Week in review: Android adware infiltrates devices’ firmware, malvertising hits big Internet players, iOS design flaw lets malware in

Here’s an overview of some of last week’s most interesting news, interviews and articles:

McAfee uses web beacons that can be used to track and serve advertising to users
A test of seven OEM laptops running Windows has shown consistent privacy and security issues, including an interesting revelation that the McAfee Antivirus running on six of them is using web beacons to serve ads and possibly even track users online.

Android adware infiltrates devices’ firmware, Trend Micro apps
Dubbed Gmobi by Dr. Web researchers, the malware comes in the form of a software development kit (SDK), and has been found in several legitimate applications by well-known companies, as well as in firmware for nearly 40 mobile devices.

AceDeceiver iOS malware exploits Apple design flaw to infect non-jailbroken devices
Malware developers have found another hole in Apple’s iOS defenses, and this one, according to Palo Alto researchers, will be difficult to plug.

It’s time to kill the static password
We are at a point in technology’s history where the information we send and receive cannot be guaranteed to be protected.

Detect observation and evade theft of sensitive data
Jacob Torrey is an Advising Research Engineer at Assured Information Security, where he leads the Computer Architectures group. He has worked extensively with low-level x86 and MCU architectures, having written a BIOS, OS, hypervisor and SMM handler. In this interview he talks about architectural tells that can be utilized to detect the presence of analysis tools, and offers practical tips for researchers.

Privacy by Design: What it is and where to build it
People tend to think about privacy in terms of the individual, but it is also critically important for the proper functioning of any business organization. This is being made increasingly relevant by the recent rise of personalization initiatives that rely on user data to recommend the right products or services to customers. The failure to build privacy into these initiatives presents a major new data breach risk and thus an added risk to the company.

Malvertising campaign hits MSN.com, NY Times, BBC, AOL
The websites themselves weren’t compromised. The problem was that the ad networks these sites use – Google, AppNexus, AOL, Rubicon – were tricked into serving the malicious ads, which would lead users to sites hosting an exploit kit.

A rogue access point at RSA Conference? Here’s what happened
At RSA Conference, where the world’s best and brightest security experts gather to learn from each other, no one would just automatically connect to something that seems familiar, or would they?

MITRE offers temporary solution to the CVE assignment problem
MITRE thought that a short-term solution to the problem of slow CVE assignment was to set up an experimental system for issuing federated CVE IDs using a new format. But ultimately, they decided to put this program on hold and find a better solution.

Security concerns over connected devices mask the greater threat
The popular and sometimes controversial Shodan search engine made some changes recently that drew wide attention.

The next step in the battle for consumer privacy?
It seems that privacy is important to most users, but most of them are not yet ready to work for it.

Boom in Steam account hijacking is due to cheap Steam Stealers
With over 125 million active users, Valve’s Steam is the most popular online gaming platform in the world and, consequently, forms a huge pool of targets for cyber crooks and scammers.

MobSF: Security analysis of Android and iOS apps
The Mobile Security Framework (MobSF) is an open source framework capable of performing end to end security testing of mobile applications.

Google starts tracking, encourages worldwide HTTPS usage
Google has added a new section to its Transparency Report, which will allow users to keep an eye on Google’s use of HTTPS, and HTTPS use of the top 100 non-Google sites on the Internet.

Security CLTRe Toolkit: Build and improve security culture
The SaaS-based toolkit will provide organizations from SMEs to large multinationals across the globe with the tools necessary to easily assess, build and improve security culture within their organization.

Why the next wave of cybersecurity talent won’t have a ‘security’ job title
Due to the overwhelming explosion of data breaches around the world, the C-Suite has raced to scoop up any and all cybersecurity talent – to help navigate the complex task of safeguarding an organization, its employees and proprietary information.

How a digital pathology solution secures patient data
Dutch tech company Philips recently announced that its digital pathology solutions have been certified for compliance with the U.S. Department of Defense (DoD) security requirements.

Hack Chromebook in guest mode, get $100,000
Google has once again upped the ante for bug hunters concentrating on Chrome, and is now offering $100,000 to anyone capable of achieving a compromise of a Chromebook or Chromebox (the desktop variant of the Chromebook laptop) with device persistence in guest mode (i.e. guest to guest persistence with interim reboot, delivered via a web page).

Hotel replaces light switches with insecure Android tablets
Here’s another documented instance for the “insecure Internet of Things” annals, courtesy of CoreOS security developer Matthew Garrett.

Code.org website leaked volunteers’ email addresses
Code.org, the non-profit organization dedicated to increasing diversity in computer science, has admitted its website has been leaking volunteer email addresses. The discovery was made in an unusual way: the volunteers started receiving emails with job offers from a technical recruiting firm in Singapore.

Bug in surveillance app opens Netgear NAS systems to compromise
A security vulnerability in the ReadyNAS Surveillance Application can be exploited by unauthenticated, remote attackers to gain root access to Netgear NAS systems.

Why outsource risk management to people who don’t care?
In this podcast recorded at RSA Conference 2016, Travis Greene, Identity Solutions Strategist at Micro Focus, discusses why, in the process of implementing access certification, we’re asking line of business managers, who know nothing about risk, to handle all the calculations around who should have access to what. If you’re considering access certification tools, Greene offers a number of practical recommendations.

Google Hands Free entering the mobile payments game
Google has announced that it is testing its new payment app, Hands Free, which (as the name suggests) allows users to make payments without the need to use their hands, mobile device or wallets.

