ICYMI: SSL and Magento flaws, APT gangs & the breach blame game
ICYMI: SSL and Magento flaws, APT gangs & the breach blame game

ICYMI: Anonymous targets ISIS, 'advanced' attacks & TV takeover

Last week's In Case You Missed It looked at the online battle between Anonymous and ISIS, a takeover of a French TV network and demystifying those excessive claims of 'advanced' cyber-attacks.

Cyber-security pros blame breaches on skills gap

The much-publicised information security skills gap shows no sign of slowing down, with one new report suggesting there will be a shortage of 1.5 million trained professionals by 2020.

The seventh annual (ISC)² Global Workforce Survey, conducted by Frost & Sullivan, was released last Wednesday and it makes for dark reading for CISOs, IT security teams and the information security sector in general.

The headline statistic is that there will be a shortage of 1.5 million information security professionals by 2020, in line with other estimates, with this shortage interestingly cited by half of cyber-security staff as a key reason for data breaches and for “heavily impacting” on customers (48 percent).

PCI gives 14 months to fix high risk SSL problem

The Payment Card Industry Security Standards Council (PCI SSC) moved to fix the security vulnerabilities in the Secure Sockets Layer (SSL) and early versions of the Transport Layer Security (TLS) protocols, exposed by both Heartbleed and Poodle, with an out-of-band updated release of PCI DSS v3.1.

This latest iteration of the PCI Data Security Standard, however, has split the IT security profession when it comes to just how much protection it is really providing the card holder who shops online.

15% of e-commerce sites hit by critical Magento RCE flaw

eBay's e-commerce platform Magento has a critical remote code execution (RCE) flaw, which could be used by hackers to remotely compromise up to 200,000 online stores in order to steal credit card details and personal information.

As discovered by security researchers at Check Point Technologies, the flaw in the open-source e-commerce platform stems from a number of different vulnerabilities which, when pieced together, could allow an attacker to execute PHP code on the store's web server, bypassing security controls in the process.

The same attackers could also grab administrator access to the system, at which point they could do everything from steal money, credentials and personal details to taking control of certain databases.

APT gang caught exploiting Flash and Windows zero-days

FireEye Labs detected a limited and targeted Advanced Persistent Threat (APT) campaign designed to exploit zero-day vulnerabilities in Adobe Flash and Microsoft Windows. The cyber-security firm says it believes that the attack “may be” perpetrated by Russian nation-state sponsored threat actors.

Adobe has already independently patched the vulnerability and, at the time of writing, Microsoft is aware of the outstanding local privilege escalation vulnerability in Windows

Using the firm's own Dynamic Threat Intelligence (DTI) cloud service, FireEye researchers detected a pattern of attacks beginning on April 13 this year. The highly complex attacks are said to have been targeted at “specific foreign government organisations”, although no further geographic area of impact or shape of victim organisation could be detailed.