Friday, 1 February 2013

News Update

Chinese Hackers Infiltrate New York Times; Wall Street Journal, Too.

The New York Times reports that Chinese hackers targeted its computer systems in an attack that began in September 2012. The attackers managed to gains access to a domain controller that holds account access
credentials for all Times employees; this particular attack targeted the accounts of the current and former Times Beijing bureau chiefs. The hackers appear to have been looking for information identifying sources
in China who may have provided information to journalists investigating a story about the fortunes amassed by family members of Chinese Prime Minister Wen Jiabao. The hackers took circuitous routes, directing their
attacks through previously compromised systems at several different US universities and shifting IP addresses often. Such deceptive strategy is similar to that used in other cyberattacks that have been linked to
China. Chinese officials deny involvement in the attacks. The Times called in Mandiant to help monitor and block the attacks, gather evidence, and expunge the hackers. The attackers have been ousted from
the system for now and more cyberdefenses have been established, but the Times harbors no illusions that its systems will not be targeted again. Bloomberg was targeted in a similar attack earlier last year after they
published a story about the net worth of then-vice president Xi Jinping's family members.


Alleged Cyberextortionist Arrested

The FBI has arrested a California man in connection with numerous instances of cyberextortion in which he threatened to post compromising pictures of women whose social networking accounts he had hacked
hijacked. Investigators believe that Karen "Gary" Kazaryan had more than 350 victims between 2009 and 2011. A recently unsealed indictment charges Kazaryan with 15 counts of computer intrusion and 15 counts of aggravated identity theft.

PayPal Fixes SQL Injection Flaw

PayPal has fixed a SQL injection vulnerability in its e-commerce website application that could have been exploited to compromise company databases and steal sensitive information. PayPal awarded a US $3,000
bounty to the organization that discovered the flaw and alerted the company to its existence in August 2012.


Another Critical Fix for Ruby on Rails

Ruby on Rails developers have released yet another "extremely critical" update for the web development framework. The developers urge users to upgrade to versions 3.0.20 and 2.3.16 as soon as possible. The update was released for 3.0.x even though that version is no longer supported. The issues do not affect versions 3.1.x and 3.2.x.



More Headaches for Java

Apple has blocked Java completely in OS X 10.6 and above. Other companies are taking steps to protect their users from Java as well; virtually all plug-ins will be blocked in Firefox (see story above). Oracle admits that there are serious problems with Java, but says that those problems lie with the Java browser plug-ins and that server-side, desktop, and embedded Java are not vulnerable to the same attacks.

No comments:

Post a Comment