Week in review: Rethinking security, LastPass breach, and stronger data protection rules for Europe
Here’s an overview of some of last week’s most interesting news, podcasts and articles:
How data-centric security works
In this podcast recorded at Infosecurity Europe 2015, Rui Melo Biscaia, Product Management Director at Watchful Software, talks about the importance of having another layer in place on top of your IDS, IPS, firewalls, etc. This is where data-centric security comes into the picture.
Trojan uses steganography to hide itself in image files
The Dell SecureWorks CTU research team has recently analyzed a piece of malware that uses digital steganography to hide part of its malicious code.
Stronger data protection rules for Europe
More than 90% of Europeans are concerned about mobile apps collecting their data without their consent. Last Monday, an important step was taken to finalize EU data protection rules to help restore that confidence.
Rethinking security: Securing activities instead of computers
For many people involved in the infosecurity community, the notion of security is too often tied to the quality of code (resistance to specific classes of bug, for example) and effective patching – in short, to low-level security. But independent security consultant Eleanor Saitta believes that software developers and security engineers need to take a step back and look at the bigger picture.
Emojis instead of PIN codes as an alternative for forgetful users
UK-based Intelligence Environment has released on Monday a new solution for creating passcodes by choosing emojis instead of numeric characters.
Does the UK need to do more to address the threat of nuclear terrorism?
Nuclear facilities are already incredibly safe and secure through design and protection, and Government and infrastructure owners are fully committed to protecting our critical national infrastructure from terrorism. In fact, there has never been a terrorist attack on a nuclear facility in the UK, nor has there been any credible plan exposed that has intended such an attack. However, the potential impact and consequences of a successful attack means that despite the remotest probability we must consider all potential vulnerabilities, so that the license holders and responders are prepared and able neutralize the threat.
Stolen Foxconn certs used to sign malware used in Kaspersky Lab attack
After the revelation that their corporate network has been hit by APT actors wielding a newer version of the infamous, Stuxnet-related Duqu attack toolkit, Kaspersky Lab researchers have shared more details about how the attackers achieved persistence in it.
Newly patched Flash Player bug exploited to deliver crypto ransomware
It took less than a week for a functional exploit for a recently patched Adobe Flash Player vulnerability to be added to the Magnitude exploit kit, Trend Micro researchers warn.
A call to researchers: Mix some creation with your destruction
Corey Nachreiner, Director of Security Strategy and Research, WatchGuard, always respected vulnerability researchers because they were imaginative and just “wicked smart.”
LastPass breached, hashed master passwords compromised
LastPass, the company behind the popular password management service of the same name, has announced on Monday that they have suffered a breach, and has urged users to verify their account and update their master password.
How trustworthy are the world’s leading websites?
The Online Trust Alliance (OTA) evaluated nearly 1,000 websites, grading them based on dozens of criteria in three categories: consumer protection, privacy and security.
Google announces reward program for Android bugs
The Android Security Rewards are incremental. “For vulnerabilities affecting Nexus phones and tablets available for sale on Google Play (currently Nexus 6 and Nexus 9), we will pay for each step required to fix a security bug, including patches and tests,” Android Security Engineer Jon Larimer explained.
Emulating the security analyst with software
This is the second installation of a two-part article discussing why static security detection methods can no longer protect enterprises from advanced hacking efforts. In this installation, the author will discuss why the security industry must begin to look at a more dynamic approach to security alerts.
Exposing cyberattacks targeting government networks in Southeast Asia
Palo Alto Networks uncovered a series of potentially state-sponsored cyberattacks targeting government and military organizations in countries throughout Southeast Asia. Help Net Security has learned that their Unit 42 team has been gathering and analyzing data since January of 2015.
Keyboard app bug puts millions of Samsung mobile users at risk, researcher claims
A vulnerability in the Swift keyboard, which comes pre-installed on Samsung mobile devices, can be exploited by remote attackers to secretly install malicious apps, access the device’s camera and microphone and more, claims NowSecure security researcher Ryan Welton. He also says that over 600 million Samsung mobile device users are at risk due to this flaw.
Zero Trust approach to network security
This paper discusses the need for a Zero Trust approach to network security, how the Palo Alto Networks next-generation security platform delivers on these requirements, and provides guidance on how to progressively migrate to a Zero Trust architecture.
Let’s Encrypt CA to issue its first cert
Let’s Encrypt, a non-profit certificate authority (CA) set up by the Electronic Frontier Foundation, Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan, is finally ready to issue its first certificate, scheduled for next week.
Unpatched OS X, iOS flaws allow password, token theft from keychain, apps
Six researchers from Indiana University Bloomington, Peking University and Georgia Tech have recently published a paper in which they detail the existence of critical security weaknesses in Apple’s OS X and iOS – weaknesses that could be exploited by a sandboxed malicious app to gain unauthorized access to other apps’ sensitive data.
Why break in, if you can simply login?
Insider threat, credential abuse – they all describe the fact that either via some phishing attack or the simple purchase of credentials on a dark market, an attacker is logging in and operating on your network for months, maybe even years, as they impersonate a known user to your systems.
IoT developers concerned about privacy and data protection
Developers around the globe agreed security and personal privacy, data privacy and protection from malicious attack, and general integration and data management are the top challenges in designing, deploying and engaging customers with IoT apps. They also confirmed these are the biggest challenges in monetizing IoT apps.
Reddit announces switch to HTTPS-only
With a short note posted on the site’s developers subreddit, reddit – the so-called “front page of the internet” – has announced that starting with June 29, the site will be served only over HTTPS.
Why LinkedIn chose to keep its bug bounty program private
Bug bounty programs have become de rigueur for tech and Internet companies that want to improve the security of their products by (partly) outsourcing bug discovery. But while most companies opt for public programs, LinkedIn has decided to keep its program private.
Microsoft’s anti-surveillance website was hacked
Unexpectedly, the attackers are not disgruntled privacy-minded hacktivists with a bone to pick with the company, but apparently scammers trying to push “amazing” offers from online casinos.
U.S. Open primer: In the cloud or on the golf course, hazards can be devastating
In the spirit of U.S. Open golf tournament and the 18 tricky holes at Chambers Bay, Perspecsys will caddy for a full round with tips and tricks to avoid the hazards – the privacy, compliance and security hazards of cloud computing – and guide you confidently through the course to realize the full benefits enterprise cloud adoption can offer.
Relying on your insurer for security? Think again!
It is, in part at least, thanks to the growing threat landscape, that we are now seeing a focus, both from the media and the industry on cyber insurance.
EFF delves into privacy practices of Apple, Google, Twitter, and others
Our digital lives are leaving data trails through social networking sites, email providers, Internet service providers, and mobile apps. But which companies fight the hardest to protect their customers from government data grabs of this sensitive information?
Static encryption keys affect SAP security
Dmitry Chastukhin, Director of Professional Services at ERPScan, presented a report on the latest SAP security trends at the Black Hat Sessions conference in the Netherlands. He covered multiple problems related to encryption algorithms and static keys used by SAP in their products.