Week in review: IE 0-day patched, Windows XP gets unexpected update, and tips on how to learn information security

Here’s an overview of some of last week’s most interesting news, reviews and articles:

XSS bug in popular Chinese site exploited to launch DDoS attack
DDoS mitigation firm Incapsula has put a stop to the speculations that the video content provider whose vulnerable website was misused to launch a DDoS attack was YouTube, and has revealed that it was actually Sohu.com, currently the 27th most visited website in the world.

Mozilla offers $10,000 for bugs in its new cert verification library
In the wake of the recent discoveries of the Heartbleed OpenSSL bug and the SSL “gotofail” bug, Mozilla has announced a new and topical bug bounty program: it offers $10,000 to any researcher that discovers and responsibly reports critical security flaws in a new certificate verification library that will soon be implemented in the company’s products.

Infosecurity Europe 2014 coverage
The popular conference unfolded this past week in Earl’s Court in London, and our team was there to feel the pulse of the infosec industry. Check out our dedicated coverage page for news and photos.

Flash 0-day exploited in watering hole attacks, Adobe provides patch
In the security bulletin the company published to warn users and urge them to update, Kaspersky Lab researcher Alexander Polyakov is credited with discovering the attacks. Almost simultaneously, the Russian security company published a blog post detailing them.

Whitepaper: How Big Data fights back against APTs and malware
This whitepaper is essential reading for CEOs, CTOs, Network Security Professionals, and everyone else who needs to know why “Big Data = Big Protection” in today’s threat landscape.

Six infosec tips I learned from Game of Thrones
If you’re a GOT fan, you’re probably excited about the recent launch of season four. Accordingly, the second article of Corey Nachreiner’s pop-culture/cyber-security series explores the information security tips you might extract from the morbidly dark, yet inescapably intriguing fantasy series.

99 percent of Q1 mobile threats targeted Android
Over 99% of new mobile threats discovered by F-Secure Labs in the first quarter of 2014 targeted Android users, according to the company’s new Mobile Threat Report. In comparison, the same quarter last year brought 149 new threat families and variants, 91% of which targeted Android.

Key security technologies can help cloud adoption
Bitglass aggregated real-world and survey data from 81,253 companies across a range of industries and company sizes, and found that private companies are more likely to have adopted cloud-based email than public companies.

Spike in DDoS attack size driven by NTP misuse
Arbor Networks released global DDoS attack data derived from its ATLAS threat monitoring infrastructure, which shows an unprecedented spike in volumetric attacks, driven by the proliferation of NTP reflection/amplification attacks.

AOL breach confirmed, bigger than initially thought
Recent spam emails apparently sent from AOL email addresses and hawking diet products are a direct consequence of a breach of the company’s networks and systems, AOL confirmed on Monday.

Only 1% of Q1 data breaches were “secure breaches”
Of the 254 data breaches that occurred during the first quarter of 2014, only 1 percent were “secure breaches,” i.e. breaches where strong encryption, key management, or authentication solutions protected the data from being used.

Wearable technology privacy and security issues
In this interview, Dominic Storey, EMEA Technical Director at Cisco, talks about the security attacks wearable devices are susceptible to at the moment, how security should be implemented for such devices, and much more.

How to learn information security
Twenty years ago, security was a very different and much narrower field than it is today. As technology evolves, so do the threats, and with new threats come new protection requirements. In order to do a great job in the infosec field, you need to constantly up your game and learn as much as you can every single day.

New Android Trojan spreads like a worm
The Trojan is difficult to spot: its package is named to make the software look like a system utility app and, once installed, it shows no icon and has no GUI that the user could open by accident.

Security-oriented Blackphone specifications published
SGP Technologies SA, the Switzerland-based joint venture of Silent Circle and Geeksphone behind Blackphone, announced the specifications of its eagerly awaited privacy-minded handset.

Target announces move to chip-and-PIN card technology
Target has announced that, effective May 5, Bob DeRodes will lead the company’s information technology transformation in the wake of the massive breach it recently suffered, and that, beginning in early 2015, the entire REDcard portfolio, including all Target-branded credit and debit cards, will be enabled with MasterCard’s chip-and-PIN solution.

Researcher says traffic control systems can be hacked
Hacking the control systems that regulate traffic lights in the United States’ big, gridlocked cities is possible not only in action films but in reality as well, says Cesar Cerrudo, a security researcher with IOActive.

London warbiking reveals worrying state of Wi-Fi security
Sophos sent security expert James Lyne and his computer-equipped bicycle onto the streets of London to test how safe homes, businesses, and even people on mobile phones are from cyber criminals.

IoT security requirements will reshape enterprise IT security programs
Gartner predicts that IoT security requirements will reshape and expand over half of all global enterprise IT security programs by 2020 due to changes in supported platform and service scale, diversity and function.

Microsoft updates IE against latest 0-day, also updates XP
Microsoft has issued an out-of-band security update to patch the zero-day vulnerability that affects all versions of Internet Explorer and is being actively exploited in the wild. The company has also pushed out an update for all versions of Windows XP, citing “the proximity to the end of support for Windows XP” as the reason for the unexpected move.

Guide to the UK government cyber essentials scheme
The Cyber Essentials Scheme, the new best-practice guidance issued by the UK government in response to industry demands for a better cyber security policy for businesses, was released on the 7th of April 2014. The project follows a call for evidence which concluded that cyber security standards should be internationally recognized, promote international trade, allow systems to exchange and use information efficiently, and be auditable.

Stanford professor scrutinizes India’s biometric identification program
The cutting edge of biometric identification — using fingerprints or eye scans to confirm a person’s identity — isn’t at the FBI or the Department of Homeland Security. It’s in India.

US bank customers targeted with vishing messages
Customers of a number of US banks have recently been hit by Voice over IP phishing (vishing) attacks orchestrated by Eastern European cyber crooks, warns John LaCour, founder and CEO of PhishLabs.

Facebook unveils Anonymous Login
Anonymous Login will allow users to try an app without having to share any of the personal information contained in their Facebook account. They might choose to share more information with it at a later date.
