IMSI catchers are being used to track mobile users
Your mobile device can be hijacked at any time with an IMSI catcher, a device currently used by law enforcement to track mobile users. An IMSI catcher mimics a cellphone tower and fools the device into connecting to the fake tower. The catcher can then intercept calls and internet traffic, send texts, and install spyware. The IMSI is a 15-digit unique authentication number stored on the SIM card in read-only mode. Hackers can capture a smartphone's IMSI number within a second over Wi-Fi.
Google found a zero-day exploit in Windows 10
Google's Threat analytics has found a vulnerability in Windows 10, but Microsoft criticized Google for making it public before it was patched. Microsoft is believed to be releasing a patch on 8 November 2016. The vulnerability can be exploited by malware to gain access to a Windows system. Until the patch is released, users can update Chrome and Adobe Flash, or remove them. Microsoft rated this bug low on the volume scale.
Google banned the use of WoSign and StartCom certificates
Google has joined Mozilla and Apple in banning WoSign and StartCom certificates from 2017. Microsoft is now the only player still using WoSign certificates. GitHub reported in August 2017 that an unauthorized certificate had been issued for GitHub's domain. After that, in cooperation with Mozilla, many more certificates were identified that had been issued without any authorization. Such mis-issued certificates fall short of the high issuance standards expected of CAs and will not be trusted in Google Chrome.
Cisco faced a data breach on the company's career portal
Cisco faced a data breach in the company's Professional Careers portal that leaked information. However, it was caused by incorrect security settings applied after system maintenance. The leaked data included name, username, password, email address, phone number, security question FAQs, education profile, cover letter, and personal information. The incorrect configuration exposed information from August 2015 to September 2015 and from July 2016 to August 2016.
Outlook Web Access has a design flaw that bypasses 2FA
A researcher from Black Hills Information Security found a flaw in Microsoft Outlook Web Access (OWA). It is a design flaw that allows an attacker to bypass two-factor authentication. Hackers can access mailboxes, calendars, contacts, and sensitive enterprise data. The Exchange server also exposes the Exchange Web Services (EWS) interface alongside OWA, and that interface is not secured with two-factor authentication. Hackers can hack the OWA server by attacking EWS on the same port.
Wrong OAuth 2.0 implementation made Android apps vulnerable
A wrong implementation of OAuth 2.0 allowed hackers to expose more than 1 billion Android app accounts. Researchers from the Chinese University of Hong Kong revealed that most Android mobile apps that use an SSO (single sign-on) service do not implement OAuth 2.0 properly. OAuth 2.0 is even used on many social media sites, including Facebook and Google Plus. A wrongly implemented OAuth 2.0 works on a third-party service and allows attackers to check a user's identity with the data provided by the ID provider.