On October 15, 2014, Drupal, a free, open source software package used to create and manage websites, announced the existence of a vulnerability in its Drupal 7 database API abstraction layer. The vulnerability allows an attacker to send specially crafted requests that result in arbitrary SQL execution. Depending on the content of the requests, this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
If there’s one thing that’s certain in the world of IT, it is that change and innovation are inevitable and commonly occur at a rapid pace. Although innovation has many great benefits and makes working in IT fun and exciting, it also typically has information security professionals pulling their hair out as they try to keep pace. To defend each new product, security professionals must first learn the product themselves and then determine how best to protect it from today’s advanced threats. This then typically drives policy and procedure updates, new software purchases, end user and security staff training, and the development of new configuration standards. And as those who work in the field know, this takes a tremendous amount of time and energy.
Most of us will get our first glimpse of the next version of Windows, code-named Threshold, on September 30. Windows executives will talk about where Microsoft is investing and show off some of the features of the new operating system. The company also has early code it will make available, according to sources, but the test code is intended mainly for developers and businesses to begin their preparations. Two expected features of the new operating system are the ability to write universal applications that work on Windows, Xbox, and Windows Phone, and a more traditional Windows interface to address critiques of the Windows 8 interface.
Cyber criminals continue to successfully target and compromise Point-of-Sale (POS) systems, oftentimes stealing millions of credit card records before being discovered. The most recent POS malware, “Backoff,” was reported by the United States Computer Emergency Readiness Team (US-CERT) at the end of July and is already affecting companies such as UPS and Dairy Queen. Backoff is a family of malware that has been discovered during several breach investigations targeting POS systems, with estimates as high as 1,000 U.S. businesses impacted. Reports by investigators and first responders indicate that the malware and its variants had a low to zero percent anti-virus detection rate, meaning that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.