Here’s an overview of some of last week’s most interesting news, interviews, articles and reviews:
There are no winners in the blame game
Every time a major security breach makes the headlines, a common reaction happens. Even before the details of the breach are known, the infosec world gets into a frenzy of speculation as to how the attack happened, who conducted it, and whether the attackers were skilled or not. Invariably the conversation focuses onto the company that is the victim of the attack, and it often tends to highlight how stupid, negligent or weak its security defenses were. In effect, we blame the victim for being attacked.
First Round of HITBSecConf Kuala Lumpur speakers announced
Here’s a taste of some presentations you can expect at HITBSecConf Malaysia in October.
NSA spied on UN officials after cracking encryption on UN teleconferencing system
The NSA has actively spied on United Nations’ officials and personnel after managing to compromise the encryption of the organization’s internal video conferencing system, German investigative magazine Der Spiegel reported.
Largest DDoS attack ever disrupts China’s Internet
The China Internet Network Information Center (CNNIC), which maintains the registry for the .cn, China’s country code top-level domain, has notified the public that two massive DDoS attacks have been aimed against the national Domain Name Service.
Tech companies received millions for PRISM compliance costs
The NSA reimbursed the costs that Google, Facebook, Microsoft and Yahoo incurred for having to meet new certification demands following a FISC ruling about the unconstitutionality of certain aspects of the PRISM surveillance program.
Social networks: Can robots violate user privacy?
High-Tech Bridge decided to conduct a simple technical experiment to verify how the 50 largest social networks, web services and free emails systems respect – or indeed abuse – the privacy of their users.
Poorly redacted court filing reveals Google contested NSL gag order
The company argued that the gag orders violated the company’s “First Amendment right to communicate transparently with its users and the public regarding its receipt of the NSL”, but has failed to secure the wanted ruling.
How did Snowden steal the NSA documents and cover his tracks?
Many things have been unveiled by the documents leaked by NSA whistleblower Edward Snowden, but the question of how he managed to extract them from the agency’s internal network without triggering any alarms is still unanswered.
Open source encrypted email service reaches crowdfounding goal
Mailpile, the open-source web-mail client with user-friendly encryption whose developers have been asking for funding on Indiegogo, has surpassed its $100,000 goal three weeks before the end of the fundraising campaign.
Computation and Storage in the Cloud: Understanding the Trade-Offs
These days, especially in the IT world, most people are familiar with the concept of cloud computing and they take advantage of it for a variety of personal and business reasons. But not many realize the huge benefits that come from using it for scientific research. The cloud is a new way for researchers to deploy data-intensive applications without any infrastructure. This book looks into the computation and storage trade-off in the cloud.
Kelihos botnet: What victims can expect
Kelihos is a botnet which utilizes P2P communication to maintain its CnC Network.
The current state of application security
New research offers a better way to understand the maturity of an organization’s application security program in comparison to the core competencies of high-performing organizations. 642 IT professionals (both executive and technical positions) were asked specific questions concerning tools usage, development team knowledge, application security policies, and secure coding best practices.
Shielding targeted applications
When we discuss exploit prevention, we often talk about “targeted applications.’ This term refers to end-user applications which can be exploited by hackers for malicious purposes. There are a few requirements that define these applications.
NYT, Twitter, HuffPo sites disrupted by Syrian hacker group
Hackers from the Syrian Electronic Army have managed to hijack, deface and / or make unavailable the websites of The New York Times, Huffington Post UK and one of Twitter domains for image serving (twimg.com).
Researchers detail attacks for compromising Dropbox user accounts
Dropbox, the popular file hosting service that has managed to amass over 100 million users in the five years since it was launched, has had its fair share of problems: security glitches, hacks, being used as a malware hosting site, etc. The latest one are two researchers that not only managed to reverse engineer (unpack, decrypt and decompile) the Dropbox client software (i.e. desktop app), but have documented the step-by-step process and have made it public.
Smart building security: Threats, tips and tricks
Martin Lee is the Technical Lead, Threat Intelligence at Cisco. In this interview he discusses the critical security threats to smart buildings, the features of a robust and secure smart building system, and much more.
94.7 percent of Americans received at least one email containing a virus, spyware, or malware, according to Halon. About one in eleven (8.8%) opened the attachment and infected their computer.
New protection mechanism prevents mobile cross-app content stealing
A group of researchers from Indiana University and Microsoft Research have recently published a paper detailing the risk of cross-origin attacks on two of the most popular mobile operating systems today – iOS and Android – and have introduced an origin-based protection mechanism of their own design.
Tor usage more than doubles
Roger Dingledine, one of the original developers of Tor and current director of the Tor Project, has noted on the tor-talk mailing list that the number of Tor clients running appears to have doubled since August 19.
Facebook spamming is a hugely lucrative business
Italian researchers that have previously unearthed the big business behind fake Twitter followers have now calculated that Facebook spammers are raking in as much as $200m every year.
Fraud and identity theft camouflaged by DDoS attacks
Prolexic shared attack signatures and details that are helpful to detect and stop DDoS attacks from the Drive DDoS toolkit, an attack tool often used as a source of distraction while criminals break into customer accounts at finance firms and e-commerce businesses.
Detailed US intelligence community’s $52.6 billion budget leaked
Leaked by NSA whistleblower Edward Snowden and analyzed by The Washington Post reporters, the summary of the $52.6 billion US National Intelligence Program budget for the 2013 fiscal year reveals many interesting things.