- If You Thought The DMV Couldn’t Get Worse… & The Top 5 Security Stories of the Week
From the latest credit card breach to Microsoft’s privacy ‘faux pas’, here are the week’s top security stories – take a few minutes and catch up before the madness begins again!
Another breach scoop for Brian Krebs: after he reported signs of a credit card breach, the California Department of Motor Vehicles has opened an investigation focused on online transactions made between August 2nd of last year and January 31st of this year.
Krebs was tipped off by an alert that MasterCard sent privately to financial institutions, warning of an ‘entity’ that had suffered a ‘card not present’ breach, described as an “industry breach for transactions conducted online.” The compromised cards shared a common point of purchase: all carried recent “STATE OF CALIF DMV INT” charges. MasterCard spokesman Seth Eisen confirmed that the company is also investigating.
In its official statement, the DMV said that while “there is no evidence at this time of a direct breach of the DMV’s computer system…the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement.”
Get the whole scoop here.
In a bit of a twist, it emerged that the NSA ran a years-long operation, code-named “Shotgiant”, that repeatedly broke into the networks of Chinese tech giant Huawei. U.S. officials have long labelled the company a “security threat” and have blocked it from doing business in the U.S. for fear it would implant backdoors giving China’s military secret access.
To counter that threat and collect intelligence, the NSA’s elite Tailored Access Operations unit planted backdoors of its own in Huawei’s network, monitored the company’s executives, and stole source code. Huawei North America VP William Plummer told the Times: “If [the allegation] is true, the irony is that exactly what they are doing to us is what they have always charged that the Chinese are doing through us.”
Read the whole report here.
A flaw in PHP’s CGI handling, first documented in March 2012 and tracked as CVE-2012-1823, continues to ravage sites written in one of the web’s most popular languages. For the last two years attackers have been exploiting the bug, which affects php-cgi in versions earlier than 5.3.12 and 5.4.2: a query string containing no ‘=’ is handed to the interpreter as command-line options, so a crafted URL can dump a script’s source or inject PHP settings that turn the request body into executable code. A patch was released within days of the vulnerability surfacing (the first fix was itself incomplete and was followed by 5.3.13 and 5.4.3), but many sites have evidently never upgraded.
To learn how the exploit was being used, security researchers set up a honeypot running deliberately vulnerable sites and logged more than 300 distinct IP addresses attacking it. In many cases the attackers deleted the scripts they had uploaded afterwards, removing the traces of their activity from the server. Around 16% of public sites are thought to still be running a vulnerable version of PHP.
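The php-cgi bug is easy to hunt for in web server logs once you know the parsing rule it abused. The following is an added example, not code from the original article or from the honeypot researchers: it reproduces the CGI convention that a query string with no raw ‘=’ is split on ‘+’ and percent-decoded into command-line arguments, then runs that rule over a handful of constructed Apache-style access log lines (the IP addresses and requests are invented for illustration). The function names `cgi_argv`, `injected_options` and `scan_log` are my own.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines for this example (not from the
# original page). Two requests are ordinary; three carry php-cgi style
# option injection in the query string.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2014:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [24/Mar/2014:10:01:09 +0000] "GET /index.php?-s HTTP/1.1" 200 2048
203.0.113.9 - - [24/Mar/2014:10:02:41 +0000] "POST /cgi-bin/php?-d+allow_url_include%3dOn+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 128
198.51.100.2 - - [24/Mar/2014:10:03:00 +0000] "GET /search.php?q=-s HTTP/1.1" 200 300
198.51.100.4 - - [24/Mar/2014:10:03:30 +0000] "GET /index.php?%2Dd+disable_functions%3d HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def cgi_argv(query):
    """Reproduce the CGI rule (RFC 3875 section 4.4) that php-cgi followed:
    a query string containing no raw '=' is treated as a command line,
    split on '+' and each piece percent-decoded into one argv element.
    A percent-encoded '=' (%3d) does not count, which is exactly what lets
    '-d option=value' through."""
    if not query or "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]


def injected_options(target):
    """Return the php-cgi options an attacker would have smuggled in via
    the request target, or an empty list if the request is benign."""
    _path, _sep, query = target.partition("?")
    return [arg for arg in cgi_argv(query) if arg.startswith("-")]


def scan_log(text):
    """Walk access-log text and report every request whose query string
    would have been parsed by php-cgi as command-line options."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        opts = injected_options(target)
        if opts:
            findings.append({
                "ip": m.group("ip"),
                "target": target,
                "options": opts,
                "argv": cgi_argv(target.partition("?")[2]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["target"], f["argv"])
```

Of the five constructed requests, three are flagged: `?-s` asks php-cgi to print the script’s source, and the two `-d` variants set ini directives, the second of which (`allow_url_include=On` plus `auto_prepend_file=php://input`) makes the interpreter execute whatever the POST body contains. The `q=-s` request is correctly ignored because its raw ‘=’ means the query string was never treated as argv. Decoding before matching matters: the `%2Dd` line would slip past a naive grep for a literal `?-`. The interim mod_rewrite workaround that PHP.net published at the time rejected query strings with no ‘=’ that contained `-` or `%2d`, which is the same condition applied at the web server instead of in the logs.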
Continue reading about the PHP exploit at Ars Technica.
Facebook (the ‘Blue Giant’) unveiled a new programming language this week, designed for both safety and speed. It’s called Hack, and it already runs much of facebook.com, phasing out the PHP the site was originally written in.
The beauty of the language, its developers say, is that Hack runs on Facebook’s HHVM without a separate compile step, so when a developer reloads the page they’ve been working on they get immediate feedback on exactly what their changes did. Hack combines the flexibility of a dynamically typed language with the precision and early error detection of static typing, the company wrote on its engineering blog. Facebook also released the code to the open source community, giving everyone the chance to use and improve the brand new language.
The world’s largest software maker landed itself in deep water after coming clean about spying on a rogue employee’s email. The security and privacy ethics get murkier, though: The employee in question (now ex-employee, if you were still wondering) leaked Windows 8 code, pre-release, to a tech blogger.
After discovering that the blogger was, ironically, using Hotmail to communicate with the leaker, Alex Kibkalo, Microsoft’s internal investigations team searched the blogger’s account in hopes of identifying the source. In it they found an email carrying zip files of pre-release hot fixes for the still-unreleased Windows 8 and an Activation Server SDK, which could be used to defeat Microsoft’s product activation and pirate its software.
“I would leak enterprise today probably,” software architect Alex Kibkalo allegedly told the blogger during an online conversation in August of 2012. “Hmm,” the blogger replied. “Are you sure you want to do that? Lol.” Did Microsoft have the authority to scan a customer’s email under the circumstances? It seems Microsoft answered it themselves, with a new policy that will require the company to “meet a more rigorous standard” before diving into customer accounts in the future.
As Time’s Harry McCracken suggests: “You can be sympathetic to Microsoft about the crime apparently committed against it and still deeply unhappy with its response.”
Read McCracken’s 10 Things I Know to Be True About This Microsoft Hotmail Privacy Case here.
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.