Week in review: Hidden security risks of top mobile apps, Facebook invites white hats to attack its networks
Here’s an overview of some of last week’s most interesting news, articles and reviews:
Penetration testing tool masquerades as surge protector
In the same way that a hardware keylogger may remain undetected by office workers, Power Pwn – a newly created piece of hardware resembling a power strip or surge protector that is actually a network-snooping device – might pass unnoticed until it’s too late.
67,000 phones to be lost or stolen during the Olympics
This year’s Games will see the largest-ever risk of corporate and personal data loss during an Olympics period, with an estimated 214.4 terabytes of potentially sensitive data likely to be lost or stolen – an equivalent of 200 million books’ worth of data.
Record number of phishing websites in the wild
The number of brands targeted by phishing attacks sustained an all-time high of 382 in February and March, while cybercrime gangs deployed a record number of phishing websites during the same quarter, according to the APWG.
8.2 million Gamigo passwords leaked
A huge batch of what appear to be Gamigo user login credentials and email addresses has been made available on a forum on the password-cracking website Inside Pro.
Bot herders try to resurrect Grum, fail
The botnet’s herders have not sat idly by while their livelihood was threatened, and they mounted a last-ditch attempt at regaining control of at least one segment of the botnet.
GFI LanGuard 2012 released
GFI Software announced GFI LanGuard 2012, providing network and system administrators with the ability to manage 100 percent of their patching needs through a single and intuitive interface, without the need for other update tools.
Bogus “Booking Confirmation” emails lead to malware
Booking.com is a well-known and very helpful website for those looking for deals when planning their travels, but if you’re a habitual user, be wary of malicious emails misusing the name.
The state of document-centric security
The growing popularity of consumer-grade, browser-based file sharing applications, such as YouSendIt and Dropbox, has improved productivity within the enterprise, but at what cost?
Sharp rise in SQL injections
FireHost revealed the latest statistical analysis of attacks successfully blocked by its servers.
Scientists develop tool for improving app security
Called RockSalt, the clever bit of code can verify that native computer programming languages comply with a particular security policy.
Seven Databases in Seven Weeks
For years, the popularity of relational databases created by Oracle, Microsoft, and IBM, and of the open source MySQL, PostgreSQL, and SQLite was undisputed. But, in time, great NoSQL alternatives sprung up: MongoDB, Apache HBase, Neo4j, and others. This book covers the ins and outs of seven different open source databases developed mostly for *nix systems, and advises on which could be the right one for you.
Android malware no longer just posing as Opera Mini
The malicious app can be picked up on a fake Opera Mini support website and, during installation, it presents to the user two sets of permissions: one belonging to the malware and the other to the legitimate Opera Mini app. Once the permissions are granted, both apps are installed and the user can use Opera Mini without problems.
VirusTotal starts sandbox-testing, shares behavioral information
Developer Emiliano Martinez has recently confirmed what many users of VirusTotal have already noticed: that the online file scanning service has added behavioral information in its reports.
What’s going on with the Cybersecurity Act of 2012?
The Cybersecurity Act of 2012 was first introduced back in February, but because of harsh criticism from both politicians and civil society organizations, the bill was pulled back to be rewritten.
What will the workplace of the future look like?
With a shift towards increased technology choice and mobility occurring over the past three to five years, companies today are striving to better understand the value of creating IT infrastructures which support digitally savvy workers who do not adhere to 9 to 5 routines.
Hidden security risks of top mobile apps
The Appthority Platform analyzed the top 50 free apps from Apple’s App Store and Google Play for risky app behaviors.
Bogus Olympics ticket site spotted
Advertised through malicious Facebook posts and likely via other social networking sites and online forums, the site is professionally executed and looks legitimate – especially because it mimics the design and uses the colors of the official site of the Olympics.
The dangers of Java and what to do about it
The problem with Java is not so much in the newly discovered vulnerabilities, as they get fixed pretty soon, but with the fact that too many users don’t update it regularly. In fact, many of them aren’t even aware of its existence on their machines.
Crisis OS X Trojan is an effective spy tool
The Crisis/Morcut OS X malware recently discovered via samples submitted to VirusTotal is more than just a backdoor Trojan.
Most users think content is more important than the device
A global F-Secure survey of broadband subscribers has identified security, privacy and issues relating to the storing and sharing of digital content as key concerns. The findings reflect a changing digital landscape marked by the use of multiple devices to access the Internet as well as an explosion in user-generated content.
Facebook invites white hats to attack its corporate network
When the social network’s security team received a tip from a researcher about a vulnerability in the company’s own network which would allow attackers to eavesdrop on internal communications, they made an unprecedented choice by broadening the scope of the bug bounty program and inviting researchers to search for other holes in the corporate network.
Researchers beat Google’s Bouncer
During a presentation at Black Hat, Trustwave’s Nicholas Percoco and Sean Schulte explained that they had created “SMS Blocker,” which appeared to be like any other SMS blocker app on the market, but was also capable of harvesting information such as contacts, SMS messages and photos; launching DoS attacks; and even forcing a web page to load. And yet, Bouncer repeatedly failed to flag it as malicious.