Information Security Buzz
Expert(s): November 30, 2020
Keith Geraghty
Solutions Architect
Edgescan

Comments Dotted : 5
August 24, 2020

Expert Insight: Instacart Discloses Security Incident Caused By Two Contractors

You cannot leave the door wide open and expect that everyone will pass by and not take a peek in.
You can conduct all the vetting in the world of your employees, but it is not a surefire way to protect yourself from these types of issues. What will help is good compliance standards. In technical terms, that means enforcing least privilege, keeping and reviewing logs and providing the correct security awareness training to all staff. It is not clear whether any malicious intent was involved, so we are yet to find out if the action taken was on the strong side. You cannot leave the door wide open and expect that everyone will pass by and not take a peek in.
February 27, 2020

Multiple WordPress Plugin Vulnerabilities Actively Being Attacked – Experts Analysis

Files and administration portals should not be exposed and the application should follow best practice frameworks and secure coding guidelines.
WordPress vulnerabilities can represent low-hanging fruit for attackers. The overall popularity of WordPress means we will continue to get a steady stream of new vulnerabilities for the foreseeable future. The interesting thing is that the same approach is always applied pre-exploitation, and that is information gathering. The sheer amount of WordPress interfaces and configuration files exposed across the web is simply staggering. Attackers can gather a list of potential targets in a matter of minutes. From there, they can start the process of file enumeration and testing input validation to refine their list further. Clients need to be using WPScan combined with good vulnerability management on a continuous basis to ensure that the various WordPress components are up to date. WPScan is an open-source program, so there is no excuse for not doing the bare minimum. Files and administration portals should not be exposed, and the application should follow best-practice frameworks and secure coding guidelines.
February 06, 2020

Experts Reaction On Researcher Finds Vulnerability In WhatsApp Desktop Platform

Organisations worried about this potential entry vector should also consider blocking the desktop version of WhatsApp.
First of all, users should ensure they use the latest safe release of the software. But while defences on the software side may add a layer of protection, it's been proven that the most effective approach to these types of attacks is educating your users. Organisations need to invest in proper phishing campaigns, educating non-security-savvy people to review and look closely at the link they are about to click. This can be as simple as hovering over the link and observing where you will be taken or what you are downloading. Organisations worried about this potential entry vector should also consider blocking the desktop version of WhatsApp and, if not required on company-held smartphones, disabling the app with management systems such as MobileIron.
February 03, 2020

Social Captain Instagram Account Exposed And Experts Reactions

Security needs to be as important as user experience.
There is so much peak "millennial" in this story. Unfortunately, social status has become such a talking point of modern life, so much so that users and companies do whatever they can to improve their presence on social media. This also means that security may take a back seat. This application was certainly not ready to process data from such a large social media platform when it stores usernames and passwords in plaintext, an issue that would be identified using a basic vulnerability scan. The actual bug is interesting, as it highlights how easily security can go wrong when facilitating third-party integration. In this case, it was integration with a third-party email service. In my experience, this represents one of the toughest areas from a security testing scenario. What's exposed, whose scope does it fall under, do I have the right to test it? APIs and other methods of integration have greatly enhanced the web experience for users, but it's time for organisations to realise that security needs to be as important as user experience. APIs and third-party libraries should be mapped out and tested with the same depth and rigour as the application and network that feed them. A "full-stack" approach needs to be taken. As always, it will be interesting to see what action will be taken under GDPR and CCPA in relation to this breach.
November 24, 2019

Experts Reaction On 1.2 Billion Records Were Found Online On An Exposed, Unsecure Single Server

Social media companies should also be doing more to make users aware of privacy options and how to adjust them.
The sheer amount of data that has been exposed is the issue here. It's concerning to have such a large database wide open in the wild. The type of data exposed is not sensitive in nature; however, to an attacker it can be gold dust. The data will allow for large-scale phishing campaigns against users. The attack path will likely be the usual methods of delivery such as emails, profile impersonations and scam phone calls. Also, we may see widespread brute-force attempts made on applications which use email as the method of login. The disclosed profile information can also lead to other issues such as answers to recovery questions being discovered. The first port of call for concerned individuals is to ensure ground zero is secure. That's secure passwords, secure recovery questions, enforcing multi-factor authentication where possible and, of course, not opening mail or answering phone calls from unrecognised sources. We may see this leak on https://haveibeenpwned.com/, which is a website where users can check if their data was exposed. Users should also review the privacy settings in any social media platforms which they use to help combat other routes of phishing attacks. For developers, ensuring lockout policies to block brute-force attempts is a good first step to take. Social media companies should also be doing more to make users aware of privacy options and how to adjust them.
Copyright © 2020 ISBuzz Pty Ltd is a company registered in Australia with company number 605 203 772 whose registered office is 14 Alanvale Street, Harrison, ACT 2914.