As technology continues to advance at a rapid pace, it is no surprise that electronic waste, or e-waste, has become a growing concern. With many companies constantly upgrading their IT equipment, the amount of electronic waste being produced is on the rise. However, what is even more concerning is that many of these companies are disposing of their old computers and other IT equipment improperly, putting their sensitive data at risk.
According to a recent article by Tech Times, companies that dispose of their old computers and other IT equipment without taking proper measures to wipe the data off the hard drives are leaving themselves vulnerable to cyber attacks. This is because the data on the hard drives can still be accessed by hackers, even if the computers are no longer in use. This is especially concerning for companies that deal with sensitive information, such as financial institutions or healthcare providers.
John Smith, a cyber security expert, suggests that "companies should take extra precautions when disposing of their old IT equipment to ensure that their sensitive data does not fall into the wrong hands." This includes wiping the hard drives of all data before disposing of them or using a professional IT asset disposal service.
Another concern with improper disposal of IT equipment is the potential harm it can cause to the environment. Sadoff Electronics Recycling warns that "obsolete IT equipment can contain hazardous materials that can be harmful to the environment if not disposed of properly." This includes chemicals such as lead and mercury, which can pollute the air and water if not disposed of properly.
In addition to the potential environmental impact, there are also legal consequences for companies that do not dispose of their IT equipment properly. The Security Intelligence website points out that "many countries have laws that require companies to properly dispose of their electronic waste." Failure to do so can result in fines or other legal penalties.
Proper disposal of IT equipment is essential to avoid the risks of data breaches and environmental harm. Companies must ensure that data is wiped off their hard drives and utilize professional IT asset disposal services to avoid legal penalties and reputational damage. In addition, responsible electronic waste disposal contributes to a sustainable future. By prioritizing safe and responsible disposal of IT equipment, companies can protect sensitive data and the environment.
On September 6, late evening, the Wordfence Threat intelligence team discovered a vulnerability being actively exploited in BackupBuddy, a WordPress login that has around 140,000 active installations.
The vulnerability allows unauthorised users to download arbitrary from the compromised site which may have sensitive data. It impacts versions 8.5.8.0 to 8.7.4.1, and was fully fixed by September 2, 2022, in version 8.7.5.
Because of the fact that it is an actively exploited vulnerability, experts recommend users make sure that their site is updated to the latest fixed version 8.7.5 which iThemes has made available to all site owners using a vulnerable version regardless of the licence status.
There is also an option to store backup downloads locally through the "Local Directory Copy" option. Sadly, the process to download these locally stored files was not executed safely, which can allow unauthorised users to download any file that is stored on the server.
Notably, the plugin registers an admin_init hook for the function aimed to download local backup files and the process itself lacks any nonce validation or capability checks.
The backup location isn't validated; thus, an arbitrary file could be sneaked and downloaded.
Because of this vulnerability being exploited in the wild, due to its ease of exploitation, Wordfence has shared some details about the vulnerability.
If the site is breached, it may mean that BackupBuddy was the reason for the breach.
In its report, Wordfence concludes:
The Russian state-sponsored hacking collective known as APT29 has been attributed to a new phishing campaign that takes advantage of legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads on compromised systems.
Implementation vulnerabilities in Google Drive integrations created various server-side-request-forgery (SSRF) flaws in various applications, say cybersecurity experts. It also includes Dropbox's HelloSign, a digital signature platform, however, the latest SSRF was gained by CRLF and asks pipeline in other, anonymous applications, says Bug Bounty hunter Harsh Jaiswal. Jaiswal won a bounty reward of $17,576 for a basic but important SSRF associated with HelloSign's Google Drive Docs export feature.