Week in review: ImageMagick 0day, and why you need a Security Evangelist

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Web servers and sites under attack via ImageMagick zero-day flaw
The flaw (CVE-2016-3714) is extremely easy to take advantage of: a booby-trapped image file carrying the exploit is enough to force the ImageMagick software to run malicious code on the server. What’s more, it is already being exploited in attacks in the wild.

Whitepaper: Protecting financial institutions from DDoS attacks
In response to the growing DDoS threat, the FFIEC issued a statement requiring banks and financial institutions to monitor their networks for DDoS attacks and proactively implement DDoS mitigation strategies.

What a Security Evangelist does, and why you need one
Here is a simple truth: You can create the most revolutionary product ever, but if you can’t get word about it out, you’ll fail.

Review: The Information Systems Security Officer’s Guide, Third Edition
This is not a technical book, nor is it a book that purports to include everything that a cyber security officer needs to know. Instead, it’s a primer on building a cyber security program and on being a cyber security officer.

Ransomware enters companies through RDP servers
Attackers wielding ransomware are targeting enterprises through an often-found hole in the corporate network: Internet-facing, poorly secured remote desktop servers.

Samsung’s smart home platform flaws let attackers fiddle with your doors
Researchers have managed to exploit design flaws in the Samsung SmartThings smart home programming platform and successfully mount a series of attacks that could result in smart homes being entered, burglarized, and generally made insecure by attackers via malicious apps.

Hidden in plain sight: Four signs your network might be under attack
It’s a well-documented fact that an organization may be under attack and not even know it, with malware spreading undetected across the network for days, weeks or even years.

US FISC approved all surveillance requests in 2015
The requests are usually made by the NSA and the FBI and, once approved, they often require ISPs and telecoms to help with the surveillance.

Cybercriminals filtering out victims by location
There’s a growing trend among cybercriminals to target and even filter out specific countries when designing ransomware.

Dridex botnet hacked, delivers dummy file
Someone is toying with the Dridex botmasters. The botnet, or at least one or more of its subnets that are sending out spam email delivering Locky ransomware, has been compromised again, and has been distributing a dummy file instead of the malware.

Security startup confessions: Choosing a tech partner
Kai Roer, a co-founder of a European security startup, shares his experiences from his own startups (his first was in 1994), and things he has learned by watching and advising numerous other startups around the world.

IoT and virtual reality: What’s next?
What could be cooler than mixed reality? That is, the merging of our senses with virtual reality gear, such that we get not just a walled-off world of virtual stuff, but a mixed, mingled world of the physical and the digital.

State of security: Human error and remembering the essentials
It seems that in a sea of complex digital ploys, companies are trying so hard to guard against the next big threat that they have forgotten the basics.

Companies are hungry for professional open source talent
Recruiting open source talent is a top priority for hiring managers focused on recruiting technology talent, and recruiters are increasingly looking for more professional training credentials from their candidates.

Malicious Chrome update actively targeting Android users
The malicious file – Update_chrome.apk – is hosted on a continually changing list of pages whose URLs sport variations on expressions like “Google”, “Google apps”, “Google market”, “Android update”.

Living in a password free world in the modern enterprise
The era of password security in the modern enterprise is over. Passwords are dead.

Android banking malware may start using adware tricks
Android banking and credential-stealing malware with screen overlay capabilities is on the rise, but for it to be effective, it must detect when banking, email or social media apps are opened, identify them, and show the appropriate pop-up intended to harvest sensitive data.

For PoC exploits, go on Twitter
Proof-of-Concept exploits are increasingly being shared and discussed online.

Build security design principles into cyber-physical systems
To help bake security into the very core, a new draft NIST publication recommends ways to incorporate time-tested security design principles and concepts into these systems at every step, from concept to implementation.

Online transaction fraud to reach $25 billion by 2020
Online transaction fraud is expected to reach $25.6 billion by 2020, up from $10.7 billion last year, according to Juniper Research. This means that by the end of the decade, $4 in every $1,000 of online payments will be fraudulent.