Week in review: WhatsApp flaw, lip motion passwords, reinventing software patching

Here’s an overview of some of last week’s most interesting news, podcasts and articles:

Vulnerability in WhatsApp and Telegram allowed complete account takeover
The vulnerability allows an attacker to send the victim malicious code, hidden within an innocent looking image. As soon as the user clicks on the image, the attacker can gain full access to the victim’s WhatsApp or Telegram storage data, thus giving full access to the victim’s account.

Leaked: Personal info on 33+ million employees across the US
Personal and contact information on over 33 million employees of various US-based corporations and federal agencies like the Department of Defense has been leaked.

Intel is offering up to $30,000 for bugs in its hardware
Intel has become the latest tech company to launch a bug bounty program.

Online fraudsters’ preferred tools and techniques revealed
A new report by DataVisor Threat Labs has provided unprecedented insight into the behaviors and attack techniques of some of the world’s largest online crime rings, and revealed their favorite tools and attack techniques for creating accounts and evading detection.

Fileless attack framework was used in many recent attacks
In the last month or so, a number of security companies spotted attackers targeting a variety of organizations around the world with spear-phishing emails delivering PowerShell backdoors (some of them fileless), misusing legitimate utilities, and communicating with C&C servers through DNS traffic.

Lip movement: Authentication through biometrics you can change
The “lip motion password” technology uses a person’s lip motions to create a password, and the system verifies a person’s identity by simultaneously checking whether the spoken password and the behavioural characteristics of lip movement match.

Will the IoT force truck stops?
One of the more interesting topics for conversation at RSA Conference 2017 in San Francisco this year was the IoT and the next generation of ransomware. After all, if you can make money encrypting people’s hard drives (and you can, a LOT of money,) then surely the explosion of smart devices could offer the ingenious criminal even more opportunity to make money fast.

Unpatched flaw opens Ubiquiti Networks devices to compromise
A critical vulnerability in many of Ubiquiti Networks’ networking devices can be exploited by attackers to take over control of the device and, if that device acts as a router or firewall, to take over the whole network.

Reinventing software patching, curing big security holes
Today’s security updates are too big, too risky and too late. It is common for enterprises to thoroughly test security updates and install them several months after they have been released, which leaves them open to inexpensive attacks. In this podcast recorded at BSidesLjubljana 0x7E1, Mitja Kolsek, CEO of Acros Security and co-founder at 0patch, illustrates how this problem is getting a solution: micropatching – hot patching in a microsurgical manner, with patches so tiny that they could be distributed on Twitter.

Worldwide infosec spending to reach $90 billion in 2017
Enterprises are transforming their security spending strategy in 2017, moving away from prevention-only approaches to focus more on detection and response, according to Gartner.

Bad bots attack 96% of websites with login pages
Almost every website with a login page is under attack from bad bots, the automated programs used to carry out a variety of nefarious activities, according to Distil Networks.

Android devices delivered to employees with pre-installed malware
A test of Android devices used in two unnamed companies revealed that 38 of them were infected with malware before being delivered to the employees.

IoT and the resurgence of PKIs
One approach is making its resurgence as a result of the IoT and cloud – public key infrastructure (PKI) – and has the potential to close these security gaps for today’s digital businesses.

A new age of digital signatures is upon us
The increased adoption of digital signatures should not come as a surprise: many businesses are trying to digitalise their everyday processes, and digital signatures are both reliable and secure due to several features, and are increasingly easy to use.

Intel’s CHIPSEC can detect CIA’s OS X rootkit
As details about CIA’s hacking capabilities and tools are, bit by bit, popping to the surface, companies are trying to offer users some piece of mind.

Several high risk 0-day vulnerabilities affecting SAP HANA found
If exploited, these vulnerabilities would allow an attacker, whether inside or outside the organization, to take full control of the SAP HANA platform remotely, without the need of a username and password.

Sensitive US Air Force data found exposed online
A misconfigured, unsecured backup drive containing a huge amount of sensitive (but not classified) data on US Air Force officers has been sitting online, accessible to anyone, for who knows how long.

U.S. charges Russian FSB officers for hacking Yahoo, millions email accounts
A grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts.

Securing document flow: Exploring exposure and risk
There is a widespread and growing need to improve security practices surrounding confidential documents in most organizations today.

New infosec products of the week​: March 17, 2017
A rundown of infosec products released last week.