Week in review: WhatsApp data collection, roadblocks to implementing CISA, and how US law enforcement uses Stingrays

Here’s an overview of some of last week’s most interesting news and articles:


European Parliament members want member states to protect Edward Snowden
Too little has been done to safeguard citizens’ fundamental rights following revelations of electronic mass surveillance, members of the European Parliament have stated in a resolution voted on Thursday. They urged the EU Commission to ensure that all data transfers to the US are subject to an “effective level of protection” and asked EU member states to grant protection to Edward Snowden, as a “human rights defender”.

What should companies do after a wide-scale data breach?
Good first steps would be communicating breaches as soon as they are found and providing help for customers to safeguard their money and identities in the face of compromise. Further on, a credible and public initiative to secure systems and data should be implemented. Companies suspecting to have been breached should act quickly and strategically.

US DOJ admits that Stingrays can be used to intercept call and SMS content
After a battling the US Department of Justice in a court for two and a half years, the American Civil Liberties Union of Northern California has emerged victorious and has been given access to documents that spell out the details about the US federal government’s use of Stingrays surveillance devices.

Review: Google Earth Forensics
Learn how to use Google Earth geo-location in your digital forensic investigations.

Attackers are turning MySQL servers into DDoS bots
Someone has been compromising MySQL servers around the world and using them to mount DDoS attacks. The latest targets of these attacks are an (unnamed) US hosting provider and a Chinese IP address.

Real-world roadblocks to implementing CISA
The recent approval of CISA (the Cybersecurity Information Sharing Act) by the US Congress and Senate is paving the way for broader security collaboration.

The top 6 scariest cloud security mistakes and how to avoid them
One slip-up could not only be detrimental to your organization, but also place your peers, clients and business partners at risk.

Domain name holders hit with personalized, malware-laden suspension notices
The email is likely to fool some recipients, as it contains the valid domain registration and the recipient’s full name, which the attackers must have harvested online, via the whois query.

CoinVault and Bitcryptor ransomware victims don’t need to pay the ransom
Kaspersky Lab has added an additional 14,031 decryption keys to their free repository, enabling all those who have fallen victim to CoinVault and Bitcryptor ransomware to retrieve their encrypted data without having to pay a ransom to cybercriminals.

Creating a secure network for the Internet of Things
The long-term success of the trend and many of the new gadgets it introduces will depend largely on the community’s ability to deliver a secure platform for the IoT.

Cloud-based vulnerability management: Top vendors in the field
With an increasingly fast-paced threat landscape threatening even the most complex network security infrastructures, vulnerability management has become essential.

SHA-2 encryption will make many sites inaccessible to users who can’t afford newer tech
A group of security researchers has recently announced that it’s highly likely that effective collision attacks that would break SHA-1 encryption will be revealed by the end of 2015.

TalkTalk breach: Attackers demand £80,000 for stolen data
The Metropolitan Police’s Cyber Crime Unit was called in to investigate, and the company continues with its internal one.

WhatsApp collects phone numbers, call duration, and more!
A recent network forensic examination of popular messaging service WhatsApp is offering new details on the data that can be collected from the app’s network from its new calling feature: such as phone numbers and phone call duration, and highlights areas for future research and study.

How can we decide on surveillance and privacy when we can’t see the whole picture?
The legitimacy of surveillance efforts should be dependent on whether the country’s citizens support them. In order to do that, they have to know what’s being done and how. Unfortunately, in most cases they don’t know.

Social experiment: 200 USB flash drives left in public locations
Nearly one in five people who found a random USB stick in a public setting proceeded to use the drive in ways that posed cybersecurity risks to their personal devices and information and potentially, that of their employer, a recent experiment conducted on behalf of CompTIA revealed.

Europe’s new “net neutrality” regulation is full of loopholes
The European Parliament voted on Tuesday for a Regulation on a Single Market for Electronic Communications. The new regulation brings a complete ban on roaming charges for using mobile phones abroad in the EU, and will force internet providers to provide users the download and upload speeds they signed up for, or if not, allows them to terminate the contract or choose to get compensated for the discrepancy. But the part of the regulation that is heavily disputed is the one dealing with the issue of net neutrality.

The security community’s reaction as CISA passes US Senate
On Tuesday, the US Senate has passed the Cybersecurity Information Sharing Act (CISA), a legislation that will allow companies to share information about the cyber attacks they suffered with government agencies, without having to worry about getting sued by users for breach of privacy.

US Library of Congress makes tinkering with your car software legal
The US Digital Millennium Copyright Act (DMCA) makes it illegal to circumvent technological measures used to prevent unauthorized access to copyrighted works. But, there are exceptions to the rule, and they are decided by the Librarian of Congress every three years.

New DDoS attacks misuse NetBIOS name server, RPC portmap, and Sentinel licensing servers
Akamai has observed three new reflection DDoS attacks in recent months: NetBIOS name server reflection, RPC portmap reflection, and Sentinel reflection.

Hackers put up for sale 13 million plaintext passwords stolen from 000webhost
000webhost, a popular free web hosting service, has suffered a data breach that resulted in the compromise of the name, email address and plaintext password of some 13 million of its customers.

Online Trust Alliance releases new Internet of Things Trust Framework
The Online Trust Alliance (OTA) updated the IoT Trust Framework, a comprehensive global initiative that provides guidance for device manufacturers and developers to enhance the security, privacy and sustainability of connected home devices, wearable fitness and health technologies, and the data they collect.

Xen Project plugs critical host hijacking flaw, patch ASAP
The latest security update (XSA-145 through 153) for the popular Xen virtualization software fixes nine issues. Eight of them can lead to Denial of Service, but the ninth is much more serious than that, and could be exploited by a malicious para-virtualized guest administrator to escalate privilege and gain control of the whole system.

More about

Don't miss