Week in review: vBulletin.com hack, new perspective on Stuxnet, and ongoing large-scale MitM attacks

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Netflix users in danger of unknowingly picking up malware
Users of Silverlight, Microsoft’s answer to Adobe Flash, are in danger of having malware installed on their computers and being none the wiser, as an exploit for a critical vulnerability (CVE-2013-0634) in the app framework has been added to the Angler exploit kit.

A look into the MongoHQ breach
A recent security breach at MongoHQ (a MongoDB cloud services provider) left the company working hard to patch up security holes. As is unfortunately common, the breach was only detected when one of MongoHQ’s customers (Buffer) realized it had been hacked.

Anonymous hacker sentenced to 10 years in prison
Jeremy Hammond (aka “Anarchaos”), the Anonymous hacker that earlier this year pleaded guilty to conspiracy and hacking charges regarding the much publicized breach of Strategic Forecasting (“Stratfor”), has been sentenced to spend 10 years in jail.

vBulletin.com hacked, hackers trying to sell info on 0-day used
The company has reacted by immediately resetting all users’ passwords and is asking them to choose a new, more complex one that they won’t be using on other sites, but it hasn’t shared more details about how the hack came to pass. Another group has, though: hacker group Inj3ct0r Team has claimed responsibility for the hack on its Facebook page, and has also professed to be the one that breached the MacRumors forums.

Google broadens Patch Rewards Program
Google has announced the expansion of its recently unveiled Patch Reward Program, which urges security researchers to submit patches for third-party open source software critical to the health of the entire Internet.

1.2% of apps on Google Play are repackaged to deliver ads, collect info
According to BitDefender, more than one percent of 420,000+ analyzed apps offered on Google’s official Android store are repackaged versions of legitimate apps. In the long run, their existence hurts the users, the legitimate developers, and Google’s reputation in general.

Bogus “free Bitcoin generator” offer leads to malware
The offers are promulgated via YouTube videos, Pastebin posts and promo sites, and while they explicitly state that you will not have to complete a survey to get the Bitcoin generator, you are asked to pay for a premium account in order to download the file.

90% of workers in Britain cannot resist clicking on a web link
90% of UK workers surveyed have clicked on a web link embedded in an email with two-thirds (66%) admitting they very rarely first check to ensure the link is genuine.

GitHub accounts hacked in ongoing brute force attack
GitHub users should consider changing their account password to a more complex one and setting up 2-factor authentication in order to protect themselves from automated brute force attacks, warns GitHub security engineer Shawn Davenport. An attack of that kind is currently aimed at GitHub users, and has been for the past few days.

Ruling that authorized NSA bulk email data collection is disclosed
A new batch of declassified documents released by the Obama administration include one ruling made by the then chief judge of the Foreign Intelligence Surveillance Court, with which she authorized the NSA to massively collect e-mail metadata and data regarding other Internet communications under the provisions of the Foreign Intelligence Surveillance Act of 1978.

The enemy within
While many organizations are aware of the threat coming from internal sources, they are often reluctant to acknowledge it as it implies they don’t trust their employees. Another problem is our natural instinct telling us not to trust strangers, and consequently we focus much more on external threats.

Researcher offers new perspective on Stuxnet-wielding sabotage program
Stuxnet, the malware that rocked the security world and the first recorded cyber weapon, has an older and more complex “sibling” that was also aimed at disrupting the functioning of Iran’s uranium enrichment facility at Natanz, but whose modus operandi was different.

Review: Unified Communications Forensics
“Unified Communications is the integration of real-time communication services such as instant messaging, presence information, telephony (including IP telephony), video conferencing, data sharing, call control and speech recognition with non-real-time communication services such as unified messaging (integrated voicemail, e-mail, SMS and fax),” Wikipedia explains. This book concentrates on VoIP and the attacks leveraged against it.

Data sharing and interoperability are key for mitigating cyber attacks
The EU agency ENISA has launched its new report, Detect, SHARE, Protection, on how to make threat data exchange easier and better between the “digital fire brigades” (i.e. CERTs). The Agency concludes that improving information sharing must build on existing solutions and standardisation efforts in data exchange formats, so as to make them interoperable.

Google encourages teens to contribute to open source projects
For the fourth year in a row, Google has organized its Code-in contest for pre-university students to contribute to open source projects.

Green light given to Galileo, the EU alternative to America’s GPS
Plans to start up the EU’s first global satellite navigation system (GNSS) built under civilian control, entirely independent of other navigation systems and yet interoperable with them, were approved by MEPs on Wednesday.

SAP Trojan based partially on Carberp code
Bit by bit, details about the first information-stealing Trojan discovered targeting SAP enterprise software are being unveiled, and Microsoft researchers have tied at least part of its source code to that of the infamous Carberp banking Trojan.

Are tablets secure enough for business?
Amazon is launching its first enterprise-ready tablet. A smart move, as the much-loved mobile device can finally be integrated into business. However, it does raise the question: how can SMEs ensure they are prepared for this new mobile device onslaught?

NTRU public key crypto released to open source community
Today, Security Innovation announced the availability of NTRU crypto for free use in open source software. With the GPL open source license, NTRU can be confidently deployed in open source products such as web browsers and TLS/SSL servers. For those wishing to incorporate NTRU into a proprietary product, a commercial license is available.

Unofficial guide to Tor: Really private browsing
The issue of privacy on the Internet has long been a difficult one: there are a lot of good reasons that you might be leery of strangers reading your emails or spying on the websites you visit. Tor is a powerful, easy-to-use piece of software that lets you keep your online life private. This guide provides step-by-step instructions for installing, configuring and using Tor, and gets you started taking an active role in defending your privacy on the Internet.

Large-scale net traffic misdirections and MitM attacks detected
Man-In-the-Middle BGP route hijacking attacks are becoming regular occurrences, but it’s still impossible to tell who is behind them, and what their ultimate goal is, warns Jim Cowie, co-founder and CTO of Internet intelligence company Renesys.

Top 10 data disasters from 2013
Kroll Ontrack announced its 11th annual list of the top 10 data disasters from 2013. For the last 11 years, the company has annually been collecting and publishing a list of the 10 most interesting data losses from its offices around the globe.

New threats subverting digital signature validation
McAfee Labs found new efforts to circumvent digital signature app validation on Android-based devices. The McAfee Labs team identified a new family of mobile malware that allows an attacker to bypass the digital signature validation of apps on Android devices, which contributed to a 30 percent increase in Android-based malware.

Fake AV update notifications deliver malware
Spam emails impersonating a variety of antivirus vendors have been spotted targeting worried users around the globe, urging them to download and run an “important system update.”
