Here’s an overview of some of last week’s most interesting news, reviews and articles:
Welcome to the new Help Net Security
We rolled out a brand new version of Help Net Security. This is the 10th version of the site since we launched back in 1998, and it presents an ambitious and comprehensive overhaul that was months in the making.
3-in-1 Android malware acts as ransomware, banking Trojan and infostealer
Why stop at asking ransom for encrypted files when you can also steal personal info, passwords, online banking credentials and credit card details, and then sell it or use it to get even more money?
Review: Mobile Data Loss
Employees increasingly use mobile devices for work and to access their company’s resources. Unfortunately, this use opens the companies to data loss, a situation both employees and employers are eager to avoid. This book will explain how to minimize the possibility of that happening.
Hollywood hospital pays ransom to get their computers, files back
Some of the medical center’s departments were prevented from normal functioning and were temporarily shut down, and emergency patients were sent to other hospitals.
Year-old critical Magento flaw still exploited, payment info stolen
A whole year has passed since a critical e-shop hijacking flaw in the Magento CMS was patched, but the vulnerability is still being exploited in attacks in the wild.
Anonymous networks 101: Into the heart of the Darknet
This article discusses Darknets and what these tools hold for the future of security.
Smart buildings security: Who’s in charge?
As the Internet of Things has become an accepted reality, and the security community has realized that it must get involved in securing it, days without news about the insecurity of this or that Smart Thing are few and far between. One of the latest attempts to shine a light on the problem is a recently published report by the IBM X-Force Ethical Hacking Team. The document details the team’s successful attempt to penetrate a building automation system (BAS) that controlled sensors and thermostats in a commercial office, and ultimately to access the central BAS server that controls building automation in this and several other locations.
Teenage admin of anonymous XMPP service arrested in connection with fake bomb threats
The teenage administrator of the Darkness.su XMPP service has been arrested by the French police in connection with the wave of false bomb threats made against several French schools on January 26 and February 1, 2016, and later against educational institutions around the world.
UK security tribunal decides GCHQ’s hacking is legal
The UK GCHQ intelligence agency’s hacking of computers, mobile devices, smart devices, and computer networks has been ruled legal, no matter where in the world it happens, and compatible with the European Convention on Human Rights.
VoIP phones can be turned into spying or money-making tools
A security vulnerability present in many enterprise-grade VoIP phones can easily be exploited by hackers to spy on employees and management, says security consultant Paul Moore.
The rise of the Chief IoT Officer
Half of UK businesses (54%) plan to employ a Chief IoT Officer in the next year, especially in the education (63%), retail (63%) and telecoms (64%) industries, according to Webroot and IO.
(IN)SECURE Magazine issue 49 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics.
Critical Glibc flaw opens Linux distros, other software and devices to compromise
A critical bug has been found that exposes an enormous number of computers, networking devices and other connected devices to attacks that can result in complete system compromise.
Apple will fight court order to unlock gunman’s iPhone
A US magistrate judge has ordered Apple to help the FBI gain access to the contents of a PIN-locked iPhone 5C used by Syed Farook, one of the shooters in the San Bernardino shooting spree that unfolded last December.
Why a single point of failure should be your primary concern
Many organizations are transitioning to digital systems, which has increased the dependency on cloud service providers, web hosting platforms, and other external services. Cyber criminals are recognizing that these outside vendors and subcontractors can often be their best point of entry into many companies.
Is your WordPress site being misused for DDoS attacks?
Many WordPress websites are still being misused to perform layer 7 DDoS attacks against target servers, even though preventing them from participating in these attacks is as simple as disabling the pingback feature.
E-commerce web apps vulnerable to hijacking, database compromise
High-Tech Bridge researchers have published details and PoC exploit code for several serious vulnerabilities in Osclass, osCmax, and osCommerce, three popular open source e-commerce web apps.
W3C launches effort to replace passwords
The World Wide Web Consortium (W3C) is launching a new standards effort in web authentication that aims to offer a more secure and flexible alternative to password-based logins on the Web.
Email security still an afterthought
While 64 percent of respondents regard email as a major cyber security threat to their business, 65 percent don’t feel fully equipped or up to date enough to reasonably defend against email-based attacks, according to a Mimecast survey of 600 IT security professionals.
IT spending to slow down in 2016
Worldwide IT spending is expected to post a major slowdown in 2016, as economic weakness in emerging markets and saturation of the smartphone market combine to result in a significantly slower pace of tech spending growth compared to the past six years.
IRS warns of 400 percent surge in tax-related phishing emails
The most noticeable increase was in emails and messages impersonating the IRS or other persons and entities in the tax industry (e.g. tax software companies, accountants, etc.).