already patched in its June Java CPU. Oracle patched 40 different issues as part of that update. "With the inclusion of Java in the normal Critical Patch Update schedule starting in October 2013, the release of JRockit and Java security fixes will be integrated," Eric Maurice, director, Oracle Software Security Assurance wrote in a blog post. Too Many Vulnerabilities? The overall number of vulnerabilities, as well as the method by which those vulnerabilities were found is a cause for concern, according to Tripwire security researcher Craig Young. “The constant drumbeat of critical Oracle patches is more than a little alarming, particularly because the vulnerabilities are frequently reported by third parties who presumably do not have access to full source code," Young said.

This month’s CPU credits 18 different researchers coming from more than a dozen different companies. " Young added that it's also noteworthy that every Oracle CPU release this year has plugged dozens of vulnerabilities. "By my count, Oracle has already acknowledged and fixed 343 security issues in 2013," Young said. "In case there was any doubt, this should be a big red flag to end users that Oracle's security practices are simply not working." Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.
Even Hova himself said of the privacy problems: "sux must do better."    
Twitter is the latest major web service to beef up its security two-factor authentication (2FA). The security feature is a pretty simple and effective approach - and one the notorious Mega kingpin Kim Dotcom claims today to have invented back in the '90s. Two-factor auth is a simple process for verifying that the user accessing a service is legitimate. A random code...
Security-watchers don't appear overly impressed with Twitter's introduction of two-factor authentication (2FA) to its service. While some infosec experts welcomed the move, others argued that while it might help protect the accounts of individuals, it is ill-suited to the safeguarding of shared accounts of organisations - many of which have fallen victim to recent hijacking attacks. On 22 May, users of...
Saudi telecom seeks help monitoring encrypted Twitter data according to e-mails.
There's an old adage that on the internet, nobody knows you're a dog. It's been previously used to demonstrate that it's hard, if not impossible at times, to determine whether someone really is who they say they are — be it man, woman, or dog — but it equally applies to hackers. Although offline, it's easy enough to connect with someone's day-to-day personality, it doesn't offer any insight into who they are and how they act online. Let's face it, as much as Hollywood might lead us to believe that hackers gain their street cred from hacking via sophisticated 3D-modelled file systems, or that two people typing on one keyboard doubles a computer's hacking abilities, the more boring reality is that it's mostly done by typing commands into a terminal shell (and I don't mean "access security"). Just as image is everything for some people offline, so too is it online. It's why sites like Zone-H exist, showcasing what websites online attackers have defaced.

And just like in the offline world, many will take credit for others' work, make up successful attacks, or twist simple attacks into what seem like more nobler causes. Which is what may have happened with the Commonwealth Bank of Australia (CBA) recently.

A hacking group going by the name LatinHackTeamReborn, presumably trading off the name of the former LatinHackTeam group, claimed to have breached CBA's UK site. It posted the alleged email addresses, hashed passwords, and names of users on the site, stating that it made its attack by "rerouting after attacking the firewall", and that it was "striking back after what you did to us". The only problem is, it's not CBA's data. "We have done a thorough investigation, and we can confirm that no Commonwealth Bank systems have been hacked and no customer data has been compromised.

The CBA customer information is safe and secure," a spokesperson for the bank told us. It's clear from the leaked data that it's not banking information. CBA uses numerical codes for it online banking system, not email addresses, and the passwords, while hashed, were done using MD5 with no salt.

If such a method of securing passwords was used on a live banking system, it would certainly raise eyebrows, but CBA denies that it belongs to it. But the email addresses do appear to be valid, and, worryingly, of a UK and Australian nature. It's not unheard of for a hacked organisation to lie to the media, and for the information to actually be from a lesser-known and not mission-critical system (we might as well throw "developed by a third party" in here as well). But, digging deeper, I'd be more inclined to trust CBA's word. That's not just because of the damage to its reputation should it be proved that it lied, but because it would really mean trusting a hacker group that only created its Twitter account a few hours prior to the attack, which for some reason decided to include the #stopglobalwarning (yes, warning) hashtag in its attack, and opted for the cryptic, Hollywood-esque method of "rerouting" after attacking a firewall. Wherever this data came from, it didn't happen by picking different routes. It most likely resulted from improper access to a database, probably by using SQL injection. And what has CBA got to do with whatever happened to LatinHackTeam anyway? Nothing, as far as I can tell. It's a bank — and hackers breaking into banks is a sure-fire way to improve your image and gain credibility. Which is probably why the hacking group also claimed to have attacked the Bank of Israel. That would be a significant feat itself; only the email addresses, hashed passwords, and organisations named have nothing to do with the Bank of Israel.

They are actually from leaks posted by others, on previously compromised websites; in this case, the Ontario Imported Wine-Spirit-Beer Association. It runs its site off WordPress, which, if not maintained to the current version, is an easy target for even the most novice attackers, thanks to the wealth of information freely available online. Most of the time, impersonators are going to get away with it because there are few consequences for being named and shamed, and fewer who have the time or inclination to do it ("Bank not hacked" is not a headline, after all).

Even when it does happen, this is the internet, where creating a new alter ego is as simple as a few clicks, and a teenager, or an industry veteran, can be born again as a political greenie against global warning, a freedom fighter, a North Korean official, or perhaps all of them at once. It's true that on the internet, nobody knows if you're a dog, but also, most times nobody knows you're really a dog pretending to be some sort of bank-robbing hacker.