Week in review: Windows 10 security features, and thwarting user profiling based on typing behavior

Here’s an overview of some of last week’s most interesting news and articles:


Over 5,000 mobile apps found performing in-app ad fraud
Of the $20 billion projected to be spent by advertisers on mobile advertising in 2015, $1 billion will effectively be lost due to in-app ad fraud.

Finally! A free, open source, on-premise virus scanner framework
PlagueScanner is a multiple AV scanner framework for orchestrating a group of individual AV scanners into one contiguous scanner.

Most employees don’t understand the value of data
New research from Fujitsu has revealed that only 7% of employees rate their business data higher than their personal information.

A data security guy’s musings on the OPM data breach train wreck
Given the sensitive data the OPM was tasked with protecting, it should have had state-of-the-art data protection, but instead it has become the poster child for IT security neglect. While it’s dismal security posture is unjustifiable, the people and process challenges that hindered the implementation of appropriate security measures are pervasive.

New Google Drive phishing campaign exposed
Elastica discovered a new Google Drive-based advanced phishing campaign initiated by unknown attackers. The attackers used JavaScript code obfuscation and compromised websites in order to steal end-user account credentials using Google services.

Most malvertising attacks are hosted on news and entertainment websites
News and entertainment sites are the world’s most heavily-trafficked sites and therefore ideal targets. However, attack vectors are not limited to ads.

Dmail: A Chrome extension for sending self-destructing emails
Social bookmarking web service Delicious has released a free beta version of Dmail, an extension for the Chrome browser which allows senders to delete an email they sent and have regretted sending soon after.

One in 600 websites exposes sensitive info via easily accessible .git folder
Less experienced developers don’t know that git keeps track of the changes by storing them in a hidden folder (.git), and they expose it to the world.

Chrome extension thwarts user profiling based on typing behavior
Keyboard Privacy prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM.

Three steps to a successful cloud migration
Migrating content to the cloud is more complicated than just packing up data and shipping it off to a new location.

Breaches might be inevitable, but penalties are not harsh enough
A panel on the topic of data breaches organized by cyber security and penetration testing company Cognosec has revealed that most industry professionals believe that breaches are inevitable and that we should just accept this new reality.

Check out the Windows 10 security features
Windows 10 is now available to users around the world. Here is an overview of new security features.

Rowhammer.js: The first remote software-induced hardware-fault attack
A group of Austrian and French researchers have devised a relatively simple way to remotely exploit the Rowhammer bug present in some computer chips. Their version of the attack is JavaScript-based, doesn’t require physical access to the machine or the execution of native code or access to special instructions, and can be performed on millions of users simultaneously.

Internet of Things: Bracing for the data flood
There’s a real opportunity now to incorporate the scaling and management (including security management) needs for the IoT in the way we plan our enterprise and consumer services. How will those services work within the context of the IoT? Can they support the proliferation of potential connection points? Do we understand how they might respond when they need to deal with the complexity of management of so many users and devices? And perhaps most importantly, can those systems, and the security processes around them, cope with the explosion in raw data?

Automated threat management: No signature required
Signatures are valuable for detecting large-scale commodity threats, but the signature model falls flat with attackers who value stealth over the number of systems they control.

More than a third of employees would sell company data
A Loudhouse survey on enterprise security practices reveals that 35 percent of employees would sell information on company patents, financial records and customer credit card details if the price was right.

United Airlines hacked by same group that breached Anthem and OPM
United Airlines has been breached, and investigators believe the perpetrators to be the same group that hacked US health insurer Anthem and stole personal and employment information of 78.8 million customers and non-customers.

Researchers hack Linux-powered sniper rifle
Runa Sandvik and Michael Auger are set to present their research into TrackingPoint’s precision-guided sniper rifle at Black Hat next week, and will demonstrate both how the firearm works, how they reverse-engineered the scope, the firmware, and three of TrackingPoint’s mobile applications.

New Android bug can put devices into a coma
In the wake of the explosive discovery of the Android Stagefright vulnerability, Trend Micro researchers have revealed the existence of another, similar one that can make Android devices unresponsive, i.e. “silent, unable to make calls, with a lifeless screen”.

Sun Tzu 2.0: Is cyberwar the new warfare?
Cyberwar and its ramifications have been debated for some time and the issue has been wrought with controversy. Few would argue that cyber-attacks are not prevalent in cyberspace. However, does it amount to a type of warfare?

Researchers devise passive attacks for identifying Tor hidden services
A group of MIT researchers have devised two attacks that could identify, with a high degree of certainty (88%), an anonymous hidden service or client.

Microsoft Edge: New browser, new risks for Windows 10
Microsoft Edge, the new browser in Windows 10, represents a significant increase in the security over Internet Explorer. However, there are also new potential threat vectors that aren’t present in older versions.

US will revise Wassenaar pact changes
US Commerce Department’s Bureau of Industry and Security (BIS) will rethink the Wassenaar pact changes regarding “cybersecurity items” that it proposed and made available for comment to the public in May.

User behavior analytics for security operations efficiency
So, you’ve been informed by the FBI, a business partner, or security consultant that they have spotted a bunch of your company’s employee records on the paste bin website. Your first thought – this is obviously the result of a data breach due to unauthorized access.

OPIS

Subscribe to the Help Net Security breaking news e-mail alerts:

OPIS
More about

Don't miss