Week in review: Malicious USB device firmware, insecure IoT devices, and using Hollywood to improve your security program

Here’s an overview of some of last week’s most interesting news, reviews, articles and interviews:

What influences corporate security strategies?
Sixty-eight percent of businesses stated that the NSA breach by Edward Snowden and the number of PoS system breaches in the past year were the most impactful in terms of changing security strategies to protect against the latest threats.

I2P patched against de-anonymizing 0-day, Tails integration still to follow
The improvement was made in the wake of the revelation that Exodus Intelligence researchers have found a critical de-anonymization 0-day in Tails, the security-focused Debian-based Linux distribution used by privacy-seeking users around the world.

Researchers successfully attack Android through device’s speaker
A group of researchers from the Chinese University of Hong Kong have demonstrated that even applications with zero permissions can be used to launch attacks that allow attackers to forge text and email messages, access private information, receive sensitive data, and even gain remote control of the targeted device.

Using Hollywood to improve your security program
I spend a lot of time on airplanes, and end up watching a lot of movies. Some of my favorite movies are adventures, spy stuff, and cunning heist movies. Recently, I realized that a lot of these movies provide great lessons that we can apply to information security.

AV engines are riddled with exploitable bugs
A security researcher has found a great number of exploitable vulnerabilities in popular security solutions and the AV engines they use, proving that AV engines are not only as vulnerable to zero-day attacks as the applications they try to protect, but can also lower the operating system’s exploit mitigations.

Android Fake ID bug allows malware to impersonate trusted apps
The Bluebox Security research team has unearthed another critical Android vulnerability. Named “Fake ID,” the security bug can be used by malicious applications to impersonate specially recognized trusted apps – and get all the privileges they have – without the user being any the wiser.

6 best practices to assure PCI compliance
With recent PCI DSS compliance incidents costing companies millions of pounds in fines and losses and inflicting damage to valuable brand reputations, Netwrix is urging organizations processing payment cards to follow six best practices to safeguard against a security incident.

IoT devices are filled with security flaws, researchers warn
We are living in an increasingly interconnected world, and the so-called Internet of Things is our (inescapable) future. But how safe will we, our possessions and our information be as these wired and interconnected devices begin to permeate our lives?

0-days found in Symantec Endpoint Protection
While testing the systems and networks of a financial services company, a team of penetration testers from Offensive Security unearthed a number of vulnerabilities, including three privilege escalation zero-day bugs affecting Symantec Endpoint Protection, the firm’s security software of choice.

Looking at insider threats from the outside
No business wants to admit its own employees are potential threats, and not all employees deserve to be considered suspects. But when it comes to securing IT assets, preparation is key.

PC gamers increasingly under attack
Many gamers either disable their security or remove it altogether, thereby sacrificing protection to maximize system performance and leaving themselves vulnerable to gaming-focused malware and cyber-attacks.

BitTorrent’s decentralized chat app keeps content, metadata safe
BitTorrent, the company that develops the eponymous peer-to-peer protocol and two popular clients that use it, has announced the release of Bleep, an online communication (voice and text) application that lets users “make a direct, decentralized connection to someone they trust.”

Security contest rewards builders of secure systems
More often than not, computer security competitions come in the form of Capture The Flag (CTF) contests, and the emphasis is on breaking systems. This approach helps defenders step into the shoes of attackers and improve their defensive skills, and hopefully makes them think about what can be done about securing those very systems they were tasked to breach. But what about pushing them towards constructing secure software in the first place? Well, now there is a contest that does exactly that.

How security analytics help identify and manage breaches
In this interview, Steve Dodson, CTO at Prelert, illustrates the importance of security analytics in today’s complex security architectures, talks about the most significant challenges involved in getting usable information from massive data sets, and much more.

Failure is an option
We need to design our systems and security programs to be resilient in the event of a failure. This means shifting our thinking away from solely preventing attacks to trying to develop strategies on how to ensure the business can continue to function should an attack happen and be successful.

Malicious USB device firmware the next big infection vector?
Researchers from German security consultancy SR Labs have created a whole new class of attacks that can compromise computer systems via ubiquitous and widely used USB-connected devices (storage drives, keyboards, mice, smartphones, etc.).

Reactions to the Paddy Power data breach
Paddy Power is contacting 649,055 customers in relation to a data breach from 2010. The historical dataset contained each customer’s name, username, address, email address, phone contact number, date of birth and prompted question and answer. Customers’ financial information such as credit or debit card details has not been compromised and is not at risk. Here are some of the comments Help Net Security received.

CIA chief admits agency employees hacked Senate computers
CIA Director John Brennan has confirmed that five CIA employees have, indeed, “improperly accessed” computers of Senate staffers and the computer network that was set up to help the Senate Intelligence Committee review the CIA Detention and Interrogation Program and compile a report.

Competition to crack a virtual terrorist HDD, break into CCTV systems
Sophos is calling amateur security talent to turn sleuth and to investigate confiscated crime scene computer systems belonging to a cyber terrorist group as part of the latest Cyber Security Challenge.

The role of the cloud in the modern security architecture
In this interview, Stephen Pao, General Manager, Security Business at Barracuda Networks, offers advice to CISOs concerned about moving the secure storage of their documents into the cloud and discusses how the cloud is shaping the modern security architecture.

Retailers warned of attacks using hard-to-spot PoS malware
Retailers, beware: cyber crooks are increasingly targeting remote desktop applications by brute-forcing passwords, and are using that access to plant hard-to-detect PoS malware that scrapes and exfiltrates consumer payment data via an encrypted POST request.

Layered security in the cloud
When designing your cloud architecture you may notice several differences between the cloud-computing environment and the “old world” of physical infrastructure. Two of the main differences are elasticity and dynamism, which are part of the cloud’s DNA.

Russian government offers money for Tor-cracking tech
The tender, which was published earlier this month, was recently changed to say that the offered money was for research work on the Tor cipher.

Whitepaper: Planning a career path in cybersecurity
As a society, we have all become heavily dependent on computers, networks, and data stores. This in turn has exposed us to the risk of loss or compromise of those data systems. The need for personnel knowledgeable and experienced in security implementation and management has never been greater, and the need is growing. Get this whitepaper and learn more.

Targeted Cyber Attacks
Targeted cyber attacks against individuals, organizations, businesses, groups, and critical services happen every day around the globe. This book aims to tell you how attackers go about pulling off such attacks, and what you can do to protect yourself and your organization against them.

9 tips for communicating your BYOD policy
Getting employees to pay attention to new rules is no simple task. Here are some ways to make sure that employees are listening to and internalizing BYOD guidelines.

A peek into Police Locker’s distribution infrastructure
An analysis of the distribution infrastructure for the bothersome Android “Police Locker” ransomware has revealed that the attackers behind it are not putting all of their eggs in one basket, and have been looking to target Internet users using a variety of devices and software.



