Week in review: VENOM bug, infosec and ethics, and flawed crypto endangers smart grid devices

Here’s an overview of some of last week’s most interesting news, podcasts and articles:


IoT and the great data heist
With the introduction of new mobile devices in every facet of our lives, we have increased our understanding of the environment around us but also within us. A conversation Raj Samani, VP and CTO EMEA at Intel Security, had with the manufacturer of one wearable wristband at this year’s Mobile World Congress surprised even him regarding the amount of data it collected.

Why WinSCP became an open source classic
WinSCP is the brainchild of Martin Prikryl, a 36-year old Czech developer living in Prague, who’s been refining it for 15 years.

ThreatStream’s approach to threat intelligence
Imagine being able to make sense of all the threat information that’s flowing through your security controls and coming from your threat feeds in minutes, not weeks, months or years.

APT group’s malware retrieved C&C IP addresses from Microsoft’s TechNet portal
A China-based APT group has been using Microsoft’s TechNet web portal to host encoded Command and Control IP addresses for its BLACKCOFFEE malware.

Do ethics get in the way of security professionals?
While it’s convenient to think that the information security industry is made up of highly ethical individuals who make the right decision every time, a stressful situation can turn things around faster than you can say black hat.

Flawed crypto endangers millions of smart grid devices
The cryptography used in the Open Smart Grid Protocol (OSGP), one of the most widely used smart meter and smart grid device networking standards, can be easily cracked.

Data privacy endangered by international trade agreements
You might or might not know that some countries – especially some European ones – have (or are working on) strong data protection laws. What most people don’t know is that these laws might be voided by a number of legally enforceable trade agreements that are currently under negotiation: the Trans-Pacific Partnership Agreement, the Trade In Services Agreement, and so on.

US Passport Agency contractor stole applicants’ data to steal their identities
Three women from Houston, Texas, stand accused of engaging in an identity theft scheme in which one of them, a contract employee of the Department of State Passport Agency, was in charge of stealing personally identifiable information of persons applying for a passport.

Former employee claims cybersecurity firm extorted clients
Tiversa, a privately held cybersecurity company based in Pittsburgh, Pennsylvania, has been accused by a former employee of hacking and then trying to effectively extort money from potential clients by forcing them to hire them.

Defend your network from APTs that exploit DNS
Malware and APTs commonly use the Domain Name System (DNS) as a communication mechanism for these breaches. And yet many companies are not taking the necessary precautions to detect and mitigate against these types of attacks. Nor are they using the best tool at their disposal to combat these threats – DNS itself.

Product spotlight: Entrust IdentityGuard
Existing point authentication solutions are no longer up to the task of thwarting advances that exploit vulnerabilities in a variety of channels or mediums.

Can you correctly identify phishing emails?
An Intel Security quiz presented ten emails and asked respondents to identify which of the emails were phishing attempts designed to steal personal information and which were legitimate. Of the approximately 19,000 survey respondents from 144 countries, only 3% were able to correctly identify every example correctly and 80% of all respondents misidentified at least one of the phishing emails, which is all it takes to fall victim to an attack.

Scammers are draining payment cards linked with Starbucks customer accounts
Scammers are actively targeting Starbucks customers and syphoning money from the credit or debit card they have tied to their Starbucks accounts.

11-year-old VM escape bug opens host machines to compromise
CrowdStrike researchers have recently discovered a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms, which could be exploited by attackers to escape the confines of the virtual machine and to gain code-execution access to the underlying host machine, other VMs running on that host, and potentially to the the host’s local network and neighbouring systems.

Why saying YES is changing information security
The most valuable information security tool of the past, the denial, is dead. The threat surface is increasing dramatically, yet CISOs are under pressure to say yes to new technologies and hardware, to enable easier collaboration, sharing, BYOD.

New domains revive old spam
The new generic top-level domain (gTLD) registration program, launched in January 2014 and intended for use by relevant communities and organizations, has proved irresistible to spammers.

The slow death of static security detections: Beginning of SIEM deployments
We’ve been outsmarted and we appear to be in denial. Every large data breach starts with some form of social engineering. All of us are the weakest link in the chain. As long as humans are involved, they will be social engineered (and they’ll make configuration errors).

US House of Representatives votes to stop NSA’s bulk data collection
While supporters of the bill say that the main aim of the bill will be achieved with its passing, opponents say that instead of reigning end dragnet surveillance by government agencies, it will legitimize dragnet data collection – something that section 215 of the Patriot Act didn’t allow, and is, according to Michigan Representative Justin Amash, “in violation of the Fourth Amendment to the Constitution.”

United Airlines offers air miles for vulnerability information
United Airlines has become the first airline to start a bug bounty program and instead of monetary rewards, it offers air miles. But searching for bugs in the company’s aircrafts or aircraft systems is not allowed.

Total data protection outside the firewall
In this podcast recorded at RSA Conference 2015, Rich Campagna, VP, Products & Marketing at Bitglass, talks about how Bitglass protects corporate data throughout its life cycle: in the cloud, at access, on the device, and on the corporate network.

Combating insider threats in the contact center
Advances in security technology are making many payment channels safer than ever for consumers, however, they are also forcing professional fraudsters to concentrate on an ever-diminishing number of more vulnerable targets. One of these is the traditional contact centre, where the huge volume of daily Card Not Present (CNP) transactions being processed, combined with often lax physical security measures, is making them an increasingly attractive target for criminal gangs.

Product spotlight: Qualys Continuous Monitoring
In this podcast recorded at RSA Conference 2015, Wolfgang Kandek, CTO at Qualys, talks about how their Continuous Monitoring (CM) solution for the perimeter now includes internal monitoring capabilities enabling organizations to proactively monitor and get real-time alerts for critical internal IT assets such as desktops, servers and other devices.

Cloud security best practices during all phases of the infrastructure lifecycle
Organizations often struggle to identify the right security practices to implement in their agile product pipelines. The reason for this pain is that security behaviors tend to be expensive, laborious, time-intensive and/or technologically invasive. So how do you adapt your organization to the new realities of cloud security?

Sensitive customer data leaked following mSpy data breach
mSpy, a company that sells “customized and user-friendly mobile and computer monitoring solutions,” has apparently suffered a data breach.

Security firm publishes details, exploit code for Google App Engine flaws
Polish firm Security Explorations has published technical details and PoC code for several security issues identified in Google App Engine (GAE) for Java.

Practical applications of machine learning in cyber security
Experts believe that most organizations’ cyber-security programs are not a match for the attackers’ persistence and skills. Does the answer to this problem lie in machine learning and artificial intelligence?

Share this
You are reading

Week in review: VENOM bug, infosec and ethics, and flawed crypto endangers smart grid devices