Week in review: Origins of Flame revealed, Windows 8 security, and active exploitation of state-sponsored 0-day

Here’s an overview of some of last week’s most interesting news, podcasts, interviews and articles:

Real life examples on hackers bypassing CAPTCHA
Computer-assisted tools and crowd sourcing can easily bypass traditional anti-spam solutions, forcing CAPTCHAs to evolve to address these techniques, according to Imperva.

Vulnerabilities in open source WAF ModSecurity
During our research of web application firewall evasion issues, we uncovered a flaw in ModSecurity that may lead to complete bypass of the installed rules, in the cases when ModSecurity is deployed to protect the backends where impedance mismatch is not mitigated. Additionally, a separate flaw in ModSecurity CRS makes the content type checks ineffective, allowing for bypass attacks, when deployed to protect the backends where impedance mismatch is not mitigated.

The dangers of NOT passing cybersecurity legislation in 2012
According to the U.S. Government, cyber-security protection of critical infrastructure is a national priority. With 85 percent of the nation’s critical infrastructure owned and operated by the private sector, the public and private sectors must work collaboratively, with trusted and open lines of communication to ensure the timeliest sharing of critical cyber-security information.

US-CERT warns of Intel CPU flaw
A flaw in Intel chips leaves users of a number or x64-based operating systems vulnerable to system hijacking, the US Computer Emergency Readiness Team warns.

Apps on iOS 6 will require explicit permission to access personal data
Users of Apple devices equipped with the upcoming iOS version 6 will be explicitly warned when the app they are trying to install asks permission to access their contacts, calendars, reminders and their photo library.

Zitmo Trojan masquerades as security app
Zeus-in-the-mobile (“Zitmo”) for Android users is back, pretending to be a security solution for the mobile operating platform.

What makes a good unified database security solution?
In this podcast recorded at the RSA Conference 2012, David Maman, the founder and CTO of GreenSQL, talks about the need for unified database security solutions, and he explains the features required by these solutions that aim to give a clear and full picture of the situation to its users.

Takedown of Japanese Android malware gang still incomplete
Six men suspected of running an adult site and serving Android malware through it have been recently arrested by the Tokyo Metropolitan Police Department, and the website in question has been shut down. But, as it turns out, there are at least two other websites out there that are affiliated with the one that was removed from the Internet.

BYOD workers pose serious security risks
Fortinet conducted a global survey that reveals the extent of the challenge posed to corporate IT systems by first generation Bring Your Own Device (BYOD) users; people entering the workplace with an expectation to use their own devices.

Facebook promotes security tips
If you have logged into Facebook in the last few days, chances are you have been faced with a new Facebook message at the top of your page saying “Stay in control of your account by following these simple security tips.”

Flame was developed by US and Israel
Quite recently, Kaspersky Lab analysts revealed the existence of rather solid proof that the developers of both Stuxnet/Duqu and Flame worked together and exchanged ideas and knowledge at one point it time.

Google detects 9500 malicious sites per day
According to Google Security Team member Niels Provos, the Google’s Safe Browsing program detects about 9,500 new malicious websites and pops up several million warnings every day to Internet users.

User activity monitoring revealed
In this interview, Matthew Ulery, Director of Product Management with NetIQ, discusses the challenges related to user activity monitoring. He talks about the various methods, technologies as well as privacy concerns.

Julian Assange asking for asylum in Ecuador
WikiLeaks founder Julian Assange has applied for political asylum at the Ecuadorian embassy in London on Tuesday.

Compromised website serving “state-sponsored” 0-day exploit
The still unpatched Microsoft XML Core Services vulnerability (CVE-2012-1889) that allows attackers to gain the same user rights as the logged on user and execute malicious code remotely is being actively exploited in the wild.

Hackers leak customer data after firm refuses to pay ransom
Hacking collective “Rex Mundi” has leaked a batch of personal and financial information belonging to individuals who have applied for loans with online loan provider AmeriCash Advance, after the company refused to pay $15,000 to prevent that from happening.

AutoCAD worm steals blueprints, sends them to China
Duqu and Flame are not the only pieces of malware interested in grabbing AutoCAD files, says ESET researcher Righard Zwienenberg.

Older means wiser to computer security
A new Dimensional Research and ZoneAlarm report found that 18 – 25s are more confident in their security knowledge than 56 – 65s, but have experienced more security issues in the past two years compared to older users.

Windows 8 will be harder to exploit
A lot of things have already been revealed about the security features of the upcoming Windows 8, and Chris Valasek, a security researcher with development testing firm Coverity, shared some more details after having analyzed the preview version released only to selected software experts.

Real-time alert system shows active cyber attacks in 3D
Researchers from Japan’s National Institute of Information and Communications Technology (NICT) have recently revealed a real-time network monitoring system that is capable of alerting support staff as soon as it notices malignant traffic going outside the network, and of showing the evolution of the attack on its 3D user interface.

ISO 27001 standard: Breaking the documentation myth
Dejan Kosutic is the founder of the Information Security & Business Continuity Academy. In this interview he discusses the future of compliance, ISO 27001 documentation, audit preparation, and much more.

User education essential against social engineering attacks
The problem with the trend of rising levels of social engineering is that it primarily exploits human weaknesses, so is almost impossible to prevent using technical controls. In the IT security industry we obsess about data protection, but the reality is that many employees remain completely unaware of the value of the information they work with from day to day.

PayPal sets up bug bounty program
Joining the likes of Google, Facebook, Mozilla and others, PayPal has announced that it will be offering money for information about security bugs that affect their site (www.paypal.com).

Trojan infection triggers massive printing jobs
If your printers start printing garbage characters until they run out of paper, it’s a sure sign your network has been hit by the Milicenso Trojan.