Week in review: The inconvenient truth about API security, and the perfect exfiltration technique

Here’s an overview of some of last week’s most interesting news and articles:

Uninstall QuickTime for Windows today!
Trend Micro’s Zero Day Initiative has released advisories detailing two new, critical, remote code execution vulnerabilities affecting QuickTime for Windows, but Apple is not going to fix them.

EU approves new data protection rules
The reform will replace the current data protection directive, dating back to 1995 when the internet was still in its infancy, with a general regulation designed to give citizens more control over their own private information in a digitised world of smartphones, social media, internet banking and global transfers.

Microsoft patches Badlock, but doesn’t call it critical
As it turns out Badlock was not directly part of an exploit in Server Message Block (SMB) as original anticipated but rather part of Microsoft authentication framework, Security Account Manager (SAM) and Local Security Authority (LSAD).

Petya ransomware encryption has been cracked
The ransomware not only encrypts the victims’ files, but also their disk’s Master File Table (MFT), and it replaces the boot drive’s existing Master Boot Record (MBR) with a malicious loader.

Developing the perfect exfiltration technique
At SafeBreach, one of the major research areas is exfiltration (sending sensitive data out of the corporate network). In one of their research projects in late 2015, they set out to find the perfect exfiltration technique.

3 steps to embracing NIST 800 security controls
One proven path to improving any organization’s security posture is to embrace the National Institute of Standards and Technology’s risk management framework set forth in its NIST 800 series of documents. NIST 800-53, in particular, lays out recommended policies and procedures covering access control, incident response, business continuity, disaster recoverability and about a dozen more key areas.

How to prepare for your first infosec job hunt
You’re new to the information security industry and you’re wondering what to expect during an interview. A quick online search will bring up horror stories involving large IT corporations asking absurd questions like “How much should you charge to wash all the windows in San Francisco?” You sit in front of your computer and you wonder why the university or that expensive certification hanging on your wall didn’t prepare you for this type of situation.

Identify the ransomware you’ve been hit with
Michael Gillespie, a coder that has created a password generator for unlocking the files stashed in a password-protected archive by the CryptoHost ransomware, has also created ID Ransomware, a free online tool for victims to identify with which particular ransomware they’ve been hit.

Million-plus sites hosted on WordPress.com get free SSL
Friday brought some very good news for existing and future owners of sites hosted on WordPress.com: they will be getting HTTPS protection without having to pay for an SSL certificate or trouble themselves with managing it.

Google’s poor design decision undermines 2FA protection
A design decision by Google can be exploited by attackers to gain control of both devices needed to access users’ accounts protected via SMS-based 2-factor authentication.

Panama Papers: A data security disaster
While most of the Panama Papers attention will focus on the salacious aspects, the breach of the Panamanian law firm Mossack Fonseca’s files exposes another dirty little secret – the trouble law firms have keeping clients’ data secure.

The inconvenient truth about API security
Ovum Consulting asked IT and security professionals across a variety of industries globally about their use of APIs, adoption of API management platforms, and the security features included in those platforms.

Cybercriminals are adopting corporate best practices
Advanced criminal attack groups now echo the skill sets of nation-state attackers.

GoPhish: Free phishing toolkit for training your employees
Too many system and network breaches today start with a well-designed, persuasive phishing email, and organizations and businesses would do well to continually train their staff to spot bogus and potentially malicious emails.

After issuing 1.7M certificates, Let’s Encrypt CA officially leaving beta
The CA’s goal – “to encrypt 100% of the Web” – is still far off, but the number of issued certificates has risen steeply since the CA’s inception

Why ICS network attacks pose unique security challenges
Securing these networks poses unique challenges, primarily because ICS networks are unlike traditional IT networks. They use different technologies and perform discrete functions. In order to protect them we first need to understand how they operate.

Software tools and services used to achieve ISO 27001
With high profile breaches becoming almost a daily occurrence in the media, many organizations are now turning to the ISO 27001 information security standard to help them stay out of the press and prove to their customers that they take security seriously.

Why the smart office is highly susceptible to data breaches
Modern commercial buildings are already typically equipped with control systems and hundreds, if not thousands, of sensors. Many facilities, however, quite simply have systems that have not been properly integrated – with non-integrated points of entry, what was once an inconvenience has now become a realistic threat.

Samsung Galaxy devices can be made to make calls, send messages while locked
Half a dozen (and possibly even more) Samsung Galaxy phones can be made to place phone calls or send text messages even when they are locked, thanks to exposed USB modems.

Short URLs plus cloud services equal bad security
URLs created by many URL shortening services are so short that the entire space of possible URLs can be scanned or at least sampled on a large scale.

Cisco UCS servers can be hijacked with malicious HTTP request
A data center server platform running Cisco’s Unified Computing System (UCS) Central Software can be compromised by unauthenticated, remote attackers with a single, malicious HTTP request, security researcher Gregory Draperi has discovered.

Why few US consumers penalize hacked companies?
About a quarter of American adults reported that they were notified about their personal information being part of a data breach in the previous year, but only 11 percent of those who have ever been notified say they stopped doing business with the hacked company after the event occurred, according to a new study.

Blackhole exploit kit author sentenced
Dmitry Fedotov, aka “Paunch”, the creator of the infamous Blackhole and Cool exploit kits, has been sentenced to spend 7 years in prison, Russian news agency TASS has reported.

CryptoHost locks files, but you can get them back
CryptoHost is ransomware, but it doesn’t encrypt users’ files (although it claims it does). It simply takes a variety of files – images, movies, sound files, Office documents, archive files – found on the victims’ computer and places them into an RAR archive and protects it with a password.




Share this