Week in review: Bitstamp hack, dangerous code in free apps, insider threats

Week in review: Bitstamp hack, and global defense-in-depth architectures analyzed

Here’s an overview of some of last week’s most interesting news, reviews and articles:

The hidden dangers of third party code in free apps
Research from MWR InfoSecurity has shown the various ways hackers can abuse ad networks by exploiting vulnerabilities in free mobile apps.

Scandinavian banks hit with DDoS attacks
The new year started poorly for Finnish bank OP Pohjola Group and its customers: the latter have been prevented from executing their online banking transactions by a DDoS attack that targeted the bank’s online services starting on the last day of 2014.

Identity theft for dummies
It happened again. Checking into the hotel, I was asked if I can provide my credit card to cover additional expenses (not unusual). However, the receptionist simply wrote my credit card information down on a piece of paper and put it into an unlocked drawer. This, of course, led to a very awkward conversation in my best Spanglish regarding Principle 9 of the PCI-DSS standard.

Review: Detecting and Combating Malicious Email
This book takes a stab at spelling out clearly, in a plain language that even users with modest technical knowledge can understand, how to avoid becoming a victim of malicious messaging (emails, but also text messages, social media postings, etc.).

Moonpig shamed for not fixing customer data exposing flaw
Moonpig, a popular UK-based firm that sells personalised greeting cards, has put the personal and financial information of over 3 million of its customers in danger by using a flawed API.

Gogo in-flight WiFi service serves fliers fake Google certs
Gogo, a noted provider of in-flight broadband Internet service, has been spotted serving a fake Google SSL certificate to fliers trying to access YouTube, effectively performing a Man-in-the-Middle attack against them.

Morgan Stanley fires insider who leaked client data on Pastebin
Global financial services firm Morgan Stanley has announced on Monday that it has fired an employee of its Wealth Management Group following the theft of “partial client data.”

Bitcoin exchange Bitstamp suspends service in wake of compromise
UK-based bitcoin exchange Bitstamp has temporarily suspended its service in the wake of an attack that resulted in the compromise of one of its operational wallets. Over $5 million were confirmed to have been stolen by the attackers.

Four cyber security risks not to be taken for granted
It’s pretty difficult to make information security predictions, and even more difficult to verify them afterwards: we can only judge the effectiveness of information security by the number of public security incidents that were uncovered, while the majority of data breaches remain undetected. However, High-Tech Bridge made some web security predictions based on common sense profitability (profit/cost ratio) for hackers.

Top fraud and corruption trends
Bribery and corruption will challenge organizations and their Boards, especially in highly regulated industries such as financial services and life sciences, as they look to develop new approaches to mitigate these risks while balancing demands for global growth.

HuffPo visitors targeted with malvertising, infected with ransomware
Cyphort Lab researchers first spotted the malvertising campaign on New Year’s Eve on the HuffPo’s Canadian website. A few days later, the ads were served on HuffingtonPost.com. The ensuing investigation revealed that the source of the ads is advertising.com, an AOL ad-network.

The one compliance lesson you need to learn
When asked to give one piece of advice about how companies should improve their privacy and data protection programs in 2015, Dana Simberkoff, Chief Compliance and Risk Officer at AvePoint, suggests that we begin to think about privacy and security protections in a new context – that of “Crime and Punishment”.

Review: Information Security Analytics
We’ve all heard about Big Data and security analytics as solutions to a variety of information security problems. This book explains what they are, how they work, and the value they can bring to businesses.

State of the Internet: Attack traffic, DDoS, IPv4 and IPv6
Akamai released its latest State of the Internet report, which provides insight into key global statistics such as connection speeds and broadband adoption across fixed and mobile networks, overall attack traffic, global 4K readiness, and IPv4 exhaustion and IPv6 implementation.

FBI director confident North Korea was behind Sony hack, still offers no evidence
When late last year the FBI provided an update on their investigation into the Sony Pictures Entertainment hack, they fingered the North Korean government as the instigator. On Wednesday, at the International Conference on Cyber Security held at Fordham University School of Law in New York, FBI director James Comey attempted to add the weight of his word to the claims.

Top 3 reasons businesses should prioritize web security
Instead of gambling with security and hoping the next hack passes them over, businesses need to take a proactive approach to managing the security of their web presence. Here are the top three reasons why all businesses should reevaluate their web security standards in 2015.

Hackers use Pastebin to deliver backdoor code
Cyber attackers taking advantage of legitimate online services is not a new thing, and “online clipboard” Pastebin.com is often used to anonymously leak stolen information. But the latest malicious use of the service is not tied to leaked data, but the hosting of malicious files.

Cyber intrusion lead to physical damage at German steel plant
Three weeks ago, Germany’s Federal Office for Information Security (BSI) released its traditional end-of-the-year report about the state of IT security in Germany. It described cyber attacks aimed at both German targets and those around the world, and among these incidents was one that most security experts weren’t even aware of.

Analysis of global defense-in-depth architectures
Attackers are bypassing conventional security deployments almost at will, breaching systems in a wide swath of industries and geographies. That’s the stark conclusion of new data gathered by more than 1,600 FireEye network and email sensors deployed in real-world networks.

The coming shift in security
As of December 15, 2014, there have been more than 700 data breaches and more than 500 million records compromised in 2014, spread across the business and government sectors. One could argue that security has been starved for budget dollars for a long time, and that dollar deficit has finally caught up with the industry.

Pre-Patch Tuesday alerts no longer publicly available
Instead, only Premier customers and organizations involved in the company’s security programs will receive the traditional heads-up.

Asus wireless router flaw opens network to local attackers
A researcher has discovered a security hole in the firmware of several wireless Asus router models which could be exploited by an attacker to gain complete control of the network and use it to mount other attacks from this vantage point.

Innovation must not come at the price of security
As a plethora of start-up app companies compete for our attention and business and consumer boundaries for Internet of Things (IoT) technologies become harder to define, security on these kinds of devices is no longer a “nice to have,” but a must-have.

More about

Don't miss