Week in review: Windows 8 security features, weak crypto allowed spoofing emails from Google, PayPal domains

Here’s an overview of some of last week’s most interesting news and articles:

Shortened .gov URLs lead to scams
The fact that cyber crooks often misuse URL shortening services in order to trick users into following dangerous links is not news, but Symantec researchers have lately spotted a considerable increase in malicious links shortened with the 1.USA.gov service.

Microsoft concludes Russian programmer didn’t operate Kelihos botnet
Following the settling of the Nitol botnet lawsuit earlier this month, Microsoft has announced on Friday that it has reached a settlement with Russian software programmer Andrey N. Sabelnikov, who was named earlier this year as one of the defendants in its Kelihos case.

Analysis of 15 million cyber attacks
A new web application attack report by FireHost offers an impression of the current internet security climate and provides statistical analysis of 15 million cyber attacks blocked in the US and Europe during Q3 2012.

OS X Mountain Lion Pocket Guide
Since its release, OS X Mountain Lion has been hailed as the most advanced operating system coming out of Cupertino. With lots of new features and a myriad of small alterations, this evolution of OS X offers a lot to novice and seasoned users alike. While some of the features like iCloud integration are in the spotlight, there are many others that users may not be familiar with immediately. This is where the Mac OS X Mountain Lion Pocket Guide by O’Reilly enters the picture.

Popular Android apps leaking passwords due to poor SSL
A group of researchers from two German universities claim that eight percent of the 13,500 popular, free-of-charge, legitimate Android Android apps they downloaded from Google Play and tested have poorly implemented SSL/TLS protocols that can allow attackers to collect information that the apps send and receive.

Malvertising on Yahoo Messenger hijacks browsers’ start page
It is not clear whether the banner has reached YIM customers following a legit advertising campaign that was modified by the advertiser later, or if it is an abusive attack that exploits a bug in the Yahoo Ad services.

Big data creates big jobs: 4.4 million IT jobs by 2015
By 2015, 4.4 million IT jobs globally will be created to support big data, generating 1.9 million IT jobs in the United States.

Microsoft legalizes collection of user info from its free services
In a move that has not been noted by the great majority of Microsoft users, the Redmond giant has changed its Services Agreement on Friday in order to legalize the collection of all personal information and customer content that can be gathered from the consumers of its free Web-based products (Hotmail, Bing, Outlook email service, etc.), and to use it to improve its other services.

Researchers deliver fix for Java 0-day to Oracle
Polish firm Security Explorations and its CEO Adam Gowdiak continue to be the a thorn in Oracle’s side by repeatedly questioning the giant’s decision not to issue an out-of-band patch for a critical Java flaw in Java SE (Standard Edition) 5, 6 and 7.

Top 10 strategic technology trends for 2013
Gartner defines a strategic technology as one with the potential for significant impact on the enterprise in the next three years. Factors that denote significant impact include a high potential for disruption to IT or the business, the need for a major dollar investment, or the risk of being late to adopt.

Card readers in Barnes & Noble stores hacked by crooks
On September 14, Barnes & Noble, the largest book retailer in the United States, has turned off the keypads in front of registers in all of their physical stores without offering an explanation about it to the customers. Almost a month and a half later, the company revealed the reason behind this step: at least one of the devices in 63 of their stores had been compromised and had been recording card details for crooks to misuse.

Weak crypto allowed spoofing emails from Google, PayPal domains
Zach Harris, a Florida-based mathematician, discovered that Google and many other big Internet companies use weak cryptographic keys for certifying the emails sent from their corporate domains – a weakness that can easily be exploited by spammers and phishers to deliver emails that, for all intents and purposes, look like they were sent by the companies in question.

CyanogenMod found logging Android unlock swipe gestures
The offending line of code has been discovered by Gabriel Castro, a developer attached to the CyanogenMod project, and has apparently been added to the firmware source code in August, when un update that made the default grid format for lockscreen gestures configurable.

Bogus MS “Windows license delivery” email leads to malware
Experienced users will probably have a quick glance at the stark look of the email and immediately conclude that the email is fake, but inexperienced ones might believe that Microsoft delivers Windows licenses in this way and follow the link.

New cybercrime monetization methods
AVG’s new report investigates a number of malicious software developments including the newly launched 2.0 version of the Blackhole Exploit Toolkit, the evolution in malware targeting mobile banking services, a surge in malicious ads targeting social network users and a trick to hide malware inside image files.

Most effective ways to stop insider threat
A new report catalogs information gained by analyzing the best practices and incident response tactics of the 40 organizations most effective at preventing insider threats from a surveyed sample of more than 1,000.

Best practices from healthcare and compliance experts
The American Hospital Association brought together senior executives from healthcare, information security, compliance, and legal disciplines to discuss best practices around creating a culture of patient privacy compliance. The panel was clear in their direction—build a team and leverage an interdisciplinary incident response team.

Anonymous hacks police forum, sends emails to police officers
According to the results of the investigation launched by the Metropolitan Police’s e-Crime unit (PCeU), the hackers managed to compromise the website and the databases of the UKPoliceonline.co.uk forum, on which retired and active police officers “talk shop.”

First look at Windows 8 security features
Windows 8 launched this week. It brings a new interface, but under the hood, it introduces a number of new security features.

Software backdoor makes critical infrastructure vulnerable to attacks
Ever since Stuxnet managed to disrupt the workings of the Natanz nuclear facility, the security of industrial control systems (ICS) has deservedly received a lot of attention. Many security researchers have begun analyzing the hardware and software employed in critical infrastructure installations, and have discovered a host of vulnerabilities.

Flaw in boarding pass check system puts fliers in danger
Everybody knows by now that airline boarding passes have barcodes that, when decoded, show a series of letters and numbers that “summarize” the main information about one’s flight. But what you might not know is that it also includes a code that tells the U.S. TSA officers whether you are eligible for TSA’s Precheck Program, and could consequently pass through the security check after receiving the expedited screening treatment.

More about

Don't miss