Week in review: Critical Flash update, Bamital botnet takedown, and children turning into malware developers

Here’s an overview of some of last week’s most interesting news, reviews, articles and interviews:

Federated single sign-on to dominate by 2016
A well-executed single sign-on (SSO) strategy reduces password-related support incidents and provides users with improved convenience and more-efficient authentication processes, according to Gartner.

Oracle rushes out emergency Java patch
If you’re still among the users who haven’t disabled Java in their browsers or on their computer, be advised that Oracle has released a critical patch update for Java SE (Java 7 Update 13).

The privacy implications of Facebook Graph Search
While Graph Search is described as a way to allow people to make new connections, it’s undeniably a powerful tool for unearthing a wealth information in a highly accessible manner. You could call it stalker’s heaven.

Document shredding: the why and the how
Tim McBride serves as the Vice President and General Manager of Secure Destruction Services for Recall North America. In this interview he talks about the practice and requirements of document shredding, and the risks of doing it wrong.

Citadel Trojan used in unusual targeted attacks
McAfee researchers have spotted a group of cybercrooks that use the Citadel Trojan in targeted attacks aimed at specific individuals in organizations in Europe and Japan.

The rise of mobile advertising malware toolkits
In Q4 2012, FortiGuard Labs has highlighted malware samples that show four typical methods cybercriminals are using today to extract money from their victims. In addition, the report shows increasing activity in mobile malware variants of the Android Plankton ad kit as well as in hacktivist Web server vulnerability scanning.

The privacy cliff and how not to fall off it
Moving in opposite directions on protecting the future of consumer privacy online, the U.S. and Europe nevertheless are both heading toward the same cliff—and dragging with them billions of dollars and Euros in e-commerce along with the confidence of consumers.

Fake Amazon Kindle receipt leads to persistent malware
Amazon customers buying e-books for their Kindle or other mobile devices should be careful with emails that seemingly containing receipts for their purchases, warns Webroot, as malware peddlers have once again started a spam campaign impersonating the e-commerce giant.

Japan holds first hacking contest backed by government
Despite being one of the greater world economies and being technologically advanced as few others, Japan has woken up to the reality of cyber crime relatively late.

None of the 100 largest e-commerce sites have fully implemented DNSSEC
The biggest brands in e-commerce are overlooking a critical security technology that could reduce the risk of identify theft and credit card fraud.

U.S. President to decide on pre-emptive cyberstrikes
As the moment when U.S. President Barack Obama will issue a cybersecurity executive order slowly draws near, other questions that affect the nation’s cyber defense and offense options are discussed and answered in secret by legal review. Among these is the matter of who has the power of deciding whether a pre-emptive strike should be launched when there are indications that a major digital attack is to be unleashed against the nations’ networks and infrastructures and war hasn’t yet been declared.

Wireless Reconnaissance in Penetration Testing
Reconnaissance should always be the first stage of a cyber attack or penetration test, and the success of these attempts is usually closely tied with the quality of information gathered during this phase. This book gives insight into the information that can be gathered from radio traffic between a number of wireless devices used by the target, and how that information can come in handy.

Examining the Nap malicious downloader
FireEye researchers recently encountered a stealthy malware that employs extended sleep calls to evade automated analysis systems capturing its behavior. It further makes use of the fast flux technique in order to hide the identity of the attacker controlling it.

Nearly a third of all computers are infected with malware
PandaLabs released its annual security report which details an extremely interesting year of data theft, social networking attacks and cyber-warfare.

U.S. Federal Reserve admits being breached by Anonymous
U.S. Federal Reserve confirmed the breach of one of its internal websites by the hands of Anonymous hackers, but denied that the file containing personal information of over 4,000 U.S. bank executives the attackers made available for download contained passwords.

Researcher warns about critical flaw in D-Link routers
A security flaw in D-Link’s DIR-300 and DIR-600 routers could allow remote attackers to inject execute arbitrary shell commands via a simple POST request without being authenticated to the device or by tricking the routers’ owners into sending the request themselves, warns security researcher Michael Messner.

Whitehole exploit kit in the spotlight
The Blackhole exploit kit is, by far, the most most used one, and has pretty much cornered the market at the moment, but there are other kits out there looking to challenge its supremacy.

Massive Bamital click-fraud botnet shut down
Symantec and Microsoft have teamed up to take down the Bamital botnet, and are currently in the process of warning users infected with the Trojan on how to remove it from their computers.

EU proposes to make data breach disclosure mandatory
The European Commission has announced the launch of new proposals that include a requirement for EU member states to appoint an independent CERT and pivotally calls for each to create a national authority to whom companies, whose functions are critical to the economy, must report data breaches.

Critical flaw lets attackers control hospital, military buildings’ systems
The vulnerability affects the Tridium Niagara AX Framework, and lets remote attackers access the system’s configuration file that contains login credentials for operator work stations, through which the attackers can gain complete control of electricity and HVAC systems, elevators, surveillance cameras, electronic door locks and more.

Children turning into malicious code developers
AVG has found evidence that pre-teens are writing malware designed to steal login details from online gamers, both young and old.

Bogus cleaning apps on Google Play install backdoor on PCs
Malicious Android apps able to infect and set up a backdoor on PCs running pre-Windows 7 operating systems have been recently spotted by researchers of several security companies.

Learn by doing: Phishing and other online tests
Are you that person to whom everybody turns for advice on how to keep secure online? Point them towards online tests where they can learn and test their knowledge by themselves.

Twitter users hit with typo-squatting phishing campaign
In the wake of last week’s compromise of 250,000 Twitter accounts comes another threat to Twitter users: phishing messages – both DMs and tweets – that lure in the curious by asking “Did you see this pic of you?”

Windows and OS X users under attack, update Flash now!
Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible.

More about

Don't miss