Here’s an overview of some of last week’s most interesting news, podcasts and articles:
The invasion of biometrics
Depending on where you stand biometrics is a good thing or something that is downright sinister. The truth is that to a degree biometric technologies have a valid and useful purpose but also have the potential to be invasive to a degree never before known to humankind.
There’s now a decryption tool for TeslaCrypt ransomware
Here’s some very good news for victims of the TeslaCrypt ransomware: Cisco researchers have created a tool for them to decrypt the files themselves and avoid paying the asked for ransom.
Researcher neutralizes Google’s Password Alert with a few lines of code
Google’s Password Alert extension for Chrome, which was released on Wednesday, has received its first critical security update less than 24 hours later, as infosec consultant Paul Moore came up with a simple exploit that bypasses it. And then he did it one more time.
How secure are digital transactions?
According to Frost & Sullivan, host card emulation (HCE) has created a new layer of security services. On the other hand, the HCE solutions have raised several concerns as in the absence of a single network, a single protocol and a common set of rules, hackers can breach security layers using sophisticated tools.
Impact of new data protection legislation not widely understood
Almost a third of public and private sector professionals are not aware of what the forthcoming EU General Data Protection Regulation (GDPR) will mean to them or their organizations.
Unnoticed for years, malware turned Linux and BSD servers into spamming machines
For over 5 years, and perhaps even longer, servers around the world running Linux and BSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found.
Planning for the Internet of Things
In this podcast recorded at RSA Conference 2015, Geoff Webb, Vice President, Solution Strategy at NetIQ, discusses the implications and likely impact of the Internet of Things.
Successful POS attacks are the result of poor security, researchers find
Most breaches involved the exploitation of very simple vulnerabilities, and many of the merchants hit have very immature security programs.
NSA surveillance since Snowden revelations is strong as ever
A Thycotic survey of 202 RSA Conference 2015 attendees found that 94% feel that NSA’s surveillance of U.S. citizens has increased or remained the same since Edward Snowden leaked classified information from the agency in June 2013.
Email delivery service SendGrid confirms data breach
Sendgrid, the email delivery and management service that counts among its clients companies like Pinterest, Airbnb and Uber, has admitted that they have been breached.
Researchers mount cyber attacks against surgery robot
A group of researchers from University of Washington have tested the security of a teleoperated robotic surgery system created by their colleagues, and have found it severely lacking.
The value of patching and how to do it properly
In this podcast recorded at RSA Conference 2015, Wolfgang Kandek, CTO at Qualys illustrates specific problems that IT professionals face as they’re unable to move to a new software version because of certain dependencies. He discusses prioritization, Microsoft, Adobe, Oracle, SSL, and much more.
Crypt0L0cker ransomware avoids US computers
Yet another piece of ransomware has surfaced, and this one has several interesting things about it: it expressly avoids targeting US users, and it has a hardcoded list of file types it avoids encrypting.
Protecting and identifying your information assets
In this podcast recorded at RSA Conference 2015, Tim Upton, CEO at TITUS, illustrates how TITUS gives your data an identity by adding metadata to an information asset such as an email or a document. They identify data at the time of creation, so that your organization can make intelligent, deliberate decisions on how that information is handled.
High volume DDoS attacks still persistent
Arbor Networks released global DDoS attack data that shows a continuation of extremely high volume attacks. In Q1 2015, there were 25 attacks larger than 100Gbps globally.
Hacker exploits Android devices with self-implanted NFC chip
A security researcher has demonstrated that it’s possible to implant yourself with a NFC chip that will not be detected by body scanners at airports or other high-security locations, and which could be used to compromise devices inside a guarded perimeter.
Why you should steer users towards less predictable passwords
As users are instructed to create ever more complex passwords, and developers are starting to use encryption methods more difficult to crack than standard hashing functions, password crackers (and penetration testers) must wisely choose which type of password attack to try first, second, and so on.
Emerging trends and targeted threat intelligence
Court Little, Director of Product Management at Solutionary, talks about how the bar is being raised across the entire security space: users are getting smarter, and clients are increasingly understanding the limitations of what technologies do and what their needs are.
Infosec: Don’t fear the word
Hand an adult a children’s story about technology—well, they get a bit freaked out. Why? Because they’ve already decided the digital world is too difficult to comprehend—no matter how simple the concept. And yet, that same adult is more than happy to help their child figure out how Quidditch is played.
5,000+ e-commerce sites at risk due to buggy WordPress plugin
A popular WordPress e-commerce plugin that is actively used on over 5,000 websites contains high-risk vulnerabilities that can be exploited to compromise customers’ data, execute arbitrary PHP code, and perform Cross-Site Scripting attacks against users of WordPress installations.
Unpatched, vulnerable PDF readers leave users open to attack
The security of a PC is significantly affected by the number and type of applications installed on it, and the extent to which these programs are patched.
The importance of integrating identity and data
In this podcast recorded at RSA Conference 2015, Siva Belasamy, CEO and CTO at Deep Identity, talks about how identifying who has access to what, and the risks associated with such access, can be a daunting task.
Yahoo develops cheap, effective biometric smartphone authentication
A group of Yahoo researchers have demonstrated that apart from fingerprints, other parts of the human body, such as ears, fists, palms and fingers, can also be successfully used to authenticate users to their mobile phones.
Critical vulnerability in RealTek SDK breaks routers’ security
A critical vulnerability in version 1.3 of the RealTek software development kit (SDK) has opened hole in D-Link and Trendnet Wi-Fi routers – and possibly many others, as well – which can be exploited by attackers to execute arbitrary code on the devices.
CTO insights: Defending your organization from insider attacks
An insider knows exactly how an organization does things, what they consider valuable, and how they will respond to an attack. Who else would be better to carry out an attack than an insider?