Week in review: POODLE targeting TLS, insider threats, and the new issue of (IN)SECURE Magazine

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Software security in a market for lemons
Programming has always been something people can pick up, for better or worse. This is especially true today, with the ridiculous pace at which the Internet is growing and the seemingly permanent skills shortage. Because security awareness is not the norm, chances are that newcomers are going to miss it.

CSA Guide to Cloud Computing
The title says it all: this is a book that will tell you what cloud computing is, how best to take advantage of it, and what things you should be careful about when you do it.

Linux backdoor used by Turla APT attackers discovered, analyzed
Kaspersky Lab researchers have discovered a new piece of the puzzle called Turla (aka Snake, aka Uroburos): the malware used by attackers does not come only in the Windows flavour, but in the Linux one as well.

(IN)SECURE Magazine issue 44 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics.

Free webinar: What’s new in ISO 27001 2013 revision
This interactive live online training is designed to enable you to walk away with knowledge on the differences between the ISO 27001 2005 revision and the new 2013 revision, as well as how to structure the documentation.

The rise of IoT 2.0 and the battle for the connected home
Sansa Security revealed the company’s Internet of Things (IoT) predictions for 2015, highlighting six of the top trends to watch out for next year.

Internet freedom around the world is in decline
US-based NGO Freedom House has published its fifth annual Freedom of the Net study and the results are upsetting: internet users in nearly half of the 65 countries assessed in the report have experienced tightening of internet freedom.

30+ bugs found in Google App Engine
Adam Gowdiak, CEO of Polish firm Security Explorations, has announced that his team of researchers have discovered over 30 serious security issues in the Java security sandbox of the Google App Engine (GAE), Google’s popular PaaS cloud computing platform for developing and hosting web applications.

Negotiating privacy in the age of Big Data
With the evolution of data analysis technologies, you allow the data itself to show correlations and answer questions you didn’t had the foresight to ask.

POODLE attack now targeting TLS
There’s a new SSL/TLS problem and it’s likely to affect some of the most popular web sites in the world, owning largely to the popularity of F5 load balancers and the fact that these devices are impacted. There are other devices known to be affected, and it’s possible that the same flaw is present in some SSL/TLS stacks.

Cost of cybersecurity and risk management to double
Coalfire conducts more than 1,000 audits and assessments of systems containing sensitive data each year. Based on the trends in those investigations, Dakin has some predictions for 2015.

Inside the minds of senior security leaders
More than 80 percent of security leaders believe the challenge posed by external threats is on the rise, while 60 percent also agree their organizations are outgunned in the cyber war, according to IBM.

Sony hackers apparently wanted money
While we continue to wait for an official statement and/or explanation from Sony Pictures Entertainment, the stolen data leaked by the attackers and the analysis of the used malware allow us to patch together bits and pieces of what happened.

Info of millions of AliExpress customers could have been harvested due to site flaw
A programming flaw in the code of popular online marketplace AliExpress, which connects small Chinese businesses with international buyers and has over 7.7 million registered users, has endangered each and every one of them as it could reveal their names, shipping addresses and phone numbers to anyone who knew where to look.

When should unauthorized computer access be authorized?
Recently, the decentralized hacktivist collective, Anonymous, launched an attack campaign called Operation KKK (#OpKKK), targeting the racist hate group called the Klu Klux Klan. Most rational and ethical people dislike the KKK very much and won’t shed a tear for the KKK’s misfortune. Yet, hacking Twitter accounts and DDoSing websites is clearly illegal. So this incident begs the question, “When, if ever, is unauthorized computer access justified?”

Corporate data: Protected asset or a ticking time bomb?
As attention shifts from sophisticated external attacks to the role that internal vulnerability and negligence often play, a new survey by the Ponemon Institute suggests that most organizations are having difficulty balancing the need for improved security with employee productivity demands.

Browser vulnerabilities to become biggest endpoint challenge
A growing number of flaws in web browsers is viewed as the biggest endpoint security headache by today’s IT decision-makers.

Big Data analytics to the rescue
In the battle against cyber criminals, the good guys have suffered some heavy losses. We’ve all heard the horror stories about major retailers losing tens of millions of credit records or criminal organizations accumulating billions of passwords. As consumers, we can look at a handful of friends at a cocktail party and assume that most, if not all, of them have already been affected. So how can an IT security organization ensure they are not the next target (excuse the pun)?

Security trends you should NOT worry about in 2015, and five you should
Along with its latest predictions, which examine the likelihood of common network security prophecies next year, WatchGuard’s security research team also included five security trends NOT worth worrying about in 2015.

Security deficiencies that increase data breach risk
Based on a global survey of 476 information technology and security professionals located in more than 50 countries, a new Trustwave report benchmarks by which IT and security professionals can compare their risk stance against their peers.

Payment gateway provider breached
New Jersey-based Charge Anywhere, whose electronic payment gateway solutions route payment transactions from merchants’ Point-of-Sale (PoS) systems to their payment processors, has announced that they have suffered a breach that may have affected payment card data from as far back as late 2009.

10 strategies to protect patient information
Industry experts from the PHI Protection Network (PPN) offer healthcare security and risk professionals top privacy and security strategies to implement in 2015 that will protect patient data and meet the demands of the evolving healthcare and security landscape.

Cloud security: Do you know where your data is?
While many companies continue their quest to convert their own datacenters into true self-service private or hybrid clouds, the growth of public cloud is also undeniable.

Why now is the time for enterprises to implement context-based authentication
The implementation of context-based authentication can’t wait—a combination of increasing BYOD usage and sophisticated BYOD-based attacks have created a sense of urgency around enhanced security strategies.

FIDO Alliance prepares for industry adoption of strong authentication in 2015
The FIDO (Fast IDentity Online) Alliance published final 1.0 drafts of its two specifications – Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F). Members of the FIDO Alliance comprise device manufacturers, online service providers and enterprises, who can now implement and broadly commercialize FIDO 1.0 specifications to make authentication simpler and stronger for all.

Insider threats 101: The threat within
The insider threat can be broken down into three issues: why do people within become threats, what damage can they do, and how these can be prevented.

More about

Don't miss