Week in review: PoS security, the Black Hat Arsenal, and securing the U.S. electrical grid

Here’s an overview of some of last week’s most interesting news, podcasts, interviews and articles:

Securing the U.S. electrical grid
The Center for the Study of the Presidency & Congress (CSPC) launched a project to bring together representatives from the Executive Branch, Congress, and the private sector to discuss how to better secure the U.S. electric grid against cyberattack, physical attack, electromagnetic pulse, and severe weather. The result is the Securing the U.S. Electrical Grid report, and Dan Mahaffee, Director of Policy at CSPC, talks about the critical security challenges it identifies.

Over 1,000 businesses compromised with Backoff malware
The US Department of Homeland Security has once again issued a warning to businesses about the Backoff malware.

Tool restores SynoLocker-encrypted files
Security company F-Secure has created a tool that could help SynoLocker victims get their files back. The tool does not break the encryption: it only automates decryption for victims who already hold the correct decryption key, which in practice means those who have paid the ransom for it.

Identity theft vendor sentenced to 100 months in prison
A northern California man who served as an information and document vendor in the identity theft and credit card fraud ring known as Carder.su was sentenced yesterday to serve 100 months in federal prison. He was further ordered to pay approximately $50.5 million in restitution.

8 ways to talk security with executive management
Having reviewed more than 300 board presentations on risk and security, Gartner found that in the vast majority of cases, the reports contained too much information and fear, were overly complex, lacked alignment with wider business strategies, and had no connection to board-relevant decision making.

Researchers exploit flaw to tie Secret users to their secrets
The secrets you share on Secret, the popular app that allows people to share messages anonymously within their circle of friends, friends of friends, and publicly, can be easily attributed to you if the attacker knows the email address you used to make an account.

Why IT security is broken and how math can save it
In this podcast recorded at Black Hat USA 2014, Stuart McClure, CEO at Cylance, talks about how the information security industry has evolved in detecting attackers, yet remains mostly reactive rather than proactive. How can we fix the core of this problem? The answer lies in looking at how other industries have solved it.

Kelihos botmasters target Russian patriots to expand botnet
The cyber crooks behind the Kelihos botnet are, once again, trying to swell the number of computers included in it.

eBook: Advanced Malware Exposed
Advanced Malware Exposed is a must-read for anyone who wants to understand and protect against advanced persistent threats that rely on this new generation of highly sophisticated malware.

Facebook to fix flaw that can force iPhones to make calls
Facebook will soon be pushing out an update to its iOS Messenger app meant to patch a vulnerability that could allow attackers to place pricy calls from users’ phones by simply making them click on a web link.

NSA’s metadata search engine used by US, foreign agencies
The NSA has secretly built a “Google-like” search engine to be used by various US government agencies and intelligence agencies of the Five Eyes countries to sift through phone call, email, and Internet chat metadata, as well as cellphone locations collected and stored in a number of different databases.

Cellphone surveillance systems can track almost anybody
The surveillance tech industry is booming, and we should be worried about it. Poorly regulated and exceedingly secretive, the companies that create surveillance solutions for law enforcement and intelligence agencies may say that they are vetting their customers carefully, but the depressing reality is that their tools can easily find their way into the hands of repressive regimes.

How important is website security?
In this interview, Nicholas Sciberras, Product Manager at Acunetix, explains why website security should be a priority in any organization. He discusses the challenges involved in auditing website security, weighs the pros and cons of remote versus in-house security testing, and more.

Beware of malicious “Windows 9 free download” offers
The developer preview release of Windows 9 is scheduled to be publicly available this September, and cyber crooks have already started peddling bogus versions of the announced OS.

The synergy of hackers and tools at the Black Hat Arsenal
Black Hat USA 2014 recently welcomed more than 9,000 of the most renowned security experts – from the brightest in academia to world-class researchers and leaders in the public and private sectors. Tucked away from the glamour of the vendor booths giving away t-shirts and the large presentation rooms filled with rockstar sessions, was the Arsenal – a place where developers were able to present their security tools and grow their community.

50 Norwegian oil companies confirmed hacked, possibly more
Among the likely targets is Statoil, Norway’s largest oil company. The identities of the other breached firms have not been disclosed.

10 most significant software security design flaws
The IEEE Center for Secure Design, a cybersecurity initiative focused on the identification of software design flaws, released a report based on real-world data collected and analyzed by experts at the world’s leading technology companies.

California phone kill-switch law could lead to abuse
While this new law is hailed by many, there are those who worry that the feature can be misused by law enforcement, hackers, and other criminals.

Point of Sale system architecture and security
In this podcast recorded at Black Hat USA 2014, Lucas Zaichkowsky, Enterprise Defense Architect at AccessData, talks about how financial criminals breach hundreds of merchants each year, displaying a better understanding of how these systems operate than the dealer technicians who install and maintain them.

Why every security-conscious organization needs a honeypot
Around the turn of the 20th century, the physiologist John Scott Haldane showed that birds succumb to carbon monoxide well before humans do, and coal miners adopted canaries as an early warning system for toxic gas. We need the same for computer security. No defense is infallible, so organizations need digital canaries: honeypots that no legitimate user or process should ever touch, so that any contact with them is a reliable warning that the network has been poisoned.
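As an added example (not code from the article or from any honeypot product), here is a minimal TCP canary in Python. It offers no real service on a port no legitimate client should use, records every connection as an alert, and answers with a plausible banner so that a scanner does not immediately move on. The fake FTP banner, the in-memory alert list and the helper that plays the intruder are assumptions made for illustration; a real deployment would forward alerts to a SIEM instead of keeping them in a list.

```python
import socket
import socketserver
import threading
from datetime import datetime, timezone

# Constructed example: a tiny TCP "canary". It provides no real service, so no
# legitimate client ever has a reason to connect; every connection is therefore
# a high-fidelity alert that something is probing the network.

ALERTS = []  # in-memory alert log; a real deployment would forward to a SIEM

# Assumed banner: just enough to look like a real FTP daemon to a scanner.
BANNER = b"220 ftp ready\r\n"


def make_alert(peer, first_bytes, dst_port):
    """Build one alert record from the peer address and the bytes it sent."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": dst_port,
        # keep a short, printable sample of what the intruder sent
        "probe": first_bytes[:64].decode("latin-1", errors="replace"),
    }


class CanaryHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(1.0)
        try:
            data = self.request.recv(256)  # whatever the prober sends first
        except socket.timeout:
            data = b""  # a silent connect-and-wait is still worth logging
        # Record the alert before replying, so the log is complete by the time
        # the prober sees the banner.
        ALERTS.append(make_alert(self.client_address, data,
                                 self.server.server_address[1]))
        try:
            self.request.sendall(BANNER)
        except OSError:
            pass  # prober hung up; the alert is already recorded


class CanaryServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_canary(host="127.0.0.1", port=0):
    """Start the canary in a background thread; port 0 picks a free port."""
    server = CanaryServer((host, port), CanaryHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, payload=b"USER anonymous\r\n"):
    """Act as an intruder touching the canary; returns the banner received."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(payload)
        return s.recv(64)


if __name__ == "__main__":
    srv = start_canary()
    canary_port = srv.server_address[1]
    print("canary listening on", canary_port)
    print("intruder saw:", probe("127.0.0.1", canary_port))
    for alert in ALERTS:
        print("ALERT", alert)
    srv.shutdown()
    srv.server_close()
```

The value of the canary is that its alert rate is near zero in normal operation, so a single hit is worth paging on; tuning effort goes into placing it where lateral movement or scanning would find it, not into filtering noise.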

70% of finance apps vulnerable to input validation attacks
A growing number of data breaches and security incidents can be directly linked to poor code quality, according to CAST. The data reveals finance and retail industry applications are the most vulnerable to data breaches, with 70 percent of retail and 69 percent of financial services applications shown to have data input validation violations.

JPMorgan attackers altered bank records
The number of US banks that have apparently been targeted and breached by hackers is slowly rising, as newer reports say that seven financial organizations have been hit.

DHS urges website admins to minimize risk of Google hacking
The US Department of Homeland Security and the FBI have recently sent out a notification to police, public safety and security personnel, warning them about “Google dorking”, i.e. the use of advanced search engine operators to find sensitive files and pages that websites unintentionally expose.

Netflix open sources tools for detecting planned attacks
Making good on their word to open source many of their internally developed tools and libraries, Netflix has released three new tools that allow security teams to keep an eye out for Internet-based discussions regarding potential attacks against their organization’s infrastructure, whether it’s DDoS attacks or any other kind.

The economics of hacking
In this podcast recorded at Black Hat USA 2014, Wade Williamson, Security Researcher at Shape Security, talks about the economics of hacking and how some of today’s techniques are trying to invert it.

A closer look at Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner automatically checks your web applications for SQL Injection, XSS and other web vulnerabilities.

5 things infosec can learn from adventure games
As an active adventure gamer and a natural seeker of reusable patterns, Dwayne Melancon has noticed that some of the things he does to achieve success in video games can be applied to information security.

Patching: The least understood line of defense
How many end users, indeed how many IT pros, truly get patching? Sure, many of us see Windows install updates when we shut down our PC and think all is well. It’s not. Our clients and especially our servers are exposed to all kinds of grief unless they are regularly and properly patched.



