10Fold – Security Never Sleeps – 35

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: Security researchers have found that nearly all versions of the Magento e-commerce platform allow attackers to embed malicious JavaScript inside customer registration forms, putting millions of e-commerce sites at risk. A Symantec partner has allegedly been caught running a tech support scam, using bogus malware "findings" to sell overpriced security software. Lawmakers in sixteen states have introduced privacy bills, covering student and employee privacy among other issues, to sidestep Congress's gridlock. Blockchain continues to be promoted as a more secure, transparent, faster and less expensive alternative to current financial systems and is pushing for adoption across various industries.

Bug In Magento Puts Millions Of E-Commerce Sites At Risk Of Takeover – Publication: Ars Technica – Reporter name: Dan Goodin

Millions of online merchants are at risk of hijacking attacks made possible by a just-patched vulnerability in the Magento e-commerce platform. The stored cross-site scripting (XSS) bug is present in virtually all versions of Magento Community Edition and Enterprise Edition prior to 1.9.2.3 and 1.14.2.3, respectively, according to researchers from Sucuri, the website security firm that discovered and privately reported the vulnerability. It allows attackers to embed malicious JavaScript code inside customer registration forms. Magento executes the scripts in the context of the administrator account, making it possible to completely take over the server running the e-commerce platform.


Symantec Partner Caught Running Tech Support Scam – Publication: Network World – Reporter name: Gregg Keizer

According to San Jose, Calif.-based Malwarebytes, Silurian Tech Support ran a scam in which its employees, who billed themselves as support technicians, used obscure but harmless entries in Windows’ Event Viewer and Task Manager to claim that a PC had been overwhelmed by malware, then leveraged those bogus threats to sell overpriced copies of Symantec’s Norton security software and an annual contract for follow-up phone support.


5 Things Congress Should Learn From New State Privacy Bills – Publication: Wired – Reporter name: Andy Greenberg

On Wednesday lawmakers in 16 states, with the advice and coordination of the American Civil Liberties Union, introduced bills designed to shore up Americans’ privacy on a long list of issues that federal lawmakers have either ignored or allowed to become paralyzed in Congress’s endless gridlock. That collective legislative push, which the ACLU is calling Take CTRL, addresses everything from student and employee privacy to new police surveillance techniques. Together, the bills would cover more than 100 million Americans, by the count of the ACLU’s advocacy and policy counsel Chad Marlow.


How Will Bitcoin And Blockchain ‘Cross The Chasm’? An Analysis Of 5 Strategies – Publication: Forbes – Reporter name: Laura Shin

Blockchain, or distributed-ledger, technology is claimed to be more secure, transparent, faster and less expensive than current financial systems. And it has applications in other sectors like identity issuance, land titles, provenance and more. But for all its claimed superiority, it finds itself in what disruptive-innovation author Geoffrey Moore would call “the chasm”: right now, tech enthusiasts and other people who have strong reason to prefer this technology over existing options have adopted it, but the companies in the space now need to attract users outside the core believers.