Week in review: Unprecedented iOS, OS X malware, secure messaging tech, Silk Road 2 takedown

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Researchers audit the TextSecure encrypted messaging app
A group of German researchers have audited TextSecure, the popular open source encrypted messaging application for Android, and the news is good.

Flaw in Visa’s contactless payment system could lead to fraud
Researchers from Newcastle University have discovered a serious flaw in Visa’s contactless credit cards which could allow attackers to siphon large amounts of money off users’ bank accounts without them even noticing.

Facebook embraces Tor users, sets up onion address
Located at , it “provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud.”

Whitepaper: 10 Things Your Next Firewall Must Do
For enterprises looking at Next-Generation Firewalls, the most important consideration is: will this new technology empower your security teams to securely enable applications to the benefit of the organization? It’s not about blocking applications, but safely enabling them. Get this whitepaper from Palo Alto Networks to learn more.

When to use tools for ISO 27001/ISO 22301 and when to avoid them
If you’re starting to implement complex standards like ISO 27001 or ISO 22301, you’re probably looking for a way to make your job easier. Who wouldn’t? After all, reinventing the wheel doesn’t sound like a very interesting job.

Backoff PoS malware becomes stealthier, more difficult to analyze
Even after the US DHS and US CERT warned about the hard-to-spot malware back in August, and a number of breaches were found to be executed by criminals wielding it, Backoff infections are still on the rise.

Targeting security weaknesses in the phone channel
Banks, retailers and credit card companies all use call centers to provide services. Those call centers represent one of the most attractive targets for fraud attacks. While online security has been a top priority for organizations over the past decade, the phone channel has not seen similar innovation.

Review: Hacking and Penetration Testing with Low Power Devices
This book is primarily intended for penetration testers who want to widen their skill set to include the knowledge of how to perform testing with small, low-powered devices that can be easily hidden in offices and boardrooms.

Three branches of security: Strengthening your posture with checks and balances
The system of checks and balances in the US government was created to ensure that the three branches – legislative, executive and judicial – are held accountable to one another, and that no individual branch can take too much power. Applying this concept to security, we can look at the three typical branches of a security program – Prevent, Detect and Respond.

OS X Yosemite sports serious privilege escalation bug
The existence of the flaw has been indirectly confirmed by Apple when they asked the researcher to delay publishing details about it until January 2015, after a fix for the bug is released and pushed out to users.

Extracting data from air-gapped computers via mobile phones
The researchers dubbed their technique “AirHopper.” The premise for making it work is that the attacker has already compromised the computer containing the sensitive data, and is now looking for a way to exfiltrate it without anyone noticing.

WireLurker: Unprecedented iOS, OS X malware hits users
Palo Alto Networks researchers have unearthed a new family of Apple OS X and iOS malware that is able to compromise even non-jailbroken iOS devices through enterprise provisioning. It’s also the first malware family to infect installed iOS applications in a way typical for a traditional virus, and the first malware that automates the generation of malicious iOS applications through binary file replacement. Apple has reacted by blocking the Trojanized apps and revoking the certificate used to sign them.

Which messaging technologies are actually secure?
The Electronic Frontier Foundation has evaluated 39 chat clients, text messaging apps, email apps, and technologies for voice and video calls, and found that only six of them fulfil the seven criteria the organization deems necessary for user security.

New technique makes phishing sites easier to create, more difficult to spot
Researchers have spotted a new technique used by phishers which could trick even more users into believing they are entering their information in a legitimate web form.

eBook: Cybersecurity for Dummies
APTs have changed the world of enterprise security and how networks and organizations are attacked. Controlling these threats requires multiple security disciplines working together in context. While no single solution will solve the problem of advanced threats on its own, next-generation security provides the unique visibility and control of, and the true integration of, threat-prevention disciplines needed to find and stop these threats — both known and unknown.

Inside corporate privacy programs at Fortune 1000 companies
The International Association of Privacy Professionals (IAPP) released a survey of corporate privacy programs at Fortune 1000 companies. The survey found that while corporate investment in privacy is likely to increase, many privacy leaders feel their programs are relatively nascent and want greater influence over corporate decision-making.

Enterprises must prepare for attacks on supply chain and POS in 2015
Attackers keep upping their game; therefore, so must we. Jason Polancich, Chief Architect at SurfWatch Labs, shares his top five predictions for what we’ll see in 2015.

One in three Americans don’t use basic malware protection
The study also finds that young females (aged 18 to 29) are the least interested in securing their computers or smart devices. In contrast, adult male computer users (aged 30 to 44) are extremely concerned about their online security and complement their antivirus solution with extra technologies such as a VPN or data backup.

Overcoming Big Data security obstacles
The consequences of a security breach affecting Big Data can be more devastating than the consequences of other breaches as it will affect a significantly larger group of people. As a result, not only will the damage be reputational, but there will also be significant legal ramifications that an organization then has to deal with.

Silk Road 2.0 shut down, operator arrested, charged
The United States Attorney for the Southern District of New York has announced today the arrest of Blake Benthall, a.k.a. “Defcon,” in connection with his operation and ownership of the Silk Road 2.0 website. The online drug bazaar was simultaneously seized and taken down by law enforcement. This was followed by the takedown of other dark markets.

53M customer email addresses were also stolen in Home Depot breach
“These files did not contain passwords, payment card information or other sensitive personal information,” they pointed out. Nevertheless, the company is directly notifying all affected customers in the US and Canada, and warning them to be on guard against phishing scams.

Brazilian, Chinese govt sites host the most phishing pages
Occasionally, cyber crooks compromise websites administered by governments and make them host phishing pages. But how often does that actually happen?
