Week in review: HackingTeam breach and consequences, and Android games unmasked as phishing tools

Here’s an overview of some of last week’s most interesting news and articles:


Hacking Team hacked, 400GB+ of company documents and emails leaked
Hacking Team, the (in)famous Italian company that provides offensive intrusion and surveillance software to governments, intelligence and law enforcement agencies around the world, has been hacked.

Let’s Encrypt CA releases transparency report before its first certificate
The non-profit CA launched by the EFF, Mozilla and several other businesses and organizations is determined to gain and retain users’ trust.

Old MS Office feature can be exploited to deliver, execute malware
A Microsoft Office functionality that has been in use since the early 1990s can be exploited to deliver malicious, executable files to users without triggering widely used security software, claims security researcher Kevin Beaumont.

Data-centric security with RightsWATCH
In this podcast recorded at Infosecurity Europe 2015, Rui Melo Biscaia, Product Management Director at Watchful Software, talks about RightsWATCH, a state-of-the-art data-centric information security solution that ensures sensitive information can only be used by those that have express authority to do so. Even if sensitive data is leaked, it is rendered useless to unauthorized parties that may acquire it.

The best way to prevent data breaches? It’s not what you think
When people think of hacking attempts, Hollywood makes it seem that it’s a matter of overcoming a computer system or firewall through some brilliant algorithm or brute force attack. But in reality, the easiest way to hack into an organization is through its employees.

Fake Android battery monitor app thoroughly compromises users’ devices
BatteryBot Pro is a legitimate app that monitors and shows your battery charge level, and in order to do that it asks just a few permissions. Unfortunately, scammers have reverse-engineered the app’s code, embedded into it malicious modules, and have been offering it for download on Google Play.

We don’t know what we don’t know
Citing the latest cyber security statistics is a popular way for security companies to show that they are keeping a watchful eye on the threat landscape. But the problem is that we simply don’t know. Sure, some companies claim to know, but here’s a secret: they’re wrong. They might know something, probably even a lot, but not everything.

Flaw allows hijacking of professional surveillance AirLive cameras
Nahuel Riva, a research engineer from Core Security, discovered vulnerabilities in AirLive’s surveillance cameras designed for professional surveillance and security applications. He was able to invoke some CGIs without authentication, while backdoor accounts allowed him to execute arbitrary OS commands on the device.

Flash 0-day exploit found in Hacking Team’s leaked data exploited by criminals
Human rights and privacy activists and journalists are actively reviewing the data stolen in the Hacking Team breach. In the meantime, security researchers and malicious actors have also been going through the leaked data, and have discovered previously unknown software vulnerabilities that have been exploited by the company to compromise the targets’ machines.

Another malware building toolkit leaked, botnets already popping up
Another malware building toolkit has been leaked, allowing less tech-savvy crooks to generate a fully functional variant of the KINS banking Trojan and to inject its configuration code in a JPG file in order for it not to be spotted.

Sophisticated, successful Morpho APT group is after corporate data
The group was first spotted in 2013, when they successfully compromised Twitter, Apple , Facebook and Microsoft by using the watering hole technique and a Java zero-day exploit to deliver an OS X backdoor to the companies’ developers.

Why location-based social media data is critical for security
Location-tagged social media data is utterly revolutionary and represents unprecedented opportunity for organizations to support their missions and increase security in a fundamentally new and unique way. So how do you harness this information and make sense of it?

Popular Android games unmasked as phishing tools
ESET researchers have discovered a new, ingenious, yet very simple Facebook phishing scheme: playable Android games that, before they are started, ask users to enter their Facebook credentials.

Hacking Team’s Flash 0-day exploit used against Korean targets before it was leaked
The Adobe Flash zero-day (CVE-2015-5119) exploit found in the Hacking Team’s leaked data has already been added to several exploit kits, but Trend Micro researchers have found evidence of it being used before the data was leaked.

Cyber attack on US power grid could result in losses up to $1 trillion
Lloyd’s of London has published a research report produced with the help of the University of Cambridge Centre for Risk Studies, which investigates how a severe cyber attack against the US power grid could affect US businesses and what the impact on the US economy would be.

Severe OpenSSL bug that allows certificate forgery has been plugged
Effectively, it allows attackers – or anyone else, really – to pose as a valid CA and issue a certificate that will pass muster.

FBI director insists Silicon Valley can solve the encryption dilemma – if they try hard enough
On Wednesday, the US Senate Judiciary Committee got to hear from FBI director James Comey and DOJ Deputy Attorney General Sally Quillian Yates on how end-to-end encryption employed by certain companies (but mostly Apple) is becoming a problem for law enforcement’s investigations.

Never underestimate the impact of a data breach
Organizations need to take a number of steps in order to reduce the likelihood of a data breach and to minimize the cost if successfully attacked. It is imperative that businesses specifically understand current and future risks and take steps to address them as quickly as possible.

What a business leader should know about the cloud and its impact
The Cloud Security Alliance produces guidance on risk and mitigation techniques related to cloud services, mostly aimed at IT managers and security professionals – but business leaders need to understand the risks to their business operations as well.

Sensitive info of over 21.5M people, including SSNs and fingerprints, stolen in OPM hack
The US Office of Personnel Management (OPM) has revealed on Thursday the full extent of the information stolen in the two data breaches it suffered in 2014.

Apple to introduce two-factor authentication option in iOS 9 and OS X El Capitan
Starting with OS X 10.11 (“El Capitan”) and iOS 9, Apple will introduce a two-factor authentication option that will replace the current two-step verification one.

Why is ERP security so difficult?
Many security professionals aren’t familiar with how ERP systems work and the complexities involved in properly testing them. Why are ERP systems different than other systems?

Share this