Week in review: The life of a social engineer, and the end of TeslaCrypt

Here’s an overview of some of last week’s most interesting news and articles:

The life of a social engineer: Hacking the human
A clean-cut guy with rimmed glasses and a warm smile, Jayson E. Street looks nothing like the stereotypical hacker regularly portrayed in movies (i.e. pale, grim and antisocial). But he is one – he just “hacks” humans.

LinkedIn users’ data on sale on the dark web
A hacker has put up a batch of info about 167 million LinkedIn accounts for sale on dark web marketplace The Real Deal. Of these, some 117 million records contain email addresses and encrypted (hashed) passwords.

Review: The Architecture of Privacy
When it comes to technological innovation, it’s the technologists who set the pace and ultimately push the boundaries of our concept of privacy. It should be on them, then, to make choices that will not result in the complete death of it.

The end of TeslaCrypt: Master decryption key released
The operators of TeslaCrypt ransomware have decided to close up shop and have published a master key that decrypts the files encrypted by the malware. They also wrote that the project is closed and that they are sorry.

Phineas Fisher records, publishes latest attack
This time his target was Sindicat de Mossos d’Esquadra (the Catalan police union). He defaced the union’s website, plundered their web server, published personal information about police officers (including their badge numbers), and hijacked their Twitter account.

Security startup confessions: Limited funds and their impact on security
A startup, just like any other organization, has a limited budget. This means that tough decisions have to be made.

The gravest dangers for CMS-based websites
Over a third of all websites on the Internet are powered by one of these four key open source platforms: WordPress, Joomla!, Drupal and Magento. This makes the life of attackers looking to compromise websites much easier, as they can simply concentrate on exploiting vulnerabilities in one of them, or one of the popular plugins and extensions for them.

FindFace app heralds the end of public anonymity and privacy?
The FindFace app was launched on Google Play and Apple’s App Store in February 2016, and there have already been instances where it was used to harass people.

Google Allo messaging app offers end-to-end crypto, but not as default
Allo has an Incognito mode, powered by Open Whisper Systems’ open source Signal Protocol.

You are what you click: Online search security risks
Cybercriminals are becoming increasingly savvy at understanding the seasonality of consumer search habits and exploiting that information to their full potential.

Tech support scammers start locking Windows computers
Tech support scammers have come up with a new way to trick users into sharing their payment card information: screen lockers showing fake Windows alerts telling users that their Windows copy has expired or has been corrupted.

Ubiquiti routers hit by backdoor-generating worm
To spread it, whoever is behind these attacks is exploiting an old bug in airOS, the firmware that runs on the company’s networking devices.

Phone metadata can reveal sensitive info about individuals
Stanford computer science and law researchers discovered that by possessing the numbers, times and lengths of the volunteers’ communications, and by pairing that information with the information on the volunteers’ Facebook accounts, they could infer or discover much about those individuals.

The 3 biggest cybersecurity risks posed in the 2016 presidential election
It’s clear that cybersecurity protections of our democratic political proceedings are severely lacking. But to take a step deeper, we need to examine the start of security in politics, which can be found in the mission of the U.S. Secret Service.

Bitly partners with Let’s Encrypt for HTTPS links
Bitly processes data associated with more than 12 billion clicks per month, leading to massive troves of intelligence. Now, they’re partnering with Let’s Encrypt to generate SSL certificates for more than 40,000 Bitly branded domains used to create links and share content across the channels, devices, and networks.

Almost all Android users vulnerable to Accessibility Clickjacking attacks
Android banking malware with screen overlay capabilities might soon start tricking users into turning on Android’s Accessibility Service, so that it can know which apps are in use and be able to show the appropriate fake login screens. But getting users to turn on Android’s Accessibility Service is often difficult to do. Skycure researchers believe that a clickjacking approach could soon become popular.

Cybercrime economy: The business of hacking
Today’s adversaries often create a formalized operating model and ‘value chain’ that is very similar to legitimate businesses in structure, and delivers greater ROI for the cybercriminal organization throughout the attack lifecycle.

Bug in Symantec’s anti-virus engine can lead to system compromise
Google Project Zero researcher Tavis Ormandy has unearthed a critical remote code execution vulnerability in the anti-virus engine powering Symantec’s endpoint security products (including Norton-branded ones).

Most organizations can’t protect digital information in the long-term
New research has revealed that the majority of organizations do not have a coherent long-term strategy for their vital digital information even though virtually all of them (98%) are required to keep information for ten years or longer.

Latest Flash 0day exploit delivered via booby-trapped Office file
Genwei Jiang, the FireEye researcher who has been credited, along with several others, with the discovery of the flaw (CVE-2016-4117), says that the initial attacks were directed at targets running Windows and Microsoft Office.

Many Americans refrain from shopping, stating opinions online
Recently released results of a survey by the US Department of Commerce’s National Telecommunications and Information Administration (NTIA) have revealed that security and privacy fears stopped 45 percent of polled households from conducting financial transactions, buying goods or services, posting on social networks, or expressing opinions on controversial or political issues via the Internet.

iOS app detecting phones jailbroken by malware booted from App Store
The System and Security Info iOS app by German IT security outfit SektionEins has been pulled from Apple’s App Store less than a week after it was made available.

Security spending rises in areas ineffective against multi-stage attacks
Something doesn’t add up in the plans of financial services organizations for protecting data.
