Week in review: ICANN systems breached, critical Git and SOHO router flaws

Here’s an overview of some of last week’s most interesting news, reviews and articles:

The problem with security shortcuts
A combination of irresponsible user behavior and weaknesses in the protection of networks could create more risks for data breaches during the holiday period than at any other time, according to BalaBit.

Companies invested millions in privacy in 2014
As the number of data breaches in the U.S. reached 708 in 2014, new research shows that companies are investing millions in privacy and multiple business units are now involved in addressing growing consumer concerns and compliance risks.

100k+ WP websites compromised by SoakSoak malware
Sucuri Security researchers are warning about a massive compromise of WordPress sites sporting malicious JavaScript leading visitors to malware.

Review: Python Forensics
This book was touted as a “no-nonsense resource for the rapid development of new Python-based digital forensic applications.” Given my deep love for Python and an interest in digital forensics, I had high hopes.

HIPAA security compliance: How risk tolerant are you?
At the heart of HIPAA lies a set of core security tenets for which every affected organization is responsible. These fundamentals are absolutely non-negotiable – but the Security Rule as a whole actually allows for a certain degree of flexibility in how requirements are implemented. When it comes to HIPAA compliance, many organizations lose sight of the fact that they have the power to balance risk and keep costs down. What do organizations need to know to assess their own risk tolerance and implement a balanced, efficient, and effective security strategy?

Attackers worm their way into QNAP NAS devices through Shellshock hole
A worm intent on creating surreptitious backdoors is actively being used to compromise unpatched QNAP network-attached storage (NAS) systems around the world by exploiting the GNU Bash Shellshock vulnerability, SANS ISC CTO Johannes Ullrich warned.

Help Google design the Open Web of Things
The internet giant has long had an interest in IoT technologies, but is aware that more researchers working on making the idea a reality is better than fewer, and has announced that it is looking for research proposals from academics for the Open Web of Things.

1 in 5 employees going rogue with corporate data
Companies around the world have reason to be worried about the use of cloud applications to share mission-critical information. In fact, 1 in 5 employees has uploaded proprietary corporate data to a cloud application, such as Dropbox or Google Docs, with the specific intent of sharing it outside of the company.

Sony details employee data compromised in GOP hack
After having disclosed the extent of the employees’ information stolen in the recent hack to the California Attorney General’s Office, Sony Pictures Entertainment (SPE) has sent out an email to the affected workers, outlining the scope of the potential damage the “brazen cyber attack” might bring to them personally.

How employees put your company at risk during the holidays
As the year comes to a close, and employees feel the pressure of both the holidays and year-end close, three seemingly harmless behaviors can put an organization at risk.

Top 5 malware attacks: 35 reused components
CyActive identified the top five malware that returned the highest ROI for hackers with the least effort per dollar — achieved by recycling code and using the same methods from previous malware attacks to once again inflict damage.

Tackling the growing web of data residency and privacy regulations
Users of cloud services need to think about where their data will flow during the entirety of its cloud journey, and then dig into each jurisdiction’s rules and regulations, as well as fully understand the home-country requirements their cloud provider is subject to based on its country of incorporation.

Protecting the underground electronic communications infrastructure
ENISA has released a new report on the Protection of Underground Electronic Communications Infrastructure. This report – targeted at Member States (MS), public institutions, owners of underground communication assets, as well as excavators and civil workers – is the first to investigate the use of automated information systems for damage prevention against civil work, and provides recommendations to increase the resilience of electronic communication infrastructures.

Researchers confirm multiple Google App Engine security sandbox bypasses
Polish firm Security Explorations, which announced last week that it found over 30 serious security issues in the Java security sandbox of the Google App Engine (GAE), has been permitted by Google to continue its investigation. In order to allow it to do that, the Internet giant has re-enabled the company’s GAE test account, with the understanding that it will restrict its testing to the Java VM and will not try to break into the sandboxing layer.

Only 1% of consumers feel safe using mobile payments
Evaluating online cybersecurity awareness of 2,011 consumers from the U.S. and U.K., a new survey revealed that more than 40 percent of respondents believe using a third party payer such as PayPal or Google Wallet is the safest way to pay for goods online.

ICANN systems breached via spear-phishing emails
Like many organizations before it, the Internet Corporation for Assigned Names and Numbers (ICANN) has been compromised after some of its employees fell for cleverly constructed spear-phishing emails sent by the attackers.

Malware peddlers take advantage of Sony’s decision to pull controversial film
Copyright intelligence firm Excipio has been monitoring the Internet for pirated copies of “The Interview” and the conclusion is that there are none. But there are torrents leading to files that purport to be a copy of the movie, and unfortunately for those eager to get their hands on them, they are usually malicious executables.

Researcher publishes JavaScript DoS tool
Trigger-happy attackers looking for additional ways to bring websites to their knees by means of a DoS attack have been given another tool that can aid in their efforts: FlashFlood.

Your email, your data, your control
The dramatic increase in applications is only exacerbating the problem of increased avenues for sharing – and potentially exposing – personally identifiable information (PII).

New Zeus variant targets users of 150 banks
A new variant of the infamous Zeus banking and information-stealing Trojan has been created to target the users of over 150 different banks and 20 payment systems in 15 countries, including the UK, the US, Russia, Spain and Japan.

Top 5 social media security predictions for 2015
Mobile ransomware, targeted job fraud and Trojans lurking behind shocking videos are all expected to make their appearance on social media in 2015.

Critical Git flaw allows attackers to compromise developers’ machines
A critical vulnerability affecting all versions of the official Git client and all related software that interacts with Git repositories has been found and patched, and developers are advised to update their software as soon as possible.

Critical flaw on over 12M routers allows device hijacking, network compromise
The Misfortune Cookie vulnerability is due to an error within the HTTP cookie management mechanism present in the affected software, allowing an attacker to determine the “fortune” of a request by manipulating cookies.

USBdriveby: Compromising computers with a $20 microcontroller
Security researcher Samy Kamkar has devised a fast and easy way to compromise an unlocked computer and open a backdoor on it: a simple and cheap ($20) pre-programmed Teensy microcontroller.
