
World Economic Forum website closes email address leak

Published on: 2/10/2014

Security research firm finds vulnerabilities in the website of the WEF, which organises the annual conference in Davos.

A security flaw on its website led to the World Economic Forum at Davos leaking attendees' email addresses for at least five days in mid-January.

Embarrassingly for the organisation, even while their insecure website was exposing attendees' information, the World Economic Forum released a report arguing that a failure to deliver "a robust, co-ordinated approach to cybersecurity" could cost the world up to $3 trillion.

The security flaws were revealed by information-security firm High-Tech Bridge, which discovered three major vulnerabilities on the WEF website, as well as one lesser vulnerability that leaked the emails of users.

The major vulnerabilities were all of a type known as cross-site scripting (XSS), which allows attackers to inject their own script into pages served by the target website so that it runs in visitors' browsers. Not every XSS vulnerability can be exploited, but all are potential vectors of attack. At their worst, attacks using XSS can hijack a user's machine entirely.

Thousands of emails

The firm also discovered a second flaw, which they say would have allowed them to harvest thousands of emails held by the organisation. The flaw was in the organisation's contact form, and allowed attackers to change a simple request parameter to expose email addresses associated with the forum. It's unclear exactly which database the addresses were being drawn from, but they include individuals with addresses ending in @hsbc.com, @london2012.com and @kpmg.ca.

Despite High-Tech Bridge contacting WEF, the organisation didn't fix the vulnerabilities until the security researchers went public with what they had found on Wednesday, five days after the Forum was first contacted.

"It’s regrettable that such respectable, large and important organisations as the WEF don’t pay enough attention to web security," says Ilia Kolochenko, the chief executive of High-Tech Bridge. "This may not only put their own infrastructure at risk, but their stakeholders' as well. Hopefully, they will change their security policy soon and provide security researchers with a responsive security contact, just like many other companies and organisations do today.

"I sincerely hope that these vulnerabilities were not exploited by hackers for whom WEF and its participants are very attractive targets."

Source: theguardian.com
