IBM Db2 Vulnerabilities Left IBM Database Installations At Risk Of Hacks

Last week IBM patched two serious vulnerabilities affecting its Db2 database installations. These IBM Db2 vulnerabilities could allow an attacker to execute arbitrary commands with administrative privileges. The vendor has advised users to update their systems to stay protected from potential attacks.

IBM DB2 Database Vulnerabilities Spotted

As disclosed recently, two IBM Db2 vulnerabilities could let an attacker take over targeted systems. IBM has published a separate security advisory for each flaw.

The first vulnerability is a privilege escalation flaw that could allow an attacker to execute arbitrary code. As IBM explains in its advisory,

“IBM Db2 db2pdcfg is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow an attacker to execute arbitrary code.”

The flaw was reportedly discovered by Eddie Zhu, a researcher at Beijing Dbsec Technology Co., Ltd., who then reported it to IBM. To exploit the bug (CVE-2018-1897), an attacker with local user access could elevate privileges by running a specially crafted application.

The second vulnerability exists in IBM Spectrum Scale (the product formerly known as GPFS). According to the description in IBM’s advisory,

“IBM Spectrum Scale could allow a GPFS command line utility to allow an unprivileged, authenticated user with access to a GPFS node to read arbitrary files available on this node.”

Patches Released

CVE-2018-1897 reportedly affects IBM Db2 versions 9.7, 10.1, 10.5, and 11.1. IBM has patched the flaw in V11.1.4.4; for the other releases, users can download the corresponding fixed fix packs: Db2 V9.7 FP11, V10.1 FP6, and V10.5 FP10. Regarding the other bug, CVE-2018-1723, IBM stated,

“All fix pack levels of IBM DB2 V10.5 and V11.1.1 editions running on AIX and Linux are affected, and only for those customers who have DB2® pureScale™ Feature installed.”

To fix the flaw, users of DB2 V10.5 can obtain GPFS 4.1.1.17 efix 8 by contacting IBM technical support, while customers running DB2 V11.1 can download the patched version V11.1.4.4.


[Update: Google Confirms Shut Down, Denies Timeline] 2019 Is Your Last Year To Use Google Hangouts If You Haven’t Moved On Already

According to a source familiar with the product’s internal roadmap, Google Hangouts for consumers will be shutting down sometime in 2020. That’s not surprising at all, since Google essentially ceased development on the app more than a year ago. But just know, going into 2019, this is indeed your last year to keep using the beloved (?) legacy chat app. Last spring, Google announced its pivot of the Hangouts brand to enterprise use cases with Hangouts Chat and Hangouts Meet, so the writing has been on the wall for quite some time regarding the Hangouts consumer app’s demise. Meanwhile, Google has transitioned its consumer-facing messaging efforts to RCS ‘Chat’ and Android Messages following Allo’s misadventures.

Given Google’s abandonment of the app in terms of development and its presumed eventual death, many have already transitioned away from using it. But Hangouts is still the prominent chat option in Gmail on the web and the app remains on the Google Play Store to this day. Many recent reviews say that the app is showing signs of age, noting bugs and performance issues.

As mentioned, Hangouts as a brand will live on with G Suite’s Hangouts Chat and Hangouts Meet, the former intended to be a team communication app comparable to Slack, and the latter a video meetings platform. Meanwhile, Google Voice calling, which was at first independent and then long integrated into Hangouts, was moved back out to its own redesigned app earlier this year.

Interestingly, despite its forthcoming axing, Hangouts was one of a few apps to get early support for Android Auto’s new MMS and RCS functionality, alongside Android Messages and WhatsApp.


Update 12/1: Google’s Scott Johnston has chimed in and denies that any decisions have been made about the timeline of legacy Hangouts’ shutdown. Confusingly, however, he says that users of consumer Hangouts will somehow be “upgraded” to Hangouts Chat and Hangouts Meet, both of which are enterprise-focused products that fill different needs.

Scott also explicitly confirms for the first time that Hangouts Classic, the subject of this report, will be shutting down “eventually.”

Meanwhile, a second source has since corroborated my initial report and says decisions have indeed been made for the deprecation of legacy Hangouts.

Scott Johnston (@happyinwater):

Hey @hallstephenj, I run Hangouts and this is pretty shoddy reporting. No decisions made about when Hangouts will be shut down. Hangouts users will be upgraded to Hangouts Chat and Hangouts Meet. Your source is severely misinformed. You can do better.


Stephen Hall (@hallstephenj):

Hey Scott, will update my report, but I stand by my sourcing. Would you be able to elaborate on exactly how legacy Hangouts users will be “upgraded” to Hangouts Chat and Meet, since those are entirely separate enterprise products that fill different needs?

Scott Johnston (@happyinwater):

1/ I can’t comment on your sourcing, since I don’t have any details. The frustrating part about your reporting is it leaves the reader to jump to dramatic conclusions, because it is only half the story. Hangouts users will be migrated to Chat and Meet.

Scott Johnston (@happyinwater):

2/ So while that will result in the eventual shut down of Hangouts classic (as we now call it), it doesn’t imply we are ending support for the use case supported by the product: messaging and meetings.

Our response:

Stephen Hall (@hallstephenj):

1/ I have immense respect for this team and their products; my report was not meant to disparage Hangouts Chat/Meet, which we have covered extensively since their announcement, nor to suggest that their use cases were going anywhere.


Google’s Take

Shutting down Hangouts has been a long time coming, so if anything, its retirement still being more than a year away is what’s surprising here. I’d venture to guess that its actual usage numbers are still significant given that Google’s initiative to build a true messaging alternative, Allo, flopped miserably. Meanwhile, the ‘Chat’ RCS initiative that Google’s leading up still isn’t off the ground, either.


Hacker Austin Thompson, a.k.a. “DerpTroll”, Pleads Guilty To DDoSing Sony, EA and Steam Gaming Servers

A 23-year-old hacker from Utah pleaded guilty this week to launching a series of denial-of-service (DoS) attacks against multiple online services, websites, and online gaming companies between 2013 and 2014.

According to a Justice Department (DoJ) press release, Austin Thompson, a.k.a. “DerpTroll,” took down the servers of several major gaming platforms, including Electronic Arts’ Origin service, the Sony PlayStation Network, and Valve Software’s Steam, between December 2013 and January 2014 by flooding them with enough internet traffic to overwhelm them.

Thompson typically used the Twitter account @DerpTrolling to announce his attacks, subsequently posting screenshots or other images showing the targeted servers unavailable after the DDoS attacks were launched.

The attacks usually took down game servers and related computers of the victim companies for at least a few hours at a time, causing at least $95,000 in damages to the gaming companies around the world.

“Denial-of-service attacks cost businesses millions of dollars annually,” said U.S. Attorney Adam Braverman while announcing the plea. “We are committed to finding and prosecuting those who disrupt businesses, often for nothing more than ego.”

Thompson pleaded guilty in federal court in San Diego on Thursday to a charge of causing damage to a protected computer, which carries a maximum penalty of 10 years in prison, a fine of $250,000, and three years of supervised release.

Active since 2011, the DerpTrolling hacking group is believed to have been operated by Thompson, who wrote the malware used to launch DDoS attacks against online services around the world.

The group made headlines in late 2013 and early 2014 after disrupting online gaming servers owned by Sony, Riot Games, Microsoft, Nintendo, Valve, and Electronic Arts.

Thompson’s sentencing is scheduled for March 1, 2019, before United States District Judge Jeffrey Miller.

It wasn’t just DerpTrolling that created chaos in 2014. The infamous Lizard Squad hacking group also made headlines in 2014 by launching DDoS attacks against Microsoft Xbox Live and Sony PlayStation Network and knocking them offline during the Christmas holidays.

Last year, several teenagers from around the world were charged with participating in Lizard Squad’s 2014 DDoS attacks.

Original Source From @ thehackernews.com