The Importance of Website Backups

This article explains why websites need to be backed up, what backups do, and how to choose a good backup solution.

According to the article, a good backup solution has four properties: an offsite location, so that a compromise or hardware failure of the web server does not also take the backups with it; automation, so nobody has to remember to run it by hand; redundancy, meaning a backup of your backups; and regular testing, to confirm that the backup can actually be restored when it is needed.
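As an added illustration of those four properties (this is example code written for this digest, not Sucuri's), the following Python routine archives a site directory, records a SHA-256 manifest of every file, copies archive and manifest to a second directory that stands in for offsite storage, and then performs a restore test by extracting the archive into a scratch directory and comparing the restored files against the manifest. The directory layout, file names, the offsite_dir target and the sample site contents are all constructed assumptions; a real deployment would point offsite_dir at object storage or a remote host and run run_backup() from cron or a systemd timer.

```python
import hashlib
import json
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large archives never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path_for(archive: Path) -> Path:
    """site-<stamp>.tar.gz -> site-<stamp>.manifest.json in the same directory."""
    return archive.with_name(archive.name[: -len(".tar.gz")] + ".manifest.json")


def create_backup(site_dir: Path, backup_dir: Path, offsite_dir: Path) -> Path:
    """Archive site_dir, write a manifest beside it, copy both to offsite_dir.

    offsite_dir is an assumption standing in for real off-host storage."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    offsite_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%S", time.gmtime())
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    manifest_path_for(archive).write_text(json.dumps({
        "archive_sha256": sha256_file(archive),  # catches a corrupted or tampered archive
        "files": manifest_for(site_dir),         # catches a partial or wrong restore
    }, indent=2))
    for f in (archive, manifest_path_for(archive)):   # redundancy: a second copy elsewhere
        shutil.copy2(f, offsite_dir / f.name)
    return archive


def verify_backup(archive: Path) -> bool:
    """Restore test: check the archive hash, extract into a scratch directory and
    compare every restored file with the manifest recorded at backup time."""
    expected = json.loads(manifest_path_for(archive).read_text())
    if sha256_file(archive) != expected["archive_sha256"]:
        return False
    # Python 3.12+ offers the 'data' filter, which refuses path traversal and
    # symlink tricks inside a tar; older versions extract unchecked, so only
    # restore archives you created yourself.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **kwargs)
        restored = manifest_for(Path(scratch) / "site")
    return restored == expected["files"]


def run_backup(site_dir: Path, backup_dir: Path, offsite_dir: Path) -> dict:
    """Single entry point for a scheduler: archive, copy offsite, test both copies."""
    archive = create_backup(site_dir, backup_dir, offsite_dir)
    return {
        "archive": archive,
        "verified": verify_backup(archive),
        "offsite_verified": verify_backup(offsite_dir / archive.name),
    }


def demo() -> dict:
    """Build a small constructed site tree in a temp directory and back it up."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    site = root / "htdocs"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "index.php").write_text("<?php echo 'constructed sample'; ?>\n")
    (site / "wp-content" / "uploads" / "logo.txt").write_text("constructed upload\n")
    # In practice the dump comes from mysqldump/pg_dump right before archiving.
    (site / "db.sql").write_text("-- constructed dump\nCREATE TABLE posts (id INT);\n")
    return run_backup(site, root / "backups", root / "offsite")


if __name__ == "__main__":
    print(demo())
```

The restore test is the part most sites skip: an archive that exists but cannot be extracted, or that silently lacks the database dump, is discovered only during an incident. Keeping the manifest separate from the archive also means a corrupted primary copy is detected rather than trusted, and the offsite copy can then be verified and used instead.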

Source: https://blog.sucuri.net/2018/06/website-backups.html

Joomla 3.8.4 release addresses three XSS and SQL Injection vulnerabilities

The Joomla development team has released Joomla 3.8.4, which addresses a large number of issues, including a SQL injection bug and three cross-site scripting (XSS) vulnerabilities, alongside several improvements. The XSS and SQL injection vulnerabilities have been classified as "low priority" and affect Joomla CMS versions 3.7.0 through 3.8.3.

“Recent updates to our analysis engine led to the discovery of a new vulnerability in the Joomla! core affecting versions prior to 3.8.4. RIPS discovered a second-order SQL injection that could be used by attackers to leverage lower permissions and to escalate them into full admin permissions.” reads the analysis published by RIPS.

The experts explained that the flaw could be exploited to gain admin privileges and take over Joomla installations.

“An attacker exploiting this vulnerability can read arbitrary data from the database. This data can be used to further extend the permissions of the attacker. By gaining full administrative privileges she can take over the Joomla! installation by executing arbitrary PHP code.” continues the post.

The researchers found the vulnerability with their static code analyzer. Exploitation is a two-step process, which is what "second-order" means here: an attacker first stores arbitrary content in the targeted install's database through a legitimate write, then triggers a later query that embeds that stored content unsafely, using it to read data such as administrator credentials and escalate to admin privileges.
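To make the second-order mechanism concrete, here is an added example in Python with sqlite3. It is not Joomla's code and does not reproduce the RIPS finding; the users table, the profile lookup and the sample rows are constructed for illustration. The first write is parameterised and therefore safe on its own; the later lookup trusts the value it reads back from the database and concatenates it into SQL, which is exactly where a second-order injection fires. The hardened variant binds the stored value as a parameter.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory database with one constructed admin row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password_hash TEXT NOT NULL,
            is_admin INTEGER NOT NULL DEFAULT 0
        );
        INSERT INTO users (username, password_hash, is_admin)
            VALUES ('admin', 'hash-of-admin-secret', 1);
    """)
    return conn


def register_user(conn: sqlite3.Connection, username: str) -> int:
    """Step 1: the attacker's string lands in the database through a properly
    parameterised INSERT. This statement is not injectable; it just stores the
    payload faithfully, quotes and all."""
    cur = conn.execute(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, 0)",
        (username, "hash-of-user-secret"),
    )
    return cur.lastrowid


def profile_vulnerable(conn: sqlite3.Connection, user_id: int) -> list:
    """Step 2 (vulnerable): a later feature re-reads the stored username and,
    treating 'data from our own database' as trusted, splices it into SQL.
    That is the second-order injection point."""
    (stored_name,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    query = ("SELECT username, password_hash FROM users "
             "WHERE username = '%s'" % stored_name)          # string concatenation
    return conn.execute(query).fetchall()


def profile_fixed(conn: sqlite3.Connection, user_id: int) -> list:
    """Step 2 (hardened): same logic, but the stored value is bound as a
    parameter, so its quotes and keywords are data rather than SQL."""
    (stored_name,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?",
        (stored_name,)).fetchall()


# Constructed payload: closes the string literal and widens the WHERE clause so
# the attacker's "own profile" lookup returns the admin row and its hash.
PAYLOAD = "x' OR is_admin = 1 OR 'a'='b"


def demo() -> tuple:
    """Register the payload as a username, then run both profile lookups."""
    conn = setup_db()
    uid = register_user(conn, PAYLOAD)
    leaked = profile_vulnerable(conn, uid)   # admin row leaks
    safe = profile_fixed(conn, uid)          # only the attacker's own row
    return leaked, safe
```

The lesson is that parameterising the write is necessary but not sufficient: every query that later consumes stored data has to be parameterised too, because the database faithfully preserves whatever was stored. Per-request code review tends to miss this, which is why an analyser that tracks data flow through the database, as RIPS describes, finds it.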

Source: https://www.securityweek.com/xss-sql-injection-flaws-patched-joomla

Dixons Carphone hit by huge data breach

Electronics retailer Dixons Carphone has suffered a massive data breach: attackers attempted to compromise 5.9 million customer payment cards and accessed a further 1.2 million records containing non-financial personal information.

Of the 5.9 million cards, the company states that chip-and-PIN protection should prevent 5.8 million from being used for fraud; the remainder, around 105,000 cards issued outside the EU without chip-and-PIN protection, are the ones at real risk. PIN codes, card verification values (CVV) and the authentication data needed to identify the holder or make purchases were not stored in the data.

Source: https://securityaffairs.co/wordpress/73479/data-breach/dixons-carphone-hacked.html

92 Million User Credentials Exposed in MyHeritage Data Breach

MyHeritage, a DNA and genealogy firm, announced that the email addresses and hashed passwords of 92 million users had been stolen. The company only discovered the breach when a security researcher informed it that he had found a file named "myheritage" on a private server outside the company.

Source: https://www.securityweek.com/92-million-user-credentials-lost-myheritage

4 most in-demand Cybersecurity skills

As cyber attacks continue to increase in number and escalate in complexity, companies are looking to hire hard-to-find cybersecurity experts to help secure their systems. Here's a look at the four most in-demand cybersecurity skills for 2018 and beyond.

Penetration testing and intrusion detection – Intrusion detection skills are crucial for identifying potentially harmful activity before it escalates, helping organizations stay a step ahead of breaches.

DevSecOps – Introduces security earlier in the application development life cycle to minimize vulnerabilities and make everyone involved responsible for security. The idea is to automate core security tasks by integrating security processes and controls into the DevOps pipeline rather than bolting them on at the end.

Cloud Security – Companies want to ensure not only that cloud service providers such as Microsoft and Amazon are doing their utmost to protect the sensitive data stored on their servers, but also that the data stored there is inaccessible to attackers. Under the providers' shared responsibility model, much of that second part (identity, access control, configuration) is the customer's job, which is where the skills gap lies.

Encryption – In the worst case, where attackers are stealing or accessing your sensitive business data and your security team doesn't catch it in time, encryption is the last line of protection, since encrypted data is unreadable without the key. That in turn makes key management, where keys live and who can use them, the real problem to solve. Expect demand for encryption skills among cybersecurity professionals to increase further as companies realize how vulnerable they are to emerging and evolving attacks that are becoming more difficult to identify and prevent.

Source : https://www.cio.com/article/3277956/it-skills-training/4-most-in-demand-cybersecurity-skills.html

An acoustic attack can blue screen your Windows computer

Researchers from the University of Michigan and Zhejiang University have demonstrated that attackers can damage hard disk drives and crash PCs just by playing sounds through a computer's own speaker. The acoustic interference vibrates the drive's heads and platters enough that the drive stops servicing reads and writes, and an operating system that cannot reach its disk eventually crashes, on Windows with a blue screen.

Source: https://www.welivesecurity.com/2018/05/30/acoustic-attack-blue-screen-windows-computer/

FBI seizes control of a massive botnet that infected over 500,000 routers

More than half a million routers and storage devices in dozens of countries have been infected with a highly sophisticated piece of IoT botnet malware, likely developed by a Russia-backed state-sponsored group.

The malware, named VPNFilter, has already infected over 500,000 devices in at least 54 countries, most of them small office and home office (SOHO) routers and internet-connected storage devices from Linksys, MikroTik, NETGEAR and TP-Link. Some network-attached storage (NAS) devices are known to have been targeted as well.

The articles linked below cover the malware in more detail and what device owners can do about it. The FBI's advice was to reboot affected devices, which clears the non-persistent later stages of the malware (the first stage survives a reboot), then apply firmware updates and change any default credentials.

Source: https://thehackernews.com/2018/05/vpnfilter-botnet-malware.html

https://thehackernews.com/2018/05/vpnfilter-router-hacking.html

Mobile Giants: Please Don’t Share the Where

In this investigative piece, Brian Krebs describes how the major phone companies sell our location data to third-party companies without our consent or a court order. Our phones report their location to the carriers all day, which the carriers need in order to provide good call quality and to route emergency 911 calls to our location. The problem arises when anyone outside the phone companies, and law enforcement agencies with a valid court order, can access this data: once it is shared that widely it is at extremely high risk of being hacked, stolen and misused.

AT&T, Sprint, T-Mobile and Verizon have been providing Securus and LocationSmart with the ability to perform real-time location lookups on their customers, with T-Mobile the only carrier to acknowledge the arrangement. The other three declined to confirm or deny that they did business with either company.

The data broker Securus was selling local police forces around the country the ability to look up the precise location of any cell phone on any of the major U.S. mobile networks. It then emerged that Securus had been hacked and its database of hundreds of law enforcement officer usernames and passwords plundered. Securus' location data was ultimately obtained from LocationSmart, a California-based location tracking firm.

The point is that for many of us location privacy is priceless, because without it almost everything else we do to safeguard our privacy goes out the window. This sad reality will persist until the mobile providers state unequivocally that they will no longer sell or share customer location data without having received and validated some kind of legal obligation, such as a court-ordered subpoena.

10 Tips to Make Your Computer More Secure

In this article Ian Anderson Gray gives tips on how to better secure our computers from attackers. Here are the suggestions:

  1. If your computer runs for long periods without needing to be connected to the internet, it is prudent to switch your router off.
  2. Make sure your router has a decent firewall.
  3. Make sure your computer or device has a decent firewall.
  4. Install decent anti-virus software.
  5. Keep your computer up to date.
  6. Don't visit porn sites (or any other dodgy or affected site).
  7. Keep your password safe and hard to guess.
  8. Use a decent web browser.
  9. Don't trust public Wi-Fi.
  10. Never leave your computer unattended.

Some measures not mentioned in the post are anti-spyware scanners, system cleaners such as CCleaner, and encrypting the data on your computer. One caveat on the cleaners: they offer little security benefit in themselves, and CCleaner's own installer was trojanized in a 2017 supply-chain attack, so even utilities marketed as clean-up or security tools need to come from the vendor's site and be kept updated. Of the three, full-disk encryption is the one that materially limits what a thief gets from a stolen machine.

Source: https://iag.me/tech/10-tips-to-make-your-computer-more-secure/