Week in review: Securing networks in the IoT era, and taking control of Android app permissions

Get a copy of the upcoming book "Secure Operations Technology"

Here’s an overview of some of last week’s most interesting news, podcasts, interviews and articles:

Breaking the security of physical devices
In this podcast recorded at Black Hat USA 2014, Silvio Cesare, Director of Anti-Malware Engineering at Qualys, discusses the security measures of a number of household devices and things.

Gyroscopes on Android devices can be used to eavesdrop on users’ conversations
If you think that denying an app permission to use your phone’s microphone is enough to prevent it from listening in on your conversations, think again, as a group of researchers have demonstrated that the device’s gyroscopes can serve as a crude microphone.

Research unveils improved method to let computers know you are human
CAPTCHA services that require users to recognize and type in static distorted characters may be a method of the past, according to studies published by researchers at the University of Alabama at Birmingham.

Using the iStorage datAshur Personal secure USB flash drive
The iStorage datAshur Personal is a PIN-activated USB flash drive designed for everyday use, both private and corporate.

Keeping college networks secure
Morris Altman is the Director of Network Services and Internet Security Officer at Queens College, a senior college of the City University of New York. Queens College is the third largest university system in the US in terms of enrolment, with a faculty and staff of 5,000 and a student population of nearly 20,000. In this interview he talks about his job, the biggest challenges and threats his team faces, exchanging knowledge, and more.

New ransomware emulates CryptoLocker, CryptoWall
Security experts from iSIGHT Partners have detected a new piece of PC ransomware they dubbed TorrentLocker, and say that it is an entirely new strain that imitates both CryptoLocker and CryptoWall.

Coder tries shaming apps and site owners into using HTTPS
How can we force website owners and software developers to start using HTTPS? Coder Tony Webster believes shaming might be the right answer.

BGP hijacking for cryptocurrency profit
In this podcast recorded at Black Hat USA 2014, Joe Stewart, Director of Malware Research at Dell SecureWorks, talks about his team’s discovery of suspicious activity occurring on mining systems connected to the wafflepool.com mining pool.

Mobile device security: Tackling the risks
Mobile devices, with their large data capacities, always-on capabilities and global communications access, can be both a dream for business applications and a business-risk nightmare. For those in the security industry, the focus is mainly on deploying “solutions” to provide protection. However, we are now at one of those key points of change that happen perhaps once in a generation, and that demand a new way of looking at things.

Crooks trying out new tactics to spread fake AV
Infection numbers of well-established fake AV families have reached the lowest level in years, and Microsoft researchers believe the drop is the result of the antimalware industry’s efforts and greater user awareness. As vacuums usually tend to get filled again pretty soon, other malicious players have tried to step in.

CHS hackers exploited the Heartbleed bug
The recent massive Community Health Systems breach, which resulted in the compromise of personal information of some 4.5 million patients, was executed by exploiting the infamous OpenSSL Heartbleed vulnerability.

Whitepaper: 10 network security tools you should use
Whether you are operating a home system, overseeing a small startup, or performing security governance for an enterprise, everyone can benefit from paying attention to security. This paper provides a list of 10 security tools or tests that will help you check out suspicious issues and keep ahead of new risks and threats.

Analysis reveals many malicious Chrome extensions
An analysis of 48,332 browser extensions from the Chrome web store has revealed 130 outright malicious and 4,712 suspicious extensions, some of which have been downloaded by millions of users.

51% of consumers share passwords
Consumers are inadvertently leaving back doors open to attackers as they share login details and sign up for automatic logon to mobile apps and services, according to new research by Intercede.

What can we learn from the top 10 biggest data breaches?
You can’t blink these days without hearing about yet another data breach. While some may be suffering from “breach fatigue” and becoming jaded, we argue that it’s more important than ever to take cyber threats seriously.

Reveton ransomware now comes with password stealers
One of the new modules is Pony, a universal password stealer that occasionally gets added to trojans that have a modular structure.

How the role of the CSO is changing
In this podcast recorded at Black Hat USA 2014, Rick Howard, CSO at Palo Alto Networks, talks about the role of the CSO and how it’s fundamentally changing.

Most popular Android apps open users to MITM attacks
An analysis of the 1,000 most popular free Android apps from the Google Play store has revealed a depressing fact: most of them sport an SSL/TLS vulnerability that can be misused for executing man-in-the-middle (MITM) attacks, and some have additional vulnerabilities as well.

Critical Delphi and C++Builder VCL library bug found
A buffer overflow vulnerability that could be exploited to execute malicious code has been discovered in the Visual Component Library (VCL) of Embarcadero’s Delphi and C++Builder application development environments, and could therefore also affect applications that were built with the software and that use the affected library.

Why you’re not as secure as you think you are
There are 2.4 billion Internet users in the world today. Many of these users, in good faith, leave their personal online security up to their service providers. Sadly, time and time again, we see these companies fail to effectively protect sensitive customer data.

51 UPS stores hit with PoS malware
The UPS Store, a subsidiary of UPS, has discovered malware on systems at 51 locations in 24 states, about 1% of its 4,470 franchised center locations throughout the United States.

Extracting encryption keys by measuring computers’ electric potential
A group of researchers from Technion and Tel Aviv University have demonstrated new and unexpected ways to retrieve decryption keys from computers.

Control Android app permissions with NativeWrap
Tired of using mobile apps that demand unneeded permissions that open the door to data collection and worse? Researchers from North Carolina State University have come up with a brilliant solution to the problem. It’s called NativeWrap, and is unfortunately currently available only for Android.

Bitcoin-themed phishing campaign creates quite a stir
The latest massive email phishing campaign targeting Bitcoin users has had an unexpected click-through rate.

Sneak attack through smartphone shared memory
A weakness believed to exist in Android, Windows and iOS operating systems could be used to obtain personal information from unsuspecting users, research at the University of Michigan has shown. The team demonstrated the hack in an Android phone.

Securing networks in the Internet of Things era
The IoT will probably represent the biggest change to our relationship with the Internet since its inception.