Week in review: OpenBSD team forks OpenSSL, tech giants to fund open source projects, VPN users endangered by Heartbleed
Posted on 28 April 2014.
Here's an overview of some of last week's most interesting news, reviews, articles and interviews:


Supposedly patched router backdoor was simply hidden
When security systems' engineer and researcher Eloi Vanderbeken discovered the existence of a backdoor in his own Linksys router last Christmas, he spurred other hackers to check what other routers have the same backdoor. The results of this investigation was that 24 DSL router models from Cisco, Linksys, Netgear, and Diamond were confirmed to be vulnerable. A month after the discovery, those companies have pushed out a new version of the firmware that apparently closed the backdoor. Only it didn't - it merely hid it.

Insights from attack trends in the cloud
Drawing on data obtained from a customer base of 2,200, Alert Logic found a significant increase in activity across cloud and hosting environments compared to last year's findings—brute force attacks climbed from 30% to 44% of customers, and vulnerability scans increased from 27% to 44%.

OpenBSD team forks OpenSSL to create safer SSL/TLS library
Members of the OpenBSD project, which develops the well-known OpenBSD operating system, OpenBSD Secure Shell, and other popular open-source software packages, have announced they have begun working on a free version of the SSL/TLS protocol.

Heartbleed attacker hijacked VPN active user sessions
As the number of the most popular websites that still haven't patched their servers against the Heartbleed exploit continues to diminish, researchers from cybersecurity firm Mandiant have reported that have identified successful attacks in the wild by targeted threat actors exploiting the Heartbleed bug.

A guide to cloud encryption and tokenization
In order to achieve the best cloud information protection strategy, enterprises must understand what information they use to run their enterprise and what sensitive data should needs protection in the cloud. Businesses migrating to the cloud are being advised to lock down any sensitive data before it leaves their premises, which is why more companies are deploying encryption.

How can we create a culture of secure behavior?
Phishing impacts thousands of companies each year, but it's not the only issue they face: malware attacks; physical attacks on company data by workers posing as service personnel; and attacks aimed specifically at mobile devices are on the rise, and are just a few examples of the many threat vectors.

Free guide: WordPress Security Checklist
WordPress is not only easy to use, it also comes with many plugins and themes for you to choose from, making it extremely customizable. However, like all other popular platforms, it is also more prone to hacking. For those who are not sure how to beef up your WordPress security, download the checklist to follow how to keep your site safe.

Nine patterns make up 92 percent of security incidents
Verizon security researchers have found that 92 percent of the 100,000 security incidents analyzed over the past ten years can be traced to nine basic attack patterns that vary from industry to industry.

NIST drops NSA-backed algorithm from encryption recommendations
he cryptographic algorithm in question is the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), the trustworthiness of which was put into question by last year's revelation that the NSA has influenced the NIST and the International Organization for Standardization to adopt it as part of an encryption standard.

Researcher proposes alert tool for managing online privacy risks
Arvind Narayanan, Assistant Professor of Computer Science at Princeton, proposes a "privacy alert" system that would know the users' usual privacy choices and notify them of appropriate measures they should take to tackle potential privacy pitfalls.

Learning from others
When an organization becomes the victim of a security breach, its misfortune should be viewed as an opportunity for the rest of us to learn how to improve the security of our own systems.

Europe's most significant information security event
Joy-Fleur Brettschneider is the Group Marketing Manager at Reed Exhibitions - Infosecurity Group. In this interview she talks about the most significant European IT security event taking place this week in London - Infosecurity Europe.

Researchers spot SMS Trojan active in the US
For the first time ever, Kaspersky Lab researchers have detected an active SMS Trojan in the United States. The malware in question is an SMS-sending Android Trojan dubbed "FakeInst", and was first spotted in February 2013 targeting Russian users.

DrDoS attacks to reach 800 Gbps in 2015
While the network time protocol (NTP) DrDoS threats that became prevalent in early 2014 have been contained, new distributed reflected denial of service threats will lead to attacks in excess of 800 Gbps during the next 12 to 18 months.

How cybercriminals profit from money laundering through gambling sites
A new report by McAfee sheds light on the underground world of online gambling. It identifies the proliferation of online casinos, an industry set to grow nearly 30% over the next three years, and how their use is fuelling cybercrime by making it easy to “cash in” on illegal activities.

Tech giants back initiative for funding crucial open source projects
The nonprofit Linux Foundation has announced the Core Infrastructure Initiative, a multi-million dollar project aimed to fund open source projects critical for the global information infrastructure, and a dozen of big tech companies have joined it and will be providing the funds.

FBI informant Sabu directed hacking of foreign govt sites
Hector Xavier Monsegur (aka "Sabu"), the infamous hacker and leader of the Lulzsec hacktivist group, has directed his associates to attack and compromise the websites and computers belonging to the Iranian, Syrian, Turkish, Brazilian, Pakistani and other governments.

Hands on fun at HacKid 2014
Last weekend, families and tech industry leaders descended on The Tech Museum of innovation in San Jose, California, for HacKid 2014.

Working to accomplish compliance and security
This article discusses strategies that can help organizations more easily achieve and maintain PCI compliance.

Thecus N5550 NAS Server inside and out
Having a backup drive has become essential. Those serious about their storage needs turn to Network Attached Storage (NAS) devices. Like most tech available today, those range from introductory models with a modest set of features, to complex powerhouses with a myriad of options. The Thecus N5550 is a fairly complex device whose feature list is anything but basic.

US DOJ asks Supreme Court to allow warrantless cell phone search
"Kill switches" for mobile phones seems like a great idea for discouraging rampant mobile phone theft going on in the US, and one that was backed at the federal level by a number of law enforcement officials.

Passwords: Real-world issues, tips and alternatives
Per Thorsheim is an independent information security adviser based in Norway. He is the founder and main organizer of PasswordsCon, the first and only international conference on passwords. In this interview, Thorsheim talks about the complexities involved in keeping strong passwords, offers practical advice for organizations and explores alternatives.

IoT is inevitable, but security and privacy is a top concern
In a recent survey, youth marketing group Voxburner polled 1,244 16-to-24-year-olds in the UK, and 67 percent said they are most worried about whether an internet-connected product is secure - this compared to the 45 percent who are concerned about whether it's reliable, 43 percent about whether it's expensive, and 22 percent about whether it's easy to use.





Spotlight

Biggest ever cyber security exercise in Europe is underway

Posted on 30 October 2014.  |  More than 200 organisations and 400 cyber-security professionals from 29 European countries are testing their readiness to counter cyber-attacks in a day-long simulation, organised by the European Network and Information Security Agency (ENISA).


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Oct 30th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //