Week in review: Android locker ransomware, password management done right, IE 0-day exploit details

Here’s an overview of some of last week’s most interesting news, podcasts, interviews, videos and articles:

Researchers debunk severity of OAuth “Covert Redirect” bug
A Ph.D. student at the Nanyang Technological University in Singapore made the information security world pause for a moment by claiming that he had found a “serious” OAuth 2.0 and OpenID security flaw that could allow attackers to obtain sensitive information from both providers and clients.

NIST updates Transport Layer Security (TLS) guidelines
The document, NIST Special Publication 800-52 Revision 1: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, updates the original SP 800-52, released in 2005.

Researchers share details about recent IE 0-day exploit and its delivery
Given that Microsoft has closed the Internet Explorer 0-day vulnerability that was exploited to compromise US-based defense and financial firms, the Sourcefire vulnerability research team has decided to share some more details about the exploit.

Tips for utilities to comply with new cybersecurity standards
When the North American Electric Reliability Corporation (NERC) signed Order 791 in January 2014, more than 400 utilities suddenly faced a tight timetable to plan for and comply with version 5 of the Critical Infrastructure Protection (CIP) cybersecurity standards.

Convergence of physical and cyber security
The concept of security convergence, where physical and cyber security issues overlap, has been around for more than a decade. But it has only been in the last few years that the IP-enablement of everyday business functions has forced companies to come to terms with the fact that physical and cyber security must be treated in a unified manner.

Android “Police Locker” ransomware set to attack
The malware is detected by most AV solutions as Trojan Koler, and the researcher has already spotted another threat actor delivering it.

The Heartbleed effect
In this podcast, recorded at Infosecurity Europe 2014, Ivan Ristic, Director of Engineering at Qualys, talks about the Heartbleed bug and its impact on the security industry. He tackles open source as well as the amazing patch rate.

Windows flaw allows access to data after accounts are revoked
Disabling an account in a Windows network does not take effect immediately, according to Aorato. In fact, due to design considerations, disabled accounts – and the same goes for deleted, expired and locked-out accounts – effectively remain valid for up to 10 hours after they have supposedly been revoked.

Reset the Net action aims to thwart online mass surveillance
The action is aimed at website administrators, online services, mobile app developers, and users in general, and its goal is to make mass Internet surveillance more difficult for the NSA and other spy agencies and governments.

Password management done right
Despite their inherent insecurity, passwords are here to stay. Among the advantages they offer is the fact that they can be used straight away, and that they are a good alternative to tying yourself to a specific authentication token, smartphone or location.

Dropbox fixes link-sharing data-leaking flaw
Popular file hosting service Dropbox has announced that it has patched a vulnerability that would make privately shared links accessible to those for whom they weren’t intended.

Infosecurity Europe 2014 showcase
Here’s a video overview of Infosecurity Europe 2014, which took place last week in London.

Attackers rope DVRs in bitcoin-mining botnet in record time
How long does it take for an out-of-the-box digital video recorder to be compromised with malware once the device has been connected to the Internet? The unfortunate answer is just one day.

4chan launches bug bounty program
In the wake of the recent data breach that spelled the end of art products Canvas and DrawQuest, 4chan founder and owner Chris “moot” Poole has announced that they will be launching the 4chan Vulnerability Disclosure Program.

EU Data Protection Regulation: Detection is the best prevention
What steps can IT managers take to ensure their data is protected and how can they convince the board that each solution is worth the investment?

Responding to data breaches and increasing security
In this podcast, recorded at Infosecurity Europe 2014, Josie Herbert interviews Craig Carpenter, the Chief Cybersecurity Strategist for AccessData. Carpenter tackles the issues surrounding data breaches, incident response and BYOD. He offers tips for organizations working to resolve the IT security challenges following a breach. He also discusses the future of the IT security market and how it will respond to a series of evolving threats.

Industries on the cyber war front line
ThreatTrack Security published a study that looks at the security vulnerabilities of two industries most often targeted by cybercrime: energy and financial services.

Calling the cloud: Challenges of managing information
The cloud, and the many benefits it offers organizations of all sizes, continues to be much discussed. Rarely is it mentioned, though, that there are a number of complications that come with managing data there, especially in regard to end user accounts and access to applications.

Malware peddlers prefer deceptive tactics to exploits
Cyber crooks are losing interest in exploits as an attack vector, and are concentrating on deceptive downloads and ransomware as a means of earning/stealing money.

Warbiking tour reveals dismal state of wireless security
In this podcast, James Lyne, Global Head of Security Research at Sophos, talks about how he took his computer-equipped bicycle onto the streets of several cities to test how safe homes, businesses, and even people on mobile phones are from cyber criminals.

eBook: Enterprise Mobility for Dummies
This guide outlines how your enterprise can leverage mobility to gain real-time access to vital business information and meet consumer needs.

Top 4 strategies to mitigate cyber intrusions
In this podcast, recorded at Infosecurity Europe 2014, Wolfgang Kandek, CTO at Qualys, talks about the Top 4 Critical Security Controls to fend off attacks.

Bitly resets compromised credentials
URL shortening service Bitly has suffered a breach of as yet undefined proportions, and it seems that Bitly account credentials have been compromised.

Snapchat’s promises of disappearing messages were false
Snapchat, the developer of a popular mobile messaging app, has agreed to settle Federal Trade Commission charges that it deceived consumers with promises about the disappearing nature of messages sent through the service. The FTC case also alleged that the company deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure.

A month after Heartbleed, many servers are still vulnerable
Given that this open-source implementation of the SSL and TLS protocols is used in many operating systems and apps, not to mention being the default encryption engine for popular Web server software, it’s a given that fixing this mess will take some time.
