Week in review: Evernote breached, Java woes and cloud security
Here’s an overview of some of last week’s most interesting news, videos, reviews and articles:
Evernote breached, forces service-wide password reset
The investigation has shown that the attackers were able to gain access to user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords.
Jailed British hacker hacks own prison’s mainframe
The inmate in question is 21-year-old Nicholas Webber, the infamous founder of the GhostMarket online forum on which budding cyber crooks were able to trade stolen card details, tools to commit computer offenses, and knowledge.
Wide Open Privacy: Strategies For The Digital Life
We live in a digital age where it’s become normal to see people post photos of their credit cards online, parents share on Facebook images of their newborns right from the delivery room, and offenders bragging about their crimes by posting videos on YouTube. Not everybody is so extreme, but the fact that a great number of social networking users keep over-sharing personal information points to a global privacy problem that’s can’t be easily solved. Wide Open Privacy aims to inform the reader and arm him with a plan for getting a grip on privacy.
Blackhole outfitted with exploit for recently patched Java flaw
The fact was discovered through the analysis of the latest PayPal-themed spam run that leads to a page hosting the exploit kit.
Oracle releases emergency patch to fix exploited Java flaw
Oracle has released an out-of-band Java patch to fix the CVE-2013-1493 vulnerability that is currently being exploited in attacks in the wild.
Longline phishing attacks rely on mass customization
Proofpoint released a wide-ranging study that identified a new class of sophisticated and effective, large-scale phishing attack dubbed “longlining”. Longlining, which is named after the industrial fishing practice of deploying miles-long fishing lines with thousands of individual hooks, combines successful spear phishing tactics with mass customization.
Open standards are key for security in the cloud
The current divide between proprietary and open approaches to enterprise cloud computing has implications beyond the obvious. More than just issues of cloud interoperability and data portability, open standards have benefits for user identity, authentication and security intelligence that closed or proprietary clouds threaten to compromise.
Older MiniDuke strain found, raises questions about its origins
A version of MiniDuke – the cyberspy malware aimed at governments and agencies in Europe and elsewhere – has been operating for at least 21 months, internet security firm Bitdefender has discovered.
99 percent of web apps vulnerable to attack
A new Cenzic report demonstrates that the overwhelming presence of web application vulnerabilities remains a constant problem, with an astounding 99 percent of applications tested revealing security risks, while additionally shedding light on pressing vulnerabilities within mobile application security.
Malicious Java applet uses stolen certificate to run automatically
A signed but malicious applet that will apparently fool even the latest Java 6 update has been discovered on a German online dictionary website infected by the g01pack exploit kit.
Google reports on non-court ordered FBI data requests
With every new Transparency Report that Google releases biannually since 2009, new information about data requests from government agencies are included. This last report, which spans July to December 2012, contains vague data about National Security Letters.
Samsung Galaxy devices’ lock screen easily bypassed
The past week revealed not one, but two security vulnerabilities that allow anyone to bypass the lock screen on a variety of Samsung Android smatphones.
BitInstant back online following breach, Bitcoin theft
BitInstant, one of the online Bitcoin exchange services, has been down and unaccessible from Thursday evening to Monday due to a “sophisticated attack,” which resulted in a loss of $12,480 in Bitcoins, but luckily no user data compromise.
The Chinese time bomb
Two weeks ago, Mandiant revealed that multiple attacks throughout the recent years are presumably attributed to one group of attackers, unit 61398 in the Chinese PLA. Two days later, Seculert discovered two different spear-phishing attacks which were using a fake Mandiant report to target Japanese and Chinese journalists.
Most interesting products at RSA Conference 2013
Not all of the companies showcasing their offerings on the expo floor have come prepared to release new solutions, but among those who have, here are the ones whose announcements and presentations garnered the most attention.
Software protects passwords via host of dummy cursors
Virtual keyboards have helped thwart keyloggers, but some danger while entering passwords still remained, as some malware is also capable of taking screenshots or even record short videos. To remove that danger, Japanese security researchers have come up with a novel idea for protecting your passwords from screen-grabbing malware and nosy shoulder surfers.
The SCADA security challenge
One of the less well-known aspects of information technology – but arguably one of the most critical to modern businesses – is the SCADA platform.
Secret Contacts+ 1.0 for iOS
Secret Contacts+ is a fresh iOS application that appeared in the App Store a couple of days ago. The developers at Youxel have recently launched a whole set of new security enhanced apps that wrap around standard iOS applications such as Contacts, Notes, Reminders and Photos.
Pwn2Own ends with Adobe Flash, Reader and Oracle Java exploits
Day two of the Pwn2Own competition at CanSecWest was again successful for French Vupen security, as they succeeded in exploiting Adobe Flash on Internet Explorer 9 on Windows 7 by chaining together three zero-days (an overflow, a ASLR bypass technique and a IE9 sandbox memory corruption) and earning themselves another $70,000.
Facebook’s in-house drills were crucial for smooth response to watering hole attack
Ryan McGeehan, security manager for incident response at Facebook, and Chad Greene, manager of the Facebook CERT, shared details about how Facebook prepares its security teams for incidents such as the recent watering hole attack that started with a compromised forum site popular with mobile developers.
Wolfgang Kandek presents new Qualys offerings
In this video, Qualys CTO Wolfgang Kandek discusses the expanded FreeScan service, the QualysGuard connector for Amazon, improvements in QualysGuard WAS 3.0 as well as BrowserCheck Business Edition.