Week in review: JPMorgan Chase breach, iOS spyware, and BadUSB attack code

Here’s an overview of some of last week’s most interesting news and articles:

Bash Shellshock bug: More attacks, more patches
As vendors scramble to issue patches for the GNU Bash Shellshock bug and companies rush to implement them, attackers around the world are probing systems for the hole it opens.

CloudFlare offers free SSL encryption
Web performance and security company CloudFlare launched Universal SSL, making Secure Socket Layer (SSL) encryption available to anyone at no cost.

PoS vendor confirms Jimmy John’s breach was their fault
Signature Systems, the PoS system vendor that has been named as the likely point of origin of the Jimmy John’s payment data breach, has confirmed that the attacker(s) gained access to a user name and password the company used to remotely access POS systems.

WordPress vulnerability database
Ryan Dewhurst and the team behind the popular WPScan open source black box scanner used the funding from the 5by5 project to set up the WPScan Vulnerability Database, an online version of WPScan’s data files used to detect WordPress core, plugin and theme vulnerabilities.

Education is the key to increasing mobile security
The swathes of high-profile security breaches in recent months have only served to highlight the need to educate the public on the inadequacies of the security systems currently in general use. For too long people have relied on simple to remember PINs and passwords and used lax security practices on their connected devices.

Whitepaper: Planning a career path in cybersecurity
The need for personnel knowledgeable and experienced in security implementation and management has never been greater, and the need is growing. Get this whitepaper and learn more.

FBI will share its Malware Investigator portal with businesses
The US Federal Bureau of Investigation has announced that its internal Malware Investigator portal – previously available only to law enforcement and government entities – will soon be accessible to private sector businesses and non-profit organizations, as well.

Hong Kong protesters hit with malware, turn to “off-the-grid” chat app
The pro-democracy protests started by Hong Kong students and backed by the Occupy Central protesters (Central is the name of Hong Kong’s financial district) are picking up speed and supporters, and have, unfortunately, also resulted in violent confrontations with the police. As was to be expected, the government is trying to disrupt and shut down the protests and, at the same time, prevent news of them from reaching the rest of the country.

Password security is not just a user problem
User-centric scrutiny is a good place to spend time when we’re dealing with phishing attacks, but it doesn’t help much if an attacker breaks into a company’s systems and grabs the entire password database.

The Crime-as-a-Service business model
A new iOCTA report highlights that entry barriers into cybercrime are being lowered, allowing those lacking technical expertise – including traditional organized crime groups – to venture into cybercrime by purchasing the skills and tools they lack.

People will do anything for free Wi-Fi
In the experiment, which involved setting up a “poisoned” Wi-Fi hotspot, unsuspecting users exposed their Internet traffic, their personal data, the contents of their email, and even agreed to an outrageous clause obligating them to give up their firstborn child in exchange for Wi-Fi use.

Apple patches Shellshock bug in OS X
Security updates have been provided for OS X Mavericks, Mountain Lion, and Lion users.

Modes of defense against security breaches in healthcare
Along with new threats have come new rules: OCR audits for compliance with HIPAA/HITECH privacy and security rules are affecting more and more healthcare providers. In this fraught landscape, how can organizations protect themselves?

Researchers unearth Xsser mRAT, Chinese iOS spyware
Researchers looking into the mobile malware attack directed against Hong Kong protesters using Android devices have discovered that the attackers can also target iOS device owners – if the device is jailbroken.

Google triples Chrome bug bounties
As before, not all bugs and not all reports are rewarded the same.

Joomla update fixes high risk bug that could lead to site compromise
The developer team behind the popular open-source content management system Joomla is urging users to update the software to the latest version as soon as possible.

New OS X backdoor malware roping Macs into botnet
The malware, dubbed Mac.BackDoor.iWorm, targets computers running OS X and makes extensive use of encryption in its routines, the researchers noted.

Unpatched systems and apps on the rise
As the number of software vulnerabilities increases, and people connect across personal and corporate devices using a multitude of different platforms each day, patch management has proven, time and time again, to be one of the most effective practices users can adopt to secure their PCs.

Local US cops distributing questionable, unsafe spyware to families
A few days after the creator of the StealthGenie application was indicted in the first-ever criminal case concerning the advertisement and sale of a mobile device spyware app, EFF’s investigative researcher Dave Maas warns that police and sheriff departments around the US have been giving out spying software (ComputerCOP) for free to families at schools, libraries, and community events.

Researchers release BadUSB attack code
When, two months ago, researchers from German security consultancy SR Labs demonstrated a new and potentially very deadly class of attacks executed via malware injected in the firmware of USB-connected devices, they didn’t want to share the attack code with the public. But Adam Caudill and Brandon Wilson, two independent security researchers, disagree. They believe that this type of attack is likely already in the arsenal of intelligence agencies.

Rising interest in IT security careers
Demand for cybersecurity professionals is growing 3.5 times faster than the overall IT job market, and 12 times faster than the total labor market.

JPMorgan Chase breach confirmed, 83 million customers affected
A filing made by JPMorgan Chase with the US Securities and Exchange Commission on Thursday has finally confirmed that the biggest bank in the US has suffered a data breach.

Destructive Android Trojan poses as newest Angry Birds game
Android malware masquerading as a legitimate app or game being offered on online app stores is not a rare occurrence, but purposefully destructive malware that does not ask for ransom is.
