Week in review: TrueCrypt’s public security audit, new MS 0-day exploited, new bug bounty programs
Posted on 11 November 2013.
Here's an overview of some of last week's most interesting news, videos, reviews and articles:


ENISA issues recommendations for securing data using cryptography
ENISA, the European Union’s “cyber security” Agency, launched a report recommending that all authorities should better promote cryptographic measure to safeguard personal data. The report addresses ways to protect sensitive and/or personal data that has been acquired legitimately.

US agency employees let invented woman expert into the network
Once again, and more spectacularly, security researchers have proved that attackers wielding a fake LinkedIn account sporting the image of an attractive woman claiming to be an expert in the cyber security business can trick even security-aware IT employees into letting their guard down.

How to address the main concerns with ISO 27001 implementation
Recently Dejan Kosutic delivered two webinars on the topic of ISO 27001, and he has asked the attendees to send him their top concerns regarding ISO 27001 implementation before those webinars. He has summarized the most common concerns into the following five areas and this a detailed explanation on how he feels they should be addressed.

Cryptolocker crooks offer victims a second chance
The criminals behind Cryptolocker, the destructive ransomware that has lately been targeting mostly US and UK PC users, are trying to earn more money by offering users who have initially decided not to pay to have their files decrypted a chance to change their mind.

Google tests new Chrome feature for thwarting rogue plugins
The “Restore browser settings” button will easily and quickly restore browser settings to their original defaults, and will be great for the instances when the malware in question prevents users from changing the settings.

Fake LinkedIn profile gathering info for targeted attacks
An ongoing social engineering campaign targeting LinkedIn users has been using the “professional” social network to popularise a specific dating site but, according to Websense researchers, the final aim of the campaign is likely more sinister.

What happens when a scammer tries to scam a security researcher?
I just got off the phone with a very nice gentleman from the "service center for the Windows operating system computers." During the call, he informed me that they had received numerous warnings that my computer was infected.

The dangers of weakening cybersecurity to facilitate surveillance
In response to the controversy over the alleged surveillance practices of the NSA, the White House established the Review Group on Intelligence and Communication Technologies, which is expected to provide recommendations to the president next week. In comments to the Review Group, Carnegie Mellon University's Jon Peha recommended a re-evaluation of those practices that weaken commercial products and services. T

Microsoft widens pool of submitters to its bug bounty programs
Microsoft might have been a late starter when it comes to bug bounties, but they are continually making changes aimed at making its bug bounty program as accessible, as rewarding, and as successful it can be.

Can a Swiss cloud give users complete privacy?
Telecom provider Swisscom has announced its plans to set up a “Swiss cloud” that would give both Swiss and later foreign users some peace of mind regarding whether the information put into it could be accessed by foreign intelligence agencies.

Most users don't trust app developers with their data
Research by ISACA shows that, of 1,000 employed consumers surveyed in the UK, only 4% named the makers of their mobile phone apps as the entity they most trust with their personal data. Yet, 90% don't always read privacy policies before downloading apps to their devices.

The Circle
It’s been difficult not to be exposed to the power of The Circle and its omnipresence in the news. I’m one of those people that opt not to watch a trailer before seeing a movie and so I didn’t want to read a single review before getting the book. You are probably not like that since you’re reading these words, so let’s move further.

Malware peddlers testing new infection techniques
An ongoing malicious spam campaign impersonating UPS has shown that malware peddlers are experimenting with different approaches for infecting hapless users, and additional recent spam campaigns have proved that one of them is particularly effective: embedding malware into RTF or DOC files.

New Microsoft 0-day vulnerability under attack
Microsoft has released security advisory KB2896666 informing of a vulnerability (CVE-2013-3906) in the TIFF graphics format that is seeing limited attacks in the Middle East and South Asia.

Apple releases cleverly framed report on government data requests
Apple has released what will be the first of many biannual reports on government information requests it receives, and has included a statement saying that “Apple has never received an order under Section 215 of the USA Patriot Act,” and adding that they would expect to challenge such an order if served on them.

TrueCrypt to go through a crowdfunded, public security audit
After all the revelations about NSA’s spying efforts, and especially after the disclosure of details about its Bullrun program aimed at subverting encryption standards and efforts around the world, the question has been raised of whether any encryption software can be trusted.

Cybercrime gangs seek victims in untapped markets
The trend indicates that cybercrime gangs are spending time looking for new companies and Internet users to victimize.

Whitepaper: Planning a career path in cybersecurity
The field of cybersecurity is growing quickly; so quickly that there are positions sitting open waiting to be filled by qualified individuals. As a society, we have all become heavily dependent on computers, network, and data stores. This in turn has exposed us to the risk of loss or compromise of those data systems. The need for personnel knowledgeable and experienced in security implementation and management has never been greater, and the need is growing. Get this whitepaper and learn more.

Another Android “master key” bug revealed
The existence of another “master key” bug that can be used to push malware onto Android users has been publicly disclosed by Jay Freeman (a.k.a Saurik), the technology consultant and security researcher who unearthed the bug around the same time as the previous two were found and disclosed in July.

PCI DSS 3.0 is now available
Version 3.0 becomes effective on 01 January 2014. Version 2.0 will remain active until 31 December 2014 to ensure adequate time for organizations to make the transition.

Microsoft and Facebook start Internet-wide bug bounty program
Dubbed The Internet Bug Bounty, it is sponsored by the two Internet giants and is aimed at anyone who discovers vulnerabilities in a series of open source programming languages, web apps, software, app frameworks, HTTP servers, as well as the OpenSSL implementation, Chrome, IE, Adobe Reader and Flash sandboxes, and the “Internet” in general.

Silk Road 2.0 goes online
As announced by well-known Silk Road user named "The Godfather”, who has been doing business on the infamous underground market for the last few years, another Silk Road has been resurrected from the ashes of the old one.

Mikko Hypponen: How the NSA betrayed the world's trust
Recent events have highlighted, underlined and bolded the fact that the United States is performing blanket surveillance on any foreigner whose data passes through an American entity -- whether they are suspected of wrongdoing or not. This means that, essentially, every international user of the internet is being watched, says Mikko Hypponen. An important rant, wrapped with a plea: to find alternative solutions to using American companies for the world's information needs.

Cyber threats organisations will deal with in 2014
The threat landscape is constantly evolving, and it’s an enterprise’s job and duty to keep up with the changes and do the best it can to protect its data, employees and networks.

Inkblots could solve problem of compromised passwords
Carnegie Mellon University computer scientists have developed a new password system that incorporates inkblots to provide an extra measure of protection when, as so often occurs, lists of passwords get stolen from websites.





Spotlight

Using Hollywood to improve your security program

Posted on 29 July 2014.  |  Tripwire CTO Dwayne Melancon spends a lot of time on airplanes, and ends up watching a lot of movies. Some of his favorite movies are adventures, spy stuff, and cunning heist movies. A lot of these movies provide great lessons that we can apply to information security.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Jul 30th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //