Australian Bureau of Statistics suffers DDoS

The Australian Bureau of Statistics suffered four attacks during the week in which it was conducting its five-yearly census. The census website was taken offline overnight on Tuesday.

In a statement on its website, the Bureau said it had closed the online Census form out of an abundance of caution: to protect data already submitted, to shield the system from further incidents and to spare the Australian public the disruption of an unreliable service. It also confirmed that the disruption was not a hack and that no data was compromised.

The attack is suspected to have been launched from overseas, and the site will be restored as soon as the necessary defences are in place.


2 Million Users Exposed in Ubuntu Forum Breach

A data breach of the Ubuntu Forums database has exposed two million usernames, email addresses and IP addresses to hackers. The breach was confirmed by Canonical, the company behind Ubuntu Linux. The forum was shut down and all system and database passwords were reset as a precautionary measure.

The breach is reported to have exploited a known SQL injection vulnerability in the forum’s Forumrunner add-on, which had not been patched. Part of Canonical’s statement reads: “The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers. This gave them the ability to read from any table but we believe they only ever read from the ‘user’ table.”

Infosecurity Magazine reports that Canonical has wiped and rebuilt the affected servers, patched them to the latest release and added a web application firewall to improve its security.

Free Android App “Black Jack” uncovered as a Trojan

A free gambling app, Black Jack, which has been downloaded by as many as 5,000 users from the Google Play Store, has been found to be a banking Trojan, reports Help Net Security.

The app’s main goal is to steal users’ personal and banking information, along with login credentials for a handful of popular online services and social networks, by presenting fake pop-up windows containing forms that ask for those credentials.

The app was also found to contain a variant of the Acecard malware family, which can intercept and send SMS messages, forward phone calls, lock the device screen and wipe all user data from the device.

It also attempts to download another app named Play Store Update (cosmetiq.fl).

Lookout researchers, who uncovered this malware, have advised users who downloaded Black Jack to uninstall it along with the cosmetiq.fl app and to change their online account passwords immediately.

White Hat Researcher Jailed for Exposing SQLi Flaws

A cybersecurity researcher who exposed vulnerabilities in a Florida elections website was arrested last week and charged with three third-degree felony counts.

Vanguard Cybersecurity boss David Levin handed himself in on Wednesday and spent five hours in the Lee County Jail cells before being released on a $15,000 bond, according to local reports.

He had posted a YouTube video detailing his research, in which he used the popular Havij automated SQLi tool to find simple SQL injection flaws in the website of the Lee County Supervisor of Elections Office.

Dan Sinclair, one of the candidates currently running for the supervisor of elections position, appears alongside Levin in the video, although he was not involved in the research itself.

“Dave didn’t do anything wrong,” he’s quoted as saying. “This is political corruption.”

However, Troy Hunt, security researcher and owner of the Have I Been Pwned? site, argued that Levin was in the wrong as he could have demonstrated security weaknesses in the site without exposing personal data.


Google Switches on HTTPS for All Blogspot Domains

The web got a little bit safer this week after Google switched on HTTPS for all of its blogspot domains.

First trialed last September, the change means everyone can now access a blogspot page over an encrypted channel, Google revealed in a blog post.

It added the following:

“We’re also adding a new setting called HTTPS Redirect that allows you to opt-in to redirect HTTP requests to HTTPS. While all blogspot blogs will have an HTTPS version enabled, if you turn on this new setting, all visitors will be redirected to the HTTPS version of your blog at https://.blogspot.com even if they go to http://.blogspot.com. If you choose to turn off this setting, visitors will have two options for viewing your blog: the unencrypted version at http://.blogspot.com or the encrypted version at https://.blogspot.com.”

However, Google warned that mixed content – sometimes caused by “incompatible templates, gadgets, or post content” – might cause a blog not to work in HTTPS.


WordPress, Joomla Subject to Widespread Injection Attack

Hackers are using the popular jQuery library to inject malicious code into websites powered by WordPress and Joomla. It’s a fairly widespread issue: since November 2015, Avast has registered more than 4.5 million users who encountered the infection.

Malicious code was found in almost 70 million unique files on hacked websites.

According to Avast researcher Alexej Savcin, fake jQuery injections have been very popular among hackers because jQuery itself is popular.

“JQuery is a very popular JavaScript library,” he explained in a blog. “The basic aim of this library is to erase the differences between implementations of JavaScript in various web browsers. If you have ever tried web coding, you know how tedious it can be to make the code do the same thing in different browsers. Sometimes it is a really big challenge. In such situations, this library can be very useful.”
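Two of the items above come down to the same check over a page’s HTML: a plain-http resource that will break a blog once it is served over HTTPS (the mixed content Google warns about), and a script that calls itself jQuery but is loaded from a host the site does not use (one form the fake jQuery injections can take; that pattern is an assumption here, since the post does not show the injected code). This is an added example, not code from Google, Avast or the original post; the allowlist of jQuery hosts and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts from which a jQuery script tag is treated as legitimate (constructed
# allowlist; adjust to the site's own CDN and self-hosted paths).
JQUERY_HOSTS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}
# Tags whose attribute names a sub-resource the browser will fetch.
RESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}

class ResourceScanner(HTMLParser):
    """Collects findings about script/img/link/iframe resource URLs."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if not url:
            return
        parsed = urlparse(url)
        # Finding 1: explicit http:// resource. Served under HTTPS this is mixed
        # content; browsers block scripts and iframes outright, not just warn.
        if parsed.scheme == "http":
            self.findings.append(("mixed-content", tag, url))
        # Finding 2: a jQuery-named script pulled from an unexpected host.
        # Relative URLs resolve to the page's own host and are accepted.
        if tag == "script" and "jquery" in parsed.path.lower():
            host = parsed.netloc or self.page_host
            if host != self.page_host and host not in JQUERY_HOSTS:
                self.findings.append(("suspicious-jquery-host", tag, url))

def scan_html(html, page_host):
    """Return a list of (kind, tag, url) findings for one page's HTML."""
    scanner = ResourceScanner(page_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a legitimate CDN include, a self-hosted plugin, an
# http:// jQuery-named script from an unrelated host, and an http:// image.
SAMPLE = """<html><head>
<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
<script src="/wp-content/themes/x/js/jquery.plugin.js"></script>
<script src="http://cdn.example-unrelated.net/jquery.min.js"></script>
<link rel="stylesheet" href="https://example-blog.blogspot.com/style.css">
</head><body><img src="http://example-blog.blogspot.com/images/banner.png">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan_html(SAMPLE, "example-blog.blogspot.com"):
        print(f"{kind}: <{tag}> {url}")
```

Run against a saved copy of the page; the unrelated-host script is reported twice because it is both plain http and a jQuery include from a non-allowlisted host.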

Email Security Awareness is High—Preparedness Is Not

Despite risk awareness, many businesses are ignoring critical cyber-issues. Case in point: although 83% of IT staff highlight email as a common attack vector, one in 10 reports not having any kind of email security training in place.

That’s according to Mimecast’s Email Security Uncovered global research study, which also shows that while 64% regard email as a major cybersecurity threat to their business, 65% also feel ill-equipped or too out of date to reasonably defend against email-based attacks. One-third of respondents also believe email is more vulnerable today than it was five years ago.