Week in review: Criminals hacked chip-and-PIN system, secret code in printers allows tracking, and insecure WD self-encrypting hard drives

Here’s an overview of some of last week’s most interesting news and articles:

Criminals hacked chip-and-PIN system by perfecting researchers’ PoC attack
When in 2010 a team of computer scientists at Cambridge University demonstrated how the chip and PIN system used on many modern payment cards can be bypassed by making the POS system accept any PIN as valid, the reaction of EMVCo and the UK Cards Association was to brand the attack as “improbable”. After all, the researchers had used a bulky tech setup that had to be carried around in a backpack. As it ultimately turned out, however, a year later an engineer based in France found a less obvious way to perform the attack.

Fitbit trackers can easily be infected with malware, and spread it on
Security researcher Axelle Apvrille has managed to deliver arbitrary code to a FitBit Flex fitness tracker, which can then be sent to computers that the device connects to over a Bluetooth connection.

Internet of Things: Rethinking privacy and information sharing
Once the IoT becomes the normal way we think about managing data, making things work, and interacting with each other, then the rulebook for privacy and information sharing is essentially rewritten. If we want to fully participate, to fully exploit the power of the IoT, then the price of that participation will be a surrendering of control over data the like of which we have never experienced before.

CCTV botnets proliferate due to unchanged default factory credentials
Incapsula researchers have uncovered a botnet consisting of some 9,000 CCTV cameras located around the world, which was being used to target, among others, one of the company’s clients with HTTP floods.

Malicious Google Chrome clone eFast serves ads, collects info
Posing as a legitimate application that will benefit users, eFast is actually only helpful to its creators – it sidelines other browsers, generates intrusive online ads (the creators are paid for each click), redirects users to potentially malicious pages, and monitors their Internet browsing activity, which is then sold to third party companies.

Review: Change and configuration auditing with Netwrix Auditor 7.0
Netwrix Auditor is a powerful change and configuration auditing platform that leverages the data collected from all parts of the company network to provide detailed information on everything that is going on inside.

New ransomware delivered via Windows Remote Desktop Services
A new type of ransomware – dubbed LowLevel04 – is hitting users in Greece and Bulgaria. It is apparently delivered on the affected computers manually by the attackers, via Windows’ built-in Remote Desktop Services (RDS) or Terminal Services.

Facebook starts warning users of state-sponsored attacks against their accounts
The social network won’t explain why those particular attacks are suspected to come from state-sponsored hackers – they have their own methods and processes that they want to keep secret so that attackers can’t find a way to pass their hacking attempts as generic ones.

Why everyone should care about two-factor authentication
While organizations are in a mad scramble to fortify their sensitive IT assets, as well as those of their users and customers, there is still another variable to this equation that is sorely lacking, and that is the end-users – be they a corporate employee or consumer.

Secret code in color printers enables government tracking
A research team led by the EFF recently broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.

IS hackers are attacking the US energy grid
The US energy grid is under cyber attack from Islamic State hackers, but fortunately these attacks have so far failed because the hackers are simply not skilled enough to do much damage.

Employee activities that every security team should monitor
Let’s take a closer look at user behaviors and the threats that stem from them: insider threats.

250+ iOS apps offered on Apple’s App Store found slurping user data
The latest instance of potentially malicious apps tricking Apple App Store’s vetting process comes courtesy of Youmi, a China-based mobile advertising provider whose software development kit (SDK) uses private APIs to gather user and device information.

A slew of LTE 4G vulnerabilities endanger Android users and mobile carriers
As an ever increasing number of mobile carriers around the world switch from GSM/UMTS networks to Long-Term Evolution (LTE 4G) ones, both carriers and users are facing a number of dangers.

Consumers increasingly adopting personal security measures
With the increase of personal data being stored on mobile devices, a new survey showed that 61 percent of wireless consumers use PINs/passwords, up 20 percent from the survey conducted in 2012.

Western Digital self-encrypting hard drives are completely insecure
A team of researchers has decided to check whether the encryption offered by Western Digital’s My Passport external self-encrypting hard drives is as effective and unbreakable as it should be. Unfortunately, the results of their research revealed that the devices are riddled with vulnerabilities, which can be exploited by attackers to access the data stored on them.

Companies still lack security controls for accessing enterprise applications
Despite widespread and highly publicized security breaches, most companies still fail to require necessary security controls for accessing enterprise applications, including those applications behind the corporate firewall, according to a new study by Vidder and King Research.

Tech support scammers start targeting users of Apple devices
With the rising popularity and widespread ubiquity of devices made by Apple, it was only a matter of time before tech support scammers began targeting that ever increasing segment of the population.

WikiLeaks publishes documents stolen from CIA director’s email account
CIA Director John Brennan’s private AOL email account has been hacked, apparently by teenage hackers with good social engineering skills. While it seems that the account contained no classified information, the hackers made off with some potentially sensitive documents. They shared them with WikiLeaks, who released some of them on Wednesday and is planning to publish more over the coming days.

Smart home security and privacy checklist
Not unlike turning over all keys and remote controls, the home buyer and renter should ensure that the seller, previous tenants and unauthorized third parties no longer have access to the home’s or apartment’s critical systems and devices.

Data of 4 million TalkTalk customers likely stolen in wake of website attack
TalkTalk, one of the UK’s biggest telecoms, has suffered a “significant and sustained cyberattack” on its website, and it’s possible that personal and financial information of some 4 million of the company’s customers in the UK has been compromised as a result.

12 new malware strains discovered each minute
G DATA researchers discovered a 64.8 percent spike in new malware strains as compared to the first half of 2014.
