Over a million fiber routers can be remotely accessed, thanks to an authentication bypass bug that's easily exploited by modifying the URL in the browser's address bar. The bug lets anyone bypass the router's login page and access pages within -- simply by adding "?images/" to the end of the web address on any of the router's configuration pages, giving an attacker near complete access to the router. Because the ping and traceroute commands on the device's diagnostic page are running at "root" level, other commands can be remotely run on the device, too. The findings, published Monday, say the bug is found in routers used for fiber connections. These routers are central in bringing high-speed fiber internet to people's homes. At the time of writing, about 1.06 million routers marked were listed on Shodan, the search engine for unprotected devices and databases. Half the vulnerable routers are located on the Telmex network in Mexico, and the rest are found on in Kazakhstan and Vietnam.
If you’re unfamiliar with Nuxt and how to work with it to create Vue.js applications, there’s another article I wrote on the subject here. If you’re familiar with React and Next.js, Nuxt.js is the Vue equivalent. It offers server-side rendering, code splitting, and most importantly, hooks for page transitions. Even though the page transition hooks it offers are excellent, that’s not how we’re going to accomplish the bulk of our animations in this tutorial. In order to understand how the transitions we’re working with today do work, you’ll also need to have basic knowledge around the <transition /> component and the difference between CSS animations and transitions. I’ve covered both in more detail here. You’ll also need basic knowledge of the <transition-group />component and this Snipcart post is a great resource to learn more about it. Even though you’ll understand everything in more detail if you read these articles, I’ll give you the basic gist of what’s going on as we encounter things throughout the post.
The reality is that many companies will not be fully GDPR compliant by the required date. But it’s important to remember that GDPR is not an exhaustive list of what is and isn’t allowed; it’s a principle-based, legal framework to drive change, as opposed to a tick-box exercise. Those companies who purely view it as such will not be building the best platform to succeed in the future – and may even trip up along the way. With less than a month to go, we’ve pulled together some key learnings to help your business remain calm under pressure and show how keeping the right attitude and culture is crucial for true compliance. The main element to a positive GDPR journey is to remember that the regulation has been designed to better facilitate business across the digital market in Europe. Key to this is building trust with citizens and customers by clearly demonstrating that their rights are respected and their data is managed responsibly. It shouldn’t be looked at as another regulation as it essentially builds on data privacy and security principles which organisations should already be abiding by.
GoSDL is, he says, a fairly simple PHP application that allows any team member to begin the process of interacting with security. "The beginning of the process of a new feature is one where they can check whether they want direct security involvement," Feldman says. If so, the feature is flagged "high risk," not because of any actual risk but to make it high priority for security team action. If the security involvement box isn't checked, it doesn't mean that security steps aside, but their involvement begins with a series of questions about the impact on existing products and features. Once the security team is involved it begins to put together risk assessments (high, medium, or low) for each component of the feature. The product engineer or manager is responsible for a component survey with additional checklists of potential issues. All of the checklists and communications to this point are created in the PHP application running on the Slack platform. Once the lists reach the point of requiring action, the application generates a Jira ticket that creates the action item checklist.
Most hacks have their signature DNA. More than money, hackers are also driven by their ego to beat the system, so to speak. Cyber forensics typically reveals this signature. Automating the process will drastically reduce the time to sniff for these threats. The DNA is hard-coded into their system, which makes it almost impossible for hackers to change their signature mid-stream. This is, and has always, been their vulnerability. A good analogy would be the police and criminals. Unless investigators develop a predictive model to anticipate a crime before it happens, they will always be playing behind. The FBI’s Behavioral Analysis Unit was established precisely to find patterns on serial offenders in the hopes of identifying them through their signature, and finally pinning them down. Going back to Zero Day Live, the platform can be fully integrated into the IT or business enterprise with hardly any termination in the operations. Combing through large data, the tool is able to assess vulnerabilities and craft an extensive threat analysis.
An emerging best practice is to write your configurations with new code, change configurations with existing code, and couple those configurations directly to the code tree when sending it up the devops chain. That way, the other tools and/or people can see the configuration bound to that particular code tree and database configuration without having to look for it in a configuration repository. This goes well beyond application configurations: Security configurations, governance configurations, compliance configurations, database configurations, and testing scripts also need to be coupled to the application code tree. You should do this as a best practice, so your workloads are logically and physically bounded so they are very easy to keep track of. You should do this no matter how few workloads you need to track or how simple your devops tool chain is. Trust me: Your workloads will grow and your tool chain will get more complex quickly. And if you don’t manage configurations the right way upfront, you’ll pay a very heavy price later in either inefficiencies and erros or in retrfittng your applications’ configurations to what they should have been all along.
The survey highlighted the importance of culture change, but only 37% of those surveyed believed that deep cultural change was needed in their company by 2020. Raskino said: “Digital business is colossal, changing fundamentally certain kinds of products and service. This does not happen overnight. It is a long haul. “If you remember the shift from WAP banking to app banking – this took eight years, and it was a relatively superficial change. But a deeper change to the product and services of your business can take 10 or more year – some will even take 15 years. The risk for business leaders is that some people believe you can do it in three years.” The challenge for business leaders is that investment in new business models and digital products changes the investor proposition, said Raskino. “Investor confidence is expressed through board governance. Often no one on the board of directors will have a tech background, so the group behaviour is not to be risk aggressive.” This risk-averse governance can hamper a CEO’s ability to drive a long-term fundamental shift in the business towards digital products and services, he said.
One solution to improve cyber-security resilience is for city officials to talk more openly about attacks they have endured, said Paul Argyle, who advises the mayor of Greater Manchester in Britain. “We need to accept it doesn’t necessarily mean you’ve done anything wrong if you’ve been attacked. We need to start sharing all that information,” he said. Manchester is striving to be recognized as a global digital ‘smart city’, and recently hosted a series of digital summits to push its reputation as Britain’s leading interconnected region. Encouraging tech start-ups, investing in digital research and introducing smart ticketing on public transport so that passengers can use one ticket to ride a bus, tram or bike are some of the measures being taken, Argyle told the Thomson Reuters Foundation. Hospitals in the city were last year affected by the ‘WannaCry’ ransomware attack that infected computers and crippled hospitals, banks and companies across the globe. Britain and the U.S. held North Korea responsible.
One of the simplest and most effective ways in which attackers can circumvent basic 2FA is via real-time phishing. With a real-time phishing attack, it is relatively easy for an attacker to coerce the user into giving up their username, password, and one-time-passcode, by asking them to log into a phishing website. The phishing website will look and feel and imitate the log-on experience of a “real” application. This is all with the intent of gaining unauthorized access to an organizations systems and data. Recently, FireEye released a real-time phishing tool - ReelPhish which they claim to have used successfully during their red team engagements. In fact, the FireEye article calls out that IBM Security Intelligence first reported on the use of real-time phishing in 2010. The research from the report concluded that 30% of attacks against websites that are using 2FA were being bypassed.
Quote for the day:
"Speak in such a way that others love to listen to u. Listen in such a way that others love to speak to u." -- Nicky Gumbel