Week in review: Information the FBI can collect with NSLs revealed, VPN protocol flaw gives away users’ true IP address

Here’s an overview of some of last week’s most interesting news and articles:


Human element of security to the fore at IRISSCON 2015
Training people to take more precautions with their organisation’s data is a very effective way of strengthening security, but many businesses don’t raise user awareness in the right way.

A double whammy of tech support scam and ransomware hits US, UK users
Tech support scams and ransomware usually don’t go together, but there’s a first time for everything.

Why we need digital security forensic analysis
Basic common sense tells us you can’t fix what you don’t know is broken. Knowing the “who”, “what”, “why”, “when” and “where” is paramount, when you think about processes that are capable to generate information and, more importantly, are able to learn and act upon the accumulated knowledge.

How Europol analyzes malware
What is the Europol Malware Analysis System? How does it work?

VPN protocol flaw allows attackers to discover users’ true IP address
Dubbed Port Fail, the flaw affects all VPN protocols (IPSec, OpenVPN, PPTP, etc.) and all operating systems.

Whitepaper: Using micro-segmentation to make cybersecurity work
A fresh approach to security will tip the balance of power back to the good guys. This paper outlines the power of Micro-segmentation to do just that.

CISO at US Bank offers tips for secure online purchasing
The thrill and chaos of holiday shopping has started, and unfortunately with that comes the inherent risk of fraud. With an increased threat of digital fraud, what can consumers do to secure their personal data?

Revealed: What info the FBI can collect with a National Security Letter
After winning an eleven-year legal battle, Nicholas Merrill can finally tell the public how the FBI has secretly construed its authority to issue National Security Letters (NSLs) to permit collection of vast amounts of private information on US citizens without a search warrant or any showing of probable cause.

Telegram Android app is a stalker’s dream
Popular instant messaging service Telegram provides optional end-to-end encrypted messaging and, in general, is highly focused on protecting user privacy. Despite these efforts, some security experts have advised against using it if you want to keep your identity and your messages secret.

Simply Secure offers free usability design help to developers of privacy, security tools
Eligible software projects will receive free support from design and/or research professionals to evaluate and improve the quality of their project’s UX.

Cybercriminals will remain victorious in 2016, relief expected in 2018
While predictions are everywhere, anticipating the next wave of threats can be an insightful way in looking at what’s to come. Here are a few we will be watching for in 2016.

A deadly campaign delivers Pony info-stealer followed by Cryptowall ransomware
After the tech support scam paired with ransomware, another deadly combination has been seen targeting PC users: info-stealer coupled with ransomware.

VTech data breach gets worse: Children’s pictures and chat logs were also compromised
The hacker who breached VTech’s customer database and shared with the world the fact that the exploit was so easy anyone could do it (SQL injection), has found additional critical user data stored on the company’s servers: tens of thousands pictures of children and parents, their chat logs and even some audio recordings made by children.

Hacktivists and cyber extortionists hit Greek, Russian, UAE banks
A number of “regular” and central banks across Europe, Russia and Asia have been targeted by cyber attackers.

eBook: Fighting Known, Unknown, and Advanced Threats
Download Kaspersky Lab’s eBook to learn more about the evolution of cyberthreats that put your business at risk, how malware is often used as a door opener to launch more sophisticated, targeted attacks, and the necessary features of a multi-layered security solution to defend your IT infrastructure today.

Securing the smart home environment
A new study from ENISA proposes a holistic approach with actionable good practices to secure smart home devices and services.

Top 10 technology challenges for IT audit professionals
The top technology challenge faced by IT audit executives and professionals worldwide is to keep pace with emerging technology and infrastructure changes, including transformation, innovation and disruption.

Cybercriminals to target new payment technologies
The year 2015 has become widely referred to as the year of the data breach. What nefarious cyber-acts will define 2016?

3G/4G cellural USB modems are full of critical security flaws, many 0-days
The SCADA Strange Love team – a group of security researchers focused on ICS/SCADA – has tested eight devices sold by Huawei, Gemtek, Quanta and ZTE

Elasticsearch servers actively targeted by botmasters
Elasticsearch is one of the most popular choices when it comes to enterprise search engines. Unfortunately, a couple of remote code execution flaws discovered and publicized earlier this year are being actively exploited by botnet operators to compromise these search servers and make them part of their malicious network.

Apple’s Swift programming language is now open source
Designed for safety, Swift also eliminates entire categories of common programming errors.

High-impact DoS flaw patched in Node.js, update as soon as possible
Node.js is very popular among new startups and companies that chose to use a ‘FullStack’ based web-environment.

86% of PHP-based apps contain at least one XSS vulnerability
Four out of five applications written in PHP, Classic ASP and ColdFusion that were assessed by Veracode failed at least one of the OWASP Top 10.




Share this