Week in review: Bash Shellshock bug, jQuery.com compromise, and a replacement for TrueCrypt
Here’s an overview of some of last week’s most interesting news and articles:
Behavioral analysis and information security
In this interview, Kevin Watkins, Chief Architect at Appthority, talks about the benefits of using behavioral analysis in information security, how behavioral analysis can influence the evolution of security technologies and offers several behavioral analysis strategies.
Every budget is now an IT budget
IT is more and more a key component of all business initiatives and is becoming an important part of those budgets, according to Gartner, Inc. CIOs must work with business executives and the CFO to ensure that the critical contribution of IT is incorporated early in the strategic planning and budget planning processes.
Bash “Shellshock” bug: Who needs to worry?
As expected, attackers have begun exploiting the GNU Bash “Shellshock” remote code execution bug (CVE-2014-6271) to compromise systems and infect them with malware. Any service that copies untrusted input into environment variables and then starts bash, most commonly CGI scripts on web servers, is the exposed path.
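A quick way to answer the “who needs to worry?” question for your own hosts, as an added example that is not part of the original article: the first function runs the canonical CVE-2014-6271 probe against a bash binary (the exported variable’s value starts with “() {”, which vulnerable bash parses as a function definition and then keeps executing past the closing brace), the second counts web-log lines carrying that prefix in a request header. The log lines are constructed for the example; the function names are assumptions of this example.

```shell
# Added example (not from the article): a local check for the original
# Shellshock bug, CVE-2014-6271, plus a scan for the request pattern attackers
# use to reach a vulnerable bash through CGI. Function names are this example's own.

# Returns 0 if the given bash binary executes code appended to an exported
# function definition (vulnerable), 1 if it ignores it (patched), 2 if no binary.
shellshock_vulnerable() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Vulnerable bash imports x as a function at startup and also runs the
    # trailing "echo SHELLSHOCK_MARKER" before executing the -c command.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# Counts lines of log text (passed as one string) that carry the "() {" prefix.
# Web servers running bash CGI scripts copy request headers into environment
# variables (HTTP_USER_AGENT, HTTP_REFERER, ...), which is how the payload lands.
count_shellshock_probes() {
    printf '%s\n' "$1" | grep -c -F '() {' || true
}

# Constructed Apache-style log lines: the first carries a probe in User-Agent.
SAMPLE_LOG='198.51.100.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"id\""
203.0.113.5 - - [25/Sep/2014:10:02:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"'

if shellshock_vulnerable bash; then
    echo "bash: VULNERABLE to CVE-2014-6271, patch it"
else
    echo "bash: patched or not installed"
fi
echo "probe lines in sample log: $(count_shellshock_probes "$SAMPLE_LOG")"
```

A clean result from the first check only covers the original bug; the incomplete first fix led to follow-up CVEs for the same parser, so update to the latest bash your distribution ships rather than stopping at a single patch. The log scan is a blunt string match and will also flag benign text containing “() {”, so treat hits as leads to review, not as confirmed compromise.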
Home Depot security was anything but, say former employees
Bit by bit, information about the Home Depot security breach is coming to light, and the picture it paints is extremely unflattering for the retailer.
Payment card info of 880k Viator customers compromised
Additionally, some 560,000 customers may have had their account information compromised.
CipherShed: A replacement for TrueCrypt
Ever since TrueCrypt developers terminated the development of the popular encryption utility and announced that it was not safe to use, users who need such a tool have been looking for an alternative, safe solution.
Number of malicious eBay listings rises, accounts are hijacked
This particular problem has existed for years because eBay allows custom JavaScript and Flash content on listing pages so that they “pop out” and attract more potential buyers; the same active content, served from eBay’s own pages, is what attackers use to redirect visitors and steal credentials.
Whitepaper: Good password practice
The password remains one of the most susceptible components of even the most advanced security system. Alternative and supplementary forms of authentication have become far more common (and affordable), but the humble password remains the somewhat crumbling gatehouse to many a security structure. Learn how to tighten the weakest link of your security system.
jQuery.com compromised to serve malware via drive-by download
While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users.
Blackphone and Silent Circle announce bug bounty program
The Silent Circle program encompasses the client apps, network services, cloud infrastructure, web sites, and web services. The Blackphone program encompasses PrivatOS, update servers, and associated web portals.
High-volume DDoS attacks on the rise
More than 90 percent of attacks detected lasted less than 30 minutes. This ongoing trend indicates that latency-sensitive websites, such as online gaming, eCommerce and hosting services, should be prepared to implement security solutions that support rapid response.
Minimizing privacy risks of location data collection
Users’ location data is routinely collected at a large scale by cellular network operators, location-based services, and location-enabled social network platforms. But this type of information can reveal too much about our lives.
We can fix security, but it’s not going to be easy
We need to ask ourselves whether we are focusing our efforts on the right problems.
Board practices regarding IT oversight and cybersecurity
Greater director involvement in social media oversight, concern about the Department of Homeland Security/NIST cybersecurity frameworks and increased use of IT consultants are among the trends shaping governance and the board of the future, according to PwC.
Emerging international data privacy challenges
According to a new survey from the Cloud Security Alliance, there is strong and growing interest in harmonizing privacy laws towards a universal set of principles.
Mitigations for Spike DDoS toolkit-powered attacks
With this toolkit, malicious actors are building bigger DDoS botnets by targeting a wider range of Internet-capable devices.
Microsoft launches bug bounty program for Online Services
Bug hunters are urged to submit vulnerabilities affecting the following services: Office 365, Outlook (only as it regards Office 365 business services), Microsoft Online Services, SharePoint, Lync, Yammer, and several others.
Kali NetHunter turns Nexus devices into portable hacking tools
NetHunter is an Android penetration testing platform for Nexus devices built on top of Kali Linux.
How threats shape cloud usage
In this interview, Ravi Ithal, Chief Architect at Netskope, discusses the top threats to cloud security and how they are changing the way we’re using the cloud. He also talks about how the power of the cloud influences the agility of a modern security architecture and offers insight about who is ultimately responsible for data security in the cloud.
Consumers increasingly blame companies for data breaches
Moving forward, every company involved in a major data breach is going to pay an even higher price when customers’ information is compromised. In fact, each high-profile hack will take its toll on the executive suite and the bottom line alike, say the results of a poll conducted by HyTrust.
Training for CISSP and other (ISC)2 certifications
(ISC)2’s CISSP Live OnLine CBK Training Seminar gives you the same award-winning course content as the classroom-based seminars and the benefit of an (ISC)2 Authorised Instructor, from your very own desktop.
FBI warns of malicious insider threats increase
The exploitation of business networks and servers by disgruntled and/or former employees has resulted in several significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company.
Critical SSL flaw patched in Firefox, Thunderbird, Chrome
If you are a Mozilla Firefox, Thunderbird or SeaMonkey user, you should apply the latest patches issued by the company as soon as possible, as they fix a critical bug in the NSS cryptographic library (CVE-2014-1568) that allows forged RSA signatures on certificates, and whose exploitation can therefore lead to successful Man-in-the-Middle attacks.