Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On March 03, 2016

February 29, ZDNet – (International) Snapchat falls foul of CEO impersonation, hands over employee pay data. Snapchat, the video messaging application, reported that the payroll information of many of its current and former employees was compromised after an attacker impersonated the firm's chief executive officer (CEO) in a phishing campaign and obtained employee payroll data from staff. Snapchat stated that the incident was contained and that it reported the scheme to the FBI.

February 28, Softpedia – (International) One in ten top internet sites may be vulnerable to CSRF and XSS attacks. A CloudFlare engineer discovered that about 10 percent of the Alexa Top 1 Million websites allowed their resources to be read from outside their own domain because of improperly configured Cross-Origin Resource Sharing (CORS) settings, enabling attackers to steal users' private session details and log into users' accounts to carry out fraudulent operations via cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks.
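The CORS misconfiguration behind this finding is a server that echoes whatever `Origin` a request carries into `Access-Control-Allow-Origin`, usually together with `Access-Control-Allow-Credentials: true`, so an authenticated response becomes readable from any site. The following is an added example, not code from the article or from CloudFlare: a small audit helper that classifies the CORS headers a server returned, next to a reference allow-list function that shows the safe configuration. All origins (`example.test` hosts) are constructed sample values.

```python
# Added example (not from the original article): classify CORS response
# headers and show the safe allow-list configuration. Origins are constructed.
from dataclasses import dataclass


@dataclass
class CorsFinding:
    level: str   # "ok", "warn" or "high"
    reason: str


def audit_cors(request_origin: str, headers: dict, trusted_origins: set) -> CorsFinding:
    """Judge the CORS headers a server sent in reply to a request from request_origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        # No cross-origin read permitted: the browser's same-origin policy applies.
        return CorsFinding("ok", "no Access-Control-Allow-Origin header")
    if acao == "*":
        # Acceptable for public data only. Browsers refuse to combine '*' with
        # credentials, but sending both still signals a misconfigured server.
        level = "high" if creds else "warn"
        return CorsFinding(level, "wildcard origin" + (" with credentials" if creds else ""))
    if acao == "null":
        # 'null' is the origin of sandboxed iframes and data: URLs, which any
        # attacker-controlled page can produce, so it must never be allowed.
        return CorsFinding("high", "'null' origin allowed")
    if acao not in trusted_origins:
        if acao == request_origin:
            # The server echoed the Origin it was given: the reflection pattern
            # that exposes session data to arbitrary sites.
            return CorsFinding("high" if creds else "warn",
                               "request Origin reflected without an allow-list")
        return CorsFinding("warn", f"unexpected origin {acao} allowed")
    return CorsFinding("ok", f"allow-listed origin {acao}")


def cors_headers_for(request_origin: str, trusted_origins: set) -> dict:
    """Reference safe behaviour: strict allow-list, no reflection, Vary: Origin."""
    if request_origin not in trusted_origins:
        return {}  # unknown origin: send no CORS headers at all
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must not serve one origin's reply to another
    }


# Constructed allow-list for the demo.
TRUSTED = {"https://app.example.test", "https://admin.example.test"}


def demo():
    """Audit a reflecting server and the allow-list server for the same untrusted origin."""
    attacker = "https://evil.example.test"
    weak = {  # constructed: a server that echoes the Origin header with credentials
        "Access-Control-Allow-Origin": attacker,
        "Access-Control-Allow-Credentials": "true",
    }
    fixed = cors_headers_for(attacker, TRUSTED)
    return audit_cors(attacker, weak, TRUSTED), audit_cors(attacker, fixed, TRUSTED)


if __name__ == "__main__":
    for finding in demo():
        print(finding.level, "-", finding.reason)
```

Run the script to see the reflecting configuration rated "high" and the allow-list configuration rated "ok"; `audit_cors` can also be pointed at headers captured from a real response, with the site's own trusted origins substituted for the constructed set.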

February 27, Softpedia – (International) The most common vulnerabilities in open source Web applications are XSS and SQLi. Security firm Netsparker released a report on a study of 396 open source web applications in which 269 security vulnerabilities were found: 180 were cross-site scripting (XSS) flaws, 55 were Structured Query Language (SQL) injection (SQLi) flaws, and 16 were remote and local file inclusion flaws, among other vulnerabilities.

February 26, Agence France-Presse – (National) Pentagon boosts spending to fight cyber attacks. The U.S. Secretary of Defense reported February 25 that the Pentagon will spend a total of $6.7 billion in 2017 to deter advanced cyber adversaries, invest in cyber warfare capabilities, and fund its cyber strategy.

February 26, SecurityWeek – (International) Google helps news sites thwart DDoS attacks. Google announced the public release of its Project Shield initiative, which protects news websites, and smaller journalism sites in particular, from distributed denial-of-service (DDoS) attacks. The initiative now allows small news sites to serve their content through Google's infrastructure without having to move their hosting.

February 26, Softpedia – (International) 90 percent of all SSL VPNs use insecure or outdated encryption. Researchers from High-Tech Bridge found that many Secure Sockets Layer (SSL) Virtual Private Network (VPN) servers use insecure or outdated encryption. Their analysis of 10,436 servers revealed that about 76 percent of all SSL VPN servers used untrusted SSL certificates, allowing attackers to impersonate the server and launch man-in-the-middle (MitM) attacks on unsuspecting users.

Nancy Rand
Nancy has more than 20 years' experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and managing large-scale technology projects.