Week in review: How GitHub is redefining software development, Glibc bug, drone-hijacking malware
Here’s an overview of some of last week’s most interesting news, interviews and articles:
VPN services blocked by China’s Great Firewall
A number of popular VPN services are the latest target of China’s Great Firewall, including Astrill, StrongVPN and Golden Frog’s VyprVPN.
What makes phishing emails so successful?
According to the results of a study performed by researchers from the University at Buffalo, “information-rich” emails that alter the recipients’ cognitive processes are mostly to blame for the success of phishing scams.
Adobe updates Flash Player again, plugs 0-day exploited by Angler
Adobe made good on its promise to make available a fix for the recently discovered critical zero-day Flash Player vulnerability (CVE-2015-0311) preyed on by the Angler exploit kit.
4 tips to make data protection everyone’s business
You don’t necessarily need to memorize a litany of IT mandates in order to reduce the risk of losing or compromising your work data.
How GitHub is redefining software development
The security industry is slowly realizing what the developer community has known for years: collaboration is the key to innovation, and likely its future.
Police ransomware scam drives UK teen to suicide
For most people, a ransomware infection is not a huge tragedy: they pay the bogus fine (or not), and ultimately get their computer back either because the criminals unlock it or because they clean up the machine themselves. But for 17-year-old UK schoolboy Joseph Edwards it was the end of the world.
Evidence shows Regin spy malware is used by Five Eyes intelligence
Kaspersky Lab researchers who have recently analyzed a copy of the malicious QWERTY module have discovered that the malware is identical in functionality to a Regin malware plugin, and are convinced that the developers of both pieces of malware are either the same or are working closely together.
The impact of new EU security legislation
A new report assesses respondents’ understanding and expectations of the proposed Network and Information Security (NIS) directive and the General Data Protection Regulation (GDPR). The GDPR is currently set to be finalized in early 2015, with compliance becoming mandatory in 2017.
Why Google won’t be updating pre-KitKat WebKit anymore
Rapid7 researchers discovered that Google will no longer provide security patches for WebView, the core component that renders web pages inside Android apps without the user having to open a browser, on Android versions before KitKat (4.4). That leaves over 60 percent of all Android users exposed to every new bug found in it.
High severity vulnerability found in Linux GNU C library
The Qualys security research team has found a critical vulnerability in the Linux GNU C Library (glibc) that allows attackers to remotely take control of an entire system without any prior knowledge of system credentials. Here are infosec pros’ reactions to the discovery.
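The glibc bug in question is the one Qualys disclosed on 27 January 2015 as CVE-2015-0235 (“GHOST”), a buffer overflow in the gethostbyname() family triggered by an over-long all-digit hostname. The summary above does not name it, so that identification and the check below are added here; the code is not from the article or from Qualys. It follows the logic of the test program Qualys published with its advisory, ported to Python’s ctypes so it can be run on a box you are triaging without installing a compiler. It assumes a glibc-based Linux host and reports “inconclusive” elsewhere.

```python
import ctypes
import errno

# Probe idea (from the Qualys advisory, ported here): hand gethostbyname_r() a
# buffer that the buggy size computation believes is exactly large enough, and
# watch a canary placed directly behind that buffer.
CANARY = b"in_the_coal_mine"
BUF_SIZE = 1024


class Probe(ctypes.Structure):
    """Scratch buffer for gethostbyname_r() with a canary laid out right after it."""
    _fields_ = [
        ("buffer", ctypes.c_char * BUF_SIZE),
        ("canary", ctypes.c_char * (len(CANARY) + 1)),
    ]


def ghost_check():
    """Return 'vulnerable', 'not vulnerable' or 'inconclusive' for the running libc."""
    try:
        libc = ctypes.CDLL(None, use_errno=True)   # Linux: dlopen(NULL) resolves libc symbols
        gethostbyname_r = libc.gethostbyname_r
    except (OSError, AttributeError):
        return "inconclusive"                      # no gethostbyname_r here (e.g. macOS)

    gethostbyname_r.restype = ctypes.c_int
    gethostbyname_r.argtypes = [
        ctypes.c_char_p,                  # const char *name
        ctypes.c_void_p,                  # struct hostent *ret
        ctypes.c_void_p,                  # char *buf
        ctypes.c_size_t,                  # size_t buflen
        ctypes.POINTER(ctypes.c_void_p),  # struct hostent **result
        ctypes.POINTER(ctypes.c_int),     # int *h_errnop
    ]

    probe = Probe()
    probe.buffer = b"buffer"
    probe.canary = CANARY

    # The vulnerable code sizes its scratch space as 16 bytes (host address)
    # + 2 pointers (address list) + strlen(name) + 1, forgetting the alias
    # pointer. Pick the longest all-digit name for which that sum still fits.
    ptr = ctypes.sizeof(ctypes.c_void_p)
    name_len = BUF_SIZE - 16 - 2 * ptr - 1
    name = b"0" * name_len

    hostent = ctypes.create_string_buffer(256)  # opaque storage for struct hostent
    result = ctypes.c_void_p()
    h_errno = ctypes.c_int()
    ret = gethostbyname_r(name, ctypes.addressof(hostent), ctypes.addressof(probe),
                          BUF_SIZE, ctypes.byref(result), ctypes.byref(h_errno))

    if probe.canary != CANARY:
        return "vulnerable"         # the hostname copy ran past the buffer into the canary
    if ret == errno.ERANGE:
        return "not vulnerable"     # fixed glibc counts the alias pointer and rejects the buffer
    return "inconclusive"           # a different libc or lookup path answered


if __name__ == "__main__":
    print(ghost_check())
```

Run it as root or not, it makes no difference: the overflow happens in the caller-supplied buffer inside this process, so a "vulnerable" verdict means the installed glibc still has the bug and every long-running service that resolves hostnames needs a restart after the package update, not just a patch install.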
Companies need to be custodians of customer data, not owners
The DNA of business is profit and its enhancement. The extraordinary possibilities of monetizing the data companies hold about their customers are too great for them to pass up.
Critical BlackPhone bug allows attackers to spy on users
BlackPhone, a mobile phone aimed at users who want to keep their communications secure from mass surveillance attempts, is affected by a critical security vulnerability that can be exploited to reveal users’ contacts, the content of their (encrypted) messages, and their location information, as well as to load additional code that can lead to the attacker having complete control over the handset.
Threats and technologies of a shifting data security landscape
With every email now a target and every piece of data at risk, the need for data protection maturity has never been higher. According to a new study released by Lumension, IT security departments are responding with better policies, improved technology approaches and financial commitment.
IoT security and privacy best practices
In a report on the Internet of Things (IoT), the staff of the Federal Trade Commission recommend a series of concrete steps that businesses can take to enhance and protect consumers’ privacy and security, as Americans start to reap the benefits from a growing world of Internet-connected devices.
Identity theft prevention tips and assistance
Eva Casey-Velasquez is the CEO of the Identity Theft Resource Center, which provides victim assistance at no charge to consumers throughout the United States. They also educate consumers, corporations, government agencies, and other organizations on best practices for fraud and identity theft detection, reduction and mitigation.
Hijacking drones with malware
A recent incident at the White House showed that small aerial vehicles (drones) present a specific security problem. While in this particular case the actual danger turned out to be non-existent, the fact that these devices can be hijacked and misused for malicious purposes is something that the manufacturers will have to think about very soon.
D-Link routers vulnerable to DNS hijacking
At least one and likely more D-Link routers as well as those of other manufacturers using the same firmware are vulnerable to remote changing of DNS settings and, effectively, traffic hijacking, a Bulgarian security researcher has discovered.
How much can a DDoS attack cost your organization?
For many organizations, the costs of a DDoS attack have a serious impact on the balance sheet, on top of the reputational harm done when partners and customers lose access to online resources.
Email scammers stole $215M from businesses in 14 months
The Business E-mail Compromise scam is alive and well, and expected to rise both when it comes to the number of victims and the total money loss sustained by them.
Canada’s spy agency monitors file downloads around the world
Canadian spies, in partnership with British intelligence agents, have been collecting sensitive data on smartphone users around the world, and the agency is also tapping Internet cables to collect and analyze HTTP metadata of daily uploads and downloads to and from 102 popular file-sharing websites.
How to determine if insiders should be your primary concern
A company is more likely to be hacked if its employees are not trained and share passwords without a second thought. Data is also far more likely to leak if employees cannot tell which files are confidential and which are not, and if content-aware data loss prevention (DLP) is not in place.
Researchers show how easy it is to de-anonymize shoppers
The researchers analyzed three months of credit card records (stripped of names and account numbers) for 1.1 million people, and concluded that they could uniquely re-identify 90% of individuals given just four additional data points showing where those people were on particular days, the kind of information that is often easy to deduce from posts on Instagram, Facebook, Twitter and other social networks.
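The re-identification test the researchers describe, as an added example that is not code from the study or the article. The records below are constructed: a handful of card transactions already stripped of names and account numbers and keyed by an invented per-customer token, each row a (token, shop, day) triple. `candidates()` is the attacker’s side, which tokens survive a set of outside-knowledge (shop, day) points; `unicity()` measures, for each customer, what fraction of k-point subsets of their own history singles them out, averaged over customers. The token names, shops and days are assumptions made for the example.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import combinations

# Constructed sample of pseudonymised transactions: (token, shop, day).
# Three customers share a cafe visit on day 1 and a grocer visit on day 2,
# so those points alone identify nobody; the later points split them apart.
RECORDS = [
    ("tok-7f1", "cafe", 1), ("tok-7f1", "grocer", 2), ("tok-7f1", "gym", 3), ("tok-7f1", "pharmacy", 4),
    ("tok-2c9", "cafe", 1), ("tok-2c9", "grocer", 2), ("tok-2c9", "gym", 3), ("tok-2c9", "bookshop", 4),
    ("tok-e40", "cafe", 1), ("tok-e40", "grocer", 2), ("tok-e40", "bakery", 3), ("tok-e40", "pharmacy", 4),
]


def index_by_point(records):
    """Map each (shop, day) point to the set of tokens seen there."""
    idx = defaultdict(set)
    for token, shop, day in records:
        idx[(shop, day)].add(token)
    return idx


def candidates(idx, known_points):
    """Tokens consistent with every outside-knowledge point (e.g. geotagged social posts)."""
    sets = [idx.get(p, set()) for p in known_points]
    if not sets:
        return set()
    return set.intersection(*sets)


def unicity(records, k):
    """Average over customers of the share of their k-point subsets that identify them uniquely.

    Exhaustive over subsets so the result is deterministic; the study sampled
    random subsets, which estimates the same quantity.
    """
    idx = index_by_point(records)
    history = defaultdict(set)
    for token, shop, day in records:
        history[token].add((shop, day))

    total = Fraction(0)
    for token, points in history.items():
        subsets = list(combinations(sorted(points), k))
        if not subsets:
            continue  # customer has fewer than k points; cannot be tested at this k
        unique = sum(1 for s in subsets if candidates(idx, s) == {token})
        total += Fraction(unique, len(subsets))
    return total / len(history)


if __name__ == "__main__":
    idx = index_by_point(RECORDS)
    # Attacker knows two points about a target: gym on day 3, pharmacy on day 4.
    print("candidates:", candidates(idx, [("gym", 3), ("pharmacy", 4)]))
    for k in range(1, 5):
        print(f"unicity with k={k}: {unicity(RECORDS, k)}")
```

On this toy data unicity climbs from 1/6 with one known point to 1 with four, which is the shape of the study’s result: coarse, widely shared points (everyone at the same cafe on day 1) contribute nothing, and only a few distinctive ones are needed to pin a person down.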