Week in review: Car hacking and hijacking, critical Windows flaws, and Forbes.com compromise

Here’s an overview of some of last week’s most interesting news, interviews and articles:

Which kind of security professional are you?
Since I became a part of the industry, I had to decide what kind of a security professional I wanted to be – humble or arrogant.

New multi-purpose backdoor targets Linux servers
A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers, who believe that the Chinese hacker group ChinaZ might be behind it.

Are smart homes security smart?
A new ENISA study aims to identify both the security risks and challenges as well as the countermeasures required for emerging technologies in smart homes, providing a specific and focused approach, with an overview of the current state of cyber security in this emerging domain.

Be careful when talking in front of a Samsung SmartTV
Owners of Samsung SmartTVs that use its Voice Recognition feature to control the device should be aware that everything they say in front of their smart television set may end up in the hands of third parties.

INTERPOL and the fast-paced digital threat landscape
Dr. Madan Oberoi is the Director of Cyber Innovation and Outreach Directorate at the INTERPOL Global Complex for Innovation in Singapore. In this interview he talks about the key developments that allow law enforcement to stay on top the fast-paced digital threat landscape, offers insight on the challenges involved in managing international cyber innovation and research within INTERPOL, and introduces INTERPOL World 2015.

Corporate users hit with fake Microsoft email delivering sneaky malware
A well-crafted and extremely legit-looking spam email campaign is currently targeting corporate users around the world, ultimately leading the victims to difficult-to-detect malware that downloads additional malicious programs on the target’s computer.

Researcher publishes 10 million usernames and passwords to aid future research
Independent IT security analyst Mark Burnett has released a cleaned up cache of 10 million username and password combinations, in order to give researchers a data set that can be analyzed and from which insights into user behavior can be gleaned and used to improve authentication practices.

Car hacking and hijacking is too easy, report says
A report released on Monday by US Senator Edward Markey has confirmed what we already suspected: automobile manufacturers have yet to effectively deal with the threat of hackers penetrating vehicle systems, and the driver and vehicle information they collect and share is not adequately protected.

Microsoft fixes critical remotely exploitable Windows root-level design bug
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Kill Chain 3.0: Update the cyber kill chain for better defense
Security professionals have differing opinions on the effectiveness of the kill chain as a defense model. Some love it, pointing out how several successful infosec teams use it, while others think it’s lacking crucial details, and only covers certain type of attacks. Corey Nachreiner, Director of Security Strategy and Research at WatchGuard, thinks there is truth to both views.

Improved Simplocker variant hits Android users hard
Mobile crypto-ransomware Simplocker has evolved, and returning the encrypted files to their unencrypted state is no longer easy as it was.

Majority of dating apps are open to hacks
Some of the specific vulnerabilities identified on the at-risk dating apps include cross site scripting via man in the middle, debug flag enabled, weak random number generator and phishing via man in the middle.

Forbes.com compromised by Chinese cyber spies targeting US firms
The compromise lasted from 28 November to 1 December, 2014, and according to both iSight Partners and Invincea researchers, the targeted visitors were those working for US defense contractors and financial services companies.

Dangerous vulnerabilities plague IoT home security systems
Owners of Internet-connected home security systems may not be the only ones monitoring their homes.

Tens of thousands MongoDB databases easily accessible from the Internet
A group of students from Saarland University’s Center for IT-Security, Privacy and Accountability (CISPA) have discovered tens of thousands MongoDB databases accessible to remote attackers, including a couple belonging to big companies and containing personal and financial information of millions of their users.

Jeb Bush dumps emails full of private data online
Jeb Bush, who might end up being a candidate in the next 2016 US presidential election, has made a clumsy misstep in his attempt to provide “transparency” into his two turns as governor of Florida: he published a huge batch of emails he received both from his constituents and other people without redacting sensitive information contained in them.

Google Play flaw opens Android devices to silent malware installation
Android users are in danger of getting malicious apps silently installed on their devices by attackers, warns Rapid7’s Tod Beardsley, technical lead for the Metasploit Framework.

Are organizations ready for the embedded computing takeover?
A recent Pew Research report predicts that by 2025, embedded and wearable computing will dominate the mainstream. While this incursion of wearables in the workplace has already begun, many organizations are ill prepared to secure them.

VirusTotal sets up huge AV whitelist to minimize false positives
One of the worst things that can happen to a software developer, and especially if they are a small firm or a single individual, is for their program to be falsely detected as malicious by popular AV solutions.

RSA Conference 2015: Showcasing the future of information security
Linda Gray is the General Manager of RSA Conferences. In this interview she talks about the growth of RSA Conference, outlines the threats that helped shape this year’s agenda, and highlights sessions, speakers and trainings.

Active spam campaign leads to sophisticated PayPal phishing sites
PayPal-themed phishing campaigns are nothing new, but they are more and more legitimate-looking as time goes by.

A closer look at LepideAuditor Suite
With change configuration auditing of servers, an IT administrator can “save” his organization from unauthorized access or unwanted changes.

Attackers can bypass Windows’ protections by changing a single bit
Among the many vulnerabilities that Microsoft patched on Tuesday is one that can be exploited to bypass all Windows security measures by, curiously enough, modifying a single bit of the Windows operating system.

Facebook unveils platform for exchanging security threat information
The idea of this type of exchange was born a little over a year ago, when Facebook, Pinterest, Tumblr, Twitter, and Yahoo had to collaborate and exchange attack information in order to stop a massive botnet-powered malware-slinging campaign that used all of their services to reach as many users as possible.

IT security training is a top priority for CIOs
CIOs are taking a multipronged approach to protecting sensitive company information, and the majority are currently taking or planning to take steps in the next 12 months to improve IT security at their firms.

Scammers pushing fake AdwCleaner in active scareware campaign
An active scareware campaign pushing a fake version of the popular freeware spyware removal tool AdwCleaner is targeting Windows users and is trying to get them to fork over nearly $60 of their hard earned cash.

More about

Don't miss