
CTO Security Weekly

Notcompatible Android Security Buzz:

This week a new malware package for Android sparked wide interest in the security of the Android mobile computing platform.  The new malware, dubbed “Notcompatible”, is limited in scope and vector: it is installed only through user interaction, and only on phones on which the user has enabled installation of packages from third-party sources (the “Unknown sources” setting).
The notable part of Notcompatible isn’t really the malware itself but how it reaches its victims, through a technique called drive-by downloading.  Drive-by download attacks involve poisoning a website, either by delivering malicious advertisements through it or by compromising the site outright.  Once the site is under the attacker’s control, malware is pushed to users who browse to it in an attempt to infect them.  Typically this is done to infect traditional computing platforms such as Windows, but with the growing popularity of browsing the web from smartphones, the addition of an Android-based vector was only a matter of time.  In this case the payload is an Android package that the user still has to accept and install, which is why the two conditions above limit its reach.

Read More: http://www.blogham.com/notcompatible-android-malware-spreads-via-hacked-websites.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+BlogHam+(Blog+Ham)

Critical PHP Bug Discloses Your Source Code

Source code disclosure is among the more damaging things that can happen to a web application, since PHP source routinely contains database passwords and other credentials.  Disclosure of that source can therefore lead to a much deeper compromise.  An explanation of the vulnerability follows:
PHP running as a CGI binary (php-cgi) will accept command-line flags passed in the query string of a GET request and behave differently depending on the flag.  The reason is that a CGI gateway turns a query string containing no “=” into command-line arguments for the CGI program.  The flag that discloses the source of the requested page is -s (syntax highlight), appended to the GET request for a page as follows (example.com stands in for the target host):

http://example.com/index.php?-s

Source disclosure is only the most visible symptom; other php-cgi flags, such as -d, let the requester override php.ini settings, which is where the “or worse” in the InfoWorld headline comes from.  If the target runs PHP as CGI with a version lower than 5.3.12 (or a 5.4.x release lower than 5.4.2), then the target site is vulnerable.  Sites running PHP as an Apache module (mod_php) or under PHP-FPM are not affected.  Note that the first fix shipped in 5.3.12 and 5.4.2 was incomplete and could be bypassed; the complete fix is in 5.3.13 and 5.4.3.

It is recommended that those affected by this bug update to the most recent version of PHP.  A fair number of sites could be affected by this bug, which has been present since 2004 and was only recently rediscovered and then (accidentally) released to the public before a fix was ready.
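The following is an added example, not code from the original post or from the PHP project.  It models the three pieces of the bug described above: how a CGI gateway derives command-line arguments from a query string (RFC 3875 section 4.4, which is why “?-s” reaches php-cgi as “php-cgi -s”), the interim mod_rewrite mitigation from the php.net advisory reimplemented as a testable function, and a check that flags a probe reply carrying PHP source.  The sample reply, the host name and the function names are constructed for illustration.

```python
"""
Added example (not from the original post or the PHP project): models the
php-cgi argument-injection bug discussed above.

1. cgi_argv_from_query: the argv a CGI gateway derives from a query string
   (RFC 3875 s4.4). A query string with no unencoded '=' is split on '+' and
   each piece is percent-decoded. "?-s" therefore becomes "php-cgi -s".
2. blocked_by_mitigation: the php.net advisory's interim Apache rule,
       RewriteCond %{QUERY_STRING} ^[^=]*$
       RewriteCond %{QUERY_STRING} %2d|\\- [NC]
       RewriteRule .? - [F,L]
   reimplemented so it can be unit-tested against sample query strings.
3. indicates_source_disclosure: flags a reply that echoes a PHP opening tag,
   which "php-cgi -s" (highlight_file()-style HTML) does and a normal page
   render should never do.
"""
import re
from typing import List
from urllib.parse import unquote


def cgi_argv_from_query(query_string: str) -> List[str]:
    """Return the argv list a CGI gateway would pass for this query string.

    Per RFC 3875 s4.4, a query string containing an unencoded '=' is not a
    search string and yields no arguments. Otherwise it is split on '+' and
    each element is percent-decoded (so "%3d" becomes "=" only after the
    '=' check has already passed).
    """
    if query_string == "" or "=" in query_string:
        return []
    return [unquote(part) for part in query_string.split("+") if part]


# Matches a literal '-' or the percent-encoded form '%2d', case-insensitive,
# exactly as the advisory's second RewriteCond does.
_DASH = re.compile(r"%2d|-", re.IGNORECASE)


def blocked_by_mitigation(query_string: str) -> bool:
    """True if the advisory's rewrite rule would answer 403 for this query.

    Deliberately coarse, like the original rule: any '='-free query string
    containing a dash is rejected, including harmless ones such as "a-b".
    """
    return "=" not in query_string and bool(_DASH.search(query_string))


# highlight_file() output entity-encodes the opening tag; a raw "<?php" means
# the server handed the file back without executing it at all.
_SOURCE_MARKERS = ("&lt;?php", "<?php", "<?=")


def indicates_source_disclosure(body: str) -> bool:
    """Heuristic: a rendered PHP page should never contain its own open tag."""
    return any(marker in body for marker in _SOURCE_MARKERS)


# Constructed sample of what a vulnerable host answers to /index.php?-s
# (the shape of highlight_file() output; not captured from a real server).
SAMPLE_VULNERABLE_REPLY = (
    '<code><span style="color: #000000">\n'
    '<span style="color: #0000BB">&lt;?php&nbsp;$db_pass&nbsp;</span>'
    '<span style="color: #007700">=&nbsp;</span>'
    '<span style="color: #DD0000">"hunter2"</span>'
    '<span style="color: #007700">;&nbsp;</span>'
    '</span>\n</code>'
)
# Constructed sample of an ordinary, non-vulnerable page render.
SAMPLE_NORMAL_REPLY = "<html><body><h1>Welcome</h1></body></html>"


if __name__ == "__main__":
    # "-d+display_errors%3d1" shows the decoding order: the encoded '=' does
    # not stop the query string from becoming argv for the CGI binary.
    for qs in ("-s", "id=5", "-d+display_errors%3d1", "page=-s", "a-b"):
        print(f"{qs!r:26} argv={cgi_argv_from_query(qs)!r:30} "
              f"blocked={blocked_by_mitigation(qs)}")
    print("vulnerable reply flagged:", indicates_source_disclosure(SAMPLE_VULNERABLE_REPLY))
    print("normal reply flagged:   ", indicates_source_disclosure(SAMPLE_NORMAL_REPLY))
```

Two things the example makes concrete: a query string such as “page=-s” is never turned into arguments, so the bug only triggers when the entire query string has no literal “=”; and the advisory's filter is a stopgap that also rejects legitimate “=”-free query strings containing a dash, which is why upgrading PHP, not the rewrite rule, is the real fix.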

Read More: http://www.infoworld.com/t/application-security/critical-php-vulnerability-exposes-servers-data-theft-or-worse-192428

Hack Attack! New Group Makes Name Hacking NASA, Air Force

A new hacking group has made a bit of a splash after breaching several governmental and private institutions this week.  A quick read of the Twitter accounts mentioned on the Pastebin post (URL below) confirms that the breaches were the result of database intrusions.  A review of the password choices suggests that brute-force password guessing may also have been used to gain access to some of the systems.
While database attacks are common, the attackers appear to have gained access to a number of notable targets, including the Air Force and the Bahrain Ministry of Defense.  The latter is somewhat surprising, given that Anonymous has been taking every opportunity to shame the Bahraini government for its continued human rights abuses, which indicates that the group is probably not affiliated with Anonymous.

Pastebin Link: http://pastebin.com/uhWSRrSf
Read More: http://www.zdnet.com/blog/security/mystery-group-hacks-us-military-harvard-nasa-more/11789?tag=mantle_skin;content

Microsoft Boots Chinese Company from Vulnerability Sharing Club

Microsoft announced that Hangzhou DPTech Technologies Co., Ltd. would be removed from its vulnerability-sharing program (the Microsoft Active Protections Program, MAPP) following the leak of a proof-of-concept for a serious vulnerability in the Windows operating system.  This is the second time that Microsoft has had to remove a Chinese company from the program, and the leak marked the third occasion on which a vulnerability from the program had been shared on a Chinese-language website.
Sharing high-impact vulnerability details with private (and international) companies ahead of a patch is a risk for Microsoft and its customers, but Microsoft still believes the program's benefits outweigh scrapping it, since sharing lets participating security vendors protect users and customers in advance of an official patch.

Read more:


Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com
