Week in review: Vulnerable web-based password managers, Mayhem malware, and Google’s Project Zero

Here’s an overview of some of last week’s most interesting news, interviews and articles:

Endpoint security myths and why they persist
In this interview, Roman Foeckl, CEO of CoSoSys, illustrates the most prominent endpoint security myths and explains why they persist. Furthermore, he talks about the hurdles with protecting endpoint clients in the enterprise and offers advice on what organizations can do in order to stay ahead of the threats.

Amazon-hosted malware triples in 6 months
Solutionary analyzed the threat landscape and identified the top 10 global ISPs and hosting providers that hosted malware out of more than 21,000 ISPs.

IoT privacy tech working group announced
TRUSTe formed a multi-stakeholder IoT Privacy Tech Working Group to identify the technical standards and best practices necessary to help enhance consumer privacy in the Internet of Things (IoT).

Keyloggers found at hotel business centers
In the wake of the arrest of a group of people suspected of having compromised computers in hotel business centers in Texas, the US Secret Service and the DHS have sent out an advisory to hospitality industry firms urging them to secure their public computers.

How hackers get in: Lessons from a network security audit
Third-party network security audits can help organizations understand just how well their security holds up to attacks and data breaches.

Critical vulnerabilities in web-based password managers found
A group of researchers from University of California, Berkeley, have analyzed five popular web-based password managers and have discovered – and then responsibly reported – vulnerabilities that could allow attackers to learn a user’s credentials for arbitrary websites.

First aid kit for people who face digital threats
A group of NGOs that includes the EFF, Global Voices, and Internews, has launched the Digital First Aid Kit, an open source self-assessment tool for people who face digital threats.

eBook: Linux Patch Management
Linux Patch Management offers Linux professionals start-to-finish solutions, strategies, and examples for every environment, from single computers to enterprise-class networks.

Active Directory flaw impacts 95% of Fortune 1000 companies
Aorato identified a new threatening flaw within Active Directory that enables attackers to change a victim’s password, despite current security and identity theft protection measures.

CNET attacked by Russian hackers, user database stolen
Russian hacker group W0rm has apparently managed to breach servers belonging to media website CNET, and make off with databases containing usernames, emails, and encrypted passwords of more than a million registered users.

PittyTiger APT group sells its services to companies
APT attackers thought to be operating from China often seem financed by the government, but there are other groups that work for the highest bidder, which is usually a private sector company looking for information that will squash their competition.

Google goes to war against zero-days
Google has announced the launch of Project Zero, a dedicated internal team that will concentrate on finding zero-day vulnerabilities in Google’s and third-party software so that they can be patched before malicious actors have a chance of misusing them.

Selectively re-using bad passwords is not a bad idea, researchers say
A trio of researchers from Microsoft Researcher and Carleton University, Ottawa, Canada are challenging the long-held belief that every account needs a strong and unique password.

Government-grade malware used for ransomware attacks
It was only a matter of time until cyber criminals got their hands on a piece of government-made malware and repurposed it for their own criminal needs.

New IP-based wireless networking protocol created
Recognizing the need for a better way to connect products in the home, seven companies announced that they’ve joined forces to develop Thread, a new IP-based wireless networking protocol.

Cisco fixes critical flaw in modems and wireless gateways
The vulnerability, which was awarded the maximum severity score even though there isn’t evidence it is currently being used in attacks, “could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.”

Exposing the insecurity of hotel safes
When looking at one popular safe model, G DATA SecurityLabs experts found serious security deficiencies. With a little technical effort, the safe can be hacked and cleared out in a very short time. If the safe has a magnetic card reader, it offers criminals the option of using skimming to access the data on the card and offering it for sale on the Internet or in special underground forums.

vBulletin releases patches for critical SQL injection flaw
The vBulletin team has issued emergency patches for the critical SQL injection vulnerability responsibly reported by the Romanian Security Team.

Fake Flash Player steals credit card information
A new trojan that’s after credit card details is targeting Android users. It comes in the guise of Adobe Flash Player and, once installed and run, it immediately tries to gain administrator privileges on the device.

Acunetix offers free network security scan
Acunetix is offering 10,000 free network security scans with Acunetix Online Vulnerability Scanner in a bid to make it easier for businesses to take control of their network security.

40% of IT security teams keep executives in the dark
A survey of nearly 5,000 global IT security professionals reveals a knowledge and resource gap in the enterprise.

Mayhem malware ropes Linux, UNIX servers into botnets
A new malware that researchers have dubbed Mayhem is being used to target Linux and Unix web servers and has so far compromised over 1,400 Linux and FreeBSD servers around the world.