Here’s an overview of some of last week’s most interesting news and articles:
What’s the state of your software?
In the face of the repeated high-profile breaches of the US Office of Personnel Management (OPM), Target and Sony, it may be tempting to throw up one’s hands and give up on building secure applications or fixing vulnerabilities in the applications that have already been deployed. The truth is that most organisations have yet to seriously address this problem.
The rapid growth of the bug bounty economy
On average, nearly five high-to-critical priority vulnerabilities are found within the lifetime of a single program, according to Bugcrowd. Another observed trend includes the migration from public programs over to invitation-only programs.
Malvertisers abused Yahoo’s ad network for days
A large-scale malvertising attack abusing Yahoo’s ad network has been hitting visitors of the Internet giant’s many popular and heavy-traffic sites for nearly a week.
79% of companies release apps with known vulnerabilities
The application development process is rampant with security risks due to current business pressures.
Attackers are downing DNS servers by exploiting BIND bug
As predicted, the critical and easily exploitable flaw that affects all versions of BIND, the most widely used DNS software on the Internet, has started being exploited by attackers.
Chinese APTs use commercial VPN to hide their attack activity
Dubbed Terracotta, the VPN service is marketed mostly to Chinese users under multiple brand names, primarily as a means to bypass the Great Firewall of China.
Best practice application security: Does it exist?
Website security is an ever-moving target. New websites are launched all the time, new code is released constantly and new web technologies are created and adopted every day. As a result, new attack techniques are frequently disclosed that can put every online business at risk.
Hackers actively exploiting OS X zero-day to root machines, deliver adware
The flaw, which is present in OS X 10.10.4 and the beta of OS X 10.10.5, but has been fixed in the beta of the upcoming OS X 10.11, allows attackers to silently saddle victims with unwanted adware and malware.
How to protect your privacy on Windows 10
So, you have decided to switch to Windows 10, but you heard that the new OS is a veritable vacuum for user data, which it sends back to Microsoft. Fear not! While most of the capabilities and permissions to slurp the data are on by default, they can be switched off and revoked.
Phishing attacks targeting businesses are escalating
Phishing attacks have increased by 38 percent overall in Q2 2015, and the growth has been spurred partly by the ever-growing number and sophisticated types of phishing attacks specifically designed to gain access to corporate information.
Attackers use Google Drive, Dropbox to breach companies
A new type of attack, “Man in the Cloud” (MITC), can quietly coopt common file synchronization services to turn them into devastating attack tools.
Disrupting trust models: An evolution in the financial services sector
From Uber to Spotify to Airbnb, digital disruptors have shaken up the status quo, breaking traditional business models to respond to a consumer that is online, globally connected, and mobile. The heavily regulated financial services sector, under intense scrutiny following the 2008 crisis, remained immune to this disruption for longer than other industries. However, new entrants are now driving innovation in this sector, forcing banks to keep up with an extraordinary pace of change.
NIST releases SHA-3 cryptographic hash standard
Nine years in the making, SHA-3 is the first cryptographic hash algorithm NIST has developed using a public competition and vetting process that drew 64 submissions worldwide.
Corporate networks can be compromised via Windows Updates
Researchers from UK-based Context Information Security demonstrated how Windows Update can be abused for internal attacks on corporate networks by exploiting insecurely configured enterprise implementations of Windows Server Update Services (WSUS).
Android users rejoice! Security updates will be coming out faster
August 5, 2015, is the date that (hopefully) marks the beginning of one of the biggest positive changes in the Android ecosystem.
Easily exploitable Certifi-gate bug opens Android devices to hijacking
“Certifi-gate” is a vulnerability – a set of vulnerabilities, actually – in the architecture of mobile Remote Support Tools (mRSTs) used by virtually every Android device manufacturer and network service provider.
Macs can be permanently compromised via firmware worm
Dubbed Thunderstrike 2 because it’s an improved variant of the Thunderstrike attack demonstrated by Trammell Hudson in January, the worm can be easily delivered via a phishing email or a malicious website, and spread to other computers.
Getting BYOD right
Kaspersky Lab’s specialists have several recommendations that should be borne in mind when connecting employees’ personal devices to corporate IT networks.
The GasPot experiment: Hackers target gas tanks
Physically tampering with gasoline tanks is dangerous enough, given how volatile gas can be. Altering a fuel gauge can cause a tank to overflow, and a simple spark can set everything ablaze. But imagine how much riskier it is if a hacker can do all this remotely, especially now that a number of fuel companies worldwide use Internet-connected systems to monitor their tanks.
Pentagon’s unclassified email system breached, Russian hackers blamed
The Pentagon’s Joint Staff unclassified email system, used by 4,000 military and civilian personnel, has been compromised by attackers, and it has been taken offline until the threat is dealt with.
File-stealing Firefox bug exploited in the wild, patch immediately!
The exploit leaves no trace it has been run on the local machine.