Security News for Wednesday, April 23 2014

According to this article, and based upon the recently released Akamai Technologies’ State of the Internet report for Q4 2013, hacker attacks on websites increased 75% in the last quarter. From the article:

Most of the targets were enterprises, and Akamai said that the likelihood of a repeat hack is one in three — a 35 percent bump over last year. Such numbers have no doubt fueled demand for services like Google’s Project Shield, which shelter businesses behind massive cloud servers that can easily absorb an onslaught. As for the countries of origin? The dubious winner of that prize (by far) was China with 43 percent of all attacks, followed by the US and Canada. The latter nation saw a not-very-polite 2500 percent bump in DDoS attacks over last year — hopefully not a trend.


Posted in Security News | Leave a comment

Security News for Tuesday, April 22 2014

According to this article, and based on a recently released report by Verizon, web-based applications and point-of-sale systems were the leading targets for malicious hackers in 2013.  From the article:

The leakiest industry by far, in terms of confirmed incidents where data was exposed, was finance with 465 breaches. But the public sector suffered 175 such incidents, retail had 148 and accommodation dealt with 137 breaches.

The vast majority of breaches were driven by financial motivations, even though they represent a smaller portion of the total caseload compared to previous years. Meanwhile, the number of breaches attributed to cyber-espionage has been on the rise over the past few years, the report shows.

This post is warning Facebook users of a new scam seen in the wild that attempts to trick users into entering their mobile phone number and for those who do and have Android devices, they will then be prompted to install an app on their phone. The app is actually malware that can be used to spy on the phone’s activities. From the post:

The message you have seen pop up while you are logged in to Facebook isn’t from Facebook itself, but it’s not the case that Facebook’s website has been hacked either.

Hackers are using a notorious banking Trojan horse called Win32/Qadars to display the bogus message from Facebook, in an aggressive attempt to infect Android smartphones.

Posted in Security News | Leave a comment

Security News for Monday, April 21 2014

This post looks at some of the security issues associated with the popular texting application WhatsApp (recently purchased by Facebook for 19 billion dollars). The application allows users to send text messages to one another without incurring SMS messaging fees from their cellular provider. From the post:

WhatsApp, indeed, has made various worrying privacy blunders in its brief history.

One blunder involved using non-secret information to construct secret encryption keys, which is a bit like using your pet’s name as a login password.

Another blunder involved the two-time use of a one-time pad – a cryptographic technique requiring, as its name suggests, that you never re-use its key material.

This blog post makes some recommendations for keeping yourself secure if you are still using Microsoft Windows XP (Microsoft support for the operating system reached end-of-life April 8th of this year).

Disclaimer: The above link is posted as a resource for users to protect their home computers. Please obtain proper permission before installing any tools on University resources.

Posted in Security News | Leave a comment

Security News for Friday, April 18 2014

Happy Friday!

Another day another major breach. According to this article, Michaels Arts and Crafts stores have suffered a breach that saw the release of 2.6 million credit/debit cards. From the article:

The nation’s largest arts and crafts chain said its subsidiary Aaron Brothers was also attacked, with about 400,000 cards potentially affected.

Irving, Texas-based Michaels said that it has contained the incident, which began last year. It has received “limited” reports of fraud from banks and the payment card brands that are potentially connected to the breach.

When the iPhone 5s was released, it didn’t take long for security researchers to bypass the fingerprint reader on the device that was used for authentication. This post is reporting that the newly released Samsung Galaxy S5′s fingerprint reader also suffering bypass flaws. From the post:

Samsung’s positive buzz over the Galaxy S5 didn’t last long – security researchers from SRLabs soon posted a video on YouTube demonstrating how they were able to trick the scanner with a fake fingerprint made of wood glue.

Posted in Security News | Leave a comment

Security News for Thursday, April 17 2014

OK this is probably the last article we will post on the Heartbleed flaw. The article examines the fallout created by this vulnerability which has been rated an 11 on a scale of 1-10 in terms of how serious it is. From the article:

The Heartbleed flaw has impacted various prominent websites and services, most of which you probably use every day, such as Flickr, Pinterest, and Yahoo. It has also affected search engines, banks and online shopping sites; sites where protection of personal data is paramount.

Not surprisingly, scammers are taking advantage of the missing Malaysian Airlines plane in order to install malware on victim’s computers. This article discusses some of teh scams seen in the wild since the place has gone missing. From the article:

Mark Nunnikhoven, vice-president of cloud and emerging technologies at global security firm Trend Micro, says current events scams have emerged only in the last couple of years and are actually a variation on old-fashioned phishing attacks, like the old “Nigerian prince” money scam, which proliferated largely through email.

There are also many smaller campaigns, where hackers might, for example, pose as your bank in order to solicit personal and financial information.

Posted in Security News | Leave a comment

Security News for Tuesday, April 15 2014

Everyone is probably familiar with the OpenSSL Heartbleed flaw as it has been in the news so frequently for the last week. LWG Consulting has put together a nice infographic here that depicts popular sites that are vulnerable to the flaw as well as sites that have already taken measures to mitigate the vulnerability.

And for some more Heartbleed news. This post is reporting that up to 50 million Android devices could be vulnerable to the vulnerability. The post also describes how you can check if your Android device is vulnerable.

Posted in Security News | Leave a comment

Security News for Monday, April 14 2014

This post discusses proposed legislation that will make retailers financially responsible for data breaches. From the post:

The bill, AB 1710, would make retailers responsible for notifying customers of any data breach incident, as well as hold them liable for reimbursing customers’ financial damages.

The bill would require the business that maintains the data to notify affected people within 15 days of the breach. As it now stands, banks and credit card companies are also liable for consumer losses caused by data breaches.

Posted in Security News | Leave a comment

Security News for Friday, April 11 2014

Happy Friday.

Most companies today expend vast resources in order to protect their network perimeters from intrusion. This article is reporting on a clever intrusion that recently took place on the network of a large oil company. From the article:

Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.

More new on the OpenSSl heartbleed vulnerability that has been discussed on this blog the last couple days.  The programmer who wrote the code that is vulnerable to this flaw has spoken out in this post. From the post:

The German software developer denies that the security flaw was included deliberately, and told the publication that which the error introduced into OpenSLL was “trivial,” the impact was “severe.”

Posted in Security News | Leave a comment

Security News for Thursday, April 10 2014

Yesterday the OpenSSL heartbleed vulnerability was discussed here. Many security professionals have been warning users to change all of their passwords to online sites in case their credentials may have already been compromised. This article offers a list of sites that were known to be vulnerable to the heartbleed flaw and makes recommendations on what passwords should be changed.

This post also discusses the need for changing your online passwords due to the OpenSSL heartbleed vulnerability but makes a good case for holding off on changing them for now:

If you need to change your password on a server that is at risk due to heartbleed, then the new password you choose may be at risk due to heartbleed.

And it’s fair to say that there are a lot more people ready to heartbleed your new password right now than there were a week, a month or a year ago when you set the old password up.

We suggest you wait until you know that a site is not vulnerable, for example because it makes a clear statement to that effect, or use a public testing service that connects to a website to estimate whether it’s safe or not first.

Posted in Security News | Leave a comment

Security News for Wednesday, April 9 2014

This post discusses the recently released OpenSSl heartbleed vulnerability. In a nutshell, OpenSSL is an application that encrypts web-based traffic, such as when you connect to your bank online. The vulnerability lies in an extension called heartbeat that is used to keep a session alive. If the payload of the “heartbeat” is manipulated by an attacker, the server could return information that is stored in memory.

Posted in Security News | Leave a comment