Tagged: vulnerable Toggle Comment Threads | Keyboard Shortcuts

  • jkabtech 12:17 pm on May 27, 2018 Permalink | Reply
    Tags: 'Thunderstrike', , , , vulnerable   

    Macs Vulnerable to Firmware Attacks Like ‘Thunderstrike’, Says Duo Security 

    Highlights Apple has not been able to entirely provide security fixes to macOS Duo Security found this in its report released on Friday It found that 43 percent of Mac machines had out-of-date firmware

    Since 2015, Apple Inc has tried to protect its Mac line of computers from a form of hacking that is extremely hard to detect, but it has not been entirely successful in getting the fixes to its customers, according to research released on Friday by Duo Security.

    Duo examined what is known as firmware in the Mac computers. Firmware is an in-built kind of software that is even more basic than an operating system like Microsoft Windows or macOS.

    When a computer is first powered on – before the operating system has even booted up – firmware checks to make sure that basic components like a hard disk and processor are present and tells them what to do. That makes malicious code hiding in it hard to spot.

    In most cases, firmware is a hassle to update with the latest security patches. Updates have to be carried out separately from the operating system updates that are more commonplace.

    In 2015, Apple started bundling firmware updates along with operating system updates for Mac machines in an effort to ensure firmware on them stayed up to date.

    But Duo surveyed 73,000 Mac computers operating in the real world and found that 4.2 percent of them were not running the firmware they should have been based on their operating system. In some models – such as the 21.5-inch iMac released in late 2015 – 43 percent of machines had out-of-date firmware.

    That left many Macs open to hacks like the “Thunderstrike” attack, where hackers can control a Mac after plugging an Ethernet adapter into the machine’s so-called thunderbolt port.

    Paradoxically, it was only possible to find the potentially vulnerable machines because Apple is the only computer maker that has sought to make firmware updates part of its regular software updates, making it both more trackable and the best in the industry for firmware updates, Rich Smith, director of research and development at Duo, told Reuters in an interview.

    Duo said that it had informed Apple of its findings before making them public on Friday. In a statement, Apple said it was aware of the issue and is moving to address it.

    “Apple continues to work diligently in the area of firmware security, and we’re always exploring ways to make our systems even more secure,” the company said in a statement. “In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.”

    View the Original article

  • jkabtech 4:17 am on May 18, 2018 Permalink | Reply
    Tags: , , , , Planet, , vulnerable,   

    Wi-Fi WPA2 Security Vulnerable to KRACK Attacks: Nearly All Wi-Fi Devices on the Planet Vulnerable 

    Highlights WPA2 security protocol has reportedly been compromised The WPA2 vulnerabilities will be detailed at 5:30pm IST Anyone near your router could eavesdrop on Wi-Fi traffic, say researchers

    Security researchers claim to have found high-severity vulnerabilities in WPA2 (Wi-Fi Protected Access II), a popular security protocol used by nearly every Wi-Fi device on the planet. The vulnerabilities could potentially allow anyone near your router to eavesdrop on the Wi-Fi traffic being sent through it.

    Details have been revealed on a dedicated site called krackattacks.com, named after the proof-of-concept attack called KRACK (Key Reinstallation Attacks). A total of 10 vulnerabilities have been identified, and were discovered by researcher Mathy Vanhoef of imec-DistriNet, KU Leuven.

    “If your device supports Wi-Fi, it is most likely affected,” Vanhoef writes on the website.

    “Concretely, attackers can use this novel

    View the Original article

  • jkabtech 8:17 pm on May 17, 2018 Permalink | Reply
    Tags: 10-Point, , Cheatsheet, , , vulnerable,   

    Wi-Fi Devices Vulnerable to KRACK Attacks: Your 10-Point Cheatsheet 

    Highlights Nearly all modern Wi-Fi devices are impacted You need to wait for a software update on your smartphone, laptop You do not need to change your router’s Wi-Fi password

    Vulnerabilities in WPA2, a protocol used by nearly all modern Wi-Fi devices, leaves all Wi-Fi devices at risk of being snooped upon, a security researcher revealed on Monday. KRACK attacks make it possible

    View the Original article

  • jkabtech 12:17 pm on August 21, 2017 Permalink | Reply
    Tags: E-Business, , , , , vulnerable   

    Oracle E-Business Suite servers vulnerable to full data leaks 

    Patch now or risk regulatory data breach wrath.

    Critical flaws in Oracle’s E-Business Suite can be exploited to easily access and capture any documents stored in the enterprise software platform.

    Security vendor Onapsis discovered the issue, and said it is easy to exploit.

    Oracle E-Business Suite versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6 are exposed to an arbitrary documents download vulnerability.

    Anyone who can connect to an E-Business Suite web server can access any document stored there with a single HTTP request. No access credentials are required to make the server fulfil the request, Onapsis said.

    “This vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it,” chief technology officer of Onapsis, Juan Perez-Etchegoyen, said.

    Any number of critical documents could be stored in the system, including invoices, purchase orders, HR information, and design drafts.

    Even systems in isolated demilitarised zone mode are vulnerable, Perez-Etchegoyen said.

    Oracle addressed the vulnerability in its most recent critcal patch update (CPU) set of security fixes. In total, the E-Business Suite had 22 vulnerabilities that have been patched.

    Onapsis said it had identified over a thousand networked E-Business systems that could be affected by the flaw, and is advising Oracle customers to immediately apply the security patches.

    It warned that a failure to secure vulnerable systems could violate data storage and privacy regulation compliance and lead to legal and financial liabilities for organisations.

    View the Original article

  • jkabtech 1:21 am on April 29, 2016 Permalink | Reply
    Tags: , , , moving, , vulnerable   

    How $80B moving through NY Fed daily could be vulnerable to hackers 

    Steve Liesman 6 Hours AgoCNBC.comSHARES

    The Federal Reserve Bank of New York, in its first extensive remarks on cybersecurity following the theft of $81 million from accounts it held for the central bank of Bangladesh, said the incident is a “wake-up call” for the global financial system and the Fed is taking the issue “very seriously.”

    However, a senior New York Federal Reserve official said in an interview with CNBC that the central bank has no authority to inspect or oversee the cybersecurity precautions at foreign central banks that keep their assets at the New York Fed. That means there can be varying cybersecurity risk levels around the world for transactions between global central banks and the New York Fed.

    The New York Fed stands at the center of the globalized, dollar-denominated world, maintaining as many as 250 accounts for central banks that contain approximately $3 trillion in assets. One of the reasons those funds are concentrated in New York is that the United States is seen as among the safest places in the world for central bankers looking to protect assets. At the same time, that massive pool of money represents a rich and tempting target for international thieves and their growing attempts at cybertheft.

    View the Original article

Compose new post
Next post/Next comment
Previous post/Previous comment
Show/Hide comments
Go to top
Go to login
Show/Hide help
shift + esc
%d bloggers like this: