Week in review: Hiding exploit code in images, online summer travel scams, and Infosecurity Europe 2015

Here’s an overview of some of last week’s most interesting news and articles:


Cookie warnings: Useless and bad for security?
Our daily clicking away of these warnings is a time-consuming, costly and inefficient approach to giving the user control, because this kind of consent should be handled by the browser.

Scany: Network scanner for iOS
With Scany you can perform a wide range of sweeps: from scanning a simple local/remote host to scanning an IP range.

eBook: Cybersecurity for Dummies
APTs have changed the world of enterprise security and how networks and organizations are attacked. These threats, and the cybercriminals behind them, are experts at remaining hidden from traditional security while exhibiting an intelligence, resiliency, and patience that has never been seen before. Controlling these threats requires multiple security disciplines working together in context.

Which malware lures work best?
More often than not, malware peddlers’ main goal is to deliver their malicious wares to the maximum number of users possible. Choosing the right lure is crucial to achieving that goal.

A fundamental shift in security spending
Firms are shifting their cyber security spend away from traditional Prevent & Protect approaches towards Detect & Respond operations.

Facebook introduces end-to-end encryption for notifications
Facebook is testing out an experimental new feature that will enable people to add OpenPGP public keys to their profile, and gives users the option of receiving notification emails sent from Facebook in encrypted form.

Infosecurity Europe 2015 coverage
If you missed Infosecurity Europe 2015, check out our dedicated coverage page to see what products and news were released during the conference.

Future attacks: Hiding exploit code in images
Successfully hiding messages in images has already been done, but is it possible to deliver an exploit in one – and run it? Saumil Shah, founder and CEO of Net-Square, has demonstrated at Hack in the Box Amsterdam 2015 that it’s possible, and has posited that such attacks are more than likely to crop up in the near future, as he can’t be the only one who thought about this, tried it and succeeded.

Employee credentials of half of European top 500 firms exposed online
Cyber attacks and data breaches very often start with phishing or spear-phishing. Access to good credentials is key – whether it’s for straight emailing or direct access to target email systems, etc.

Bug hunting without much tech knowledge or many tools
Bas Venis has been programming since he was 14 years old. After gaining some experience as a web developer, this 18-year-old self-taught security researcher got into IT security and aimed his sights at browsers. Specifically, at logic flaws that could be exploited.

Malvertising infected millions of users in 2015
New research from Malwarebytes has found that malvertising is one of the primary infection vectors used to reach millions of consumers this year.

IoT devices entering enterprises, opening company networks to attacks
OpenDNS released The 2015 Internet of Things in the Enterprise Report, a worldwide data-driven security assessment of Internet of Things (IoT) devices and infrastructure found in businesses.

Weak SSH keys opened many GitHub repositories to compromise
GitHub repositories of many entities, projects, and even one government could have been compromised and used to deliver malicious code due to the owners’ use of easily crackable SSH keys.

SourceForge hijacks popular accounts to distribute 3rd-party software
Online source code repository SourceForge has apparently started taking over inactive accounts for popular software, and adding bundle-ware installers to the software packages. One of the first “victims” was the account hosting GIMP for Windows.

USA Freedom Act is just the beginning of the fight for privacy
The US Senate voted for the passing of the USA Freedom Act on Tuesday, and President Obama signed it into law later the same day. So, how will this impact the surveillance programs operated by the NSA and other US agencies?

How to raise users’ expectations about security and privacy?
Users don’t ask for security and privacy, and those two things consequently slip down the tech developers’ and creators’ list of things that are important when creating new things.

How to turn on two-factor authentication on over 100 popular online services
TeleSign launched Turn It On, a new campaign featuring a guide to two-factor authentication and providing step-by-step instructions for turning on 2FA for over 100 popular social networking, banking, cloud computing and other online services that offer the 2FA option.

Shadow IT is prevalent in government agencies
Despite clear benefits of cloud services – greater collaboration, agility, and cost savings – federal agencies are slow to migrate to the cloud due to security concerns. As a result, employees adopt cloud services on their own, creating shadow IT.

Discovering connections between attackers
In the last few years, Pedram Hayati, founder of Australian IT company Security Dimension, has been developing a custom honeypot intelligence system called Smart Honeypot.

70% of breaches are detected by a third-party
46 percent of organizations that have suffered a data breach took more than four months to detect a problem, and more than three months to mitigate the risk.

Online summer travel scams to watch out for
Iovation analyzed more than a hundred million online travel transactions for fraudulent behavior and found some common ways criminals are looking to defraud consumers making increasingly spontaneous purchases.

Personal info of 4 million US government workers compromised in OPM breach
Approximately 4 million US federal employees, both current and former, will start receiving a breach notification alerting them that their personal information has potentially been compromised.
