ClickSSL Weekly InfoSec Snipper November 7, 2016

This entry is part 48 of 73 in the series Weekly Infosec Snipper

IMSI catchers are being used to track mobile users

Your mobile device can be hijacked at any time with an IMSI catcher, a device currently used by law enforcement to track mobile users. An IMSI catcher mimics a cellphone tower and fools the device into connecting to the fake tower. The catcher can intercept calls and internet traffic, send texts, and install spyware. It works on the IMSI, a 15-digit unique authentication number that is stored on the SIM card in read-only mode. Hackers can catch a smartphone's IMSI number within a second over Wi-Fi.

Google found a zero-day exploit in Windows 10

Google's Threat Analytics has found a vulnerability in Windows 10, but Microsoft criticized Google for making it public before it was patched. Microsoft is believed to be releasing a patch on 8 November 2016. The vulnerability can be exploited by malware to gain access to a Windows system. Until the patch is released, users can update Chrome and Adobe Flash or remove them. Microsoft rated this bug low on the volume scale.

Google bans WoSign and StartCom certificates

Google has joined Mozilla and Apple in banning WoSign and StartCom certificates from 2017. Microsoft is now the only player to use WoSign certificates. GitHub reported in August 2017 the issuance of an unauthorized certificate for GitHub's domain. After that, in cooperation with Mozilla, there were many certificates issued without requiring any authorization. Such mis-issued certificates fell short of the high issuance standards expected of CAs and will not be trusted in Google Chrome.

Cisco faced a data breach on the company's career portal

Cisco faced a data breach on the company's Professional Careers portal that leaked information. The breach was caused by incorrect security settings applied after system maintenance. The leaked data included name, username, password, email address, phone number, security question FAQs, education profile, cover letter, and personal information. The incorrect configuration exposed information from August 2015 to September 2015 and from July 2016 to August 2016.

Outlook Web Access has a design flaw that bypasses 2FA

A researcher from Black Hills Information Security found a flaw in Microsoft Outlook Web Access (OWA). It is a design flaw that allows an attacker to bypass two-factor authentication. Hackers can access mailboxes, calendars, contacts, and sensitive enterprise data. Exchange Server also exposes the Exchange Web Services (EWS) interface together with OWA, and EWS is not secured with two-factor authentication. Hackers can hack the OWA server by attacking EWS on the same port.

Incorrect OAuth 2.0 implementation made Android apps vulnerable

An incorrect implementation of OAuth 2.0 allowed hackers to expose more than 1 billion Android app accounts. Researchers from the Chinese University of Hong Kong revealed that most Android mobile apps that use an SSO (single sign-on) service have not properly implemented OAuth 2.0. OAuth 2.0 is even used on many social media sites, including Facebook and Google Plus. An incorrectly implemented OAuth 2.0 works on a third-party service and allows attackers to check a user's identity with data provided by the ID provider.
