Week in review: PHP.net compromise, Facebook data mining, and how to social engineer a social network

Here’s an overview of some of last week’s most interesting news, podcasts, videos and articles:

The Basics of Web Hacking: Tools and Techniques to Attack the Web
Web security is one of the hot topics that we cover quite a lot on Help Net Security, and it is something that generates news and catches the interest of an ever-growing number of Internet users. If you are completely out of your depth in web security but would like a primer on it, this is a book to check out.

Can you trust the apps you use?
In this podcast recorded at Virus Bulletin 2013, Bullguard’s Alex Balan asks the question: “How much control do we have over our security once we’ve allowed apps access to our private information?”, and explains the unwelcome answer.

The IT road to hell
Although this article is primarily intended to look at the IT security implications of the Snowden and Manning affairs, the question that needs asking is whether the incessant drive to reduce costs and increase shareholder value is ultimately resulting in the demise of our economies, and the destruction of our infrastructures.

Facebook data mining tool uncovers your life
You know you shouldn’t post potentially damaging data on Facebook, but more often than not, your friends don’t think twice about it, and this can impact you more than you think. At the Hack In The Box conference in Kuala Lumpur, security consultants Keith Lee and Jonathan Werrett from SpiderLabs revealed how a simple tool can enable anyone to find a comprehensive set of data on any user.

Video: Operationalizing security intelligence in the enterprise
This DerbyCon video covers security intelligence end-to-end from definition to incorporation, and why it’s vital to your organization’s strategy and tactics.

How to social engineer a social network
At this year’s edition of the Hack In The Box conference in Kuala Lumpur, Ruhr University Bochum researcher Ashar Javed demonstrated the possibilities offered by Facebook’s “Lost my password” / trusted friends feature. His rather extensive presentation also contained a section on several attack vectors related to social networks that should have been closed off by now.

Free eBook: Linux From Scratch
This 318-page eBook provides readers with the background and instruction to design and build custom Linux systems. Users can dictate all aspects of their system, including directory layout, script setup, and security. The resulting system is compiled completely from source code, and the user is able to specify where, why, and how programs are installed.

A new classification for potentially unwanted mobile apps
In this podcast recorded at Virus Bulletin 2013, Svajcer talks about their efforts to create a mobile PUA taxonomy that would be accurate and helpful to all the stakeholders in the mobile environment, and especially the end users.

Building an information security awareness program from scratch
This talk from DerbyCon will show you how to build a security awareness program from scratch for little or no money, and how to engage your users so that they get the most out of the program.

iPhone secure messaging with self-destruct mechanism via Wickr app
Wickr is a free app designed to provide private communication across a range of devices running Android and iOS. From a technical point of view, Wickr uses AES256 for encryption and ECDH521 for the key exchange. SHA256 is used for hashing, alongside Transport Layer Security (TLS). All encryption keys are used only once, and the Wickr servers don’t store any decryption keys. Besides the tough crypto, the key feature of the service is its self-destruct mechanism for messages. Sounds quite good, especially with the recent snooping controversies.

Young employees don’t care about corporate policies
There’s a growing appetite among Generation Y employees to contravene corporate policies governing the use of personal devices, personal cloud storage accounts and new technologies such as smart watches, Google Glass and connected cars.

What has changed in ISO 27001?
Learn what has changed in ISO 27001 with this easy-to-understand infographic.

US allies demand explanations about NSA surveillance
Le Monde’s Monday report on the NSA’s systematic gathering of phone call data of French citizens, and the recording of certain calls and text messages, has led the French prime minister, Jean-Marc Ayrault, to summon the US ambassador in Paris and demand explanations.

Most young adults not interested in a cybersecurity career
While U.S. government officials find the current pipeline for cybersecurity talent to be lacking, 82 percent of U.S. millennials say no high school teacher or guidance counselor ever mentioned to them the idea of a career in cybersecurity.

PHP.net compromised to serve malware
On Thursday, Google’s Safe Browsing service began warning visitors to php.net that the website was discovered serving malware. Initially, most people and PHP maintainers thought that it was a false positive, but subsequent investigation confirmed that some of the project’s servers did get compromised.

Insider threat: Users are out of control
One of the most startling statistics from a new BeyondTrust survey reveals that 28 percent of respondents admitted to having retrieved information not relevant to their job. When asked what information was accessed, nearly one-quarter identified financial reports, and almost half provided written responses specifying salary details, HR data, personnel documents, etc.

Mozilla releases add-on to reveal online data tracking
With a new version (1.0.2) released on Wednesday, Mozilla has once again put the spotlight on its Collusion add-on that aims to show users which first and third parties are tracking them as they surf the Internet. In addition to several improvements, the add-on also has a new name – Lightbeam – that, according to Alex Fowler, Mozilla’s head of global privacy and public policy, describes the concept better.

Bypassing security scanners by changing the system language
A substantial security oversight is present in a variety of penetration testing tools, and it has to do with the different languages a computer system can be configured to use, Trustwave researchers claimed and demonstrated at the recently held Hack In The Box conference in Kuala Lumpur.
