Week in review: API security, keyloggers disguised as USB device chargers, online tracking
Here’s an overview of some of last week’s most interesting news and articles:
Faulty TLS implementation opens VISA sites, users to attack
A group of researchers has discovered 184 HTTPS servers that are wide open to attackers looking to inject seemingly valid content into encrypted sessions. Some of these servers belong to the credit card company VISA, the Polish banking association ZBP, and the German stock exchange.
Review: ProtonMail
ProtonMail is an email service developed by a team of scientists who met while working at the European Organization for Nuclear Research (CERN) in Switzerland. The idea behind ProtonMail is to provide an easy to use email service with built-in end-to-end encryption and state-of-the-art security features.
ZCryptor ransomware spreads via removable drives
Once it infects a system, it also copies itself on removable drives, in the hopes that the same drives will end up plugged into another system and spread the infection.
Strengthen security during production and development
In an ideal world, applications would always be coded securely, pass all vulnerability scans and penetration tests, and never encounter zero-day attacks in production. However, vulnerabilities are often inevitable, and in a world of rapid software release cycles, remediation is often regarded as a burdensome task that slows down the pace of DevOps and business innovation.
FBI warns about keyloggers disguised as USB device chargers
A private industry notification issued by the FBI in late April may indicate that keyloggers disguised as USB device chargers have been fund being used in the wild.
ICS-CERT warns about vulnerable SCADA system that can’t be updated
A web-based SCADA system deployed mainly in the US energy sector sports vulnerabilities that may allow attackers to perform configuration changes and administrative operations remotely. What’s worse is that these holes can’t be plugged because the device has nowhere to put an update.
Behavior is the new authentication: A look into the future
Traditional pattern-based perimeter defense tools, password-based authentication, user access control solutions are necessary but missing a trick when it comes to the detection of privileged account misuse or hijacked credentials. Once the attackers are inside the network (using legitimate user accounts to access sensitive data), their behavior is the missing link in detecting and – with real-time intervention – preventing breaches.
WPAD name collision bug opens door for MitM attackers
A vulnerability in Web Proxy Auto-Discovery (WPAD), a protocol used to ensure all systems in an organization utilize the same web proxy configuration, can be exploited to mount MitM attacks from anywhere on the Internet, US-CERT warns.
OWASP set to address API security risks
The goal of the OWASP API Security Project is to provide software developers and security assessors with information about the risks brought on by insecure APIs (both public and private), and advice on how they can be mitigated.
Who’s tracking you online, and how?
Armed with a tool that mimics a consumer browser but is actually bent on discovering all the ways websites are tracking visitors, Princeton University researchers have discovered several device fingerprinting techniques never before seen in the wild.
WhatsApp Gold doesn’t exist, it’s a scam that spreads malware
WhatsApp users are once again targeted by malware peddlers, via messages that offer WhatsApp Gold, supposedly an enhanced version of the popular messaging app previously used only by “big celebrities.”
Microsoft bans common passwords
If you’re using the Microsoft Account service to sign into the various services offered by the company, and you tried to set up a too commonly used password, you have already witnessed Microsoft’s dynamical banning of common passwords in action.
1 in 10 banking CEOs don’t know if they’ve been hacked
Twelve percent of banking CEOs say they do not have insight into whether their institution’s security has been compromised by a cyber attack in the past two years, according to KPMG. Their survey also shows that there is a clear disconnect between how the C-Suite views cyber security versus the next tier of executives.
Review: Signal for iOS
Open Whisper Systems’ Signal is an encrypted voice and text communication application available for Android and iOS. The technology is built upon the organization’s open source Signal Protocol, which has recently been implemented by messaging heavy-hitters such as WhatsApp and Google Allo.
DNS provider NS1 hit with multi-faceted DDoS attacks
DNS and traffic management provider NS1 was hit with a series of DDoS attacks that lasted several days, and managed to impact DNS delivery in the European, American and Asian region.
Phishing attacks rise to highest level since 2004
The Anti-Phishing Working Group (APWG) observed more phishing attacks in the first quarter of 2016 than at any other time in history.
Reputation damage and brand integrity: Top reasons for protecting data
IT security leaders in European organisations detail IT security spending plans, perceptions of threats to data, rates of data breach failures and data security stances.
Consumers have no idea what ransomware is
A new study reveals almost half (43%) of connected consumers today do not know what ransomware is, despite the recent aggressive spread of this type of cyber threat. In addition, a similar amount (44%) confessed that they did not know what data or information could be stolen in a ransomware attack.
Tips for evolving your office’s security culture
Regardless of the size of the organization and your position in it, if you can persevere in finding the right way, you can change its security culture.
Cybercriminals add DDoS component to ransomware payloads
Instead of just encrypting data files on a workstation (plus any network drive it can find) and locking the machine, a new variant of the Cerber ransomware is now adding a DDoS bot that can quietly blast spoofed network traffic at various IPs, according to KnowBe4.
Criminals stole $12.7 million from ATMs in Japan
In the early morning hours of May 15, 2016, a group of over 100 people executed coordinated, fraudulent ATM withdrawals that netted them about 1.44 billion yen.
Jaku: Analysis of a botnet
In May 2016, the Special Investigations team at Forcepoint revealed the existence of a botnet campaign that is unique in targeting a very small number of individuals while in tandem, herding thousands of victims into general groups.