Week in review: Forged SSL certs in the wild, NSA allegedly backdoors network devices, (IN)SECURE Mag special issue released

Here’s an overview of some of last week’s most interesting news, podcasts and articles:

Bitly breach details revealed
Bitly has released more details about the breach that made them reset user account credentials and disconnect all users’ Facebook and Twitter accounts.

Google account passwords stolen in phishing attack
Hackers have been stealing Google account passwords in a new and better-crafted phishing attack that is hard to catch with traditional heuristic detection.

What keeps senior IT security pros up at night? It’s not what you think
In the security space, last year was one for the books. Edward Snowden made waves after leaking classified documents detailing government surveillance programs, which raised privacy and security concerns for individuals and enterprises worldwide. Data breach after data breach of major retailers and brands shook every industry to its core, leaving IT teams wondering, “could this happen to us?”

The story of Pwnie Express
In April, Help Net Security attended the InfoSec World 2014 Conference & Expo in sunny Orlando, where we sat down with Mark Hughes, who has held a number of roles at Pwnie Express since its inception. In this very interesting 40-minute podcast, Mr. Hughes shares the story of Pwnie Express, from its roots in the security community, through its initial success, to its new enterprise-class solutions.

Researchers find, analyze forged SSL certs in the wild
A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild.

Building a more secure and agile Internet
The National Science Foundation’s (NSF) Directorate for Computer and Information Science and Engineering (CISE) awarded $15 million to support three multi-institutional projects that will further develop, deploy and test future Internet architectures. These pilot networks are designed to enhance security, respond to emerging service challenges and enable the scalability of the information infrastructure upon which Internet users increasingly rely.

NSA allegedly puts backdoors on American-made network devices
Glenn Greenwald’s new book titled No Place to Hide was published last week. Aside from telling the story of how he worked with NSA whistleblower Edward Snowden and journalist Laura Poitras to make public the mind-blowing extent of mass US surveillance, the book also includes a number of revelations and documents that have not been previously shared with the public.

Whitepaper: 10 network security tools you should use
Whether you are operating a home system, overseeing a small startup, or performing security governance for an enterprise, everyone can benefit from paying attention to security. This paper provides a list of 10 security tools or tests that will help you check out suspicious issues and keep ahead of new risks and threats.

Despite hearing about Heartbleed, 47% have not changed their passwords
Of those consumers who had heard of Heartbleed, just 53 percent had changed their passwords. When asked why they had not changed their password, 44 percent said they were not concerned about the security issue.

The importance of continuous monitoring
In this podcast, recorded at Infosecurity Europe 2014, Corey Bodzin, VP of Product Management at Qualys, discusses the need for continuous monitoring of the growing perimeter and the new QualysGuard Continuous Monitoring solution, which can scan the entire perimeter of even large global networks on a frequent basis and report any rules violations as email alerts or to the company’s SIEM.

NIST guidelines help developers build security in from the start
The goal, according to computer scientist Ron Ross, a NIST Fellow, is to help establish processes that build security into IT systems from the beginning using sound design principles, rather than trying to tack it on at the end.

Bad news for Cryptocat as it debuts Encrypted Facebook Chat
Mere days after Cryptocat creator Nadim Kobeissi announced that the latest update of the popular software will allow Facebook users to use encrypted chat, the social network has made known its intention of shutting down its Chat API/XMPP Services by April 30th 2015.

Making the web a safe place to visit
In this podcast, recorded at Infosecurity Europe 2014, Branden Spikes, CEO, CTO & Founder of Spikes Security, talks about making the web a safe place to visit with the use of isolation technology for preventing malicious content from infecting endpoints.

Malvertising up by over 200%
Online Trust Alliance (OTA) Executive Director and President Craig Spiezle testified before the U.S. Senate’s Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations, outlining the risks of malicious advertising, and possible solutions to stem the rising tide.

(IN)SECURE Magazine Infosecurity Europe special issue released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Presented in this issue are some of the most interesting news and companies we’ve seen at this year’s Infosecurity Europe conference and exhibition.

US retailers set up center for cyber intelligence sharing
The US Retail Industry Leaders Association (RILA), along with several of America’s most recognized retail brands, launched the Retail Cyber Intelligence Sharing Center (R-CISC).

Fake mobile AV apps sold on Google Play and Windows Phone Store
Remember when the popular but totally useless security app named Virus Shield appeared for sale on Google Play and netted its creators over $40,000 before being removed from the online market? Well, the app has been resurrected, and this time the targets are Windows Phone users.

NIST’s cryptographic material under review
The National Institute of Standards and Technology (NIST) announced that its primary advisory committee, the Visiting Committee on Advanced Technology (VCAT), has begun its review of the institute’s cryptographic standards and guidelines program.

Cybercriminals targeting unlikely sources to carry out high-profile exploits
Cybercriminals continuously discover more ways to successfully target new outlets for financial theft, according to Trend Micro. Greed is motivating cybercriminals to take a non-traditional approach in selecting unlikely targets, such as mounting advanced attacks against Point-of-Sale (PoS) terminals and exploiting disasters.

Tor cannot protect you from targeted surveillance
In the wake of all the revelations about mass Internet surveillance by the US NSA, many users, businesses and government agencies around the world have turned to the Tor anonymity network to keep their sensitive information out of the hands of intelligence agencies and of anyone else who would like to steal it. But Andy Malone, founder of the Cybercrime Security Forum and a Microsoft MVP, warns that using Tor does not guarantee that the information you are trying to keep hidden will not be compromised.

Tech companies and privacy practices: Who has your back?
The Electronic Frontier Foundation (EFF) has published its fourth annual “Who Has Your Back” report that aims to show which major technology companies are good at protecting your data from government requests.
