Week in review: Facebook, Apple hacks, APT1, and mobile phishing

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Facebook employees ambushed by zero-day exploit
Facebook has admitted that they have been targeted with a “sophisticated” attack.

How to successfully submit conference talks
Do you wonder what a particular conference is looking for? How long should your submission be? How formal do you have to be? Will your talk will be accepted even though you have never presented before? Here is some practical advice from leading conferences on things you should pay attention to when submitting a talk.

Freezing Android devices to break disk encryption
Two German computer scientists have proved that it’s possible to access and recover data from an encrypted Android smartphone by performing a set of simple and easily replicable steps that start with putting the phone in a freezer.

Anonymous hacks U.S. State Department and investment firm, leaks data
Anonymous continues with its Operation Last Resort, and its latest targets were the websites of the U.S. Department of State (state.gov) and of investment firm George K. Baum and Company (gkbaum.com).

The sophistication of risky apps, mobile misbehavior and spyware
McAfee released the results of a new report, documenting sophisticated and complex risky apps containing multi-faceted scams, black market crimes, drive-by downloads and near-field communication threats. They identified a new wave of techniques hackers use to steal digital identities, commit financial fraud, and invade users’ privacy on mobile devices.

Chinese Army unit is behind cyber espionage campaigns, researchers claim
Dubbed APT1, this group is one of more than 20 APT groups with origins in China and has conducted cyber espionage campaigns against a “broad range of victims” since at least 2006.

Security pros should listen with their heads, not their hearts
There is a phrase that has become quite popular in information security circles and it goes along the lines of “there are two types of organizations, those that have been breached and those that don’t know they’ve been breached.” One of the main problems with this phrase is that anytime I hear it, the speakers never qualify what they mean by a breach.

Tips to overcome PHI security obstacles
For those responsible for managing privacy and data security at healthcare organizations, industry experts offer six tips to overcome PHI security obstacles

Apple confirms being hit in recent watering hole attack
Apple has become the latest big company to confirm they’ve been affected by the watering hole attacks that resulted in the compromise of Twitter and Facebook networks.

Adobe patches Acrobat and Reader, Mozilla debuts Firefox built-in PDF viewer
Adobe has pushed out the announced update for Acrobat and Reader that patches the two vulnerabilities that were recently exploited in attacks in the wild.

Rogue Chrome extension hijacks Facebook accounts
The extension by the name of “Business Flash Player” is capable of doing many things, and they are all bad.

NBC website serving malware
NBC’s website has been compromised, and has been found redirecting users to malicious sites.

Advanced Persistent Threat
As more and more information becomes available and is stored in electronic form, the logical consequence is that APT actors will focus on breaching networks and systems on which it can be found. The goal of these attacks is simple, but the techniques the attackers use and the speed and determination with which they come up with new ones are enough to demoralize many infosec experts. This book aims to change their prospective and the rules by which the defense is playing.

Security is top reason why IT adopts single sign-on
70% of respondents said security was the primary reason for adopting IAM and SSO, ahead of user convenience and supporting mobile access

Google account hijacking dramatically reduced
Google employs many security measures to thwart would-be Google account hijackers, and not all are highly visible as the two-factor authentication option.

Mandiant APT1 report used as a lure in phishing campaigns
Mandiant is warning that two malicious versions of their recently released APT1 report have been detected being used as lures in two distinct email phishing campaigns.

Zendesk hack endangers Tumblr, Twitter and Pinterest users
“We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had,” Zendesk CEO Mikkel Svane wrote on the company blog.

OAuth flaw allowed researcher full access to any Facebook account
A flaw in Facebook’s OAuth system that allows the communication between applications and users has enabled web application security specialist Nir Goldshlager to gain full control of any Facebook account.

Mobile phishing geared towards online banking users
In the past year, 75 percent of mobile phishing URLs were rogue versions of well-known banking or financial sites, warns Trend Micro, while only 4 percent were designed to trick online shoppers and 2 percent to target users of social networks.