Week in review: Top 10 web hacking techniques, exploit kit targets Android devices

Here’s an overview of some of last week’s most interesting news, reviews and articles:

US Supreme Court approves expansion of FBI hacking powers
On Thursday, the US Supreme Court approved several changes to the federal rules around search warrants.

Attackers use open source security tools for targeted cyberespionage
Kaspersky Lab researchers have uncovered a new trend among cyberespionage threat actors: instead of developing customized hacking tools or buying them from third-party suppliers on the criminal underground, they are using tools available on the web for research purposes.

Review: The Car Hacker’s Handbook
Aside from telling you everything you need to know about all the digital parts, embedded software and control systems of your car, this book will show you how to search for weaknesses in these systems and write exploits for them.

Bangladesh Bank hackers compromised SWIFT software with bespoke malware
BAE Systems found and analyzed custom malware that compromised SWIFT software, and which they believe was used in the attack.

Who’s next? Shift focus and detect network attackers
Preventative security cannot prevent a network intruder from penetrating a network 100% of the time. The best pen testers even guarantee that they can get into a network within two days. Prevention is still necessary, but it is not sufficient to always stop an attacker. Companies need to have a plan B.

Exploit kit targets Android devices, delivers ransomware
Ransomware hitting mobile devices is not nearly as widespread as that which targets computers, but Blue Coat researchers have discovered something even less common: mobile ransomware delivered via exploit kit.

Do you have what it takes to be an independent security consultant?
Dreams of more free time, the possibility of self-organizing and working when it suits you, no unreasonable requests from the boss, or endless stories coming from that boring co-worker are great, but could you find enough work and perform all the tasks? Would your future be better or worse if you were on your own? Could you survive without regular income until your business takes off?

Top 10 web hacking techniques of 2015
Based on this year’s Top Ten, it is safe to say that SSL/TLS remains one of the key targets for emerging hacking techniques.

Gold-mining firm Goldcorp hacked, its data leaked online
On Tuesday, the attackers leaked a lot of sensitive internal data about the company and its employees, and have promised to leak more.

PCI DSS 3.2 is out: What’s new?
The Payment Card Industry Security Standards Council has published the latest version of PCI DSS, the information security standard for organizations that handle customer credit cards.

Screen overlay Android malware is on the rise
The capability was first seen in the GM Bot malware, but now there are several cheaper alternatives that offer it.

Former Tor developer helped the FBI unmask Tor users
A developer who used to work at Tor Project is the mastermind behind “Torsploit” (aka “Cornhusker”), the malware that was used by the FBI in 2012 to unmask visitors to three child pornography websites on the Dark Web, The Daily Dot has found.

Cybersecurity insurance: A global perspective
While the majority of global organizations say that it is “vital” their organization is insured against information security breaches, less than half (41%) are fully covered for both security breaches and data loss and just over a third have dedicated cybersecurity insurance.

Facebook made to serve phishing forms to users
The fraudsters made it look like the fake “Facebook Page Verification” form they asked the victims to fill in and submit is legitimate, as the page serving it is on a Facebook subdomain and uses HTTPS.

The economics of hacking: Change your thinking
A variety of conditions are coming together to make hacking a financially fruitful activity, driving something of a shift in the percentages around cyber attack motives.

Suspect refuses to decrypt hard drives, is detained indefinitely
A former Philadelphia Police Department sergeant suspected of possessing child pornography has spent seven months in a detention center without being charged with any particular crime.

The inherent problems of the detection paradigm
The detection paradigm as a whole suffers from several inherent weaknesses, which adversaries frequently exploit.

7 million users affected by Minecraft community Lifeboat data breach
The compromised passwords (hashed, but with an easily crackable MD5 hash) have already been changed.

Info of Qatar National Bank customers, Al Jazeera staff, others, leaked online
The data dump is over 1.4 GB in size and contains nine main folders named “Al Jazeera”, “Al-Qardawi”, “Al-Thani”, “Banks, corporations”, “Defence and etc”, “Gov”, “Mukhabarat”, “Police, Security” and “Spy, Intelligence”.

DDoS aggression and the evolution of IoT risks
Few organizations globally are being spared DDoS attacks, according to a Neustar survey of over 1,000 IT professionals across six continents.

How the biometrics market is entering the evolving IoT ecosystem
Two crucial obstacles need to be overcome on the way to a more biometric future.

Facebook vulnerability allowed access to personal and payment information
Bitdefender has discovered a significant vulnerability within Facebook which allowed access to any user account through simple social login manipulation. The attacker was able to gain access to personal user information, a contacts list for potential malware distribution and payment information – allowing purchases to be made in the user’s name.

Info on 93 million Mexican voters found on an Amazon cloud server
Sensitive personal information of over 93 million Mexican voters has been found, unprotected and accessible to anyone who knew where to look.

Attackers opt for discreet methods to spy inside the network
For its latest report, Vectra analyzed data from 120 customer networks comprising more than 1.3 million hosts over the first quarter of 2016.