Week in review: Facebook bug gives access to private photos, zero-day exploited in ongoing attacks, and the new issue of (IN)SECURE Magazine

Here’s an overview of some of last week’s most interesting news, articles and interviews:

IT pros can’t resist peeking at privileged information
IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged login rights to look at confidential information they should not have had access to in the first place.

U.S. financial fraud increasing rapidly
Research reveals that financial fraud and spam via SMS texts are now growing at a rate of over 300 percent year over year.

Microsoft spam-detecting algorithm helps with HIV research
When the first computer viruses popped up, their behavior was so similar to that of their biological counterparts that security researchers simply chose to appropriate the already existing expression. And it is that very same similarity that has now – years and years later – helped medical researchers glean crucial insights into how a particular virus still manages to avoid being beaten.

Only U.S. customers targeted with Carrier IQ?
So far it seems that most European mobile operators haven’t been using Carrier IQ. Vodafone and Orange have denied using the software, and Samsung confirmed that their mobile phones destined for the European market have not been preinstalled with it.

Key concern for 2012? Application DDoS attacks
Imperva announced its predictions for the top cyber security trends for 2012.

Facebook bug allows users to access private photos
A bug tied to Facebook’s “Report/Block” process can be misused to access uploaded photos of people who have chosen not to share them publicly.

Fraudsters beat two-factor authentication, steal $45k
It seems that two-factor authentication solutions that deliver verification codes to mobile phones are not as foolproof as one might think – a lesson that an Australian business owner learned the hard way.

Personal information of 3.5 million poker players leaked
The data included the users’ full names, screen names, birth dates, e-mail, mailing and IP addresses, phone numbers, UB account numbers and balances, deposit methods used, VIP, affiliate and blacklist status.

Zero-day Adobe Reader flaw exploited in ongoing attacks
Adobe has issued a security advisory notifying users about a newly discovered and still unpatched vulnerability in Adobe Reader and Adobe Acrobat which has been spotted being used in “limited, targeted attacks in the wild”.

QualysGuard Web Application Scanning
On Tuesday, Qualys released version 2.1 of QualysGuard Web Application Scanning (WAS), which integrates with Selenium to help companies further automate scanning of web applications with complex authentication. Mike Shema, Director of Engineering at Qualys, offers insight into the latest release of QualysGuard WAS.

8 out of 10 applications fail to meet security standards
Considered “low hanging fruit” because of their prevalence in software applications, XSS and SQL Injection are two of the most frequently exploited vulnerabilities, often providing a gateway to customer data and intellectual property. When applying the new analysis criteria, Veracode reports eight out of 10 applications fail to meet acceptable levels of security, marking a significant decline from past reports.

Top 5 Android malware families
On November 15, Gartner issued a report citing that Google’s Android mobile operating system had reached a global 52.5% smartphone market share, while iOS trailed in third, behind Symbian, with an 18% market share. FortiGuard Labs found the disparity between the amount of malware found on Android and that found on iOS, relative to their market share, interesting.

Inside the latest issue of (IN)SECURE Magazine
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics.

Top 10 HTML5 threats and attack vectors
Every new technology stack throws up new security challenges and vulnerabilities. HTML5, though very promising, is no different. There are security concerns that need to be addressed when creating applications. Let us look at the top 10 possible attack vectors associated with HTML5 and modern browser architecture.

Download.com “cleans up” Nmap but not other downloads
It took less than a day for Download.com to react and quietly switch their Nmap downloads back to the software’s real installer, and for Microsoft to contact Nmap’s author and explain that they weren’t aware of the fact that they were sponsoring CNET to trojan open source software.

Multimillion credit card data theft
Four Romanian nationals were charged for their alleged participation in an international multimillion dollar scheme to remotely hack into and steal payment card data from hundreds of U.S. merchants’ point of sale computer systems.

Delivering banking Trojan via malicious boot loaders
Brazil is a country whose Internet users are targeted almost exclusively by cyber crooks wielding banking Trojans. It is also a country where a majority of users still run Windows XP on their computers. Criminals have taken this last fact into account and misused it, devising a way to replace the legitimate ntldr boot loader with a malicious boot manager.

Telstra privacy blunder reveals account details of some 1m customers
Personal and account details of over one million customers of Australian telecom giant Telstra were accessible to any Internet user – and may have been taken advantage of – for an unknown period of time.
