#mongodb protection from hackers
sovorunacadmey · 5 months ago
Which Course is the Best in IT?
IT is a fast-growing industry that offers many career options to those interested in technology. For beginners looking to enter the IT world, and for those wanting to upgrade their knowledge, choosing the right IT course is essential for their careers.
At Sovorun Academy, we know that industry-specific skills are what matters, and we offer the best IT courses to match the needs of the market. In this blog, we will look at the best IT courses so you can make an informed decision.
Why Choose a Career in IT?
The demand for IT professionals has been rapidly increasing in India. With the ever-growing trend of digital transformation within the world of business, there is a definite need for skilled IT experts in various industries. An IT course provides an opportunity that can lead to high-paid jobs, freelance work, and eventually even entrepreneurship.
Benefits of Pursuing an IT Course
High-paying job opportunities
Work from home and freelance options
Top IT Courses to Boost Your Career
1. Full Stack Web Development
Full Stack Web Development is one of the most in-demand IT courses. You learn front-end and back-end technologies, allowing you to build a whole application from start to finish.
Key Skills: HTML, CSS, JavaScript, React, Node.js, MongoDB.
Career Roles: Web Developer, Full Stack Developer, UI/UX Designer.
2. Data Science & Artificial Intelligence (AI)
Data Science and AI are revolutionising industries worldwide. This course focuses on data analysis, machine learning, and AI-driven solutions. 
Key Skills: Python, Machine Learning, Data Visualisation, AI Algorithms.
Career Roles: Data Scientist, AI Engineer, Business Analyst. 
3. Cybersecurity & Ethical Hacking
With increasing cyber threats, companies require skilled cybersecurity experts to protect their digital assets. Ethical hacking is a sought-after skill in the IT industry. 
Key Skills: Network Security, Ethical Hacking, Cryptography, Risk Management.
Career Roles: Cybersecurity Analyst, Ethical Hacker, Security Consultant.
4. Mobile App Development
The mobile app industry is booming, and skilled developers are in demand. This course covers Android and iOS app development using popular frameworks. 
Key Skills: Flutter, React Native, Kotlin, Swift.
Career Roles: Mobile App Developer, Software Engineer, UI/UX Designer.
5. Cloud Computing & DevOps
Cloud Computing is the backbone of modern IT infrastructure. Learning DevOps and Cloud technologies can enhance your career prospects considerably.
Key Skills: AWS, Azure, Kubernetes, Docker, CI/CD Pipelines.
Career Roles: Cloud Engineer, DevOps Engineer, System Administrator.
Which IT Course is Best for You?
The best IT course for you would be the one that suits your interest and career goals. If you enjoy coding, Full Stack Development or Mobile App Development might be perfect. If you are interested in AI and data, Data Science would be the way to go. For those who have a passion for cybersecurity, Ethical Hacking is the best option.
At Sovorun Academy, we offer expert guidance to help you choose the right IT course based on your strengths and aspirations. 
Why Choose Sovorun Academy?
Industry-Relevant Curriculum – Learn the latest technologies used in the IT industry. 
Hands-on Training – Work on real-world projects and case studies. 
Expert Mentors – Learn from experienced IT professionals.
Job Support – Get career guidance and placement support. 
Flexible Learning – Online and offline classes available. 
Take the First Step Towards Your IT Career!
The IT industry offers a wide variety of opportunities. The right course can set you off on a track to success, whether it's to become a developer, data scientist, or cybersecurity expert. Sovorun Academy is perfect for every course in the IT industry.
Join our community and start your IT journey now!
At Sovorun Academy, we are committed to providing world-class IT education to help you succeed in this competitive industry. Start your IT journey with us today!
tccicomputercoaching · 6 months ago
Which computer course is best for high salary?
In today’s competitive job market, computer skills are a must-have for high-paying careers. Whether you’re just starting your professional journey or looking to upskill for a better salary, choosing the right computer course can make all the difference. At TCCI Computer Coaching Institute, we’ve identified the top courses that pave the way to lucrative job opportunities. Let’s explore which computer courses can help you achieve your financial goals.
Data Science and Machine Learning
Why It’s Lucrative: Data is the new oil, and companies are investing heavily in extracting insights from it. Data scientists and machine learning engineers are among the highest-paid professionals globally.
What You’ll Learn at TCCI:
Python and R programming
Statistical modeling and data visualization
Machine learning algorithms
Big Data tools like Hadoop and Spark
Career Opportunities: Data Scientist, Machine Learning Engineer, Business Analyst
Full-Stack Web Development
Why It’s Lucrative: Web development remains a high-paying skill as every business needs an online presence. Full-stack developers with expertise in both frontend and backend technologies are especially valued.
What You’ll Learn at TCCI:
HTML, CSS, JavaScript, and frameworks like React and Angular
Backend development with Node.js and PHP
Database management (SQL and MongoDB)
API integration and deployment
Career Opportunities: Full-Stack Developer, Frontend Developer, Backend Developer
Cybersecurity
Why It’s Lucrative: As cyber threats grow, companies are willing to pay top dollar for experts who can protect their digital assets.
What You’ll Learn at TCCI:
Network security protocols
Ethical hacking and penetration testing
Risk management and compliance
Security tools like Wireshark and Metasploit
Career Opportunities: Cybersecurity Analyst, Ethical Hacker, Security Consultant
Artificial Intelligence (AI)
Why It’s Lucrative: AI is transforming industries, from healthcare to finance, creating a huge demand for skilled professionals.
What You’ll Learn at TCCI:
Deep learning and neural networks
Natural Language Processing (NLP)
AI frameworks like TensorFlow and PyTorch
Robotics and automation
Career Opportunities: AI Engineer, Research Scientist, AI Consultant
Why Choose TCCI Computer Coaching Institute?
At TCCI, we understand the importance of equipping our students with industry-relevant skills. Our expert trainers, hands-on projects, and flexible learning schedules ensure you’re prepared to excel in high-paying roles. Additionally, our career guidance and placement support will help you navigate the job market confidently.
Take the First Step Towards a High-Paying Career
Investing in the right computer course can change your life. Whether it’s data science, AI, or cybersecurity, the courses at TCCI Computer Coaching Institute are tailored to help you achieve a high salary and a fulfilling career.
Contact us today to learn more about our programs and enroll in a course that’s perfect for your aspirations!
Location: Ahmedabad, Gujarat
Call now on +91 9825618292
Get information from https://tccicomputercoaching.wordpress.com/
blondiecode-lh · 8 years ago
MongoDB extorted by a Kraken ransomware virus. SOLVED
Recently plenty of servers became victims of hacker attacks. The cause was a security hole in the non-relational database MongoDB. Hackers used it to erase the database from the server and demanded a ransom by inserting the following record into your database:
The victim can find this record in the MongoDB log file (on Ubuntu servers the path is /var/log/mongodb/mongod.log).
When you restore the database, the hacker will erase it again, so even having backups on your server does not solve the problem.
What should I do to protect my server?
DO NOT PAY THIS RASCAL! He will not return your database.
1. If your database does not need to be reachable from external IPs, simply disable remote access to the MongoDB server. Edit mongod.conf (the standard path on Ubuntu is /etc/mongod.conf) and uncomment or add the rule:
If you need access to your database from an external IP address, go to point 2.
2. Deny all incoming traffic from external IP addresses on port 27017 (or your custom port for the MongoDB server)! On Linux systems use the iptables program. Remember that iptables rules fall into chains, and chains have an order: first open the port for the specific external IPs, and only then close it for everyone else. If you reverse the order, you will block access for all IPs.
Insert this rule to open the port for the local database:
Insert a rule for each external server that uses your database (one new rule per IP):
Then deny access for everyone else:
Attention! Do NOT use the following command BEFORE you read the rest of this section. The MongoDB documentation (Change Default Policy to DROP, https://docs.mongodb.com/manual/tutorial/configure-linux-iptables-firewall/) gives this rule:
iptables -P INPUT DROP
Unfortunately some people do not read every sentence. You may use this rule only after completing the whole iptables configuration, because it can immediately close ALL connections to your server, including SSH. And you do not need it in this particular case, because closing the MongoDB port is enough. But do not worry if you lose the connection to your server: just restart it from your provider's web interface and all iptables rules will be dropped.
To check the whole iptables configuration use this command:
To drop ALL iptables rules:
Important! These rules only last until the server restarts. So if some rule works wrongly and you lose the connection to your server, just restart it via your provider's web interface. Use iptables-persistent if you need the rules restored automatically after a restart. Installation:
If the rules are already defined but iptables-persistent is not yet installed, they will be saved automatically during installation. To start the service:
Rules are saved to /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
Using this service you can check your server for open ports: https://www.shodan.io (just type your server's IP in the search box).
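The two checks the post recommends (is mongod bound to every interface, and are the iptables rules on port 27017 in the right order) can be audited offline. The script below is an added example, not code from the original post; it assumes you feed it the text of mongod.conf and the output of `iptables -S INPUT`, and the sample inputs are constructed (203.0.113.0/24 is documentation address space).

```python
"""Audit the MongoDB exposure checks described above (added example)."""
import re

MONGO_PORT = 27017
WILDCARD_BINDS = {"0.0.0.0", "::", "0.0.0.0/0"}


def mongod_is_exposed(conf_text):
    """True if mongod.conf makes the server listen on every interface.

    Understands the YAML form (net: / bindIp: / bindIpAll:) and the old
    INI form (bind_ip = ...). An absent setting is treated as localhost-only,
    the MongoDB 3.6+ default (assumption: nothing overrides it elsewhere).
    """
    if re.search(r"^\s*bindIpAll:\s*true\b", conf_text, re.M):
        return True
    m = re.search(r"^\s*(?:bindIp:|bind_ip\s*=)\s*(\S+)", conf_text, re.M)
    if not m:
        return False
    addrs = [a.strip() for a in m.group(1).split(",")]
    return any(a in WILDCARD_BINDS for a in addrs)


def _opt(line, flag):
    """Value of a single-argument iptables option (-s, -i, -j, --dport) or None."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r" (\S+)", line)
    return m.group(1) if m else None


def parse_input_chain(iptables_s_output):
    """Parse `iptables -S INPUT` into (policy, rules), keeping rule order."""
    policy, rules = "ACCEPT", []
    for line in iptables_s_output.splitlines():
        line = line.strip()
        pm = re.match(r"-P INPUT (\S+)", line)
        if pm:
            policy = pm.group(1)
            continue
        if not line.startswith("-A INPUT"):
            continue
        dport = _opt(line, "--dport")
        rules.append({"src": _opt(line, "-s"), "iface": _opt(line, "-i"),
                      "dport": int(dport) if dport else None,
                      "target": _opt(line, "-j"), "raw": line})
    return policy, rules


def audit_mongo_rules(iptables_s_output, port=MONGO_PORT):
    """Return findings (empty list = chain matches the recipe in the post)."""
    policy, rules = parse_input_chain(iptables_s_output)
    findings = []
    port_rules = [r for r in rules if r["dport"] == port]
    # Index of the first catch-all DROP/REJECT for the MongoDB port.
    catch_all = next((i for i, r in enumerate(port_rules)
                      if r["target"] in ("DROP", "REJECT") and r["src"] is None), None)
    if catch_all is None and policy != "DROP":
        findings.append(f"no catch-all DROP/REJECT for tcp/{port}: port is open to everyone")
    for i, r in enumerate(port_rules):
        if r["target"] != "ACCEPT":
            continue
        if r["src"] is None and r["iface"] != "lo":
            findings.append(f"ACCEPT without a source restriction: {r['raw']}")
        elif catch_all is not None and i > catch_all:
            # Chains are evaluated top-down: an ACCEPT below the DROP is dead.
            findings.append(f"ACCEPT listed after the DROP never matches: {r['raw']}")
    if policy == "DROP" and not any(r["dport"] == 22 and r["target"] == "ACCEPT" for r in rules):
        findings.append("INPUT policy is DROP with no ACCEPT for tcp/22: SSH would be locked out")
    return findings


# Constructed sample inputs (not real hosts or files).
GOOD_CONF = "net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
EXPOSED_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
LEGACY_EXPOSED_CONF = "# bind_ip = 127.0.0.1\nbind_ip = 0.0.0.0\nport = 27017\n"

GOOD_CHAIN = """\
-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -j DROP
"""
# The ordering mistake the post warns about: DROP inserted first shadows the ACCEPT.
WRONG_ORDER_CHAIN = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -j DROP
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 27017 -j ACCEPT
"""
# The other mistake: `iptables -P INPUT DROP` applied before SSH was allowed.
LOCKOUT_CHAIN = """\
-P INPUT DROP
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 27017 -j ACCEPT
"""

if __name__ == "__main__":
    for name, chain in [("good", GOOD_CHAIN), ("wrong order", WRONG_ORDER_CHAIN),
                        ("lockout", LOCKOUT_CHAIN)]:
        print(name, "->", audit_mongo_rules(chain) or ["ok"])
    print("exposed:", mongod_is_exposed(EXPOSED_CONF), mongod_is_exposed(GOOD_CONF))
```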
itsrahulpradeepposts · 4 years ago
Top Cloud Computing Interview Questions with their Answers
1. What is the difference between cloud computing and mobile computing?
Cloud computing is when you store your files and folders in a "cloud" on the Internet. This gives you the flexibility to access all your files and folders wherever you are in the world, but you do need a physical device with Internet access to reach them. Mobile computing is taking a physical device with you; this could be a laptop, a mobile phone, or some other device. Mobile computing and cloud computing are somewhat analogous, and mobile computing uses the concept of cloud computing. Cloud computing provides users with the data they require, while in mobile computing the applications run on a remote server and give the user access for storing and managing the data.
2. What is the difference between scalability and elasticity?
Scalability is a characteristic of cloud computing used to handle an increasing workload by increasing the amount of resource capacity in proportion. Through scalability, the architecture provides on-demand resources when traffic raises the requirement. Elasticity, on the other hand, is the characteristic of commissioning and decommissioning a large amount of resource capacity dynamically. It is measured by the speed at which resources become available on demand and by the usage of those resources.
3. What are the security benefits of cloud computing?
Complete protection against DDoS: Distributed Denial of Service attacks have become very common and target the cloud data of companies, so cloud security restricts the traffic reaching the server. Traffic that could be a threat to the company and its data is thus averted.
Security of data: As data grows, data breaches become a significant issue and servers become soft targets. Cloud data security helps protect sensitive information and keeps the data secure against third parties.
Flexibility: Cloud offers flexibility, which makes it popular. The user can avoid server crashes in case of excess traffic, and when the high traffic is over, the user can scale back to reduce cost.
Identity management: Cloud computing authorizes the application server, so it is used for identity management. It grants permissions to users so that they can control the access of other users entering the cloud environment.
4. What is the usage of utility computing?
Utility computing, or The Computer Utility, is a service provisioning model in which a service provider makes computing resources and infrastructure management available to the customer as needed and charges for specific usage rather than a flat rate. Utility computing is a plug-in managed by an organization that decides what type of services have to be deployed from the cloud. It allows users to pay only for what they use.
5. Explain Security management regarding Cloud Computing.
– Identity management access provides the authorization of application services
– Access control: permission is given to users to have complete control over the access of another user entering the cloud environment
– Authentication and authorization give only authorized and authenticated users access to the data and applications
6. How would you secure data for transport in the cloud?
When transporting data in a cloud computing environment, keep two things in mind: make sure that no one can intercept your data as it moves from point A to point B in the cloud, and make sure that no data leaks (malicious or otherwise) from any storage in the cloud. A virtual private network (VPN) is one way to secure data while it is being transported in a cloud; a VPN turns the public network into a private one. A well-designed VPN incorporates two things: a firewall that acts as a barrier between the public network and any private network, and encryption, which protects your sensitive data from hackers; only the computer you send it to should have the key to decode the data. Check that there is no leak of the encryption key used for the data you send while it moves from point A to point B in the cloud.
17. What are some large cloud providers and databases?
The most used large cloud providers and databases are:
– Google BigTable
– Amazon SimpleDB
– Cloud-based SQL
18. List the open-source cloud computing platform databases?
The open-source cloud computing platform databases are:
– MongoDB
– CouchDB
– LucidDB
19. Explain what is the full form and usage of “EUCALYPTUS” in cloud computing.
"EUCALYPTUS" stands for Elastic Utility Computing Architecture for Linking Your Programs to Useful Systems. Eucalyptus is an open-source software infrastructure for cloud computing that enables us to implement clusters on a cloud computing platform. The main application of Eucalyptus is to build public, hybrid, and private clouds. Using it, you can turn your own data center into a private cloud and make it available to other organizations to make the most of the functionality Eucalyptus offers.
20. Explain public, static, and void class.
Public: This is an access modifier; it specifies who can access a particular method. A public method is accessible from any class. Static: This keyword in Java tells us that the member is class-based, meaning it can be accessed without creating an instance of the class. Void: Void defines a method that does not return any value, so it relates to the method's return type.
Know more about India’s best Cloud computing Course from greatlearning.
un-enfant-immature · 7 years ago
Kalepso looks to break into the crowded encrypted database space
Databases might be the least sexy thing in tech. Second to that might be encryption. That isn’t stopping Kalepso, a Montreal, Canada-based encrypted database startup that’s trying to fill in the gaps in an already crowded security space. (No pressure, then.)
Kalepso says it can do better than other database offerings out there by melding strong security with high reliability, while filling in the spots where sensitive data can be accessed or obtained in the clear. Its Harvard-educated founders found that all the existing database services out there are either slow or insecure. The team says Kalepso, its eponymous database system, sits between the database storage and the application, providing several layers of additional security, which they say doesn’t sacrifice speed, security or functionality of the database. The company launched today at Disrupt Berlin on the Startup Battlefield stage.
In other words, you can access your data securely without it leaking — or getting stolen.
Insider threats, check. Data breaches, protected. Chip-level exploits? No problem, said Kalepso co-founder Georgios Depastas. Kalepso says that its database encryption software covers all bases. Kalepso uses differential privacy to allow database analysis without revealing individuals’ data, while oblivious RAM re-scrambles the database after each query to avoid pattern leakages.
Depastas and team said that they’re already using their technology to help one unnamed financial institution — where data security is paramount — switch from a clunky and cumbersome data transfer setup to Kalepso, by intercepting and encrypting data from its runtime environment in real time and feeding it to its storage server. That means the encrypted data can’t be read on the server — either in storage or its memory. But Kalepso’s technology still lets authorized users run analytics on the data set without decrypting the data. “Every time a new query is fired, the data gets dynamically re-encrypted,” said Depastas, referring to its use of oblivious RAM.
But what does Kalepso’s security offer better than the other major players — Oracle’s MySQL, PostgreSQL or MongoDB? Kalepso doesn’t have a punchy nor convincing answer.
The product sounds good in theory, but Kalepso faces an uphill battle for relevance. The database and database security market is busy and competitive, and the startup is fighting against a raft of already established database encryption offerings, from Baffle to in-house providers like Amazon. The database market is huge — and growing, as much as double-digit billions by 2025.
Kalepso has so far struggled to find its voice — instead relying on catchy cartoon videos, and buzzwords like “hack-proof data protection” and “military-grade encryption” — terms that draw ire from the security community for their baseless and unprovable claims.
The company gets points for using existing, tried and tested cryptographic standards to scramble the data, but loses points for offering a security product — another layer of code that hackers can use to attack — that isn’t open source. That means the code is proprietary and could have flaws — or worse, susceptible to backdoors or exploitation. “We haven’t experienced significant pushback to this approach,” said Depastas. That may work for now, but it’s not likely to fly in the wider enterprise market, which relies on extensive testing and auditing rather than trust or blind faith.
Three years of research later, there’s hope for Kalepso’s success. The company has a beta product and a staging area for companies to test the product — but little else to show for it, beyond impossible promises and thoughtless marketing.
Bad Actors Target MongoDB Databases, Threatening to Contact GDPR Legislators Unless Ransom is Paid
Bad actors are targeting unsecured MongoDB servers, wiping their database and leaving ransom notes outlining threats to leak the stolen information and report owners for GDPR violations.
According to Victor Gevers, the chairman of the international non-profit organization GDI Foundation, hackers are actively scanning the Internet for unsecured and vulnerable MongoDB servers.
More than 22,000 ransom notes have been uploaded to exposed MongoDB databases, accounting for nearly 47% of all MongoDB NoSQL databases that are accessible online.
This type of attack has been observed since April 2020. After cyber criminals infiltrate and steal the data, they leave a “READ_ME_TO_RECOVER_YOUR_DATA” ransom note:
“All your data is a backed up. You must pay 0.015 BTC to [redacted] 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://ift.tt/PdA2lf with this guide https://ift.tt/106qBiJ After paying write to me in the mail with your DB IP: [redacted]”
Gevers also noted that Shodan, the IoT search engine, has listed more than 15,000 affected MongoDB databases, while Binary Edge recorded around 23,000.
Cyber criminals have been capitalizing on unsecured databases for years. However, this series of targeted attacks brings a new feature: threats related to GDPR legislation. Victims who refuse to pay 0.015 BTC (around 140 US dollars) will be reported to GDPR authorities, and could face a larger fine.
"The trick is if you pay, then you want your data back and no GDPR trouble," Gevers added. "So this means you are willing to pay even more when they extort for more? People pay for real valuable data. So this way, they figure out what has value, I guess."
from HOTforSecurity https://ift.tt/38sE7T0
ntfox · 5 years ago
Hacker ransoms 23k MongoDB databases and threatens to contact GDPR authorities
The hacker is giving companies two days to pay, and threatens to leak their data and then contact their local General Data Protection Regulation (GDPR) enforcement authority to report their data leak. from Cyware News - Latest Cyber News http://blog.rafinia.info/2020/07/hacker-ransoms-23k-mongodb-databases.html
artificialgrass · 5 years ago
Senior Software Engineer (Java)
Trustwave Government Solutions is a leading provider of data security and compliance services to the U.S. Federal government. Our team of security experts, ethical hackers and researchers enables our government partners to transform the way they manage their information security and compliance programs, ensuring each customer receives valuable outcomes at the best value. The agencies we work with benefit from our collaborative, innovative approach to meeting their unique needs. We listen carefully and respond nimbly. Our solutions combine industry best practices with customized technology to ensure quality and integrity. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit www.trustwave.com.
Trustwave, a leader in cloud-based compliance and information security solutions, is seeking a Senior Software Engineer to join Trustwave’s Product Engineering Team.
Responsibilities:
Work in small, agile teams to design, prototype and build new product offerings and enhance existing products and tools
Collaborate with Product Management to identify, prioritize and document detailed product requirements
Design, develop and document application and framework code in Java, DART and other object-oriented programming languages
Create robust automated unit/functional test suites and deployment scripts
Work with internal QA team on system, performance and acceptance testing
Technical Requirements:
Familiarity with Agile/iterative development methodologies (XP, SCRUM, etc.)
Strong object-oriented design and Java programming skills, including experience with leading open source frameworks such as Spring, Hibernate and JUnit
Experience developing rich application UIs using Google DART and/or newer JavaScript frameworks (Angular, Polymer, Ember, etc.) is highly desirable
Familiarity with C/C++ or other object-oriented languages (e.g. Groovy, Python, Ruby) is also desirable
Solid relational DBMS skills using MySQL, PostgreSQL or other DBMS products. Experience with Big Data technologies (Hadoop, ElasticSearch, MapReduce, MongoDB, etc.) is highly desirable.
Real-world experience building very large scale, high availability applications
Experience developing web services using REST, SOAP, or XML-RPC approaches.
General Requirements:
Ability to work with distributed teams in a dynamic, iterative development process
Occasional overnight travel to other Trustwave offices in the U.S. may be required
Excellent oral and written communication skills
BS in Computer Science or Engineering is preferred
Familiarity with the security industry is desirable but not required
Education: We prefer college-educated applicants, but at minimum, high school diploma or equivalent is required for employment.
Trustwave is an Equal Opportunity Employer of Minorities, Females, Protected Veterans, and Individuals with Disabilities.
To All Agencies:
Please, no phone calls or emails to any employee of Trustwave outside of the Talent Acquisition team. Trustwave's policy is to only accept resumes from agencies via the Trustwave Agency Portal. Agencies must have a valid fee agreement in place and must have been assigned the specific requisition to which they submit resumes by the Talent Acquisition team. Any resume submitted outside of this process will be deemed the sole property of Trustwave, and in the event a candidate submitted outside of this policy is hired, no fee or payment of any kind will be paid. #VR
from Naperville Employment https://ift.tt/2NP89a9 via IFTTT
tech-battery · 5 years ago
Critical Windows 10 vulnerability used to Rickroll the NSA and Github
Less than a day after Microsoft disclosed one of the most critical Windows vulnerabilities ever, a security researcher has demonstrated how attackers can exploit it to cryptographically impersonate any website or server on the Internet.
Researcher Saleem Rashid on Wednesday tweeted images of the video "Never Gonna Give You Up," by 1980s heartthrob Rick Astley, playing on Github.com and NSA.gov. The digital sleight of hand is known as Rickrolling and is often used as a humorous and benign way to demonstrate serious security flaws. In this case, Rashid's exploit causes both the Edge and Chrome browsers to spoof the HTTPS verified websites of Github and the National Security Agency. Brave and other Chrome derivatives, as well as Internet Explorer, are also likely to fall to the same trick. (There's no indication Firefox is affected.)
Rashid's simulated attack exploits CVE-2020-0601, the critical vulnerability that Microsoft patched on Tuesday after receiving a private tipoff from the NSA. As Ars reported, the flaw can completely break certificate validation for websites, software updates, VPNs, and other security-critical computer uses. It affects Windows 10 systems, including server versions Windows Server 2016 and Windows Server 2019. Other versions of Windows are unaffected.
Rashid told me his exploit uses about 100 lines of code but that he could compress it down to 10 lines if he wanted to remove a "few useful tricks" his attack has. While there are constraints and several potentially difficult requirements in getting the exploit to work in real-world, adversarial conditions (more about that later), Wednesday's proof-of-concept attack demonstrates why the NSA assesses the vulnerability as "severe" and said sophisticated hackers could understand how to exploit it "quickly."
“Fairly terrifying”
Other researchers shared the NSA's sense of urgency.
"What Saleem just demonstrated is: with [a short] script you can generate a cert for any website, and it's fully trusted on IE and Edge with just the default settings for Windows," Kenn White, a researcher and security principal at MongoDB, said. "That's fairly horrifying. It affects VPN gateways, VoIP, basically anything that uses network communications." (I spoke with White before Rashid had demonstrated the attack against Chrome.)
The flaw involves the way the new versions of Windows check the validity of certificates that use elliptic-curve cryptography. While the vulnerable Windows versions check three ECC parameters, they fail to verify a fourth, crucial one, which is known as a base point generator and is often represented in algorithms as G'. This failure is a result of Microsoft's implementation of ECC rather than any flaw or weakness in the ECC algorithms themselves.
Attackers can exploit the flaw by extracting the public key of a root certificate that ships by default in Windows. These certificates are described as root because they belong to big certificate authorities that either issue their own TLS certificates or validate intermediate certificate authorities that sell certificates on the root CA's behalf. Any root certificate will work, as long as it's signed with an ECC algorithm. Rashid's attack started with a root certificate from Sectigo, the Internet's biggest CA, which previously used the name Comodo. The researcher later modified his attack to use a GlobalSign root certificate. His code made the switch automatic.
The attacker examines the specific ECC algorithm used to generate the root-certificate public key and proceeds to craft a private key that copies all of the certificate parameters for that algorithm except for the point generator. Because vulnerable Windows versions fail to check that parameter, they accept the private key as valid. With that, the attacker has spoofed a Windows-trusted root certificate that can be used to mint any individual certificate used for authentication of websites, software, and other sensitive properties.
The behavior is tantamount to a law enforcement officer who checks someone's ID to make sure it properly describes the person's height, address, birthday, and face but fails to notice that the weight is listed as 250 pounds when the person clearly weighs less than half that.
"It's such a strange bug, because it's like they're only halfway checking something that is at the root of the entire trust system," White said. "It's a core part of the whole chain of trust."
For more detailed technical explanations of the bug, see posts here and here, and the Twitter thread here.
The caveats
As noted earlier, there are several requirements and constraints that significantly raise the bar for Rashid's attack to work in real-world uses by an adversary. The first is that it most likely requires an active man-in-the-middle attack. These types of attacks, which modify data as it passes through networks, may be difficult to carry out. An alternative to an active MitM is to convince a target to click on a fake URL. This method is much easier, but it also requires some targeting. (It wouldn't apply to attacks against websites or other servers that require a certificate from the connecting client.)
The exploit also requires that the target has recently visited a site with a transport layer security certificate that's chained to an ECC-signed root certificate. That's because the root certificate must already be cached by the targeted system. In the event a targeted system doesn't have the root certificate cached, Rashid said, an attacker could still pull off an exploit by adding JavaScript that accesses a site chained to the root certificate.
Another constraint: Chrome uses a mechanism known as certificate pinning for google.com and a variety of other sensitive websites. Pinning requires that the certificate authenticating a website contain a specific cryptographic hash, even if the certificate offered is otherwise valid. This measure would prevent exploits from working when they spoofed protected sites.
While installing Tuesday's patch from Microsoft is the only reasonable way to prevent attacks, a Google representative said Chrome developers have already distributed a fix in a beta version and will fold it into stable versions soon. A word of caution: Chrome's fix covers only Chrome's own TLS validation. Users of vulnerable Windows versions who don't patch still face considerable risk from the other attack scenarios, such as signature checks on executables that rely on the same CryptoAPI code.
A matter of time
Despite the requirements and limitations, the vulnerability is serious. As NSA officials put it in the above-linked advisory:
The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.
The vulnerability may not pose as extreme a threat as those caused by the Heartbleed flaw in 2014 that allowed attackers to steal private keys, passwords, and other highly sensitive data from hundreds of thousands of vulnerable sites. But because of the breadth of security measures foiled by the Microsoft vulnerability, it's worse even than Apple's critical goto fail flaw, which prevented iOS and macOS systems from detecting invalid TLS certificates served by websites. That makes CVE-2020-0601 one of the most severe vulnerabilities in recent memory.
Windows' automatic update mechanism is likely to have patched vulnerable systems already. For anyone else, fixes for the various vulnerable versions are available here. Readers who haven't patched yet should do so immediately.
terabitweb · 6 years ago
Text
Original Post from InfoSecurity Magazine Author:
Choice Hotels Breach: Hackers Leave Ransom Note For 700K Records
Hackers claim to have stolen 700,000 customer records from Choice Hotels thanks to an exposed MongoDB instance, it has emerged.
The US-based chain, which runs franchised outlets in over 40 countries worldwide, is now being held to ransom after the hackers left a note demanding 0.4 Bitcoin (around $3800) in payment for the data, which they claimed to have copied.
Security researcher Bob Diachenko worked with security firm Comparitech to discover the database, which was left completely exposed online. However, hackers had already got there: the database had been online without password protection for only four days before attackers found it.
Although the database held 5.6 million records in total, Choice Hotels told Comparitech that most of these were test data. The 700,000 genuine records that were stolen include customer names, email addresses and phone numbers.
The server itself is said to have been owned and managed by a third party who was working with the hotel chain on a new “tool.”
“We have discussed this matter with the vendor and will not be working with them in the future,” Choice Hotels told Comparitech in an email.
“We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature. We are also establishing a Responsible Disclosure Program, and we welcome Mr Diachenko’s assistance in helping us identify any gaps.”
Diachenko believed the ransom note was left by an automated script set up specifically to target exposed MongoDB databases, although it didn’t succeed in wiping the data.
This is only the latest of many similar incidents involving unsecured MongoDB instances.
This year alone, hundreds of millions of individuals have had their personal data exposed, including 200 million Chinese CVs, 12.5 million Indian mothers, and 808 million records from an email validation firm.
Unsurprisingly, hackers are getting wise to these misconfigurations: earlier this month it was revealed that attackers stole 2.1 million records from a Mexican bookstore, demanding a ransom.
KnowBe4 security awareness advocate, Javvad Malik, argued that the Choice Hotels incident is yet another example of user error.
“While Choice Hotels may be correct in that the data was hosted by a third party and none of their servers were compromised, it does not change the fact that it was their customer data which was breached,” he added. “It has an obligation to ensure the security of its customer data whether it's kept by themselves, or handed over to a third party.”
gyrlversion · 6 years ago
Text
A Plan to Stop Breaches With Dead Simple Database Encryption
Data breaches and exposures have become so common these days, it’s difficult to keep track of them all, much less step back to mull a solution. But, perhaps out of necessity, researchers from the database giant MongoDB have spent the past two years developing a new database encryption scheme aimed squarely at reducing these damaging incidents. Their secret weapon? Radical simplicity.
The idea of encrypting databases in various ways isn’t new. But in practice there have been limitations on where and when data was actually protected. Databases are often encrypted “server-side,” meaning the server holds the keys: random strangers can’t query it for information, but it decrypts data for any credentialed user. That also means anyone with full access to the server, the database operator and administrators included, can decrypt and read everything. This puts the data at risk from both outside hackers wielding stolen credentials and rogue insiders who have been granted more access than they need.
Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.
Other types of encryption schemes, though, typically add both complexity and cost, which is why it’s taken so long for companies like MongoDB to offer something that’s both usable and secure. And given that companies as large as Adobe and Google rely on MongoDB database architecture, it’s a solution that could have outsized impact.
“One reason that no one did this before was because they didn’t perceive customer demand the way that it’s easy to perceive today,” says Davi Ottenheimer, MongoDB’s vice president of trust and digital ethics. All those high-profile database breaches have finally started to make companies aware of what solid encryption is worth.
MongoDB calls the new feature Field Level Encryption. It works kind of like end-to-end encrypted messaging, which scrambles data as it moves across the internet, revealing it only to the sender and the recipient. In such a “client-side” encryption scheme, databases utilizing Field Level Encryption will not only require a system login, but will additionally require specific keys to process and decrypt specific chunks of data locally on a user’s device as needed. That means MongoDB itself and cloud providers won’t be able to access customer data, and a database’s administrators or remote managers don’t need to have access to everything either.
For regular users, not much will be visibly different. If their credentials are stolen and they aren’t using multifactor authentication, an attacker will still be able to access everything the victim could. But the new feature is meant to eliminate single points of failure. With Field Level Encryption in place, a hacker who steals an administrative username and password, or finds a software vulnerability that gives them system access, still won’t be able to use these holes to access readable data.
The focus, Ottenheimer says, was on trying to offer that security in a form customers would actually adopt—a classic cybersecurity problem. “We really focused on making this easy for developers to put into their path to release,” he says. “We want them to be able to release new products and code as quickly as possible.”
Field Level Encryption is built on well-tested, public encryption standards and is open source, so it can be extensively vetted by the cryptanalysis community. That auditing process has already begun, but it will expand significantly during the tool’s beta testing phase, set to start next week. Brown University cryptographer Seny Kamara has been assessing Field Level Encryption and says that MongoDB has already made changes based on his team’s feedback.
“This cryptographic technology is new, and like much of cryptography there are trade-offs between efficiency and security,” he says. “MongoDB’s effort to involve the cryptography community is unusual and welcomed. Being proactive about getting new cryptography analyzed is definitely the right way to do things.”
As with any defense mechanism, Field Level Encryption comes with limitations and caveats. Most importantly, MongoDB databases are what’s called “NoSQL” databases, meaning they can accommodate all sorts of unstructured data and fan out across many servers as they grow. But while MongoDB offers the most popular type of NoSQL database, so-called SQL databases, or relational databases, are still more common overall. This means that Field Level Encryption, or something like it, won’t be coming to every database anytime soon. Additionally, the new feature creates the challenge of managing all of the different encryption keys across cloud providers, and it constrains what the database can do with encrypted fields: the server only ever sees ciphertext, so a field encrypted deterministically can still be matched for equality, but a randomly encrypted field cannot be searched at all, and neither kind can be sorted or range-queried.
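To make the “client-side” distinction and the query trade-off concrete, here is an added example that is not MongoDB's code and is not described in the article: a small Python model in which the client encrypts selected fields before a document is stored, the “server” is a plain list standing in for a collection, and the two encryption modes show why equality matching survives deterministic encryption while randomized fields cannot be queried. The cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag; that is a stand-in for the AES-CBC-HMAC scheme the real feature uses, chosen so the example needs only the standard library. The data key, schema and sample documents are all constructed.

```python
"""Client-side field-level encryption in miniature. Added example, not MongoDB's
code: the client encrypts chosen fields before a document leaves the process, so
the 'server' (a list standing in for a collection) holds only ciphertext.
Cipher: HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag, a stand-in
for the AES-CBC-HMAC scheme MongoDB uses, chosen to need only the stdlib."""
import hashlib
import hmac
import os

def _subkey(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_field(key: bytes, plaintext: bytes, deterministic: bool) -> bytes:
    # Deterministic: IV derived from the plaintext (SIV-style), so equal values
    # give equal ciphertexts and the server can match them for equality.
    # Randomized: fresh IV, so the server cannot even tell which rows share a value.
    if deterministic:
        iv = hmac.new(_subkey(key, b"siv"), plaintext, hashlib.sha256).digest()[:16]
    else:
        iv = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), iv, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def decrypt_field(key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), iv, len(ct))))

class EncryptingClient:
    """Applies a per-field schema ({field: 'deterministic' | 'random'}) on the
    way in and out; fields not in the schema are stored in the clear."""
    def __init__(self, data_key: bytes, schema: dict):
        self.key, self.schema = data_key, schema

    def insert(self, server: list, doc: dict) -> None:
        stored = dict(doc)
        for field, mode in self.schema.items():
            if field in stored:
                stored[field] = encrypt_field(self.key, stored[field].encode(), mode == "deterministic")
        server.append(stored)

    def _decrypt(self, stored: dict) -> dict:
        doc = dict(stored)
        for field in self.schema:
            if field in doc:
                doc[field] = decrypt_field(self.key, doc[field]).decode()
        return doc

    def find_equal(self, server: list, field: str, value: str) -> list:
        if self.schema.get(field) != "deterministic":
            raise ValueError(f"{field!r}: equality queries need deterministic encryption")
        token = encrypt_field(self.key, value.encode(), True)  # identical to the stored bytes
        return [self._decrypt(d) for d in server if d.get(field) == token]

def demo() -> dict:
    key = hashlib.sha256(b"constructed demo data key, not a real one").digest()
    client = EncryptingClient(key, {"ssn": "deterministic", "notes": "random"})
    server = []  # what MongoDB, its admins and any backup would hold
    client.insert(server, {"name": "A. Example", "ssn": "123-45-6789", "notes": "flu"})
    client.insert(server, {"name": "B. Example", "ssn": "123-45-6789", "notes": "flu"})
    matches = client.find_equal(server, "ssn", "123-45-6789")
    try:
        client.find_equal(server, "notes", "flu")
        random_field_queryable = True
    except ValueError:
        random_field_queryable = False
    return {
        "plaintext_visible_to_server": any(d["ssn"] == b"123-45-6789" or d["notes"] == b"flu" for d in server),
        "equality_hits_on_ssn": len(matches),
        "decrypted_ssn": matches[0]["ssn"],
        "same_note_same_ciphertext": server[0]["notes"] == server[1]["notes"],
        "random_field_queryable": random_field_queryable,
    }
```

Run `demo()` to see both sides of the trade-off: the two identical SSNs produce identical ciphertext, so an equality lookup works but the server can see that two records share a value; the two identical notes produce different ciphertext, so nothing leaks but nothing can be searched either. In the real feature the data key itself is wrapped by a master key in a separate key-management service, which is the key-handling burden the article mentions.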
Still, given MongoDB’s reach, Field Level Encryption is an important step—one the company hopes other database makers will now be motivated to take too. And Kenn White, MongoDB’s product security lead, says that he thinks the company will be able to overcome more and more of these limitations as it works with beta testers and beyond. Above all, the goal of the new defense, he says, is to limit access to the data as much as possible. He likens the feature to putting valuables in a safe, then placing the safe in a locked storage unit. Even if someone pressures the storage provider to cut the lock, they’ll still have to contend with your safe.
Nothing can ever be a total security panacea, though. “If you put a pair of bolt cutters and a sticky note with the safe combo on the ground outside your unit, then yeah, I got nothing,” White says. “But if you have confidential workloads, now you don’t need to trust MongoDB. If you have a backup that’s sitting in a cloud bucket—no one can read the encrypted fields. You can run highly sensitive workloads and have protection against an insider attack or an internal breach. That’s a much better position to be in.”
The post A Plan to Stop Breaches With Dead Simple Database Encryption appeared first on Gyrlversion.
from WordPress http://www.gyrlversion.net/a-plan-to-stop-breaches-with-dead-simple-database-encryption/
the-hacker-news · 6 years ago
Text
Thousands of Unprotected Kibana Instances Exposing Elasticsearch Databases
The Hacker News : In today’s world, data plays a crucial role in the success of any organization, but if left unprotected, it could be a cybercriminal’s dream come true. Poorly protected MongoDB, CouchDB, and Elasticsearch databases have lately received a lot more attention from cybersecurity firms and the media. More than half of the known cases of massive data breaches over the past year originated from unsecured http://dlvr.it/R1yvjQ Posted by : Mohit Kumar ( Hacker )
fmservers · 7 years ago
Text
Kalepso looks to break into the crowded encrypted database space
Databases might be the least sexy thing in tech. Second to that might be encryption. That isn’t stopping Kalepso, a Montreal, Canada-based encrypted database startup that’s trying to fill in the gaps in an already crowded security space. (No pressure, then.)
Kalepso says it can do better than other database offerings out there by melding strong security with high reliability, while filling in the spots where sensitive data can be accessed or obtained in the clear. Its Harvard-educated founders found that all the existing database services out there are either slow or insecure. The team says Kalepso, its eponymous database system, sits between the database storage and the application, providing several layers of additional security, which they say doesn’t sacrifice speed, security or functionality of the database. The company launched today at Disrupt Berlin on the Startup Battlefield stage.
In other words, you can access your data securely without it leaking — or getting stolen.
Insider threats, check. Data breaches, protected. Chip-level exploits? No problem, said Kalepso co-founder Georgios Depastas. Kalepso says that its database encryption software covers all bases. Kalepso uses differential privacy to allow aggregate analysis of the database without revealing any individual’s data, while oblivious RAM re-encrypts and reshuffles the stored records after each access so that the storage server cannot learn which records a query touched.
Depastas and team said that they’re already using their technology to help one unnamed financial institution — where data security is paramount — switch from a clunky and cumbersome data transfer setup to Kalepso, by intercepting and encrypting data from its runtime environment in real time and feeding it to its storage server. That means the encrypted data can’t be read on the server — either in storage or its memory. But Kalepso’s technology still lets authorized users run analytics on the data set without decrypting the data. “Every time a new query is fired, the data gets dynamically re-encrypted,” said Depastas, referring to its use of oblivious RAM.
But what does Kalepso’s security offer that the other major players, Oracle’s MySQL, PostgreSQL or MongoDB, don’t? Kalepso doesn’t have a punchy or convincing answer.
The product sounds good in theory, but Kalepso faces an uphill battle for relevance. The database and database security market is busy and competitive, and the startup is fighting against a raft of already established database encryption offerings, from Baffle to in-house providers like Amazon. The database market is huge — and growing, as much as double-digit billions by 2025.
Kalepso has so far struggled to find its voice — instead relying on catchy cartoon videos, and buzzwords like “hack-proof data protection” and “military-grade encryption” — terms that draw ire from the security community for their baseless and unprovable claims.
The company gets points for using existing, tried and tested cryptographic standards to scramble the data, but loses points for offering a security product — another layer of code that hackers can use to attack — that isn’t open source. That means the code is proprietary and could have flaws — or worse, susceptible to backdoors or exploitation. “We haven’t experienced significant pushback to this approach,” said Depastas. That may work for now, but it’s not likely to fly in the wider enterprise market, which relies on extensive testing and auditing rather than trust or blind faith.
Three years of research later, there’s hope for Kalepso’s success. The company has a beta product and a staging area for companies to test the product — but little else to show for it, beyond impossible promises and thoughtless marketing.
Via Zack Whittaker https://techcrunch.com
theinvinciblenoob · 7 years ago
Link
MongoDB is a bit miffed that some cloud providers — especially in Asia — are taking its open source code and are offering a hosted commercial version of its database to their users without playing by the open source rules. To combat this, MongoDB today announced that it has issued a new software license, the Server Side Public License (SSPL), that will apply to all new releases of its MongoDB Community Server, as well as all patch fixes for prior versions.
Previously, MongoDB used the GNU AGPLv3 license, but it has now submitted the SSPL for approval by the Open Source Initiative.
For virtually all regular users who are currently using the community server, nothing changes because the changes to the license don’t apply to them. Instead, this is about what MongoDB sees as the misuse of the AGPLv3 license. “MongoDB was previously licensed under the GNU AGPLv3, which meant companies who wanted to run MongoDB as a publicly available service had to open source their software or obtain a commercial license from MongoDB,” the company explains. “However, MongoDB’s popularity has led some organizations to test the boundaries of the GNU AGPLv3.”
So while the SSPL isn’t all that different from the GNU GPLv3, with all the usual freedoms to use, modify and redistribute the code (and virtually the same language), the SSPL explicitly states that anybody who wants to offer MongoDB as a service — or really any other software that uses this license — needs to either get a commercial license or open source the service to give back to the community.
“The market is increasingly consuming software as a service, creating an incredible opportunity to foster a new wave of great open source server-side software. Unfortunately, once an open source project becomes interesting, it is too easy for cloud vendors who have not developed the software to capture all of the value but contribute nothing back to the community,” said Eliot Horowitz, the CTO and co-founder of MongoDB, in a statement. “We have greatly contributed to — and benefited from — open source and we are in a unique position to lead on an issue impacting many organizations. We hope this will help inspire more projects and protect open source innovation.”
I’m sure this move will ruffle some feathers. It’s hard to discuss open source licenses without getting religious about what this movement is all about. And since MongoDB is the commercial entity behind the software and manages outside contributions to the code, it does have a stronger grip on the actual code than other projects that are managed by a large open source foundation, for example. For some, that alone is anathema to everything they think open source should stand for. For others, it’s simply a pragmatic way to develop software. Either way, though, this will kick off a discussion about how companies like MongoDB manage their open source projects and how much control they can exert over how their code is used. I, for one, can’t wait to read the discussions on Hacker News today.
via TechCrunch
thetechnologyguy-blog1 · 7 years ago
Text
Mongo Lock: The attack that deletes MongoDB databases
The attack has already generated revenues for the hackers
Ethical hacking specialists report that an attack called “Mongo Lock” targets accessible and unprotected MongoDB databases, deletes their content, and then demands a ransom to get the deleted content back.
Even though this is a recently deployed campaign, this type of attack is not new, and MongoDB databases have been a favorite target of hackers for a while. The attackers operate by scanning the internet with services like the Shodan search engine to find MongoDB servers without protection. Once connected, they can export the databases, delete them, and then create a ransom note explaining how to retrieve the data.
Bob Diachenko, the ethical hacking expert who discovered the Mongo Lock campaign, reports that attackers get into unprotected databases and delete them. In their place, the attackers leave a new database called “Warning” with a collection inside it called “ReadMe”.
The ReadMe collection contains a note explaining that the database has been encrypted and that the victims must pay a ransom to retrieve it. In the Mongo Lock campaign the attackers do not include a Bitcoin wallet address in the note; instead they instruct the victim to contact them by email.
The Mongo Lock ransom note reads:
“Your database was encrypted by ‘Mongo lock’. If you want to retrieve your information, you must pay 0.1 Bitcoin. Do not delete ‘Unique_KEY’ and store it in a safe place, without it we will not be able to help you. Send an email: [email protected] to decrypt your data”.
Other variants of the attack will show the Bitcoin address to be used for payment before contacting attackers via the included email.
Although the ransom note claims that the attackers export the database before deleting it, ethical hacking experts agree that there is no way to confirm whether they actually do.
The victims are paying for the ransom
Searching for some of the Bitcoin addresses used in recent MongoDB attacks shows that victims have been paying to recover their databases.
For example, the Bitcoin address 3FAVraz3ovC1pz4frGRH6XXCuqPSWeh3UH, which has been used frequently in recent days, has received 3 ransom payments totaling 1.8 BTC. That is a little over $11k USD at the current value of the currency.
Scripts don’t always work
According to the ethical hacking specialist, the attackers appear to be using a script that automates the whole process: connect to a MongoDB database, possibly export it, delete it, and then create the ransom note.
However, Diachenko has found that this script sometimes fails and the data is still there, even though the ransom note has been left for the user.
Secure a MongoDB database properly
These attacks are possible because the targeted databases are reachable from the internet without authentication or any other sufficient security measure; the good news is that they can be prevented simply by configuring a MongoDB deployment properly.
MongoDB has published a security guide on its website; experts in ethical hacking from the International Institute of Cyber Security note that the most important steps to protect a MongoDB deployment are enabling authentication (access control) and restricting network access to the database.
un-enfant-immature · 7 years ago
Text
MongoDB switches up its open source license