date 2019-11-11
Security Leftovers

Does Your Domain Have a Registry Lock?
Dijkxhoorn said one security precaution his company had not taken with their domain prior to the fraudulent transfer was a “registry lock,” a more stringent, manual (and sometimes offline) process that effectively neutralizes any attempts by fraudsters to social engineer your domain registrar. With a registry lock in place, your registrar cannot move your domain to another registrar on its own. Doing so requires manual contact verification by the appropriate domain registry, such as Verisign — which is the authoritative registry for all domains ending in .com, .net, .name, .cc, .tv, .edu, .gov and .jobs. Other registries handle locks for specific top-level or country-code domains, including Nominet (for .co.uk or .uk domains), EURID (for .eu domains), CNNIC (for .cn domains), and so on.
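A practical way to verify whether a domain actually carries a registry lock, as an added example that is not part of the article above: the registry-set EPP status codes serverDeleteProhibited, serverTransferProhibited and serverUpdateProhibited, which only the registry itself can clear, appear as "Domain Status" lines in the registry's WHOIS record, while the client* codes are registrar-set and can be removed by the registrar. The script below classifies those codes; the WHOIS excerpts inside it are constructed samples, and check_domain assumes a whois client on the PATH.

```python
import re
import subprocess

# Registry-set ("server*") status codes can only be cleared by the registry,
# which is what a registry lock relies on. Registrar-set ("client*") codes
# can be removed by the registrar, so a social-engineered registrar can
# simply clear them before transferring the domain away.
REGISTRY_LOCK = {"serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited"}
REGISTRAR_LOCK = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}

# Matches the "Domain Status: <code> <url>" lines in registry WHOIS output.
STATUS_RE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.MULTILINE)

def parse_statuses(whois_text):
    """Return the set of EPP status codes present in WHOIS text."""
    return set(STATUS_RE.findall(whois_text))

def lock_level(statuses):
    """Classify how well the domain is protected against an unauthorised transfer."""
    if REGISTRY_LOCK <= statuses:
        return "registry-lock"
    if statuses & REGISTRY_LOCK:
        return "partial-registry-lock"  # some server* codes, but not all three
    if statuses & REGISTRAR_LOCK:
        return "registrar-lock-only"
    return "unlocked"

def check_domain(domain):
    """Live check (assumes a `whois` client on PATH): fetch the record and classify it."""
    out = subprocess.run(["whois", domain], capture_output=True, text=True, check=True).stdout
    return lock_level(parse_statuses(out))

# Constructed WHOIS excerpts, not real registry records.
LOCKED_SAMPLE = """\
Domain Name: EXAMPLE-LOCKED.COM
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""
REGISTRAR_ONLY_SAMPLE = """\
Domain Name: EXAMPLE-TYPICAL.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

if __name__ == "__main__":
    for name, text in (("locked", LOCKED_SAMPLE), ("typical", REGISTRAR_ONLY_SAMPLE)):
        print(name, lock_level(parse_statuses(text)))
```

A domain showing only client* codes is protected against an accidental transfer, not against a registrar that has been talked into acting on the attacker's behalf.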

Cisco Warns of Critical Network Security Tool Flaw
The flaw exists in the web-based management interface of the Cisco Firepower Management Center (FMC), which is its platform for managing Cisco network security solutions, like firewalls or its advanced malware protection service. Cisco has released patches for the vulnerability (CVE-2019-16028), which has a score of 9.8 out of 10 on the CVSS scale, making it critical in severity.

No big deal, Rogers, your internal source code and keys are only on the open web. Don't hurry to take it down
Source code, internal user names and passwords, and private keys, for the website and online account systems of Canadian telecoms giant Rogers have been found sitting on the open internet. The leaked software, seemingly uploaded to GitHub by a Rogers engineer before they left the telco, is written in Java and powered various components of Rogers.com. The materials are marked "closed source" and copyright Rogers, yet can be found on the web if you know where to look. Details of and credentials for services and systems on the ISP's internal networks are included. This kind of information, along with source code to skim for security bugs, is a boon for miscreants casing the telco to compromise it. These details may have already been exploited by criminals, or may prove useful for future attacks. It's also a reminder that engineers and management must take all precautions to avoid pushing private company code to public repositories. It should be noted that no customer information nor account details – beyond the names, passwords, and email addresses of some members of the ISP's web development team – are present in the public code repository. The web app blueprints date back to 2015, so just how much of this code remains in production is unclear. One hopes the passwords and keys have been replaced over the past five years, at least. With any luck, this may well be more of an embarrassment to one of Canada's biggest broadband'n'telly telcos than anything else.

Rogers’ internal passwords and source code found open on GitHub
Sensitive data of another major Canadian firm has been found sitting open on the GitHub developers platform. Security researcher Jason Coulls said he recently discovered two open accounts with application source code, internal user names and passwords, and private keys for Rogers Communications. No customer data was found. He suspects the code belonged to a developer who has left the telco. Coulls, who works in the IT department of a Toronto firm and has his own security consultancy, initially told The Register of the discovery, after which the news site contacted Rogers. One problem is the code he saw describes data payloads and how they go between databases and web services. “You can use that to get to the stuff that people [thieves] would go after,” he explained.

How to patch your open source software vulnerabilities
Software vulnerabilities are a fact of life. Researchers -- if not hackers -- constantly discover new ways to compromise popular software libraries. It's up to enterprises to quickly deploy patches to secure software before hackers get in. Consider the Equifax breach, in which a hacker exposed the data of more than 145 million users, resulting in $575 million in fines for the credit rating agency. A U.S. Senate investigation identified a backlog of over 8,500 unpatched vulnerabilities at Equifax -- the hacker gained access through just one of those unpatched systems. Vulnerability backlogs are especially prevalent within enterprises that rely on open source components. Nearly all applications make use of some open source components that take the place of either mundane or arcane coding tasks. An open source project often has an active community to maintain and augment it, but that's not always the case. Ultimately, open source software requires a leap of faith from the user that what they're adopting is secure and effective.