Week in review: Hijacking airplanes with an Android phone, and a call to arms for infosec professionals
Here’s an overview of some of last week’s most interesting news, articles and videos:
Spear-phishing emails targeting energy companies
Information over-sharing can lead to cleverly executed and dangerous spear-phishing campaigns, warns the US Department of Homeland Security and the ICS-CERT.
WordPress.com adds 2-factor authentication option
To set it up, users must access the Security tab in their WordPress.com account settings, where they will be offered a setup wizard.
Anonymous and affiliates attack Israeli websites
By launching “Operation Israel”, the hacktivist collective called on hacker groups and individuals to participate and launch cyber attacks as a means of protest against Israel’s occupation of Gaza, their human rights violations, and to show solidarity with newly recognized Palestinian state.
We’re losing the battle against state sponsored attacks
We are seeing a huge rise in attacks which are state sponsored and targeted at the Critical National Infrastructure. The real fight isn’t from stopping them getting in, it’s actually about how far within your organization you can stop them reaching.
Bitcoin-mining Trojan lurking on Skype
Bitcoin-mining malware is nothing new, but with the success of Bitcoin and the renewed interest it is receiving lately, cyber crooks are again concentrating their efforts to harness the power of random computers in order to create them.
The cloud: Storms on the horizon
At its heart, the cloud is really just shorthand for shared resources. The cloud is regularly touted as the answer to all of your IT woes. But, beyond the marketing pitches and the oft-discussed technological concerns, there is a storm brewing. There are very real legal concerns lurking inside this brave new world of resource sharing. This video from Shmoocon 2013 discusses current law and technology.
How simulated attacks improve security awareness training
Wombat released a new report that discusses how simulated phishing attacks can be an effective security awareness and training tactic to help companies educate employees how to avoid growing cyber security threats.
Cutwail botnet now spreads Android malware
The botnet has recently been spotted being used to deliver the peer-to-peer Gameover banking Trojan, but its masters have obviously realized that an increasing number of users is checking their email through their smartphones, and that they can also be targeted.
A call to arms for infosec professionals
An old saying says “nature abhors a vacuum,” meaning that in the absence of something nature will find a way of filling that gap. We are currently witnessing the same phenomenon in the information security field.
Instant Penetration Testing: Setting Up a Test Lab How-to
If you want to start practicing penetration testing, you will be needing a test lab. This book will tell you what you need in order to do it, how to set it up, and how to use it in a simple, straightforward manner.
Global technology supply chain security standard released
This open standard is the first of its kind to help organizations achieve Trusted Technology Provider status, assuring the integrity of COTS ICT products worldwide and safeguarding the global supply chain against the increased sophistication of Cybersecurity attacks.
Risks to retailers through point of sale systems
McAfee released a report on the growing risks the industry is facing with both legacy and newer point of sale systems (POS). The report discusses how the retailing industry’s reliance on third parties for service and support is creating security vulnerability and privacy issues.
Hijacking airplanes with an Android phone
An extremely well attended talk by Hugo Teso, a security consultant at n.runs AG in Germany, about the completely realistic scenario of plane hijacking via a simple Android app has galvanized the crowd attending the Hack In The Box Conference in Amsterdam on Wednesday.
ZeroAccess Bitcoin botnet shows no signs of slowing
FortiGuard Labs observed that the Bitcoin mining botnet, ZeroAccess, was the number one threat last quarter. Their report also reveals new analysis of the South Korea cyberattacks and two new Android adware variants that have climbed the watch list in the last 90 days.
You’ve been hacked, now what?
Once a breach has been discovered, the victims may feel at a loss and not know what to do next. But with prompt, decisive action, companies can mitigate damage and bolster their network against future attacks.
Twitter’s recipe for security awareness
Security awareness training is an issue that has been and continues to be hotly debated both online and offline. It is also a topic that seems a little out of place at the Hack in the Box conference in Amsterdam, but Bob Lord, Director of Information Security at Twitter, has raised some interesting points in his Thursday’s keynote in which he shared his company’s rather successful experiments regarding the matter.
Nipper Studio: A new approach to security auditing
Developed by UK-based Titania Ltd., Nipper Studio is an interesting solution that takes a whole new approach towards security auditing. Wouldn’t it be great to be able to analyze the security of vital aspects of your network in just a couple of seconds? It may sound overly optimistic, but Nipper Studio aims to do just that.
Sophisticated threats and thinking like the attacker
Sophisticated attackers are making us think differently about how we approach security. They are methodical, persistent, creative and often times well funded. Approaching these types of threats means that we have to spend more time understanding the objectives and tactics of the attacker and then building security technology and processes that seek to identify and combine the subtle indicators of an attack.