Week in review: HealthCare.gov leaks user data, Angler kit exploits Flash 0-day, researchers recreate NSA’s spying tools on the cheap
Here’s an overview of some of last week’s most interesting news, interviews and articles:
Has the time come to give up penetration testing?
The more miles of fencing there are to patrol, with more potential points of entry, the harder it will be to keep attackers out. Logically, this would suggest that pen testing is now more important than ever, but this isn’t necessarily the case.
The cost of malware containment
The Ponemon Institute surveyed more than 600 US IT and IT security practitioners with the aim of understanding the true cost of dealing with today’s volume of malware threats.
North Korean networks compromised by NSA for a while now
A report based on documents from Edward Snowden’s NSA trove and published by Der Spiegel on Saturday described the extensive cyber spying and sabotaging capabilities of the US National Security Agency, and gave an indication of how they knew who’s to blame for the massive attack sustained by Sony Pictures Entertainment late last year.
2+ million US cars can be hacked remotely, researcher claims
Security researcher Corey Thuen made a surprising discovery when he reverse-engineered the firmware of the Snapshot tracking dongles that US-based Progressive Insurance gives out to its customers: the devices are woefully insecure, and can lead to data theft, as well as to the compromise of a car’s functions crucial to passenger safety.
Guide on actionable information for security incident response
ENISA publishes a good practice guide on Actionable Information for Security Incident Response, aiming to provide a picture of the challenges national CERTs and other security organizations encounter as they try to generate actionable output from large amounts of data.
Gamers hit with trojanized versions of official League of Legends releases
The attackers targeted well known Asian consumer Internet platform provider Garena, which partners with a number of high-profile game developers from around the world.
Hacker hits Australian travel insurer, leaks records of 800,000 customers
Personal and limited financial information of over 800,000 customers of Australian travel insurance company Aussie Travel Cover has been stolen by a hacker who goes by the online handle “Abdilo” and is believed to be a member of the infamous Lizard Squad.
UK GCHQ collected emails of UK, US journalists
British intelligence agency GCHQ has, at least on one occasion, slurped up emails sent by and to journalists working for a number of high-profile news organizations and shared their contents on its own intranet, the Guardian reported.
11% of Android banking and finance apps are dangerous
RiskIQ found that more than 40,000 of the 350,000 apps which reference banking in the world’s top 90 app stores contain malware or suspicious binaries.
Reactions to President Obama’s 2015 State of the Union Address
President Obama’s State of the Union Address featured a new legislative focus on cyber security issues. Bill Solms, President & CEO, Wave Systems, believes we need bold reform to strengthen U.S. cybersecurity. Here are some of the other comments Help Net Security received.
Researchers create inexpensive versions of NSA’s spying tools
Michael Ossman and fellow enthusiasts started a project dubbed NSA Playset, which aims to make cutting-edge security tools more accessible. Security researchers are welcome to contribute to the NSA Playset with their own interception and reconnaissance tools and techniques and share details on how to create them.
Infosec management strategies and the modern CTO
Lumeta recently appointed Brandon Hoffman as their new CTO. We took this opportunity to get his perspective on the management strategies that are essential in the information security industry. He also offers advice to those stepping into the CTO role for the first time, and talks about the evolution of network situational awareness.
How health care providers can protect sensitive data
Industry regulations that establish requirements for IT security for health care providers are often diverse and confusing. Netwrix outlines three major steps that help meet compliance requirements and ensure security of IT infrastructure.
HealthCare.gov sends out users’ personal info to ad companies
The sent information apparently includes the users’ age, income level, ZIP code, parental status, pregnancy status and whether they are a smoker. And while no name is associated with it, the computer’s IP address can occasionally be included in the sent information, de facto allowing the companies to associate it with a person.
DMARC: The time is right for email authentication
The early IETF groups that defined core Internet standards around SMTP undoubtedly pondered the integration of authentication into the core spec, but were more worried about building a sufficiently simple, scalable solution that developers would implement and people would use. Email security is really, really hard, which is why we are still talking about it 20 years after SMTP was standardized.
Click-fraud malware brings thousands of dollars to YouTube scammers
A malware delivery campaign aimed at making victims’ computers surreptitiously view YouTube videos and, consequently, artificially inflate their popularity so that scammers might earn money from the ads embedded in them, has been targeting users around the world for months now, and is still going on.
5 tips for dealing with cyberbullying in education
According to the latest figures by nobullying.com, 68 per cent of teens agree that cyber bullying has now become a serious problem in schools. This is exacerbated by the fact that more than half of young people admit they never confide in their parents when cyber bullying happens to them.
Angler exploit kit goes after new Adobe Flash 0-day flaw
An exploit for a zero-day vulnerability in Adobe Flash Player has been added to the popular Angler exploit kit and is, along with exploits for several other Flash flaws, opening users’ Windows machines to the Bedep trojan.
Journalist Barrett Brown sentenced to 63 months
Barrett Brown, the journalist who at one time claimed to be a spokesman for the hacktivist collective Anonymous, has been handed a 63-month prison sentence and has been ordered to pay $890,000 in restitution – most of it to Stratfor, the company whose stolen data he linked to, and other companies hit by Anonymous.