Week in review: Security risks of networked medical devices, mobile apps still vulnerable to FREAK attacks

Here’s an overview of some of last week’s most interesting news and articles:

Why senior managers need to be involved in data security
There is now a growing groundswell of change in the way we approach and look at data security. Clearly, in a world where breaches, and the associated consequences, are inevitable, relying solely on, or blaming, the information security team is no longer viable.

The Andromeda botnet is ballooning once again
According to G Data security experts, the botnet’s C&C server is currently just waiting to hear from compromised computers, and is still not sending out instructions to the bots, meaning that the botnet masters are still in the botnet building stage.

Online trust is at the breaking point
For the first time, half of the more than 2,300 IT security professionals surveyed by The Ponemon Institute now believe the technology behind the trust their business requires to operate is in jeopardy.

Cutting-edge security research comes to Amsterdam
Held once again at De Beurs van Berlage, HITB2015AMS takes place from the 26-29 May 2015 and runs alongside HITB Haxpo, a 3-day technology expo for hackers, makers, builders and breakers.

Yahoo announces email encryption plugin, password-free logins
Yahoo email users will soon be able to encrypt the emails they send out by simply clicking on a button. In addition to this, users will be able to effectively forget their email passwords and request an on-demand password (a verification code) each time they want to access their account.

Exploit kits in 2015: What can we expect?
At the moment, over 70 different exploit kits taking advantage of more than a hundred vulnerabilities are actively used by attackers.

Information security innovation and research
Sin-Yaw Wang is the Vice President of Engineering at WatchGuard Technologies. In this interview he talks about the the main challenges for delivering innovative information security technologies as well as long-term investments in security R&D.

How Snowden’s revelations affected Americans’ communication habits and online activities
Nearly two years after news outlets started reporting on previously publicly unknown surveillance and data collection practices by the US NSA and its counterparts around the world, not many Americans have changed their communication habits or online behavior, but nearly two-thirds of those who know a lot or a little about the government’s actions have become less confident the surveillance efforts are serving the public interest.

Do smart machines require ethical programming?
Realizing the potential of smart machines — and ensuring successful outcomes for the businesses that rely on them — will hinge on how trusted smart machines are and how well they maintain that trust. Central to establishing this trust will be ethical values that people recognize and are comfortable with.

Deanonymizing Tor users with Raptor attacks
A group of researchers from Princeton University and ETH Zurich have found yet another way to deanonymize Tor users.

A billion data records leaked in 2014
2014 was the year when “designer vulnerabilities” emerged, when breaches and security incidents were being announced so fast that we struggled to keep up, when old financial malware began being used to hit new targets.

The evolution of vendor risk management in financial institutions
The Financial Services industry has long been recognized as a leader in establishing many of the security and fraud detection practices that have influenced best practices in other sectors. It is with little surprise, then, that we would again look to this sector to define best practices in vendor risk management.

SSL Labs unveils free open source tool, new APIs
Qualys SSL Labs now includes free assessment APIs, accompanied by a free open source tool that can be used for bulk and automated testing of websites. These new enhancements provide the same results as those obtained manually on SSL Labs, while enabling security professionals managing several websites to consolidate testing, detect changes in results and receive notifications on certificate expiration.

Native Hadoop security tools are not enough
While an overwhelming majority of Hadoop users agree that data security is a critical requirement, most disagree or are not sure that its native security tools provide enough protection for their sensitive data.

Fake job seeker’s emails deliver ransomware and info-stealer
The latest Cryptowall-delivery campaign comes with an additional menace: the Fareit Trojan, which is designed to steal logins and passwords from compromised computers, download additional malware, and can be used in DDoS attacks.

Many Android and iOS apps still vulnerable to FREAK attacks
An attacker can intercept the encrypted traffic between the mobile app and backend server via a number of techniques, record it and decrypt it at his lesure, accessing thus the confidential information exchanged between the app and the server.

Payments via Facebook Messenger soon to be a reality
A few months from now, US-based users of Facebook’s Messenger app will be able to send and receive money via it for free, the company has announced on Tuesday.

Personal, healthcare info of over 11M Premera customers compromised
The breach was detected on January 29, 2015, and the investigation mounted by the company and by forensic investigators from Mandiant has revealed that the initial attack happened on May 5, 2014.

Google aims to make Play Store safer, sets up human app review team
The time has come for Google to add some more hoops for Android app developers to jumpt through in order to get their offering accepted to the Google Play store.

Do your attackers know your network better than you?
While attackers have the advantage of time on their side, organizations must adopt strategies to be forward thinking and to identify any ‘weak spots’ before an attack occurs. In short, they need to take proactive measures to understand their network better than their attackers.

Signature antivirus’ dirty little secret
If you rely only on traditional, signature-based antivirus, you are going to get infected—and probably a lot! Antivirus was, and still is, a valuable addition to your layered security strategy, but only if you understand its limitations, which have become more and more prominent over time.

Smart cities to use 1.1 billion connected things
Increasing urbanization is putting unprecedented pressure on city mayors to constantly balance the challenge of resource constraints against environmental sustainability concerns. Gartner estimates that 1.1 billion connected things will be used by smart cities in 2015, rising to 9.7 billion by 2020.

Security risks of networked medical devices
Networked medical devices may improve fitness, medical outcomes and quality of life. However, the benefits of networked healthcare come with several main areas of concern: theft of personal information, intentional tampering with devices to cause harm, widespread disruption and accidental failures.

Windows 10 will let you log in with your face and fingerprint
Microsoft is drumming up interest in the new OS by sharing new features. Among them is Windows Hello, which will allow users to authenticate themselves and access their machine seamlessly by simply showing their face to the camera, or putting their finger on a fingerprint reader.

State-sponsored hackers target European, Israeli organizations
Rocket Kitten, the APT group of attackers that have been delivering spear-phishing emails with the Ghole malware to Israeli and European institutions late last year, have lately been spotted mounting a new operation.

WordPress plugin used by millions sports critical site-hijacking flaw
Another popular Yoast WordPress plugin has been found sporting a critical vulnerability that can be exploited by attackers to take over control of the site.

OPIS

Subscribe to the Help Net Security breaking news e-mail alerts:

OPIS
More about

Don't miss