Week in review: Apple OS X sandbox hole, hiding messages in VoIP packets and U.S. water utility attack

Here’s an overview of some of last week’s most interesting news, podcasts, interviews and reviews.

Apple OS X sandbox hole allows bypassing of restrictions
Following Apple’s announcement that all applications submitted for inclusion in the App Store will have to have sandboxing implemented starting from March 1, 2012, researchers from Core Labs, the research arm of Core Security Technologies, have decided to analyze whether this requirement and the sandboxing practice offer the protection that app developers and Apple believe they do.

Top five tips to avoid bad apps
There are some common sense practices that anyone can take to help protect their smartphones and tablets from the growing threat of malware and the persistent threat of unsecured devices.

Security threats to expand in 2012
Traditional techniques such as SQL injection, web app hijacking and unauthorized server access are now being bypassed in favor of more rewarding social engineering practices which yield the data necessary to carry out highly organized systematic attacks.

Mass manipulation through automated social engineering
In this podcast BitDefender’s Catalin Cosoi talks about how the existing information from social networks, capable search engines and free data aggregators can very easily be used for compiling thorough “resumes” about each particular target, and how various templates filled with specific personal information can be used to organize massive – but targeted – spam campaigns that will surely yield considerably greater results than spear-phishing campaigns lovingly crafted by the attackers to target 3 or 4 specific users.

Trojan masquerading as PDF signed with stolen government certificate
Seeing that security professionals around the world are slowly losing faith in the digital identity certificate system, news that another piece of malware signed with a stolen code signing certificate has been discovered by F-Secure researchers doesn’t come as a great shock.

Free webinar: ISO 9001 for ISO 27001 implementation
Most of the companies that have implemented ISO 9001 have no idea they can implement ISO 27001, this increasingly popular information security standard, with much less effort than they initially anticipate. Information Security & Business Continuity Academy is organizing a free webinar to explain how to achieve this.

What hides behind the get-rich-working-from-home offers?
Do you ever get tempted to click on one of the myriad of work-from-home, get-paid-huge-money adverts that are littering the Internet? Do you ever wonder if those claims are true and how the scheme works?

Hiding messages in VoIP packets
A group of researchers from the Institute of Telecommunications of the Warsaw University of Technology have devised a relatively simple way of hiding information within VoIP packets exchanged during a phone conversation.

Cloud security best practices and tips
To help enterprises maintain compliance while using the cloud, and keep their networks, applications and data safe, Verizon is offering best practices and tips.

Windows 8 to do away with constant restarts after updating
As great as the automatic updating is for Microsoft, they are obviously aware of the difficulties that users have been known to face following these events. And finally, they decided to do something about it.

Hacker breached, changed grades in university academic record system
Santa Clara University, a private university run by the Jesuits and located in Silicon Valley, has issued a statement confirming that it has called the FBI to investigate an intrusion into its computerized academic record system.

The Basics of Hacking and Penetration Testing
Have you always wondered about how penetration testing is performed, but never had the opportunity to ask a professional about it to witness him (or her) at work? If that’s the case, this book is definitely for you. Simple and to the point, written in a very free and easy manner, it effectively explains all the phases of the pentesting process and introduces a great variety of helpful tools used by the great majority of professionals in this field.

Why do companies back up infrequently?
Businesses are on average backing up to tape once a month, with one rather alarming statistic from the same survey showing 10 percent were only backing up to tape once per year, according to a survey by Vanson Bourne.

Testing web applications for security flaws
David Hoelzer is the Director of Research, Enclave Forensics and a SANS Trainer. In this interview he discusses web application testing, offers advice for those on the hunt for web application vulnerabilities and introduces his training course at SANS London 2011.

The future of cybersecurity in cars
In this podcast recorded at SecurityByte 2011, U.S. Cyber Consequences Unit’s CTO John Bumgarner talks about the obvious computer and physical security problems that will surely arise with the advent of malware targeting on-board computers, and the need for doing something about it before they start happening en masse.

Cybercriminals to turn mobile phones into ATMs
With all of the crazy 2011 security breaches, exploits and notorious hacks, what can we expect for 2012? Researchers of the Websense Security Labs provide their top predictions for the coming year.

Backdoor Trojan pushed via versatile Facebook campaign
Microsoft recently spotted a considerably versatile social engineering campaign used to trick Facebook users into installing a particularly nasty backdoor Trojan with keylogging capabilities. The messages used to lure in users vary, but they all lead to fake YouTube pages.

Hackers destroy pump in U.S. water utility attack
Setting aside Iran and attacks against its nuclear program for a moment, the U.S. seems to attract a disproportionate number of attacks against SCADA systems. The latest has targeted the control system of the city water utility in Springfield, Illinois, and has resulted in the destruction of a water pump.
