phpMyAdmin Releases Critical Software Update — Patch Your Sites Now!

Developers of phpMyAdmin, one of the most popular and widely used MySQL database management systems, today released an updated version 4.8.4 of its software to patch several important vulnerabilities that could eventually allow remote attackers to take control of the affected web servers.

The phpMyAdmin project on Sunday gave an early heads-up about the latest security release on its blog, informing website administrators about this significant update.

phpMyAdmin is a free, open-source administration tool for managing MySQL databases using a simple graphical interface over the web-browser.

Almost every web hosting service pre-installs phpMyAdmin with their control panels to help webmasters easily manage their databases for websites, including WordPress, Joomla, and many other content management platforms.

Besides many bug fixes, there are primarily three critical security vulnerabilities that affect phpMyAdmin versions before release 4.8.4, phpMyAdmin revealed in its latest advisory.

Details of the three newly discovered phpMyAdmin vulnerabilities are described below:

1.) Local file inclusion (CVE-2018-19968) —

phpMyAdmin versions from at least 4.0 through 4.8.3 include a local file inclusion flaw that could allow a remote attacker to read sensitive contents from local files on the server through its transformation feature.

“The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.”

2.) Cross-Site Request Forgery (CSRF)/XSRF (CVE-2018-19969) —

phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 include a CSRF/XSRF flaw that could allow attackers to “perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.” simply by tricking victims into opening specially crafted links.

3.) Cross-site scripting (XSS) (CVE-2018-19970) —

The software also includes a cross-site scripting vulnerability in its navigation tree, through which an attacker can inject malicious code using a specially crafted database or table name.

Since phpMyAdmin has now released version 4.8.4 to address all reported flaws, website administrators and hosting providers are strongly advised to install the update immediately.

Read the Full Article here: The Hacker News [ THN ]

Trend Micro Predicts More Sophisticated Attacks Will Dominate 2019

Trend Micro Incorporated, a global leader in cybersecurity solutions, today released its 2019 predictions report, warning that attackers will increase the effectiveness of proven attack methods by adding more sophisticated elements to take advantage of the changing technology landscape. The report, Mapping the Future: Dealing with Pervasive and Persistent Threats, highlights the growing threats faced by consumers and organizations, which are exacerbated by the increasingly connected world.


Read the Full Article here: Computer Security News

The state of BYOD and mobile device security

Bitglass has released its 2018 BYOD Security Report. The analysis is based on a survey of nearly 400 enterprise IT experts who revealed the state of BYOD and mobile device security in their organizations.


According to the study, 85 percent of organizations are embracing BYOD. Interestingly, many organizations are even allowing contractors, partners, customers, and suppliers to access corporate data on their personal devices.

Amidst this BYOD frenzy, over half of the survey’s respondents believe that the volume of threats to mobile devices has increased over the past twelve months.

Key findings

  • Organizations are embracing BYOD, making it available to employees (76 percent), contractors (27 percent), partners (25 percent), customers (22 percent), and suppliers (19 percent).
  • 51 percent of respondents believe the number of threats targeting mobile devices has increased in the past year. Unfortunately, only 30 percent of firms are confident that they are properly defending against malware on personal and mobile devices.
  • 30 percent of enterprises cite company security concerns as the leading inhibitor to BYOD adoption; specifically, they are worried about data leakage (61 percent), unauthorized data access (53 percent), and the inability to control uploads and downloads (53 percent).
  • One in five organizations lacks visibility into basic, native mobile apps (like email) on personal devices.
  • Only 56 percent of companies can employ key functionality like remote wipe for removing sensitive data from endpoints.


“While most companies believe mobile devices are being targeted more than ever, our findings indicate that many still lack the basic tools needed to secure data in BYOD environments,” said Rich Campagna, CMO of Bitglass. “Enterprises should feel empowered to take advantage of BYOD’s myriad benefits, but must employ comprehensive, real-time security if they want to do so safely and successfully.”

Read the Full Article here: Help Net Security – News

New security feature to prevent Amazon S3 bucket misconfiguration and data leaks

Hardly a week goes by that we don’t hear about an organization leaving sensitive data exposed on the Internet because they failed to properly configure their Amazon S3 buckets.

Amazon Web Services, to their credit, are trying to prevent this from happening.

For one, all newly created S3 buckets and objects (files and directories in the bucket) are private by default, i.e. not publicly accessible to random people via the Internet. Secondly, changes implemented earlier this year made it possible for customers to easily identify S3 buckets that are publicly accessible due to Access Control Lists (ACLs) or policies that allow read/write access for any user.

But even that’s not enough, so the company is rolling out a new security feature: Amazon S3 Block Public Access.

About Amazon S3 Block Public Access

This new feature allows account owners/administrators to centrally block existing public access (whether made possible via an ACL or a policy) and to make sure that newly created items aren’t inadvertently granted public access.

The feature adds four new options. They allow account users to block future attempts to use ACLs to make buckets or objects public, to override (ignore) current or future public ACLs on current and future objects in the bucket, to disallow new public bucket policies, and to limit access to publicly accessible buckets to the bucket owner and to AWS services.

The options can be configured to affect the entire account or selected buckets. Options set at the bucket level cannot override account-level settings.

“If an AWS account is used to host a data lake or another business application, blocking public access will serve as an account-level guard against accidental public exposure,” AWS Chief Evangelist Jeff Barr explained.

The feature can be accessed from the S3 Console, the command-line interface, the S3 APIs, and from within CloudFormation templates.
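As an added illustration (not from the article or from AWS documentation), the following CloudFormation snippet places a bucket that relies on ACLs and policies alone next to one with all four Block Public Access options enabled; the resource names are made up.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Constructed example: a bucket without Block Public Access beside one
  that enables all four options. Logical names are placeholders.

Resources:
  # Weak: nothing prevents a later public-read ACL, or a bucket policy
  # with Principal "*", from exposing this bucket's contents.
  ExposedBucket:
    Type: AWS::S3::Bucket
    Properties: {}

  # Hardened: the four S3 Block Public Access settings described above.
  GuardedBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true        # reject new public ACLs on the bucket or its objects
        IgnorePublicAcls: true       # ignore public ACLs that already exist
        BlockPublicPolicy: true      # reject new bucket policies that grant public access
        RestrictPublicBuckets: true  # limit an already-public bucket to its owner and AWS services
```

The same four settings can be applied at the account level, which bucket-level settings cannot loosen, with `aws s3control put-public-access-block --account-id <ACCOUNT_ID> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`.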

Read the Full Article here: Help Net Security – News

Vulnerabilities in mPOS devices could lead to fraud and theft

Vulnerabilities in mPOS (mobile point-of-sale) machines could allow malicious merchants to defraud customers and attackers to steal payment card data, Positive Technologies researchers have found.


The use of mPOS devices has grown enormously over the last few years, as the barriers to obtaining a device and starting to accept card payments are effectively zero. Like ATMs and traditional POS terminals, they sit at the endpoint of the payment infrastructure, which makes them attractive and accessible to criminals, both for probing the devices themselves and for moving fraudulent money.

The vulnerabilities have been discovered in a number of market-leading mPOS devices popular in both the U.S. and Europe: Square, SumUp, iZettle, and PayPal.

mPOS devices work by communicating through a Bluetooth connection to a mobile application, which then sends data to the payment provider’s server. By intercepting the transaction it is possible to manipulate the amount value of magstripe transactions.

A fraudulent merchant who can access the traffic can modify the amount presented to the customer on the card reader, so that the customer authorizes an entirely different amount without being aware of it. Only 58.5 percent of debit and credit cards in the U.S. are EMV-enabled, and lower still, only 41 percent of transactions are made that way, which makes attacks against magstripe a very significant threat.

A number of the mPOS devices were also vulnerable to Remote Code Execution (RCE) attacks. With this vulnerability, it is possible to gain access to the whole operating system of the reader.

In addition, it is possible to send arbitrary commands to some of the readers and influence the purchaser’s behavior. For example, fraudulent merchants can force customers to use a more vulnerable payment method (such as magstripe) or say that a payment was declined, encouraging the customer to make multiple payments.

What to do?

The vulnerabilities were disclosed to all of the vendors and manufacturers, and Positive Technologies is assisting the affected parties to close the issues that were identified.

“These days it’s hard to find a business that doesn’t accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept non-cash payments,” noted Leigh-Anne Galloway, Cyber Security Lead at Positive Technologies.

“Currently there are very few checks on merchants before they can start using an mPOS device and less scrupulous individuals can therefore, essentially, steal money from people with relative ease if they have the technical know-how. As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”

Fellow researcher Tim Yunusov says that anyone making a payment on an mPOS device should not complete the transaction via magstripe, but instead use chip and PIN, chip and signature, or contactless.

“Merchants should also assess the risk of any device they plan on integrating into their business. Those using cheaper devices need to take steps to mitigate the risk. There is no need to still be reliant on magstripe transactions. While the market for most of these products is currently not very mature, the popularity is growing so it is imperative that security is made a priority,” he added.

Read the Full Article here: Help Net Security – News

Singapore’s Largest Healthcare Group Hacked, 1.5 Million Patient Records Stolen

Singapore’s largest healthcare group, SingHealth, has suffered a massive data breach that allowed hackers to snatch personal information on 1.5 million patients who visited SingHealth clinics between May 2015 and July 2018.

SingHealth is the largest healthcare group in Singapore, with two tertiary hospitals, five national specialty , and eight polyclinics.

According to an advisory released by Singapore’s Ministry of Health (MOH), along with the personal data, hackers also managed to steal ‘information on the outpatient dispensed medicines’ of about 160,000 patients, including Singapore’s Prime Minister Lee Hsien Loong and a few ministers.

“On 4 July 2018, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity,” MOH said.

The stolen data includes the patient’s name, address, gender, race, date of birth, and National Registration Identity Card (NRIC) numbers.

The Ministry of Health said the hackers “specifically and repeatedly” targeted the PM’s “personal particulars and information on his outpatient dispensed medicine.”

So far there is no evidence of who was behind the attack, but the MOH stated that the cyber attack was “not the work of casual hackers or criminal gangs.” Local media are also speculating that the hack could be the work of state-sponsored hackers.

Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) also confirmed that “this was a deliberate, targeted, and well-planned cyberattack.”

PM Comments On SingHealth Healthcare Data Breach

Commenting on the cyber attack in a Facebook post published today, Singapore’s Prime Minister said he believes the attackers are “extremely skilled and determined” and have “huge resources” to conduct such cyber attacks repeatedly.

“I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me. If so, they would have been disappointed,” Singapore PM said. “My medication data is not something I would ordinarily tell people about, but nothing is alarming in it.”

The Singapore government has assured its citizens that no medical records were tampered with or deleted, and that no diagnoses, test results, or doctors’ notes were stolen in the attack.

All affected patients will be contacted by the healthcare institution over the next five days.

Since the healthcare sector is part of the nation’s critical infrastructure, alongside water, electricity, and transport, it has increasingly become an attractive target for hackers.

In the past few years, we have reported several hacks and data breaches targeting the healthcare sector. Just last month, it was revealed that DNA registries of more than 92 million MyHeritage customers had been stolen the previous year by unknown hackers.

Earlier this year, it was reported that the healthcare data of more than half of Norway’s population was exposed in a massive data breach that targeted the country’s major healthcare organization.

The foremost defence against any data breach is to stay vigilant, as nobody knows when or where stolen identities will be used. Affected consumers will simply have to remain mindful.

Read the Full Article here: The Hacker News [ THN ]

Vulnerability landscape evolution for common desktop applications

Flexera released Vulnerability Review 2018: Top Desktop Apps, part of the annual report series from Secunia Research. This new edition focuses on heavily used desktop applications, which can be easily breached through the Internet.


“Companies are in desperate need to improve patching so they can reduce risk. Ultimately that means creating a smart process,” said Kasper Lindgaard, Senior Director of Research and Security at Flexera. “To do that you have to cut through the noise – not all software updates are security related, and not all security updates are equally critical. Having patching processes, supported by best-in-class technologies, gives you the visibility and intelligence you need to prioritize and act decisively.”

Most desktop app vulnerabilities pose extreme risk

Security professionals need to pay close attention to desktop applications because most vulnerabilities found in these types of apps can be extremely dangerous. Whenever new vulnerabilities are reported, Secunia Research issues Advisories assessing their criticality, attack vector and solution status. This allows desktop admins to identify and prioritize critical security patches. Without such information, operations teams struggle to keep up with the large number of patches.

In 2017, 83 percent of the Secunia Advisories covering the top desktop applications were rated “Extremely” or “Highly” critical (compared to only 17 percent when you look at Secunia Advisories across all software applications ranked).

Moreover, desktop applications are extremely vulnerable to attack via the Internet, making them attractive targets. 94 percent of advisories relating to desktop apps could be exploited through the Internet, without any interaction with the user, or the need for them to take any action.


Microsoft’s automated updates aren’t enough

The report also cautions users who incorrectly believe that Microsoft’s automated updates will shield them from vulnerability risk. In fact, the majority of desktop app vulnerabilities occur in non-Microsoft applications. 65 percent of the vulnerabilities reported in the 50 most common desktop applications were found in non-Microsoft apps.

“Organizations can improve security patching in just three steps,” added Lindgaard. “First, arm desktop admins with security Key Performance Indicators to keep security patching a high priority. Second, create an inventory of desktop apps to make installing a patch easier. Finally, put prioritization and sourcing patches on a schedule, so patches are consistently monitored and applied quickly.”

The key takeaway? When armed with vulnerability intelligence, IT professionals can get ahead of security risks with patches for almost all vulnerabilities affecting the most common desktop applications.

Read the Full Article here: Help Net Security – News