Week in review: Target POS malware, Bitcoin insurance, and the future of net neutrality

Here’s an overview of some of last week’s most interesting news, videos and articles:

The biggest challenge to IT security is marketing
Most companies today are using social media and online marketing channels to tell their customers and prospects about what they do. From company Twitter accounts, LinkedIn profiles through to website CMS or marketing automation platforms, all these tools have two things in common: one, they are essential to running marketing. Two, they are all outside the control of the IT department. How does this have an impact on IT and security?

Mass-scale cleansing of co-opted computing devices
Complimenting advanced security technology, empowering users with facile tools, knowledge and further education is vital for a formulated defense. By analyzing the discovery and remediation methods from four entities – National CERT, NGOs, Trade Associations, and ISPs – a new APWG report examines proven approaches which can be replicated with highly effective results, coupled with minimal deployment cost and end-user effort.

An introduction to firmware analysis
This talk by Stefan Widmann gives an introduction to firmware analysis: It starts with how to retrieve the binary, e.g. get a plain file from manufacturer, extract it from an executable or memory device, or even sniff it out of an update process or internal CPU memory, which can be really tricky. After that it introduces the necessary tools, gives tips on how to detect the processor architecture, and explains some more advanced analysis techniques, including how to figure out the offsets where the firmware is loaded to, and how to start the investigation.

Neiman Marcus, three other US retailers breached
In the wake of the revelations that US retail giant Target has been targeted by cyber thieves comes the news that American luxury department store Neiman Marcus has also suffered a breach during the end of the year holidays, as well as three other unspecified US retailers.

Fake Target breach notification leads to phishing and complex scams
After the initial breach revelation in late December, the company has started sending out breach notices to potentially affected customers, and continued to do so in the wake of the discovery of additional compromised information. But cyber scammers have also started send out notifications in Target’s name, trying to trick users into sharing their personal information, as well as to complete online surveys.

Bitcoin cold storage and insurance services sprout
The pros and cons of using and investing in Bitcoin and crypto currency in general are no longer a mystery, and solutions to some of the problems are being presented almost daily. One of the biggest ones is keeping your Bitcoin stash safe, both from cyber crooks and your own errors of judgement.

Free eBook: Linux From Scratch
This 318 page eBook provides readers with the background and instruction to design and build custom Linux systems, as well as to fully customize Linux systems to their own needs.

Trust but verify: Mozilla execs invite researchers to audit their code
The recent revelations about NSA surveillance efforts, and especially the claims that the agency has been persuading or forcing software developers to put in backdoors into their offerings and has prevented them from talking about it publicly, has left many users wondering how they can be sure that the software they plan to use will not be used against them. According to Mozilla CTO Brendan Eich and VP of mobile and R&D Andreas Gal, the solution is to use open-source software whose source code can and has been audited by independent security experts.

Equation determines the optimal moment for a cyber attack
Two researchers have developed a mathematical model for discovering the optimal moment to deploy specific cyber weapons in their arsenal.

Scammers bypass protection mechanism, offer trojanized Minecraft Android app
Russian Android users who are looking to download the popular Minecraft game app from third-party app markets should be very careful, F-Secure researchers told PC Magazine, as a trojanized version of the app is being offered at half the original app’s price.

When can you trust web services to handle your data?
A new report by the EU’s cyber security agency ENISA analyses the conditions under which online security and privacy seals help users to evaluate the trustworthiness of a web service. The report underlines the need for clear icons, standards, assessment and evaluation methodology.

US Federal Court deals a blow to net neutrality
With a verdict of 3-to-0, judges of the US Court of Appeals for the District of Columbia Circuit have decided to strike down the Federal Communications Commission’s Open Internet Order, and have dealt a serious blow to net neutrality.

Mobile applications being used for DDoS attacks
“The prevalence of mobile devices and the widespread availability of downloadable apps that can be used for DDoS is a game changer,” said Stuart Scholly, president of Prolexic. “Malicious actors now carry a powerful attack tool in the palm of their hands, which requires minimal skill to use.

Blackphone to put privacy and control first
Silent Circle and Geeksphone announced Blackphone, a smartphone placing privacy and control directly in the hands of its users.

Starbucks iOS app stores passwords in clear text
A security researcher has discovered that Starbuck’s iOS mobile application stores users’ usernames, email address and passwords in clear text, and has tried to share this discovery with the company for months.

Microsoft extends support for Win XP’s security solutions to mid-2015
“This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures,” Microsoft explained.

Researchers share more details about the Target POS malware
A handful of security companies have been researching the Target breach, and the information they unearthed is slowly trickling out to satisfy the public’s curiosity as the retailer has yet to share any details.

NSA collects 200 million text messages a day
The Guardian disclosed details of yet another NSA bulk data collection program described in a memo of the UK Government Communications Headquarters (GCHQ) and an NSA presentation.

Researcher demonstrates SCADA zero-day, shares PoC
An Italian researcher well known for his exploration of industrial control systems (ICS) has demonstrated the exploitation of a zero-day flaw that can crash or lead to a compromise of Web-based SCADA software that is used in nearly 40 countries all over the world.