Week in review: 250,000 hacker conversations analyzed, making a cheap mobile malware jail and Stuxnet’s successor Duqu
Here’s an overview of some of last week’s most interesting news, articles, interviews and podcasts:
Testing web applications for security flaws
David Hoelzer is the Director of Research, Enclave Forensics and a SANS Trainer. In this interview he discusses web application testing, offers advice for those on the hunt for web application vulnerabilities and introduces his training course at SANS London 2011.
Simple online protection steps for seniors
Older Americans, who grew up in the era of rotary-dial phones and black and white TV programming, may still be in the minority among Internet users, but they are a rapidly growing presence on the Web and are making their mark on social networking websites. As a result they are potential targets of cybercriminals – and need to learn how to best protect themselves online.
Analysis of 250,000 hacker conversations
Imperva released a report analyzing the content and activities of an online hacker forum with nearly 220,000 registered members, although many are dormant. This forum is used by hackers for training, communications, collaboration, recruitment, commerce and even social interaction.
Engineer jailed for turning PIN Entry Devices into skimmers
Thomas Beeckmann, a 26-year old German electronics engineer, has been sentenced to three years in a UK prison for having modified a number of PIN Entry Devices to record the information used to clone credit and debit cards on behest of organized crime networks.
Mitigating the BEAST attack on TLS
During the summer, rumours about a new attack against SSL started circulating. Then Opera released a patch, but made no comment about what it was patching. Eventually enough information leaked out that some smart people figured what the attack was about.
Beware of bogus Gmail Hacker software
Passwords can be forgotten or lost and the users stumped on how to gain access to their email accounts again. Here is where tools such as the Gmail Hacker Pro could come in hand – if they actually worked.
Password misuse at root of hacking
A survey paints a vivid picture of password chaos amongst IT staff and apathy about password security amongst their senior management.
Hardened Android kernel to be used by U.S. Army, government
The U.S. government is looking at replacing radio communication between federal, state and local law enforcement and response agencies with communication with smartphones, and to that end it has showed interest into a new project whose goal is to create a hardened kernel for the Android OS.
Twitter protects freedom of speech and privacy of users
When LulzSec member Sabu recently answered a lot of questions on an impromptu Q&A session on Reddit by posting the answers on his Twitter account, he was asked why he trusted Twitter more than Reddit. “Because believe it or not Twitter has not been sleeping in bed with LEAs (law enforcement agencies). In fact its a process to get account info,” he replied. “And that is a major difference between Twitter and other social mediums. They respect privacy.”
U.S. DHS expects Anonymous to attack infrastructure
Anonymous is eyeing industrial control systems for future attacks, says the U.S. Department of Homeland Security, but its members have yet to demonstrate a capability to inflict damage to these systems.
How to make a cheap mobile malware jail
Axelle Apvrille, senior mobile anti-virus analyst and researcher at Fortinet, talks about an effective and cheap solution to this problem: creating your own GSM carrier whose signal won’t extend beyond the confines of your lab.
Duqu: The next tale in the Stuxnet files
McAfee Labs received a kit from an independent team of researchers that is closely related to the original Stuxnet worm, but with a different goal-to be used for espionage and targeted attacks against sites such as Certificate Authorities (CAs).
Mac Trojan disrupts automatic updating of XProtect
A variant of the recently discovered Flashback Trojan for Mac OS X has acquired the capability to disrupt the automatic updating of XProtect, the operating system’s built-in anti-malware application.
Explore what ISO 27001 documentation looks like
Documentation is the core of your ISO 27001 implementation. A good set of documents will enable your employees to understand their obligations better while poorly written documents or missing documents will cause confusion and resentment towards information security. Not to mention failing the certification audit.
SANS virtualization security course returns to London
The SANS Institute has added Security 577 Virtualization Security Fundamentals to the line-up for SANS 2011 London following popular demand. On its European début last year, the course completely sold out in record time and received some of the highest feedback scores across the event.
Flash bug allows spying of website visitors through webcam
A slight variation of a previously designed clickjacking attack that used a Adobe Flash vulnerability has once again made it possible for website administrators to surreptitiously spy on their visitors by turning on the user’s computer webcam and microphone.
Which mobile OS is most hit by malware?
As most mobile phone users still don’t have a mobile AV solution installed on their devices, it can be rather hard to gauge just how many of them have been hit by mobile malware.
Divorce is less stressful than safeguarding confidential data
How are IT managers coping with today’s threat landscape? Are they properly protected against the latest data-stealing malware? And would employees report if they compromised corporate data?
Nasdaq attackers spied on companies
Sources familiar with the investigation have revealed that the attackers have installed malicious software that allowed them to spy on communications between executives and board members of publicly held companies and peek into documents exchanged via Directors Desk, a Web-based management suite for Boards of Directors.
Skype can be used to tie users to illegal download activity
A team of researchers has proved that it is possible to determine the IP address of a user and tie it with his Internet use, and even correlate this information to his file-sharing activity with high accuracy, by taking advantage of a privacy hole in Skype.