Week in review: Reactions to PRISM, and the question of whether or not to hack back
Here’s an overview of some of last week’s most interesting news, articles and reviews:
The future of online authentication
Recently, Twitter has introduced 2-factor authentication – the latest in a long list of large-scale web services that have taken this step including Google, Microsoft and Dropbox. Why have these organizations all added complexity to their login experiences? Because the current state of online authentication isn’t meeting the needs of either businesses or consumers.
Microsoft Citadel takedown ultimately counterproductive
According to Swiss security expert Roman H??ssy who runs the Zeus, SpyEye and Palevo Trackers, the action effected by Microsoft in conjunction with the FBI and several industry partners has inflicted considerable damage to his and other researchers’ efforts.
EU to vote on stiffer penalties for hackers
Last week, the European Parliament committee on Civil Liberties, Justice and Home Affairs has approved a draft for a directive whose objective is to “approximate rules on criminal law in the Member States in the area of attacks against information systems, and improve cooperation between judicial and other competent authorities.”
Potential privacy problems for companies accepting Bitcoins
Businesses accepting Bitcoin payments might want to consider the privacy implications that such an option creates for its customers and for themselves.
NSA whistleblower reveals himself, world reacts
In an in-depth interview given to The Guardian’s journalists, 29-year-old Edward Snowden, a former CIA and Booz Allen Hamilton employee who worked on several contracts for the NSA, explained his reasons for becoming a whistleblower.
Most enterprises have no information strategy
Recent research by Gartner has found that, just as business model thinking wasn’t mainstream or well rehearsed a decade ago, management thinking at an “information as strategy” level is still evolving.
Reactions from the security community to the NSA spying scandal
The leaked documents about PRISM, a surveillance program by the NSA, have created quite a stir. A variety of security professionals and analysts have commented on the situation for Help Net Security.
Obama, Verizon, NSA sued for collecting U.S. citizens’ phone call data
Three individuals have filed the first lawsuit aimed at disputing the constitutionality of NSA’s collection of metadata on phone calls made by or to U.S. citizens.
Researchers find self-propagating Zeus variant
The Zeus / Zbot Trojan is usually spread via exploit kits (drive-by-downloads), phishing schemes, and social media, but Trend Micro researchers have recently spotted a variant that employs another propagation vector: removable drives.
To hack back or not to hack back?
If you think of cyberspace as a resource for you and your organization, it makes sense to protect your part of it as best you can. You build your defenses and train employees to recognize attacks, and you accept the fact that your government is the one that will pursue and prosecute those who try to hack you. But the challenge arises when you (possibly rightfully so) perceive that your government is not able do so, and you demand to be allowed to ‘hack back.
Vulnerability scanning with PureCloud
nCircle PureCloud is a cloud-based network security scanning product built upon the companies’ vulnerability and risk management system IP360.
Researches test resilience of P2P botnets
While acknowledging that estimating a P2P botnet’s size is difficult and that there is currently no systematic way to analyze their resilience against takedown attempts, they have nevertheless managed to apply their methods to real-world P2P botnets and come up with quality information.
Oppose PRISM-like programs today or lose you privacy tomorrow
There is a saying that the power drives those holding it to want more power. Same is true with the governments and their information hunger, which despite being smoke screened in the name of anti-terrorism activities, presents great danger to unsuspecting citizens. Just because they can, does not mean they should.
How orgs should handle personal data on IT systems that they don’t control
Organizations should create a privacy program that keeps personal data at arm’s length, but under control, according to Gartner, which predicts that by 2019, 90 percent of organizations will have personal data on IT systems that they don’t own or control.
OWASP top 10 web application risks for 2013
Since 2003, application security researchers and experts from all over the world at the Open Web Application Security Project (OWASP) have carefully monitored the state of web application security and produced an awareness document that is acknowledged and relied on by organizations worldwide, including the PCI Council, DoD, FTC, and countless others.
Google warns Iranian users of politically-motivated phishing
The campaign originates from within Iran, stated Eric Grosse, Google’s VP of Security Engineering, and has been going on for the last three weeks.
Why does the public now listen to an U.S. government whistleblower?
This is not the first time that a government whistleblower has come forward and tried to warn the U.S. public about the surveillance overreach of government agencies, but it was the first time that such revelations had such a global impact and response.
Asia-wide targeted campaign drops backdoor, RAT
Telecoms, oil and gas companies, media companies and government organizations in India, Malaysia, Singapore, and Vietnam have been receiving spear-phishing emails related to diplomatic discussions in the Asia-Pacific region and containing a specially crafted RTF document.
ISC-CERT warns about medical devices with hard-coded passwords
Approximately 300 different surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment have been found to have hard-coded passwords – a fact that can be taken advantage of by malicious actors to change devices’ critical settings or even modify their firmware.
Japan aims to monitor Internet-based communications
After having agreed on a draft of an official cybersecurity strategy earlier this month, Japan’s National Information Security Center (NISC) is looking to establish a Cyber Security Center – an agency equivalent to the U.S. NSA – and allow it to monitor Internet-based communications.