Week in review: Popular VPNs leaking data, and the new issue of (IN)SECURE Magazine

Here’s an overview of some of last week’s most interesting news and articles:
5 ways to stop the Internet of Things from becoming the Internet of Thieves
This is the Internet universalized, embedded more deeply into every aspect of our lives, using volumes of data to automate what we humans don’t always get right. But it won’t be possible to take human nature completely out of the mix.

(IN)SECURE Magazine issue 46 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics.

Why a low-level threat can open the door for serious infections
A device hi-jacked for the purpose of conducting ‘click-fraud’ can become a conduit for more serious malware such as ransomware.

Hackers are exploiting Magento flaw to steal payment card info
Attackers are exploiting a vulnerability in eBay’s Magento platform to steal users’ billing information (including payment card info).

Why vulnerability disclosure shouldn’t be a marketing tool
Brian Honan talks about a vulnerability disclosure trend that he believes may ultimately cause more harm than good.

Researcher proves how easy it is to pull off homographic phishing attacks
Security consultant Paul Moore has managed to register a domain that, at first glance, looks like that of UK-based Lloyds Bank, and get a valid TLS certificate for it from CloudFlare.

Popular VPNs leak data, don’t offer promised privacy and anonymity
Virtual Private Network (VPN) services can be used for circumventing Internet censorship and accessing blocked content, but researchers warn that you shouldn’t believe the companies’ claims that they offer privacy and anonymity.

US OPM takes vulnerable background investigation portal offline
The US Office of Personnel Management announced that it has temporarily suspended the E-QIP (Electronic Questionnaires for Investigations Processing) system, a web-based platform used to complete and submit background investigation forms.

Fake Twitter verification profiles trick victims into sharing personal, payment card info
A little over 18,000 Twitter users looking for a way to get their accounts verified have been duped by a single fake account promising to provide the service into visiting a phishing page.

You’ve been breached, now what?
Ilia Kolochenko, CEO at High-Tech Bridge, offers advice on what to do after you have been hacked.

Update your Flash Player if you don’t want ransomware
It didn’t take long for exploit kit authors to incorporate an exploit for the recently discovered zero-day Adobe Flash vulnerability (CVE-2015-3113) into their malicious wares.

Confidence in antivirus falls to all-time low
While concern for end-user risk persists, confidence is waning in traditional detection-based security solutions, such as antivirus and firewalls. Instead, interest is shifting toward prevention-based security solutions, such as endpoint threat isolation, according to a new Bromium report.

Researchers eliminate coding errors by using good code from “donor” apps
A group of MIT researchers has come up with a technique for automatically transferring code between systems to eliminate errors.

Researchers point out the holes in NoScript’s default whitelist
Security researchers Linus Särud and Matthew Bryant have recently discovered some pretty big holes in NoScript, a popular Firefox plugin that prevents executable web content such as JavaScript, Java, Flash, and other plugins from being loaded from sites users haven’t designated as “trusted”.

Rise in DDoS reflection attacks using abandoned routing protocol
There’s been an increase in the use of outdated Routing Information Protocol version one (RIPv1) for reflection and amplification attacks, according to Akamai.

How safe is the Windows 10 Wi-Fi sharing feature?
A feature that went almost unnoticed in Windows Phone 8.1 because of its modest installation base has been raising security questions now that it has been added to Windows 10.

Harvard University suffers IT security breach
Discovered on June 19, the intrusion was first spotted on the Faculty of Arts and Sciences and Central Administration information technology networks, but a subsequent investigation revealed that eight schools and administrative organizations have been affected altogether.

Amazon releases new, easily auditable TLS implementation
Dubbed s2n (shorthand for “signal to noise”), the library doesn’t implement rarely used options and extensions, meaning its size – currently some 6,000 lines of code – is much, much smaller than that of OpenSSL.

4,900 new Android malware strains discovered every day
“New samples are not the same as infected devices. This is the crux of the challenge for those trying to understand what action, if any, to take,” points out Stephen Newman, CTO, Damballa.

How you can anonymously use public Wi-Fi from miles afar
Benjamin Caudill, founder of Rhino Security Labs, is scheduled to demonstrate at the upcoming DefCon a new device that could help users achieve and maintain their online anonymity.

Mastercard is trying out purchase verification with selfies
Five hundred US MasterCard users will soon be testing out the company’s new system for quickly processing digital payments without having to input a PIN or password.
