ICYMI: Big data leaking; Salesforce vulnerability; suppressed car hack; sound authentication and critical IE fix

In this week's In Case You Missed It (ICYMI): Big data leaking; Salesforce vulnerability patched; suppressed car hack; ambient sound authentication and critical IE fix.


One petabyte of sensitive data exposed online in big data security gaffe

Poorly configured Big Data applications are potentially leaking over one petabyte of data, according to a new report. The research, carried out by Swiss security firm BinaryEdge, found that over 35,000 instances of Redis cache and store archives could be accessed without authentication. It also discovered that over 39,000 MongoDB NoSQL databases are unprotected.

Cross-site scripting vulnerability uncovered in Salesforce cloud

Researchers at cloud application security vendor Elastica have published details of a Cross-Site Scripting (XSS) vulnerability within a Salesforce sub-domain, which gave attackers the potential to use a trusted Salesforce application as a platform for end-user credential gathering attacks.

Although the vulnerability was disclosed in early July, Salesforce finally patched it just two days before Elastica went public with the disclosure. Admittedly, XSS vulnerabilities are not the most exciting of attack vectors, but that doesn't mean they are not dangerous. Nor does it mean that organisations shouldn't know better when it comes to detecting them.

Security researchers reveal car hack after two-year injunction

Researchers have demonstrated how a flaw in a car security system could allow a vehicle to be stolen. The system is used in the cars of several manufacturers including Volkswagen, Audi, Fiat, Honda, and Volvo. However, details of the vulnerability have up until now been blocked thanks to an injunction in a UK court.

The suppressed paper has finally seen the light of day at the USENIX security conference in Washington, DC. Titled "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer," the paper shows how a flaw in the cryptography and authentication protocol used in the Megamos RFID transponder found in car immobilisers could be used to break into vehicles from Volkswagen-owned luxury brands, including Audi, Porsche, Bentley, and Lamborghini, and other brands including Volvo, Honda, Fiat, and some Maserati models.

Sound Proof: new two-factor authentication through ambient noise

A research paper emanating from the Institute of Information Security ETH in Zurich has proposed a new method to achieve more secure 'two-factor authentication' through the use of ambient sound and a user's smartphone.

Two-factor authentication is a method of user validation above and beyond the use of passwords alone. Examples include use of an ATM (bank card, plus PIN), biometrics (fingerprint scan, plus the user themselves) and credit card reader random number generators (PIN, plus random number).

Microsoft forced to release out-of-band patch to fix IE

Microsoft has been forced to release a patch outside of its normal Patch Tuesday cadence in order to fix a problem that could allow criminals to remotely execute code on a user's PC and take control of it.

The flaw affects all versions of Internet Explorer from 7 to 11 on Windows from Vista onwards. Windows Server 2008, 2012, 2012 R2 and the Windows Server Technical Preview are all affected by the flaw, but IE running in its "Enhanced Security Configuration" should mitigate the problem there. Microsoft has reported that this vulnerability is being actively exploited. Microsoft's new browser, Edge, is not affected by the flaw.
