A security issue and vulnerability have been reported in MySQL, which can be exploited by malicious people to bypass certain security restrictions.
It is possible to execute a one-liner bash command to exploit the vulnerability:
$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
Recommended steps include the following:
a) Secure MySQL so that it’s not exposed to the network at large in the first place. Most Linux distributions bind the MySQL daemon to localhost, preventing remote access to the service.
In cases where network access must be provided, MySQL also provides host-based access controls. For the few use cases where the MySQL daemon should be intentionally exposed to the wider network and without any form of host-based access control.
You can restrict access to the local system by modifying the my.cnf file: open my.cnf, find the section labeled [mysqld], and change (or add a line to set) the "bind-address" parameter to "127.0.0.1". Restart the MySQL service to apply this setting.
b) The next step is to upgrade to a stable, non-vulnerable version, as per the vendor's recommendation.
The following distros have been confirmed vulnerable:
Ubuntu Linux 64-bit (10.04, 10.10, 11.04, 11.10, 12.04)
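To verify the bind-address hardening from step (a) rather than assume it, here is an added shell example (not from the original post) that reads the [mysqld] section of a my.cnf following MySQL's own option-file rules; the sample option file is constructed, and the /etc/mysql/my.cnf path is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post: verify the bind-address hardening
# described above by parsing the [mysqld] section of a my.cnf. The sample
# option file is constructed; /etc/mysql/my.cnf below is an assumed path.

# Print the address mysqld will listen on per the given option file: only the
# [mysqld] section counts, the last assignment wins (as in MySQL's own option
# parsing), "#" starts a comment, "skip-networking" yields "none", and an
# unset bind-address yields 0.0.0.0 (all interfaces, the MySQL 5.x default).
mysqld_bind_address() {
  awk '
    /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
    !in_mysqld  { next }
    /^[ \t]*skip[-_]networking[ \t]*(#.*)?$/ { skip = 1 }
    /^[ \t]*bind[-_]address[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*(#.*)?$/, ""); addr = $0
    }
    END { if (skip) print "none"; else print (addr == "" ? "0.0.0.0" : addr) }
  ' "$1"
}

# Exit 0 only when mysqld is unreachable from other hosts.
mysqld_is_local_only() {
  case "$(mysqld_bind_address "$1")" in
    127.0.0.1|localhost|::1|none) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample option file exercising the rules above.
write_sample_cnf() {
  cat > "$1" <<'EOF'
[client]
port = 3306

[mysqld]
user = mysql
bind-address = 0.0.0.0     # exposed to every interface ...
bind_address = 127.0.0.1   # ... but this later line wins
EOF
}

# Demo on the sample; run mysqld_is_local_only /etc/mysql/my.cnf on a real host.
demo=$(mktemp)
write_sample_cnf "$demo"
addr=$(mysqld_bind_address "$demo")
if mysqld_is_local_only "$demo"; then echo "mysqld binds to $addr: local only"
else echo "mysqld binds to $addr: network-reachable, set bind-address = 127.0.0.1"; fi
rm -f "$demo"
```

The check inspects configuration only: files pulled in via !includedir are not followed, and the socket actually open should be confirmed with netstat -ltn or ss -ltn.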
Here’s how to set it up if you aren’t currently using a passcode:
Unlock your iPhone and open Settings > General > Passcode Lock.
Toggle Simple Passcode to Off.
Tap Turn Passcode On (assuming you don’t already have it turned on) and enter your new passcode using only numbers. You’ll see the standard alphanumeric keyboard during your initial passcode creation and confirmation, but don’t worry—if you stick with numbers, you’ll get the numeric keyboard later.
Cyber-Ark Software has recently launched a new product, the Inter-business Vault (IBV), as a cloud service that enables cloud users to secure their sensitive and confidential files during transfer.
A tool called BEAST decrypts secret PayPal cookies protected by TLS 1.0 and earlier by attacking the confidentiality model of the protocol. The researchers, Thai Duong and Juliano Rizzo, claim BEAST is "...the first attack that actually decrypts HTTPS requests", as opposed to other attacks, which targeted the authenticity of the protocol.
Twitter lists are great for organizing your favorite follows into one column or page. However, manually curating lists can be a laborious task. A couple of weeks ago I got to know about Formulists, a web-app for auto-creating and managing Twitter lists and exploring new people in various ways.
To build your security list, link your Twitter account to Formulists and group your favorite security tweeps into a list.
To create a generic list of security tweeps:
Tweep Search List Options: Don't Exclude People
Basic Options: 40 to 50 - This is more of a personal option
Profile Filter Options:
Bio: Infosec OR security OR hacker
Filter by when they last tweeted: Last 30 days
Filter by following and followers: More than 50 followers
Now, if you would like to add a list of people who you’re not following yet, do this quick-fix:
Tweep Search List Options: Exclude people I already follow from list
This should give you a good starting feed with a bunch of interesting and informative security tweets.
Selecting a Cloud service provider (CSP) isn't just about picking the better deal that fits your company's budget. The cloud provider's framework is where your data will be stored and, more often than not, data plays a huge part in the day-to-day running of a business. Therefore, it is essential to go over other key points that ensure enough effort is made to provide you with available, confidential and unaltered data. It is essential that your CSP voluntarily discloses how your data will be stored whenever you need that information. In fact, such checks will only be possible if the provider has transparent processes and procedures. Transparency plays a huge part in this. You can read more about Transparency & Trust within the cloud environment in my previous article.
A Cloud service provider (CSP) can decide to expose various levels of its internal procedures. This article discusses how transparent processes adopted by CSPs increase the confidence levels of an organization making use of cloud services.
Spear phishing is one of the big malware trends this year. What makes these attacks so different from conventional phishing is that they target individuals, mostly high-profile users, instead of a mass user base. The main aim of a spear-phishing attack is to get the user to run a 0-day malware-infected file that opens a backdoor, consequently allowing access to sensitive information or to elevated privileges.
Disaster Recovery Plans (DRPs) have always been a subject of debate due to factors such as the amount of capital required and the resources invested in the system. It's not easy to convince management to invest in such a plan when there may never be a return on investment, especially when management also factors solutions like insurance into the equation.
So why does DRP in the cloud make everyone’s (including your Financial Controller’s) life easier?
We all know that hacking is a 24/7 business, and as much as we good people enjoy keeping our workplaces and homes safe from wrongdoers, most of us cannot afford to watch out for attacks 24/7, especially today, when security is becoming broader, encompassing new and old practices.