Today I was in a fascinating lecture. The Lithuanian Journalism Center organized a talk by Marek Miller, a journalist and member of the Google News Lab team. Google News Lab is part of the Google News Initiative project, whose primary purpose is to collaborate with journalists and entrepreneurs and help them drive innovation in news.
The topic of the lecture was “Fact checking options and tools.” Marek Miller introduced methods and tools that journalists can use to identify fake news. I’m not a journalist, but the topic was very interesting to me because it is partly related to cybersecurity and useful for the Master’s thesis I am currently working on.
Continue reading Google News Lab lecture with Marek Miller – Fake News Debunking
Recently I was researching hacked hotel websites, and step by step I reached the website of the Q Brainstorm Software company. Q Brainstorm Software is an IT company from India, established in 2004. The company offers an extensive range of services based on several programming languages: website development, mobile app development and even SEO services. In short, “We do everything.” But they attracted my attention not because of their services, but because of their products.
Q Brainstorm Software products
Looking at the product page, I see the list of several products:
- Hotel Desktop – Available in three different versions, ultimate hotel management solution for small and medium accommodation facilities.
- Hotel web – Hotel Pro desktop version can be further enhanced with a web module where you can manage your reservations and view the calendar using just a web browser.
- Hotel Mobile – Hotel mobile app is a comfortable way of managing your reservations from any place in the world. Only a mobile phone or tablet is required.
- Channel Manager – Hotel can be synchronised with the most popular channel managers in the world such as YieldPlanet, Octorate or WuBook.
- Online Booking Engine – Allow customers to make reservations directly through your website with a modern, fully customizable online booking engine.
- Advanced Functionalities – Accounting, statistics, logbook, customizable documents, automated emails, rate plans, services, meals management and more!
These products are business-oriented, which is a little frightening to me, and I’ll tell you why.
If you’re looking for software to power your business, one of the primary requirements is the safety of that software. Vulnerable software may endanger a business in various ways. Now let’s think about whether you can trust your business to a company and its products if the website of the company itself is hacked. Yes! Hacked.
Continue reading Q Brainstorm Software hacked and this endangers their customers
Exploitation of hacked websites for cryptocurrency mining is a new thing, and it gets more popular day by day. Hacking websites for fun or for other reasons such as spamming is a thing of the past. All previous ways of exploiting hacked sites are outdated, have low profit margins (except for the theft of credit card credentials and similar data) and are incompatible with modern trends. Now everyone wants cryptocurrencies, everyone is obsessed with crypto money, and everyone is ready to do anything to get it.
Continue reading Exploitation of hacked websites for cryptocurrency mining gains popularity
The phpMyAdmin cross-site request forgery (CSRF) vulnerability found by the Indian security researcher Ashutosh Barot has caused a lot of noise. It’s evident that many website owners began a heated debate on this issue, since phpMyAdmin is one of the most popular tools for managing MySQL databases. I find this discussion somewhat surprising, because most of the people discussing it do not realize what conditions are needed to make the vulnerability exploitable. My modest opinion is that this security issue is more dangerous in theory than in practice. Let’s see why I think so.
phpMyAdmin CSRF vulnerability exploitation mechanism
Attacks on CSRF vulnerabilities are quite primitive. An attacker prepares a specially crafted link with some parameters or commands. If an administrator, or any logged-in user with sufficient rights on the targeted system, clicks this link, it triggers actions that the user did not intend. Ashutosh Barot published a short YouTube video showing how he managed to drop a table from the database with a single click on such a link. The attack is possible because the operation is performed through an unprotected GET request.
Continue reading phpMyAdmin CSRF vulnerability is dangerous but hard to exploit
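The mechanism described above, as an added example that is not code from the original post or from phpMyAdmin: a toy request handler that performs a destructive action on an unprotected GET, beside a hardened version that accepts only POST and requires a per-session synchronizer token. The handler names, the in-memory session store and the sample tables are constructed for illustration.

```python
import hmac
import secrets

# Constructed stand-ins for the application's session store and database.
# The session id comes from the browser cookie, which the browser also sends
# when the request was triggered by a link on a third-party page.
sessions = {"sess-abc": {"user": "admin", "csrf_token": None}}
tables = {"customers": ["row1"], "orders": ["row1", "row2"]}


def table_exists(name):
    return name in tables


def vulnerable_drop_table(session_id, query_params):
    """Unprotected GET handler of the kind the text describes: a logged-in
    admin who follows a crafted link like ?drop=orders loses the table,
    because the only check is whether a valid session cookie is present."""
    if session_id not in sessions:
        return 403, "not logged in"
    table = query_params.get("drop")
    if not table_exists(table):
        return 404, "no such table"
    del tables[table]
    return 200, f"dropped {table}"


def issue_csrf_token(session_id):
    """Generate a random synchronizer token and bind it to the session; the
    app embeds it in its own forms, where a third-party page cannot read it."""
    token = secrets.token_urlsafe(32)
    sessions[session_id]["csrf_token"] = token
    return token


def hardened_drop_table(session_id, method, form):
    """Same action, hardened: state changes only via POST, and the submitted
    token must match the one bound to the session (constant-time compare)."""
    if session_id not in sessions:
        return 403, "not logged in"
    if method != "POST":
        return 405, "state-changing action requires POST"
    expected = sessions[session_id].get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    table = form.get("drop")
    if not table_exists(table):
        return 404, "no such table"
    del tables[table]
    return 200, f"dropped {table}"
```

A crafted link can still reach the hardened handler, but without the session-bound token the request is rejected before any change is made.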
Sensitive data leakage is a significant problem in the modern world. The most commonly stolen data includes personal identification data, logins to online banking accounts, etc. But a recent data theft case in Lithuania has caused great public resonance. One of the Lithuanian plastic surgery clinics suffered a hacker attack. The clinic’s personnel did not detect the attack in time. The data loss was discovered when the hackers posted part of the stolen data on a Darknet site.
It appears that the hackers managed to download the whole database with the personal data of all the clinic’s clients. More than twenty-four thousand customers are listed in this database. The database includes names, surnames, personal identification numbers, phone numbers, addresses, emails, and all plastic surgery and medical data. Moreover, the database contains all photos taken before and after plastic surgeries. This made the security breach far more dramatic.
Continue reading Sensitive data theft from Lithuanian plastic surgery clinic