Week in review: Chrome bugs turn browser into listening device, Target POS malware author reveals himself

Here’s an overview of some of last week’s most interesting news and articles:

Ad-pushers buy Chrome add-ons, update them to inject ads
Google has a new problem: original add-on developers are being bought out by ad firms and their creations equipped with code serving ads to unsuspecting users.

“123456” unseats “password” from top of worst passwords list
SplashData has announced its annual list of the 25 most common passwords found on the Internet. For the first time since the company began compiling the list, “password” has lost its title as the most common (and therefore worst) password; two-time runner-up “123456” took the dubious honor.

Unofficial guide to Tor: Really private browsing
This guide walks step by step through installing, configuring, and using Tor, and gets you started taking an active role in defending your privacy on the Internet.

Speakers boycotting RSA Conference will speak at TrustyCon
The event will “prioritize and refocus trust in technology and technology companies, during a time of cynicism and contempt towards consumer security and privacy.”

Apple users hit with “Update using new SSL servers” phishing email
Users with Apple Accounts are again being targeted with legitimate-looking phishing emails that are after their account credentials, personal and financial information.

Card data stolen in Target breach starts getting misused
Two Mexican citizens have repeatedly entered the US and used cards cloned from the information stolen from Target to effect a great number of purchases in South Texas.

Mac and Windows users targeted with malicious “Failed delivery” emails
The emails in question impersonate a series of existing courier brands such as DHL, FedEx, and the UK Royal Mail, but the malware peddlers have also gone as far as inventing a fictitious courier service and creating a website for it.

Target POS malware author reveals himself
In an unexpected turn of events, the suspected Russian author of the BlackPOS (or Kaptoxa) malware has confirmed that he was, indeed, the one who developed it.

16 million logins compromised, warns German infosec agency
The German Federal Office for Information Security (BSI) issued a notification on Tuesday warning that some 16 million online user accounts have been compromised, and urged users to check whether theirs are among them.

Motivation and techniques of world’s most sophisticated cyber attackers
CrowdStrike released “CrowdStrike Global Threats Report: 2013 Year in Review,” the product of its year-long study of more than 50 groups of cyber threat actors. The 30-plus page report offers insight on the activities of several sophisticated groups of attackers.

Hacker Guccifer arrested in Romania?
A Romanian man believed to be the (in)famous hacker Guccifer has been arrested by the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) on Wednesday.

Penetration testing: Accurate or abused?
The quality of pen testing can vary by the skill and thoroughness of the pen tester. Given the limited time available for testing it is impossible to exercise all aspects of an application with all possible attack vectors.

ENISA: Industrial Control Systems require coordinated capability testing
The EU’s cyber security agency ENISA has published a new report advising on the next steps towards coordinated capability testing of the often outdated Industrial Control Systems (ICS) used by European industries.

Most top 500 Android mobile apps have security and privacy risks
After testing the top 500 Android applications, MetaIntell identified that approximately 460 of those 500 Android applications (available in apps stores such as Amazon, CNET, GETJAR, and Google Play) create a security or privacy risk when downloaded to Android devices.

Chrome bugs allow websites to listen in on your conversations
Several security flaws in the popular Google Chrome browser can be exploited to turn the computer into a surreptitious listening device, claims Israeli developer Tal Ater.

New Snapchat CAPTCHA system hacked in record time
On Wednesday, the company introduced a new way to verify that a user looking to register an account is human: he or she has to pick the 4 pictures out of 9 that contain the “Snapchat ghost” (the app’s logo). Less than 30 minutes later, Steven Hickson, a graduate student researcher at Georgia Tech, wrote a simple script that allows a computer to trick the system.
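The weakness in a “pick the tiles containing our logo” check is that the target bitmap never changes, so a solver only needs to look for it. The following is an added illustration written for this roundup, not Hickson’s script or anything from Snapchat: it builds a constructed 9-tile challenge from a toy 3x3 “ghost” bitmap and solves it by exhaustive template matching. The tile size, the bitmaps and the stamp positions are all made up for the example.

```python
# Added illustration (not Hickson's script): a fixed-logo "pick the tiles that
# contain X" CAPTCHA falls to exact template matching because X never varies.

from typing import List

# Constructed toy data: the "ghost" is a fixed 3x3 binary bitmap.
GHOST = [
    [0, 1, 0],
    [1, 1, 1],
    [1, 0, 1],
]

Tile = List[List[int]]


def blank_tile(size: int = 6) -> Tile:
    """A size x size tile with nothing drawn on it."""
    return [[0] * size for _ in range(size)]


def stamp(tile: Tile, template: Tile, row: int, col: int) -> Tile:
    """Return a copy of tile with template drawn with its top-left at (row, col)."""
    out = [r[:] for r in tile]
    for i, trow in enumerate(template):
        for j, v in enumerate(trow):
            out[row + i][col + j] = v
    return out


def contains_template(tile: Tile, template: Tile) -> bool:
    """Sliding-window search: True if template appears verbatim anywhere in tile."""
    th, tw = len(template), len(template[0])
    for r in range(len(tile) - th + 1):
        for c in range(len(tile[0]) - tw + 1):
            if all(tile[r + i][c + j] == template[i][j]
                   for i in range(th) for j in range(tw)):
                return True
    return False


def solve(tiles: List[Tile], template: Tile) -> List[int]:
    """Indices of the tiles a solver would click: those containing the template."""
    return [i for i, t in enumerate(tiles) if contains_template(t, template)]


def build_challenge() -> List[Tile]:
    """Constructed 9-tile challenge: the ghost is stamped at different positions in
    tiles 1, 4, 5 and 8; tile 2 carries a solid 3x3 decoy blob that is not a match."""
    decoy = [[1, 1, 1], [1, 1, 1], [1, 1, 1]]
    tiles = [blank_tile() for _ in range(9)]
    tiles[1] = stamp(tiles[1], GHOST, 0, 0)
    tiles[4] = stamp(tiles[4], GHOST, 2, 3)
    tiles[5] = stamp(tiles[5], GHOST, 3, 1)
    tiles[8] = stamp(tiles[8], GHOST, 1, 2)
    tiles[2] = stamp(tiles[2], decoy, 1, 1)
    return tiles


if __name__ == "__main__":
    print(solve(build_challenge(), GHOST))  # [1, 4, 5, 8]
```

The decoy tile shows that exact matching is not fooled by “something ghost-shaped”: only the verbatim bitmap counts, and that is all the challenge asks for. The countermeasure is to make the target vary between challenges (distortion, rotation, noise, overlapping objects) so that a constant template no longer suffices.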

Looking back at 10 years of mobile malware
From Cabir to FakeDefend, the last decade has seen the number of mobile malware samples explode. Besides the sheer growth in numbers, an important trend to note is that mobile malware has followed the same evolution as PC malware, but at a much faster pace.

Beware of malicious specialised software keygens!
Researchers warn that in the last few weeks, malware peddlers have been targeting professionals working in a variety of industries with trojanised key generators for specialised software.

Fixing the Internet of Things
The Internet of Things is everyone’s problem. The good news is that the Internet connects everything, but that is also the bad news. Internet security is, therefore, not just your problem but everyone’s, and there is a certain responsibility we must all take as we share this amazing resource.

1.1 million affected in Neiman Marcus breach
American luxury department store chain Neiman Marcus has finally offered some details about the breach it suffered during the end of the year holidays. It’s not as bad as the Target breach, but it’s bad nonetheless.

$2.7 million await successful Pwnium 4 contestants
The fourth edition of the hacking contest will, as last year, focus on the company’s Chrome OS, and competitors will contend for sizeable prizes.
