What is ‘Zip Slip’ and How It Can Affect Your Websites?

Zip Slip is the name given to a critical vulnerability that, as the name suggests, is all about Zip files. The massive vulnerability was discovered and researched by cyber security firm Snyk who disclosed that thousands of projects may be affected by the vulnerability.

How Hackers Use Zip Slip

The most interesting (and alarming) thing about Zip Slip is its simplicity. Hackers can create Zip files that use path traversal so that, on extraction, vital system files are overwritten, either destroying the existing code or replacing it with potentially malicious code. Zip Slip therefore also gives attackers the ability to execute code remotely in parts of the system that are used on a regular basis, such as system files and even popular applications used daily.

What Is Affected?

According to Snyk, it is not a single operating system issue, nor is it a problem with the Zip file format. It is a small section of code that has been repeated across many different projects and operating system ecosystems. Some of the programming ecosystems that contain the flawed code include Ruby on Rails, Go, and .NET; however, the most severely affected is JavaScript, due to the lack of a central library that offers high-level processing of Zip or other archive files. Because of that gap, handcrafted extraction code had to be written, and that code was copied between many different development platforms. A software library is a section of code designed to be reused across other software projects. The Zip Slip vulnerability has therefore spread to many programming languages and projects. It’s a multi-step fix: the libraries need to be patched, as well as the software that uses them.
Snyk has posted a list of projects and libraries with confirmed vulnerabilities on GitHub; users should check whether they are using vulnerable software and apply the patch to get their systems fixed.
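An added example (not from the article or from Snyk's materials) of the check that an archive extractor needs: it resolves each entry's path before writing and refuses any entry that would land outside the destination directory. It uses a constructed in-memory archive with one normal entry and one entry whose name contains `../` components; the function names `safe_extract`, `build_demo_zip` and `run_demo` are assumptions of this example.

```python
import io
import os
import tempfile
import zipfile

def is_within_directory(base_dir, target_path):
    """True only if target_path resolves to base_dir or somewhere below it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(target_path)
    return target == base or target.startswith(base + os.sep)

def safe_extract(zip_bytes, dest_dir):
    """Hand-rolled extraction (like the copied code the article describes) that
    refuses any entry whose resolved path escapes dest_dir.
    Returns (extracted_names, rejected_names)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out_path = os.path.join(dest_dir, info.filename)
            # The Zip Slip check: canonicalise first, so '../' segments or an
            # absolute entry name cannot place the file outside dest_dir.
            if not is_within_directory(dest_dir, out_path):
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(info) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected

def build_demo_zip():
    """Constructed sample archive: one benign entry, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content\n")
        zf.writestr("../../outside.txt", "attacker-controlled content\n")
    return buf.getvalue()

def run_demo():
    """Extract the sample into a fresh temp dir and report the outcome."""
    dest = tempfile.mkdtemp(prefix="zipslip-demo-")
    extracted, rejected = safe_extract(build_demo_zip(), dest)
    readme = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
    return {"extracted": extracted, "rejected": rejected, "readme_present": readme}

if __name__ == "__main__":
    print(run_demo())
```

Whatever language the extractor is written in, the same rule applies: compare the canonical output path against the canonical destination directory before creating or writing any file.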

Could Helpful Alexa Be Secretly Harming You?

Your New Friend Alexa May Have an Issue with Boundaries

Check your Amazon Echo to find out whether your helpful virtual assistant Alexa is spying on you. There is no doubt that the dulcet tones of Alexa on the Amazon Echo can be a massive help around the home or office. Popular with millions of people around the world, Alexa is always ready to respond when you call, but recently researchers from a cybersecurity company created a ‘hack’ that may allow Alexa to be a little too proactive.

Always Listening – That’s the Problem

Alexa is designed to stay in sleep mode until voice-activated with the wake word, “Alexa!”. Cybersecurity experts, however, built a simple program that forces Alexa to remain activated, record conversations and then send those recordings to a third party. The malicious program was camouflaged as a calculator app and is activated when a user opens it or tells Alexa to open the calculator app. Once activated, Alexa keeps listening, even when you think your Echo is off.

Hacking into Alexa

The device’s inbuilt security protocols should force the program to terminate the session once complete, or to request permission to continue the session. But the hack was able to bypass the protocols and force Alexa to continuously listen and record voices.

How to Protect Your Systems

This specific program was created purely to test the system’s security and was immediately reported to Amazon, which has since fixed the vulnerability. However, it is a sobering reminder of the potential dangers of such a system. What can you do to protect yourself from your Alexa? Just like any other online system, computer or mobile phone, it’s important to check regularly for malware, unknown applications and small files that you know you did not install. Also, take a look at the little blue light every now and again. It indicates that the Amazon Echo is activated. When you’re not using it, it should be off. If it isn’t, there might be a problem.

NEWS: HolistiCyber & Parker Fitzgerald Join Forces to Protect Banks from Nation State Level Cyber Threat

Cyber-security company HolistiCyber has formed an exciting new cyber-security partnership with the highly respected risk management and data security company Parker Fitzgerald. Using the key skills and experience of both entities, this innovative partnership aims to equip banks and other financial organizations with every resource they will need to protect their essential data against a growing number and range of attacks from cybercriminals. The new project was initiated by Shimon Sheves, joint founder and chairman of HolistiCyber, who sees it as a major step forward in the vital task of defending banks against these attacks.

The Changing Threat Landscape

It’s hardly surprising that cybercriminals tend to see banks as tempting targets, both because of the sums involved and because of the specific weaknesses that can often be found in their IT and data systems. Banks are naturally doing their best to protect the sensitive information they hold regarding customers, employees and others. Because their core skills are focused elsewhere, though, they need the best available outside expertise to keep up to date and properly address a threat environment that is continuously changing. Recent high-profile attacks collectively confirm that current protection standards are lagging behind the capabilities of the criminals who are intent on breaching security systems. The unfortunate fact is that these threats are highly complex, well planned and very much on a level that would previously have been associated more with attacks on nation states. Another worrying factor is the potential of the “dark net” to provide growing numbers of would-be attackers with the information and technology that will enable them to carry out their harmful plans.

Combining Proven Resources Leads to Greater Security

This is why Shimon Sheves, whose stellar CV includes overseeing the Israeli Prime Minister’s office for the late Yitzhak Rabin, is so enthusiastic about the new project his company is undertaking jointly with Parker Fitzgerald. With the latter company’s proven success in the field of strategic risk management (particularly with reference to the banking sector) combined with HolistiCyber’s position as a trusted provider of cybersecurity solutions, the new undertaking will not only provide much-needed data security but will do so with particular attention to the specific needs of financial organizations. Sheves highlights the extensive expertise that the new venture will draw on, since many of the analysts and operatives involved received their training from the Israeli armed forces. Within the new project, that expertise will be blended with deep knowledge of the particular risks that confront the banking sector. This combination underpins Sheves’s firm belief that the partnership has game-changing potential and will help to map out a secure future for banks and their data systems.

The vital point is that the partnership between HolistiCyber and Parker Fitzgerald will enable client organizations to be fully aware of and protected against the particular threats that such institutions face in a rapidly changing cyber-crime landscape. This is surely the best possible news for banks and their customers. The only people who will have to worry, it seems, are the cybercriminals whose threats will be identified and counteracted.

About HolistiCyber

HolistiCyber is a global leader in Cyber Defence and delivers advanced cybersecurity defense strategies to leading financial institutions around the world. Our certified experts are cybersecurity veterans of the intelligence branch of the Israel Defense Forces (IDF). They are world-class experts who have served at the front line of critical nation-state cybersecurity offensive and defensive operations.