Loading...
 

View Articles

Drupal modules vulnerability, THE third party plugins issue (again)

Bernard Sfez -

Drupal is calling upon its users to patch a dangerous remote code execution hole that can easily let attackers hijack sites. The content management system has some 15 million downloads, compared to WordPress with 140 million and Joomla with 30 million. Drupal is deployed on big ticket and business sites including nine percent of the world’s 10,000 most popular sites.

If Drupal core is not affected and not all sites will be impacted, the issue is again raising the question about third-party modules/plugins/add-ons that are not part of the core (code) but may cause significant damage to the project itself, your users, your business, all your hard work.... It is critical to review published advisories (July 12 2016) to determine if any modules you currently use have been flagged up.

Security update: Tiki 15.2, Tiki 14.4 and Tiki 12.9 released!

Bernard Sfez -

The Tiki Community has released updates to all current versions of Tiki Wiki CMS Groupware. This update addresses a critical vulnerability found in third-party code that is included with Tiki. The update also includes many fixes and updates.

Special thanks to Mehmet Dursun İNCE of www.invictuseurope.com and to Robert Abela of www.netsparker.com for their cooperation and assistance in reporting the security issues.

We highly encourage all Tiki administrators to update their sites to the latest Tiki versions: Tiki 15.2, Tiki 14.4, and Tiki 12.9 LTS.

Visit https://tiki.org/Download to update the latest version.

FortiOS SSH Undocumented Interactive Login Vulnerability

Bernard Sfez -

Aoutch... after an "unauthorized" backdoor was found in Juniper Networks firewalls, Juniper's ScreenOS, the first report of a highly suspicious code in FortiOS firewalls has been confirmed and tested as an SSH backdoor that can be used to access its firewall equipment.

This issue affected all FortiOS versions from 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7, which cover FortiOS builds from between November 2012 and July 2014.
Proof-of-Concept exploit code was made available online by an anonymous user (operator8203@runbox.com), who posted the exploit code on the Full Disclosure mailing list this week, helping wannabe hackers generate the backdoor's dynamic password. FortiOS SSH backdoor can be then accessed via the Fortimanager_Access username.

Are DoS attacks just crashing or disrupt your service on the internet ?

Bernard Sfez -

From what we are monitoring DoS denial of service (also named DDoS - distributed denial of service) attack are the most usual weapon in the worldwide and middle-east scene. It is cheap, easy to set up and doesn't require much knowledge. IT Admin tend to think that the technique consist only to overload the target servers by increasing exponentially the requests getting into it. But can it really hurts target's business or even disrupt country services for more than a short period of time ?

Beside direct motive like blackmailing/ doing harm to a competitor / political reasons for DoS attack. Are there other, more indirect motives ?
Would it be possible to get data or even control from the service with a DoS attack ?

Password, Passkey, Access, Login and Credentials why ?

Bernard Sfez -

While there are plans to move the identification method to the next level using a Microchip implemented under our skin passwords are now a part of our (must of us) life. I wrote life and not digital life because there is no more such thing.

Realize that your family, personal, business and financial life is protected by a few strings of characters. So (big) yes good password is important no matter how poisoning it is to manage them. Manage them because it is important to change them from time to time, important to have a password for every thing, or at least a password for a group of lock, important to take the time and not try to avoid complication by bypassing simple security practice.

As always I'll try to Keep It Simple Stupid using a handy guide published by the F-Secure team that will help you to improve your every day security to protect privacy and business assets.

  • 1
  • 2 (current)
  • »