Week in review: “Lawful interception” mobile malware, top infosec tech in 2014, and the new issue of (IN)SECURE Magazine

Here’s an overview of some of last week’s most interesting news, articles and interviews:

(IN)SECURE Magazine issue 42 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics.

Skills development for information security professionals
In this interview, John Colley, MD for (ISC)2 EMEA, talks about the challenges of his job, discusses critical information security areas, and tackles the future of certification.

Improving transaction security for financial institutions
Data from the ThreatMetrix Global Trust Intelligence Network shows that for financial institutions, mobile app transactions provide the highest level of security for banks and consumers. But that doesn’t mean that mobile apps are threat-proof—financial institutions need to do more to secure apps and mobile-based transactions from the dangers posed by increasingly sophisticated cyber thugs.

Cisco releases source code for experimental block cipher
A team of Cisco software engineers has created a new encryption scheme, and has released it to the public along with the caveat that this new block cypher is not ready for production, i.e. is still in the experimental phase.

Key Internet of Things privacy and security issues
Completed in June 2014, the survey asked 1,801 tech-savvy homeowners questions relating to the Internet of Things as it pertains to the connected home. These were the top findings.

Google forks OpenSSL: BoringSSL will be used in company products
“We have used a number of patches on top of OpenSSL for many years. Some of them have been accepted into the main OpenSSL repository, but many of them don’t mesh with OpenSSL’s guarantee of API and ABI stability and many of them are a little too experimental,” Google engineer Adam Langley shared in a blog post.

Havex malware targets ICS/SCADA systems
F-Secure researchers have, for a while now, been monitoring the spreading of the Havex malware family and have been trying to determine who are the attackers that wield it.

Who is ultimately responsible for data security in the cloud?
With increased reliance on cloud computing and so much data being entrusted to it, the question must be asked: how do cloud providers ensure that business data is secure and where does responsibility for data security ultimately lie?

Capabilities of “lawful interception” mobile malware revealed
Researchers from Russian AV company Kaspersky Labs and the Citizen Lab of the University of Toronto have released details about the mobile surveillance tools provided by Hacking Team to governments, intelligence and law enforcement agencies around the world.

Hackers to attack routers at DEF CON
The competition will run during DEF CON, from 7-10 August 2014 at the Rio Hotel & Casino in Las Vegas, NV. The contest will host a range of activities, including multiple talk tracks, Capture the Flag, 0-day vulnerability discovery, and others.

Improperly anonymized taxi logs reveal drivers’ identity, movements
Software developer Vijay Pandurangan has demonstrated that sometimes data anonymizing efforts made by governments and businesses are worryingly inadequate, as he managed to easily deanonymize data detailing 173 million individual trips made by New York City taxi drivers.

Banking fraud campaign steals 500k euros in a week
Experts have grounds to believe that important financial data was intercepted automatically and fraudulent transactions were carried out as soon as the victim logged onto their online bank accounts.

eBook: Top 3 Big Data security myths
Data volumes are growing rapidly with no end in sight. Big Data represents massive business possibilities and competitive advantage for organizations that are able to harness and use that information. How are they protecting that data? This eBook addresses three myths of Big Data security.

Symantec addresses global workforce gap in cybersecurity
Symantec launched a first-of-its-kind program, the Symantec Cyber Career Connection (SC3), to address the global workforce gap in cybersecurity and provide new career opportunities for young adults who may not be college-bound.

Top 10 technologies for information security in 2014
Gartner highlighted the top 10 technologies for information security and their implications for security organizations in 2014.

Invasive Selfmite SMS worm uncovered
AdaptiveMobile has discovered a previously unknown piece of mobile malware dubbed Selfmite. It spreads via SMS and fools users into installing a worm app which propagates by automatically sending a text message to contacts in the infected phone’s address book.

Business risk: Tales from the TrueCrypt
The recent incidents with the Heartbleed OpenSSL vulnerability, along with the strange turn of events involving TrueCrypt shine a light on a big issue for security practitioners. Both of these situations rattled our confidence in specific technologies, but the implications are much broader.

Cops must get a warrant before looking through cellphone content
The nine judges of the US Supreme Court have unanimously ruled that law enforcement officers can’t search the contents of an arrested individual’s cell phone(s) without a search warrant.

What’s next: Advanced Evasion Techniques
McAfee released a What’s Next: Industry Experts Speak Out on Advanced Evasion Techniques, featuring Mirko Zorz, Editor in Chief of Help Net Security.

Critical Android code-execution flaw affects all but the latest version
IBM researchers have discovered a critical security vulnerability in Android 4.3 (Jelly Bean) and below which could allow attackers to exfiltrate sensitive information – credentials, private keys – from vulnerable devices.

A look at Interflow, Microsoft’s threat information exchange platform
In the last few years, there has been one constant call from almost all participants in the information security community: the call for cooperation. But that is easier said then done – you need to make collaboration mutually beneficial and, above all, easy. Microsoft recently announced the private preview of Microsoft Interflow, a security and threat information exchange platform for analysts and researchers working in cybersecurity, and they believe that this project ticks both of the aforementioned boxes.

Why security awareness matters
In this interview, Paulo Pagliusi, CEO at MPSafe Cybersecurity Awareness, talks about the value of security awareness and how it influences the overall security posture of an organization.

Exploiting wildcards on Linux
DefenseCode released an advisory in which researcher Leon Juranic details security issues related to using wildcards in Unix commands.

How does a rogue ad network function?
Malwarebytes’ researchers have recently analyzed the workings of one ad network that has obviously been set up to earn its handlers money in two different way: bogus ad-clicking, and by delivering malware.

Germany cancels Verizon’s government contract due to spying fears
Verizon will no longer provide internet services to a number of German government departments, as their contract has been cancelled as part of a restructuration of the federal government’s interdepartmental communication network.

More about

Don't miss