Week in review: Adobe breach, Silk Road takedown, and the future of information security

Here’s an overview of some of last week’s most interesting news, videos, interviews and articles:

The impact of false positives on web application security scanners
Ferruh Mavituna is the CEO at Mavituna Security and the Product Architect of Netsparker. In this interview he discusses what impact false positives have on web application security scanners and what his team is doing to deliver false-positive-free scans.

Two youngsters arrested for different DDoS attacks
Following the massive DDoS attack against anti-spam outfit Spamhaus earlier this year, a 35-year-old Dutch citizen believed to be Sven Kamphuis, the owner and manager of Dutch hosting firm Cyberbunker, was arrested in Spain because he was suspected of having participated in the attack. But what only now came to light is that, simultaneously, a 16-year-old London schoolboy had been detained by the London Metropolitan Police because of similar suspicions.

UK to create new cyber defence force
Defence secretary Philip Hammond has announced that the UK is to create a new cyber unit and seek full cyber warfare competency, including both offensive and defensive capabilities. The Joint Reserve Unit will be made up of technical experts and Britain’s top IT “geniuses”. The disclosure was made ahead of the Conservative Party Conference in Manchester and is the first time any country has openly admitted having the capabilities to attack other nation states’ internet infrastructure. Here are some comments received by Help Net Security.

The motives behind nation state driven cyber attacks
FireEye released a report that describes the unique international and local characteristics of cyber attack campaigns waged by governments worldwide.

Latest IE 0-day still unpatched, attacks exploiting it go back three months
While Microsoft is yet to issue a patch for the latest Internet Explorer zero-day (CVE-2013-3893), reports are coming in that the flaw has been exploited more widely and for a longer time than initially believed.

NSA creates US citizens’ profiles by collecting metadata, public and commercial data
In 2010, NSA analysts were instructed to disregard previous restrictions when it came to analyzing phone call and email logs belonging to Americans who had connections to foreign targets, and to use any other information they could collect about the person from public, commercial and other sources to create a detailed picture of their lives and their connection to the person of interest.

Hackers gather in Colombia for Security Zone 2013
The first Security Zone event was held in 2011, as a group of people within the Colombian infosec community decided to do a national event on information security. They reached out to Ian Amit and asked him to name a selection of recognized information security speakers to invite to Cali, Colombia. Good sport that he is, he not only gave them the names, but also helped talk these experts into coming.

Researchers sinkhole half a million ZeroAccess bots
In a race against time and ZeroAccess developers and botmasters, Symantec researchers managed to sinkhole a large chunk of the infamous P2P-based botnet before its herders managed to update the bots and close down the security holes that allowed the researchers to do so.

Rapid7 offers free tools and terabytes of its own research
HD Moore, chief research officer at Rapid7, has called for all security professionals to collaborate on security data research and analysis to create greater awareness and understanding of security issues and their implications. To facilitate this, Rapid7 Labs has launched Project Sonar, offering free tools and terabytes of data from its own research efforts.

Common data breach handling mistakes
A data breach is an issue that can affect any organization and National Cyber Security Awareness Month is an opportune time for organizations to start to prepare for an incident or enhance their current response plan.

Cybercrime service providers arrested in Europe
The European Cybercrime Centre (EC3) at Europol has supported Spanish National Police in arresting two Ukrainian criminals in Madrid who sold cybercriminals access to a huge number of compromised computer servers for anonymising their Internet activities. They are also suspected of laundering the illicit proceeds of police ransomware.

Over 50% don’t protect their Android devices
Over 50 percent of Android-based smartphone and tablet owners do not use any security software to protect their devices against cyber-threats, according to Kaspersky Lab.

Facebook extends Graph Search to include posts, updates, comments
This Monday, Facebook announced that from now on, Graph Search will include posts, status updates, photo captions, check-ins and comments (still only for US English users).

Innovation, big data and the future of information security
Dr. Herbert (Hugh) Thompson is Program Chair for RSA Conferences and a world-renowned expert on IT security. He has co-authored several books on the topic and has written more than 80 academic and industrial publications on security. He has been an adjunct professor at Columbia University in New York and is Advisory Board member for the Anti-Malware Testing Standards Organization. In this interview he talks about innovation in the information security industry, the job landscape, privacy solutions, and more.

Get a VIP ticket to HITBSecConf and $1337 of travel money
Following the success of the first #HITB1337Giveaway held in conjunction with HITBSecConf2013 – Amsterdam, Hack In The Box is now bringing this popular Twitter-based contest to Malaysia, offering contestants a chance to join some of the world’s greatest hackers, makers, breakers and builders in Kuala Lumpur for the 11th annual Hack In The Box Security Conference taking place later this month.

Video: Cracking corporate passwords
Cracking corporate passwords is different from cracking public MD5 leaks off of Pastebin. Corporate passwords are not in the same formats you are used to; they require capital letters, numbers and/or special characters.

Connections between personality types and phishing
Phishing scams are some of the most effective online swindles, hooking both savvy and naive computer users. New insights from researchers at the Polytechnic Institute of New York University (NYU-Poly) point to two factors that may boost the likelihood that a computer user will fall prey: being female and having a neurotic personality.

Bruce Schneier: The battle for power on the Internet
Bruce Schneier gives us a glimpse of the future of the internet, and shares some of the context we should keep in mind, and the insights we need to understand, as we prepare for it.

Silk Road taken down, owner arrested
Silk Road, the infamous black market drug website hidden in the so-called Deep Web, has been taken down, and its founder and owner arrested and charged with conspiracy to traffic narcotics and computer hacking, murder solicitation, and conspiracy to launder money.

Adobe breached, customer info and source code compromised
Hackers have breached Adobe’s network and have made off with personal, account, and encrypted financial information of nearly 3 million Adobe customers, as well as the source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products. And here are some reactions from the security community to the breach.

Whitepaper: Beginner’s Guide to SSL Certificates
Read the Beginner’s Guide to SSL Certificates that will enable you to make the best choice when considering your online security options.

Video: Practical exploitation using a malicious SSID
In this video from DerbyCon, Deral Heiland discusses leveraging SSIDs to inject various attacks into wireless devices and management consoles. The types of injection attacks discussed include XSS, CSRF, command injection and format string attacks.
