Week in review: SATCOM (in)security, Heartbleed fallout, and the security of programming languages
Here’s an overview of some of last week’s most interesting news and articles:
Appeals court overturns AT&T hacker’s sentence
Andrew “weev” Auernheimer, a hacker and member of Goatse Security, was sentenced to spend 41 months in prison for his role in harvesting and publishing the emails and AT&T authentication IDs of 114,000 early adopters of Apple’s iPad in 2010.
Jetpack pushes update to close critical security hole
The developers of Jetpack, one of the most widely used WordPress plugins, are urging users to download and implement the latest versions that fix a critical security bug.
Identifying security innovation strategies
Tom Quillin is the Director of Cyber Security Technology and Initiatives at Intel Corporation. In this interview he talks about security innovation and current and future threats.
Heartbleed: Private crypto keys can be extracted from vulnerable servers
The recently discovered Heartbleed bug can be exploited to obtain private encryption keys from vulnerable websites, Web services firm CloudFlare confirmed.
Whitepaper: Adapting security to the cloud
This whitepaper describes how adoption of cloud technology can potentially change an organization’s security requirements and how organizations can adapt their IT and security infrastructure to address these challenges.
First phase of TrueCrypt audit finds no backdoors
Remember when late last year cryptographer Matthew Green and Kenneth White, Principal Scientist at Social & Scientific Systems, called for – and then organized – a crowdfunded, public security audit of TrueCrypt? Well, the results of the first phase of the audit have been published, and the news is good with regard to potential backdoors present in the code.
Half of IT pros make undocumented changes to IT systems
57% of IT professionals have made undocumented changes to their IT systems that no one else knows about, while as many as 40% of organizations don’t have formal IT change management controls in place.
Blocking DDoS attacks with a cloud-based solution
In this interview, Jag Bains, CTO of DOSarrest, talks about various types of DDoS attacks and why a cloud-based solution is a good fit for most organizations.
Hardware manufacturer LaCie suffered year-long data breach
French computer storage hardware manufacturer LaCie has suffered a data breach that affected an as yet unconfirmed number of its customers.
The security of the most popular programming languages
A new WhiteHat Security report takes a deeper look into the security of a number of the most popular programming languages, including .NET, Java, ColdFusion, ASP and more.
Heartbleed threatens mobile users
As time passes, it becomes more and more obvious that almost no one is safe from the danger created by the existence of the OpenSSL Heartbleed bug.
Heartbleed should jumpstart important security changes
Taking a step back from the immediate frenzy of finding OpenSSL, and patching websites and network infrastructure to mitigate this security risk, it’s pretty clear that we have a lot of work to do as a security community on numerous fronts.
Security pros actively hiding negative facts from executives
A new Ponemon Institute study exposes a severe gap in security visibility and perception between C-level executives and IT security staff.
Samsung Galaxy S5 fingerprint scanner can be tricked
Samsung’s newly released Galaxy S5 phone sports a fingerprint scanner embedded in the home button that works well but, unfortunately, like the iPhone 5S’s Touch ID before it, can be tricked with a mould of the user’s fingerprint.
Secure email service Lavaboom launches
Lavaboom, a German secure email service that aims to provide users with the most secure email account they will ever own (their words), will go into private beta around Easter.
Student arrested for Heartbleed-exploiting tax agency breach
A 19-year-old Canadian student has been arrested for breaching the systems of the Canada Revenue Agency (CRA) and extracting Social Insurance Numbers of some 900 taxpayers. It is believed that he was able to do so by exploiting the infamous Heartbleed bug.
Tor relays vulnerable to Heartbleed dropped from anonymity network
Thanks to the OpenSSL Heartbleed bug, the Tor anonymity network is set to temporarily lose around “12 per cent of the exit capacity and 12 per cent of the guard capacity.”
The dismal state of SATCOM security
Satellite Communications (SATCOM) play a vital role in the global telecommunications system, but the security of the devices used leaves much to be desired, says Ruben Santamarta, principal security consultant with IOActive. The list of security weaknesses he and his colleagues found while analyzing and reverse-engineering firmware used on the most widely deployed Inmarsat and Iridium SATCOM terminals includes not only design flaws, but also features that could be of use to attackers.
Zeus/rootkit combo delivered via Starbucks-themed emails
The criminals have used several tricks to make the potential victims believe the email is genuine and important enough to be perused immediately and the attachment downloaded and run.
Compliance is no guarantee of security
While there is nothing wrong with the PCI DSS standard as a set of controls, it is little more than the basic minimum that an organisation should set out to achieve. It should not be a replacement for solid Business-as-Usual (BAU) security practices.
3M payment cards compromised in Michaels Stores/Aaron Brothers breach
“After weeks of analysis, the company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the company stated in the press release.
Beware of clever phishing scam that bypasses Steam Guard
Malwarebytes’ Chris Boyd is warning owners of Steam accounts about a relatively new phishing approach that goes after both their account login credentials and a file that allows the attackers to bypass entering the Steam Guard verification code.