Web Application Security News for December, 2016

Print Friendly, PDF & Email

Happy New Year everyone! In our last bit of business for 2016, let's take a look at the biggest news in web application technologies from December, 2016.

Disclosing the Primary Email address for each Facebook user

…This post is going to be discussing how I was able to get the primary/hidden email address for any Facebook user. This also happens to be my first accepted bug to the Facebook Bug Bounty Program…

2016 goes out with a hack as thedarkoverlord dumps more data

Several days ago, DataBreaches.net reported on several hacks TheDarkOverlord (TDO) had announced.  As expected, TDO has now dumped more data from two of those previously disclosed victim companies, but also announced some other hacks.

TDO appears to have dumped pretty much everything of any significance from two of the previously disclosed victims companies, Pre-Con Products, LTD, and G.S. Polymers, Inc. Other entities whose data TDO dumped include PcWorks, L.L.C. (in Ohio), International Textiles & Apparel, Inc. in Los Angeles, and UniQoptics, L.L.C. in Simi Valley…

No, I won't help you blackmail the company you just hacked

…And then there are the hacking gangs who are breaking into businesses, stealing corporate data and email archives, and then threatening to share it with security journalists who will write juicy stories about the information that has been stolen.

The idea, I suppose, is that the sheer fact that a company has been hacked does damage to the company's brand. Partners and customers may be concerned, it might be bad for business. Malicious hackers, therefore, try to leverage the threat of releasing details of a hack in order to extort hush money…

The Year’s Biggest Hacks, From Yahoo To the DNC

In many ways, forces were already in motion to make 2016 the biggest year of corporate and government hacks yet. Company breaches have been on the rise for a decade, and an election year always invites drama. The reality of what hackers—both state-sponsored and independent—delivered in 2016, though, still managed to exceed expectations.

Not all of the hacks on this list took place in the last 12 months, but all were disclosed in 2016. And each expanded the scale and scope of what the average person expects from digital meddling in practice. A handful of corporate breaches included half a billion records, and one was a full billion. Meanwhile on the political side, Russian state-sponsored hackers used leaks, probes, and disinformation campaigns to undermine and destabilize campaign discourse leading up to the US presidential election.

In short, there was a lot going on, so here’s WIRED’s look back at the biggest hacks in 2016.

We're living through the first world cyberwar – but just haven’t called it that

Nation states have been attacking each other electronically for a decade or more. Historians will eventually give it a name and a start and end date

Hackers Threaten to Take Down PSN and Xbox Live on Christmas Day

…In case you’re wondering why these hackers are trying to take down gaming networks on such a busy day for gamers across the world, their answer is as simple as it could be.

“We do it because we can. We have not been paid a single dollar for what we do,” they said. Previously, when taking down Tumblr, hackers said they did it “just for fun.”…

More Than 50% Of Biggest Holiday Retailers May Not Be PCI-Compliant

…A first-ever study of the 48 biggest holiday retailers from April 1 through Oct. 31, 2016, reports some unsettling data:
· 100% of the biggest holiday retailers were found to have multiple issues with domain security.
· Nearly 80% may not be using intrusion detection or prevention systems to monitor all traffic within the cardholder data environment.
· All bottom-performing holiday retailers have a D or lower in Network Security, which suggests that their network may have an unaccounted access point ready to be exploited.
· 62% of the biggest holiday retailers were using end-of-life products in the last month of the study.
· 83% of the biggest holiday retailers had unpatched vulnerabilities in October 2016.

All websites have something of value for attackers: reputation

…Now this, clearly, isn't a good look. This is the official site and not a spoof or phishing site, yet Google had just put up a massive barrier to entry. It got me thinking about the old adage we hear so many times in security, the one that goes like this:
But we don't have anything of value on our site anyway
This defence is frequently preceded by an observation of a security deficiency somewhere and a suggestion that perhaps they're taking unnecessary risks. The opinion that many hold is that without the presence of credit cards or passwords or some other piece of useful data, the site simply doesn't pose any value to malicious parties…

Nearly Half Of The Top 1 Million Websites Deemed Risky

…Nearly half (46%) of the Alexa top one million websites were found to be risky, putting businesses at risk as their users visits these sites.
The finding is part of a new report published by Menlo Security entitled “State of the Web 2016: Quantifying Today's Internet Risk,” where researchers examined key characteristics of the top one million websites, as ranked by Alexa, to determine sources of risk.

Meanwhile in a parallel universe…

Visit CommitStrip web comic to read the full strip!


Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.

Scroll to top
Tweet
Share
Share