Week in review: Backdoors in Barracuda appliances, and what makes a good information security professional?

Here’s an overview of some of last week’s most interesting news, reviews, videos, interviews and articles:

Newest Java update doesn’t fix fresh critical vulnerabilities
A little after the latest Java update was released, Adam Gowdiak, CEO of Polish firm Security Explorations had piped up to say that it left a number of critical security flaws unpatched – a claim that he reiterated last Friday on the Full Disclosure mailing list.

What makes a good information security professional?
Information security is a very competitive industry, and one of the very few that kept doing fine even during the recession. It’s also a dynamic field that promises a lot of fascinating work, so it’s no wonder that so many individuals want to break into it.

Polish CERT hits Virut botnet
The Polish Research and Academic Computer Network (NASK), the national registry of the .pl domain and founder of CERT Polska, has announced that they took over 23 domains that served as C&C servers for the Virut botnet.

Cyber security needs to be a board level issue
As part of the much talked about Cyber Security Strategy, the UK Government is “committed to helping reduce vulnerability to attack and ensure that the UK is the safest place to do business”. One strand of the strategy was an executive briefing, which targeted the most senior levels in the UK’s largest companies and provided them with advice on how to safeguard their most valuable assets, such as personal data, online services and intellectual property.

Skype becomes a malware minefield
Skype users should be careful when using the service these days. First CSIS researchers unearthed a campaign misusing Skype to replicate and spread the Shylock banking Trojan, then Trend Micro researchers discovered highly dangerous worms also being propagated via Skype messages containing malicious links.

Investigating clever scamming techniques and their evolution
Christopher Boyd is a Senior Threat Researcher for GFI Software. Chris has been credited for finding the first instance of a rogue Web browser installing without permission, the first Twitter DIY botnet kit, and the first rootkit in an IM bundle. In this interview he talks about cunning scamming techniques and their evolution.

Google searching for hardware alternatives to passwords
Passwords are on the way out, it seems. With current boom – and obvious success – of phishing, it’s time to see what could be a better alternative to this flawed solution. Despite having considerable success with the two-step login authentication option made available to its customers, Google is looking in the direction of hardware authentication.

How to spot APT attacks
With the proliferation of Advanced Persistent Threats (APTs), it’s paramount for those who are charged with defending the systems and networks of likely targets to know that these attackers often utilize legal and common tools whose use is more difficult to spot by forensic investigations.

Twitter bug gives 3rd-party apps access to users’ Direct Messages
A Twitter bug allowed third-party applications to access Direct Messages of users who signed in to the apps by using their Twitter account, reported IOActive researcher Cesar Cerrudo.

Augmented Reality: An Emerging Technologies Guide to AR
ugmented Reality is not the stuff of science fiction any more, and we should all be at least familiar with its current and likely future uses. This book aims to be an easy-to-digest guide on the subject matter.

Employees targeted with fake DocuSign “confidential message”
An email purportedly sent by the DocuSign Electronic Signature Service on behalf of the administrative departments of a wide variety of organizations and businesses is hitting the inboxes of their employees, Bitdefender warns.

DNS attacks increase by 170%
Radware identified a number of new attack methods representative of today’s increasingly sophisticated and severe DDoS threat. Their latest report highlights server-based botnets and encrypted layer attacks as just two of the new attack tools challenging organizations during DDoS attacks.

Most exploit kits originated in Russia, say researchers
58 percent of the vulnerabilities targeted by the most popular exploit kits in Q4 were more than two years old and 70 percent of exploit kits reviewed were released or developed in Russia, reveals Solutionary SERT’s Q4 2012 Quarterly Research Report.

Jobs offered to student kicked out of college for discovering security flaw
Ahmed Al-Khabaz, the student that has been expelled from Dawson College because of an unauthorized intrusion in the college’s systems to check whether a flaw he recently discovered in its student web portal was fixed, has not been reinstated.

The arrival of the post-PC threat era
Trend Micro’s Annual Security Roundup shows that most of our predictions for 2012 have come true, and we encapsulate 2012 as the year where threats launched the beginning of the post-PC era. Threats have now escalated past the desktop environment.

People need help controlling personal info online
Microsoft released new data reflecting consumers’ perceptions about how their information is used online and a new series of short videos to help people better manage their online privacy.

Video: Practical exploitation of embedded systems
This video from Hack in The Box conference is an in-depth exploration of the reverse engineering and exploitation of embedded systems.

Barracuda Networks confirms exploitable backdoors in its appliances
The backdoor accounts are present on in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances.

Watering hole campaign targeting “Reporters without Borders” visitors
Watering hole attacks continue unabated and, according to Avast’s Director of Threat Intelligence Jindrich Kubec, the finger could be safely pointed to China once again.

Top five hurdles to security and compliance in industrial control systems
For many decades, Industrial Control Systems (ICS) have been the operational systems relied upon to safely and reliably deliver the essentials of daily life. Sometimes referred to as a Critical Infrastructure, they are the backbone of a modern economy. With these systems generally working well, there has been little need to make major changes to them. There has been innovation and some incremental changes, but in the ICS world, it has largely been “business as usual.’

SCADA password cracking code available
ICS-CERT has issued an alert about the existence and general availability of the proof-of-concept exploit code for a tool that can brute force passwords and thus gain access and control of programmable logic controllers (PLCs).

How to avoid Facebook scams and limit the damage they make
What should users who have fallen for Facebook scams do to minimize the danger to themselves and others, and what they can do to stop falling for similar ones in the future – or at all.

GitHub’s new search reveals passwords and private keys
GitHub has unveiled a new search infrastructure that should help coders find specific code within the millions of the individual repositories GitHub hosts. But, as helpful as this tool promises to be, it can still be misused. And unfortunately, it didn’t take long to prove that, as only hours later a number of individuals realized that quite a few careless coders inadvertently published their private encryption keys or their passwords in their repository.

More about

Don't miss