June 2019

CVE-2019-13109 (exiv2)

An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a chunkLength - iccOffset subtraction.
Source: NIST
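The chunkLength - iccOffset subtraction the advisory names, reconstructed as an added C++ example (not Exiv2's code): an iCCP chunk-body length computation in its flawed form beside a range-checked form. The name scan, the function names and the sample bytes are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// A PNG iCCP chunk body is: profile name (1-79 bytes), a NUL byte, one
// compression-method byte, then the compressed ICC profile. The profile
// therefore starts at iccOffset = nameLength + 2 (the value the CVE text
// names). This scan is a hypothetical stand-in for the real parser.
static uint32_t iccOffsetOf(const std::vector<uint8_t>& chunk) {
    uint32_t nameLen = 0;
    while (nameLen < chunk.size() && chunk[nameLen] != 0) ++nameLen;
    return nameLen + 2;
}

// Flawed arithmetic (reconstruction of the pattern the CVE describes, not
// Exiv2's code): unsigned chunkLength - iccOffset with no range check wraps
// to a huge length when a truncated chunk makes iccOffset > chunkLength.
static uint32_t profileLenUnchecked(const std::vector<uint8_t>& chunk) {
    uint32_t chunkLength = static_cast<uint32_t>(chunk.size());
    uint32_t iccOffset = iccOffsetOf(chunk);
    return chunkLength - iccOffset;  // wraps for a truncated chunk
}

// Hardened form: validate the offset against the chunk length before
// subtracting, rejecting the chunk as corrupted metadata.
static uint32_t profileLenChecked(const std::vector<uint8_t>& chunk) {
    uint32_t chunkLength = static_cast<uint32_t>(chunk.size());
    uint32_t iccOffset = iccOffsetOf(chunk);
    if (iccOffset > chunkLength)
        throw std::runtime_error("iCCP chunk: profile offset exceeds chunk length");
    return chunkLength - iccOffset;
}

// True when the hardened parser rejects the chunk.
static bool rejectsChunk(const std::vector<uint8_t>& chunk) {
    try { profileLenChecked(chunk); } catch (const std::runtime_error&) { return true; }
    return false;
}

// Constructed sample chunk bodies (not taken from a real file).
// Well-formed: name "icc", NUL, compression 0, four profile bytes.
static std::vector<uint8_t> goodChunk() { return {'i', 'c', 'c', 0, 0, 1, 2, 3, 4}; }
// Truncated: name bytes only, no NUL and no compression byte, so the
// scanned iccOffset (5) exceeds chunkLength (3).
static std::vector<uint8_t> truncatedChunk() { return {'i', 'c', 'c'}; }
```

The unchecked form returns 0xFFFFFFFE for the truncated chunk, the length a subsequent read would trust; the checked form rejects it instead.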

Four in 10 North American Banks Don't Use EV Certificates


Despite the fact that all of the largest banks analyzed across Europe and North America do use some form of SSL certificates, a number of banks are leaving their customers vulnerable to phishing attacks, according to a new report released by Sectigo.


According to the Secure Impressions: Online Banking Study, 40% of the North American banks studied did not receive the highest rating, which was only given to those banks that used extended validation (EV) certificates to demonstrate the website’s true, authenticated identity. 



“In Europe, 25% of banks did not receive the highest rating,” a June 27 press release stated. “Websites without EV certificates on the home and/or login pages received a lesser rating (yellow status). No banks in the study displayed ‘Not Secure’ warnings (red status).”


“Online criminals routinely use counterfeit websites to trick consumers into unknowingly providing valuable information such as account logins, credit card numbers, and personally identifiable information that can be used for identity theft,” said Tim Callan, senior fellow at Sectigo. 



“Protecting against phishing is definitely an important function in the overall cybersecurity program of almost all organizations around the world. Enabling best-practice security measures can certainly help reduce the impact of phishing that IT security teams face,” said Jonathan Deveaux, head of enterprise data protection at comforte AG.



Because other threat vectors and vulnerabilities can still be exploited, organizations should consider additional security measures.  



The press release also noted that 76% of data breaches are financially motivated. As banks house a treasure trove of personal data, they will continue to be targets of cyber-attacks. 



“Since it is your data that they ultimately want, another effective method for improving cybersecurity posture is the data-centric protection model. Data-centric protection means to activate security on the data itself – de-identify personal information by anonymizing the data elements, and remove credit card numbers and social security numbers by replacing them with fake numbers,” Deveaux said. 



“Even with improved cybersecurity defenses, hackers have proved that they can still find a way to get through in order to steal data. So why not give them something they can’t use. A combined approach to cybersecurity may be the best approach for many organizations.”



Source: Infosecurity