Week in review: Hackers don’t worry about repercussions, malware targets iOS devices, Nest thermostat as a spying device
Here’s an overview of some of last week’s most interesting news, interviews, videos, podcasts, reviews and articles:
The art and science of detecting emerging threats
In this interview, Stephen Huxter, COO at Darktrace, talks about the challenges involved in detecting emerging threats, Recursive Bayesian Estimation, the evolution of AI, and more.
Review: Social Engineering Penetration Testing
We know that the human element is often the weakest link in the security chain, and that attackers – whether they are after money, user information, corporate or state secrets – regularly take advantage of this fact to gain a foothold into computer systems and networks. This book aims to show you how to plan and execute an effective social engineering penetration test and assessment, and how to write a helpful report about it.
Detect and respond
The latest buzzword spouted by many analysts (and commonly misunderstood) is technology that provides “detect and respond” capabilities.
A walk through Black Hat USA 2014
Here’s a walk through video of the Business Hall at Black Hat USA 2014.
Smart Nest thermostat easily turned into spying device
At this year’s edition of the Black Hat security conference, a group of researchers has shown how extremely easy is to hack into the smart thermostats manufactured by Nest.
US switch to chip-and-PIN cards not a panacea for fraud
Retailers were initially reluctant to add support for it, but many are now rushing to effect the transition before October 2015, when the major card issuers (AmEx, MasterCard, Visa, Discover) plan to implement a liability shift that will make retailers who haven’t deployed EMV technology liable for any and all fraudulent transactions.
Blackphone rooted at DEF CON?
The feat was executed at the DEF CON hacker conference, where Jon Sawyer (@TeamAndIRC), CTO of Applied Cybersecurity, had time to audit the smartphone.
Only 1 in 100 cloud providers meet proposed EU Data Protection requirements
Having analyzed its CloudRegistry of over 7,000 cloud services, Skyhigh can reveal that the vast majority are not prepared for these new laws, with numerous and significant issues pertaining to new requirements.
iPhones are immune to FinSpy infections
FinSpyMobile, the mobile spying software sold by German company Gamma Group, can’t be installed on iPhones that have not been jailbroken, shows one of the documents recently stolen from the firm and leaked online by a still anonymous attacker.
The dangers of backdoor passwords
In this podcast recorded at Black Hat USA 2014, Billy Rios, Director of Threat Intelligence at Qualys, illustrates how backdoor passwords get put into devices, how they manifest themselves, and the implications they bring.
What are the risks of virtual currency use?
Many consumers have heard about Bitcoin, but they don’t necessarily know anything about it: not the full spectrum of benefits, and definitely not the risks they can expose themselves to by using it. And when it comes to lesser-known digital currencies, they often don’t even know their names, let alone anything else.
Whitepaper: 5 steps to improve your network’s health
No network can be 100% secure. But diligently adhering to a simple plan can dramatically improve network security and enhance protection against new malware. This whitepaper introduces five recommended steps for building a methodical network auditing and patching process.
Square launches bug bounty program
Popular California-based financial services and mobile payments company Square has set up a bug bounty program on the HackerOne platform.
A look at advanced targeted attacks through the lens of a human-rights NGO, World Uyghur Congress
In his capacity as an academic researcher at Northeastern University, Dr. Engin Kirda collaborated with computer scientists at the Max Planck Institute for Software Systems as well as those at the National University of Singapore to study cyber-attacks against the human-rights Non-Governmental Organization representing the Uyghur ethnic minority group living in China and in exile.
Virtual machines no longer keeping malware at bay
It used to be that running and working on a virtual machine could almost guarantee you complete avoidance of malware infections, but that time has passed.
Malware targets jailbroken iOS devices, hijacks ad revenue
AdThief (or Spad) is the name of a recently discovered iOS malware that has managed to infect some 75,000 jailbroken iOS devices and steal revenue from around 22 million ads in a period that spanned a little over four months.
15 new bugs exploited at DEF CON router hacking contest
Security researchers taking part of the SOHOpelessly Broken hacking competition at this year’s edition of DEF CON have demonstrated 15 flaws affecting a number of small office/home office routers.
API security for connecting the enterprise cloud
In this interview, Don Bergal, COO at Managed Methods, answers questions regarding security around API based connections between an enterprise and the hybrid cloud.
Fake Tor Project website delivers malware instead of anonymity
A computer science student has discovered an almost perfect copy of The Tor Project’s website, offering malware for download instead of the Tor Browser Bundle and collecting donations that should rightfully go to Tor developers.
BYOD: 10 ways to fight back
As an IT professional or service provider, you are responsible for helping to avert security disasters. Here are ten best practices for vulnerability assessment and security in a multi-vendor network. Implement all ten and the chances of a successful attack are nearly eliminated, – and if a hacker does break through, you’ll know how to survive.
Continuous monitoring for your perimeter
In this podcast recorded at Black Hat USA 2014, Sumedh Thakar, Chief Product Officer at Qualys, talks about a new approach to vulnerability management and network security, enabling you to immediately identify and proactively address potential problems.
Disqus WordPress plugin vulnerabilities
During a penetration testing for a client, Australian based independent security consultant Nik Cubrilovic, discovered a couple of security issues within the very popular Disqus WordPress plugin. So far the plugin has been downloaded nearly 1.5 million times from the official WordPress plugin repository.
86% of hackers don’t worry about repercussions
Thycotic announced the results of a survey of 127 self-identified hackers at Black Hat USA 2014.
US defense contractors still waiting for breach notification rules
US Department of Defense contractors will have to wait until September 24 to see what specific rules they will be required to follow when it comes to the reporting of computer breaches to the DoD.
ZeroLocker ransomware “helps” you get your files back
Tyler Moffitt, a member of Webroot’s Threat Team, is warning about the appearance of yet another encrypting ransomware: ZeroLocker.
Is your encryption getting out of control?
The rise of encryption technology is now proliferating within many organizations at a prodigious rate. Encryption is deployed in the cloud and on premise; for protecting data at rest, data in motion and data in use; in databases, on memory sticks, in email, in storage networks; the list goes on. The trouble is that in almost all cases these encryption deployments will rely on point solutions which, although they might use familiar sounding encryption algorithms (AES, RSA etc.), are far from compatible, creating security pockets that are tied to individual applications or elements of IT infrastructure.
PGP is fundamentally broken, says crypto expert
“It’s time for PGP to die,” Matthew Green, noted cryptographer and research professor at Johns Hopkins University, opined in a recent blog post.
eBook: BYOD Policy Roadmap
Whether you’re looking to build a basic BYOD policy or one that’s tailored for your company’s specific needs, the project involves the same steps. Granted, it can seem daunting. But that doesn’t have to be the case. This GFI eBook covers strategy, creation and implementation – and breaks the entire process down into manageable jobs. It even includes a sample BYOD policy template.