OneLogin
By Lionel Thomas / Cyber Security, Website Hacked

This is a public service announcement from Vofer. The identity and single sign-on provider OneLogin has had a serious security incident.

OneLogin “We detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact. We want our customers to know that the trust they have placed in us is paramount, and we have therefore created a set of required actions.”

In essence, the attackers were able to decrypt encrypted customer data, putting user data and logins at risk.

Here are OneLogin's suggested actions to take:
http://i.imgur.com/5hEyYgo.png

Blog update by OneLogin – https://www.onelogin.com/blog/may-31-2017-security-incident

WordPress Website Security

Thousands of WordPress websites have been hacked following the disclosure of a vulnerability in WordPress core. WordPress delayed the public disclosure for over a week and worked with security companies and hosting providers to have a patch ready, yet not all websites have been patched and it is a WordPress hacker smorgasbord.

Even though the patch was released, thousands of admins did not update their websites, either because they had disabled automatic updates or simply never applied the update. Some admins disable automatic updates so they can test patches before deploying them, yet for a security release of this kind a different approach is needed: apply the security release immediately and test afterwards, or at least leave minor (security) releases on automatic update and test only major releases.

The news site of the well-known openSUSE Linux distribution (news.opensuse.org) was among the sites hit; it was quickly restored, with no further breaches in other parts of openSUSE's infrastructure, the CIO reported.

The vulnerability is in the WordPress REST API, which became part of core in WordPress 4.7: an unauthenticated request can modify the content of any existing post or page, and attackers have used it to deface sites and inject redirects that send visitors to malicious sites.

Security researchers at Sucuri stated that they noticed multiple campaigns across the internet scanning for unpatched WordPress websites.

The call to update has been going out for some time; if you have not yet updated to WordPress 4.7.2 you should do so urgently, and also check your website for injected content.
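Two checks a site owner can run are whether the installed version is in the affected range and whether the web server logs show the exploit pattern. The script below is an added example for this post, not code from WordPress or Sucuri. It relies on two facts about the bug: only 4.7.0 and 4.7.1 ship the vulnerable REST endpoint, and the bypass works by adding a non-numeric `id` query parameter (for example `?id=1abc`) to a write request against `/wp/v2/posts/<n>`, reachable either as `/wp-json/...` or via `?rest_route=...`. The log lines are constructed for the example, with documentation-range IP addresses.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); the requests and
# IP addresses (documentation ranges) are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2017:10:12:01 +0000] "POST /wp-json/wp/v2/posts/1?id=1abc HTTP/1.1" 200 1532 "-" "python-requests/2.12"
198.51.100.23 - - [06/Feb/2017:10:12:03 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2017:10:12:05 +0000] "POST /wp-json/wp/v2/posts/2?id=2ABC HTTP/1.1" 403 211 "-" "python-requests/2.12"
192.0.2.9 - - [06/Feb/2017:10:13:44 +0000] "POST /wp-json/wp/v2/posts/7?id=7 HTTP/1.1" 401 140 "-" "curl/7.50"
192.0.2.9 - - [06/Feb/2017:10:13:50 +0000] "POST /?rest_route=/wp/v2/posts/7&id=7x HTTP/1.1" 200 1200 "-" "curl/7.50"
"""

# The REST content endpoints arrived in 4.7.0; 4.7.2 is the fixed release.
VULNERABLE_FROM, FIXED_IN = (4, 7, 0), (4, 7, 2)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
POSTS_ROUTE = re.compile(r'^/wp/v2/posts/(?P<id>\d+)/?$')


def parse_version(version):
    """'4.7.1' -> (4, 7, 1); a missing patch number counts as 0."""
    parts = [int(p) for p in re.findall(r'\d+', version)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(version):
    """True for any 4.7.x release before 4.7.2 (4.7.0 and 4.7.1)."""
    return VULNERABLE_FROM <= parse_version(version) < FIXED_IN


def rest_route_of(target):
    """Return (route, query) for a request target, or (None, {}) if it is not
    a REST API call. Handles /wp-json/<route> and ?rest_route=<route>."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.startswith('/wp-json/'):
        return parts.path[len('/wp-json'):], query   # keeps the leading slash
    if 'rest_route' in query:
        return query['rest_route'][0], query
    return None, {}


def find_content_injection_attempts(log_text):
    """Flag write requests to /wp/v2/posts/<n> whose query-string id is not a
    plain integer: the query parameter overrides the route id and, on an
    unpatched site, slips past the permission check. Variants that send the
    id in the request body are invisible in access logs, so this is a lower
    bound. The HTTP status tells patched (401/403) from hit (200) sites."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] not in ('POST', 'PUT', 'PATCH'):
            continue
        route, query = rest_route_of(m['target'])
        if route is None:
            continue
        rm = POSTS_ROUTE.match(route)
        ids = query.get('id')
        if not rm or not ids or re.fullmatch(r'\d+', ids[0]):
            continue   # no route match, no override, or a normal numeric id
        hits.append({'ip': m['ip'], 'route_id': int(rm['id']),
                     'id_param': ids[0], 'status': int(m['status'])})
    return hits


if __name__ == '__main__':
    for v in ('4.6.3', '4.7.1', '4.7.2'):
        print(v, 'vulnerable' if is_vulnerable_version(v) else 'not affected')
    for h in find_content_injection_attempts(SAMPLE_LOG):
        outcome = 'SUCCEEDED' if h['status'] == 200 else 'blocked'
        print(f"{h['ip']} -> post {h['route_id']} id={h['id_param']!r} {outcome}")
```

A 200 on a flagged request means the site was unpatched at that moment and the targeted post should be inspected for injected content or redirects; a 401 or 403 means the request was rejected.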

This is a clear indication that websites today need multiple layers of security, and some suggestions to look into are:

 

Pokemon go security risk
By Lionel Thomas / Cyber Security, Mobile Apps

Pokémon GO, a location-based augmented reality game built on Google Maps data and developed by Niantic, was recently released on iOS and Android. It has been a huge success, yet it has also created a serious security risk.

When you sign in with a Google account (on iOS, at the time of writing), Pokémon GO grants itself FULL account access to that Google account.
Full access includes the ability to:

  • Read your Emails
  • Send Emails from your Account
  • Access Google Drive documents
  • Look at Search History
  • Access Private Photos on Google Photos
  • And More…

Are you, or your employees, playing Pokémon GO with a business email account? If yes, this has potentially exposed the business to a major security risk.

As we become more connected, we need to be more cautious in what connects with what, especially when it comes to business.

All businesses need a policy in place covering how their Google accounts may be used, and an approval process for what those accounts can be connected to.

For all other situations where an account must be connected to software or applications, a free Gmail account should be created and used only for that purpose, also known as a burn (or burner) email account, to reduce the risk to the business.

Remove Pokémon GO’s Access to your Google Account:

  1. Open your Google Account permissions page (https://myaccount.google.com/permissions)
  2. Find and select Pokémon GO
  3. Click the “REMOVE” button to revoke full account access
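The steps above clean up one personal account by hand. For the approval process the post calls for, an administrator of a Google-managed domain wants the same check across every account: which third-party apps hold which scopes, and which of those are not on the approved list. The script below is an added example, not code from the post or from Google. It works on records shaped like the Admin SDK Directory API `tokens.list` response (`userKey`, `clientId`, `displayText`, `scopes`); the records, the client ids and the choice of which scopes count as sensitive are all assumptions constructed for the example. The first scope in the policy table is the legacy one that Google's consent screen labels "full account access".

```python
# Example policy: scopes considered too broad for a game or casual app.
# The set of "sensitive" scopes is this example's assumption, not the post's.
SENSITIVE_SCOPES = {
    "https://www.google.com/accounts/OAuthLogin": "full account access (legacy scope)",
    "https://mail.google.com/": "read, send and delete mail",
    "https://www.googleapis.com/auth/gmail.readonly": "read mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/drive": "read and modify all Drive files",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/photoslibrary.readonly": "read Google Photos",
}

# Constructed sample records in the shape of Admin SDK Directory tokens.list
# items; users, apps and client ids are made up for this example.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "displayText": "Pokémon GO",
     "clientId": "constructed-client-pokemongo",
     "scopes": ["https://www.google.com/accounts/OAuthLogin", "email", "profile"]},
    {"userKey": "bob@example.com", "displayText": "Pokémon GO",
     "clientId": "constructed-client-pokemongo",
     "scopes": ["email", "profile"]},          # a sign-in that took only basic profile
    {"userKey": "carol@example.com", "displayText": "Calendar sync",
     "clientId": "constructed-client-calendar",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "dave@example.com", "displayText": "Mail backup",
     "clientId": "constructed-client-approved-backup",
     "scopes": ["https://mail.google.com/"]},  # broad, but approved below
    {"userKey": "erin@example.com", "displayText": "Unknown helper",
     "clientId": "constructed-client-helper",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.send"]},
]

# Client ids that went through the approval process (assumed for the example).
APPROVED_CLIENT_IDS = frozenset({"constructed-client-approved-backup"})


def audit_tokens(tokens, approved_client_ids=frozenset()):
    """Return one finding per user/app grant that includes a sensitive scope
    and whose client id is not on the approved list."""
    findings = []
    for tok in tokens:
        if tok["clientId"] in approved_client_ids:
            continue
        hits = {s: SENSITIVE_SCOPES[s] for s in tok.get("scopes", []) if s in SENSITIVE_SCOPES}
        if hits:
            findings.append({
                "user": tok["userKey"],
                "app": tok.get("displayText", tok["clientId"]),
                "clientId": tok["clientId"],
                "sensitive": hits,
            })
    return findings


def revocation_list(findings):
    """Unique (userKey, clientId) pairs to revoke. With the Directory API these
    are the arguments to tokens.delete; the call itself is not made here."""
    return sorted({(f["user"], f["clientId"]) for f in findings})


if __name__ == "__main__":
    findings = audit_tokens(SAMPLE_TOKENS, APPROVED_CLIENT_IDS)
    for f in findings:
        print(f"{f['user']}: {f['app']} holds {', '.join(f['sensitive'].values())}")
    print("revoke:", revocation_list(findings))
```

Run against real data, the unapproved findings are the list to take to the account owners, and the revocation pairs are what an administrator revokes centrally instead of relying on each user to find the permissions page.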

Pokémon GO's access is to be changed in the future:

From the developer, Niantic: “We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account.”

The fact that it was released with full access should be a warning to all businesses to be aware of what their employees are connecting to and the potential security risks this creates.