Displaying items by tag: SQL Injection

Here we are with another story about MOVEit and just how bad things have gotten for the Managed File Transfer application and their parent company Progress Software. The group behind the attack, Cl0p ransomware gang, has started to extort the companies that they stole data from. They have listed the names of companies on their data leak site, in the same manner they would for ransomware victims after failing to pay. We know that someone (Cl0p has taken credit) was able to finally exploit a zero-day in the software after about a year of tinkering with the flaw and months of access.

A new report from security research firm, Aspect Security confirms what we have been saying for years: developers simply do not know how to secure their applications. In a recent study where a group of developers were asked questions on security Aspect found that about 80% of them did not know how to protect sensitive data. This is something that we have found in our experience in dealing with vendors and other application developers.

2012 is most certainly the year of the hack. So far in 2012 we have heard of more large scale security breaches related to allegedly secure companies and banks than in just about any previous year. What make this year very interesting is that it is also the year that many companies are joining the push for the “cloud”. Now the term “cloud computing” has been around for a very long time and derives from the symbol for the internet (which is a cloud if you did not guess) although many view it as a new technology it is not.

We have two additional hacks to report this morning. The first was a little shocking as it has been learned that nVidia’s Developer Zone form was under attack. Although details of this attack are small it does appear that nVidia recognized that there was an attack on the forum and shut it down to prevent additional attack. However nVidia warns that the hashed passwords for the forum may have been accessed. Right now the forum is still down with only a canned message in its place warning users about the attack and advising them to change their passwords especially any passwords that might be identical across multiple sites.

We have said this once and we will say it again; 2012 will be remembered as the year of the breach. This year alone we have seen a significant number of services penetrated with relative ease and user account information pulled out at an alarming rate. So far this year we have watched as Linkedin, eHarmony, Last.fm, Formspring, League of Legends and more have been compromised and literally Millions of user account details have been posted to the Internet. It is a very disturbing trend considering the rather big push to the cloud for so many critical services (like hosting our personal records).

The online movement known as Anonymous had a fairly busy weekend and even managed to push their “fun” into Monday. According to several of the Anonymous twitter accounts they are now rather upset at PasteBin. It seems that the owner of PasteBin is unhappy about the uses that Anonymous has put his “code sharing” site to. He laments that it was never intended for the sharing of sensitive information and has even stated he is going to hire additional workers to help remove these types of posts. This had an interesting effect on the collective where tweets saying things like “Srsly Pastebin, f*** you - @Pastebin to hire staff to tackle hackers' 'sensitive' posts” .