Around 10% of Top Alexa Websites Are Vulnerable to CSRF Attacks
A CloudFlare engineer (Mr. Johnson) found that around 10% of the top Alexa sites use an incorrect Cross-Origin Resource Sharing (CORS) policy that exposes users to data theft. CORS is a mechanism that defines which server resources may be shared with other domains. CORS is part of the web security model built on the Same Origin Policy (SOP). Misconfigured CORS can expose a website to CSRF and XSS vulnerabilities. The engineer also compiled a list of websites that violate these guidelines.
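To make the misconfiguration concrete, here is an added example (not code from the original article or from CloudFlare): three toy CORS policies, two weak and one hardened, plus a checker that grades the response headers a browser would see when the request comes from an origin the server has no reason to trust. All origins, allowlists and probe values are constructed for the example.

```python
# Added example, not from the original article: toy CORS policies and a checker
# that grades the headers returned to an untrusted Origin. Values are constructed.

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # constructed


def reflecting_policy(origin):
    """Weak: echoes any Origin back and also allows credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def suffix_policy(origin):
    """Weak: a suffix check also matches unrelated hosts such as 'https://evil-example.com'."""
    if origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def allowlist_policy(origin):
    """Hardened: exact match against a fixed allowlist; otherwise no CORS headers at all."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}  # stops caches from serving one origin's headers to another
    return {}


def classify(headers, probe_origin):
    """Grade one response to a request from probe_origin, an origin the server
    should not trust. Returns (risk, reason) with risk in {'none', 'low', 'high'}."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "none", "no Access-Control-Allow-Origin header; the browser blocks the read"
    if acao == "*":
        # Browsers refuse to send credentials when the origin is '*', so only public data is readable.
        return "low", "wildcard origin; only unauthenticated responses are readable"
    if acao == "null":
        # Sandboxed iframes and file: pages carry the 'null' origin, so this is never safe to allow.
        return "high", "'null' origin allowed"
    if acao == probe_origin and creds:
        return "high", "untrusted origin echoed with Access-Control-Allow-Credentials: true"
    if acao == probe_origin:
        return "low", "untrusted origin echoed, but without credentials"
    return "none", "origin not allowed"


def audit(policy, probes=("https://evil.example", "https://evil-example.com")):
    """Run each untrusted probe origin against a policy and return the worst finding."""
    order = {"none": 0, "low": 1, "high": 2}
    worst = ("none", "no issue found")
    for origin in probes:
        risk, reason = classify(policy(origin), origin)
        if order[risk] > order[worst[0]]:
            worst = (risk, f"{origin}: {reason}")
    return worst


if __name__ == "__main__":
    for name, policy in [("reflecting", reflecting_policy),
                         ("suffix", suffix_policy),
                         ("allowlist", allowlist_policy)]:
        print(f"{name:10s} -> {audit(policy)}")
```

The same checker can be pointed at real responses by replacing the toy policy with a function that performs the request and returns the response headers; the key design point is that `classify` only makes sense when `probe_origin` is an origin the site should not trust, which is why `audit` supplies its own untrusted probes instead of allowlisted ones.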
The Growth of Android Malware Peaked in 2015
G DATA, a cyber security company, conducted research on Android malware and detected around 2.3 million malware samples in 2015. In that year a new malware sample emerged every 11 seconds. By comparison, in 2014 the team collected almost 1.5 million samples. Android is targeted because of the broad usage of the Android OS and because many users rely on their smartphones for banking and financial transactions.
University of California Berkeley Suffers a Data Breach
University of California Berkeley (UCB) confirmed an unauthorized attack on its systems. The breach involved data on about 80K current and former faculty, staff, students and business partners. The university sent letters to the affected individuals announcing the breach. Unauthorized access was gained to a few computers that are part of the Berkeley Financial System (BFS), an application that handles numerous financial transactions.
Mozilla Allows SHA-1 Certificates for Client Worldpay PLC
Mozilla is extending the SHA-1 certificate sunset date for one client, Worldpay PLC. Mozilla allowed Symantec to issue nine SHA-1 certificates for Worldpay. The client is in the process of migrating to SHA-2, but the migration posed a risk for many of its users, whose systems are not compatible with the SHA-2 algorithm. Worldpay therefore approached Mozilla via Symantec and requested these certificates. Mozilla agreed to permit the SHA-1 certificates on two conditions: the process must be transparent and the certificates must expire within 90 days.
Google Announces Project Shield for DDoS Protection
Google has introduced Project Shield, which will help protect small organizations from DDoS attacks. A few years ago, Google invited a few news websites to join the project in its initial stage. Now Google has defined the categories eligible for Project Shield: politically focused news portals, election monitoring websites, and human rights organizations. Applicants have to fill out the form on the Google Project Shield website.
MasterCard Announces Face Recognition for Payment Authorization
At Mobile World Congress in Barcelona, MasterCard announced a face recognition facility for payment authorization. MasterCard will use biometrics in place of the classic PIN. To enable the feature, users have to install the MasterCard app on their smartphone or use a MasterCard-issued wristband. Users can take a selfie while making a payment, or use fingerprint recognition, voice recognition or the wristband. The countries in which the program will start include the UK, Belgium, Spain, Italy, France, Germany, Switzerland, Norway, Sweden, Finland, Denmark, and Canada.