Week in review: Critical SIM encryption flaw, Apple Dev Center hack, key security metrics

Week in review: Critical SIM encryption flaw, Apple Dev Center hack, key security metrics

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Apple developer center hacked by security researcher?
The mystery of why Apple’s Developer Center has been inaccessible for users since last Thursday has apparently been solved, as UK-based security researcher Ibrahim Balic claims that the outage is due to its penetration testing efforts.

Passwords of 1.8M Ubuntu Forums users compromised in hack
Ubuntuforums.org, the home of a variety of support forums dedicated to users of this popular Linux distribution, has been hacked and defaced to show an image of a penguin toting a rifle – the “logo” of the hacker who’s responsible for the breach.

Multiple Java versions on endpoints risky for enterprises
Java represents a significant security risk to enterprises because it is the endpoint technology most targeted by cyber attacks.

Children as adversaries in technologically-enhanced homes
You might sometimes consider your child an adversary when he or she prevents you from sleeping enough hours or having a sit-down meal without interruptions, but Microsoft researcher Stuart Schechter uses the same unexpected word for describing the effect of children’s natural tendency to “hack” technology made for adult use.

HTML ransomware goes global
Last week we saw that a ransomware scheme does not need to involve actual malware, as clever cyber crooks leveraged browsers’ “restore from crash” feature to make inexperienced users believe they cannot escape the ransomware page. Now the scheme has gone global.

Study connects cybercrime to job loss
After years of guesswork and innumerable attempts to quantify the costly effects of cybercrime on the U.S. and world economies, McAfee engaged the Center for Strategic and International Studies (CSIS) to build an economic model and methodology to accurately estimate these losses, which can be extended worldwide.

Syrian hackers hit Tango, The Daily Dot
Pro-Assad hacker group the Syrian Electronic Army claims to have breached the back-up database of Tango, the company behind the popular eponymous app, and to have exfiltrated 1.5 TBs of daily back-ups.

SIM encryption flaw opens 500M users to attack
A flaw in the encryption technology used by some SIM cards can allow attackers to make the target phone download malicious apps and even effectively clone a user’s card in order to impersonate the device, a German security researcher has found.

A question of trust
In information security, trust is a cornerstone in all that we do. We trust the technology we use to help defend our systems, we trust our staff to comply with policies and not to fall victim to phishing emails, we trust those we appoint to manage our sensitive data not to divulge it to others, we trust our business partners to take the necessary steps to protect information we share with them, and we trust our governments to provide a safe business environment and to protect our rights.

Introduction to Cyber-Warfare
If you’re looking to learn about cyber warfare, but don’t know where to start, you might prefer picking up a book instead of searching for information dispersed on the Internet. Read on to see if this is the right one for you.

Lessons learnt from the Lakeland attack
The Lakeland attack highlights some key issues that all companies need to be aware of.

Internet Explorer best at malware and privacy protection
Back in May, NSS Labs shared the results of their testing of how successful popular Web browsers are in detecting malware, showing that the latest versions of Internet Explorer and Chrome were considerably more effective that those of Safari, Firefox and Opera. Their latest testing and reports concentrate on phishing protection and privacy settings.

Malicious apps exploiting Android “Master Key” bug found
Symantec researchers have initially unearthed two modified applications that help users find and made doctor appointments, but have after discovered four more: a lottery app, a news app, and to game apps – all very popular in China.

A historical overview of the cyberattack landscape
Venafi released a new report that chronicles the last 16 years of attacks, threats and exploits, and analyzes how they’ve evolved and intensified over time. They also offer advice to enterprises on how to better defend against new attacks that increasingly leverage unprotected cryptographic keys and digital certificates.

Key security metrics revealed
A new Ponemon Institute study examined the key risk-based security metrics IT security managers used most frequently to gauge the effectiveness of their organizations’ overall security efforts. Top Metrics included: time taken to patch, policy violations, uninfected endpoints, data breaches, reduction in the cost of security, end users training and reduction in unplanned system downtime.

US lawmakers shoot down legislation for limiting NSA spying
An amendment to the Department of Defense Appropriations Act of 2014 that would curtail funding for NSA’s collection of electronic communication data in cases where the subject is not a subject of a specific investigation has been shot down in the US House of Representatives.

TOR-based botnets on the rise
Keeping their botnet’s C&C centers online is crucial for bot herders, so that they can keep taking advantage of the computers they zombified. But given that cyber security firms and law enforcement agencies have ramped up their efforts to take them down in the last couple of years, cyber crooks are looking for ways to thwart them.

Five charged with stealing 160+ million credit card numbers
The five defendants conspired with others to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, stealing the personal identifying information of individuals.

Preventing the exploitation of human vulnerabilities
Secure Mentem released the Human Incident Response Service to specifically address the issue of exploiting human vulnerabilities. The service analyzes the root cause of the attack, creates a plan to mitigate the damage and the underlying vulnerabilities, and assists in implementing the plan.

Feds to web firms: Hand over encryption keys and user passwords
The US government and its intelligence and law-enforcement agencies have apparently been trying to get Internet firms to hand over both their users’ account passwords and their master encryption keys.

US SEC data leak shows lax data access practices
When a former employee of the US Securities and Exchange Commission left the organization for a job with another federal agency, he “inadvertently and unknowingly” took with him sensitive personal data of SEC employees and transferred it on the computer system of his new employer.