Posted by Kevin on August 22, 2014.
The ITsecurity daily security briefing: Friday, August 22, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
Draft NIST Technical Considerations for Vetting 3rd Party Mobile Applications
“The purpose of this document is to provide guidance for vetting 3rd party software applications (apps) for mobile devices. Mobile app vetting is intended to assess a mobile app’s operational characteristics of secure behavior and reliability (including performance) so that organizations can determine if the app is acceptable for use in their expected environment.” Open for comments until 11/18/2014.
Comments: http://csrc.nist.gov/publications/drafts/800-163/sp800_163_draft_comment-template-form.xls
Hackers target information on MH370 probe
The computers of high-ranking officials in agencies involved in the MH370 investigation were hacked and classified information was stolen. The stolen information was allegedly being sent to a computer in China before CyberSecurity Malaysia – a Ministry of Science, Technology and Innovation agency – had the transmissions blocked and the infected machines shut down.
The Straits Times.
Right to be Forgotten makes old news new news and therefore valid news
The Telegraph reports that Google has removed the link to a 2009 article quoting from an email written by Dr Edward Erin. Erin was found guilty of trying to poison his mistress (apparently seeking to make her abort their love child). How is this not a relevant or valid news story even today? Of course, while the link is censored, the story remains on the Telegraph site. Streisand Effect Rules.
U.S. venture firm Kleiner Perkins suffers security breach
The theft may expose valuable financial data and makes the firm the latest in a long list of businesses that have lost sensitive information to thieves. In this case, the information was taken by physical, not electronic, means.
FinCEN Proposes Changes to Anti-Money-Laundering Requirements
“The Financial Crimes Enforcement Network (FinCEN) has announced proposed changes that would amend part of the Bank Secrecy Act (BSA). According to the National Law Review, the changes affect customer due diligence (CDD) requirements for certain covered financial institutions. These include mutual funds, brokers or dealers in securities, futures commission merchants and introducing brokers in commodities. Comments and feedback on these proposed changes are due by Oct. 3, 2014.”
Massive Growth in SMTP STARTTLS Deployment
“When we posted in May about the state of STARTTLS deployment, we had no idea that we would see such significant changes to email encryption across the industry in just a few short months. We previously reported that only 28.6% of our outbound notification emails were successfully encrypted and passed strict certificate validation (58% if you count opportunistic encryption). Since STARTTLS encryption requires both sides to deploy it, we encouraged others to take the next step. As a result of recent changes by major providers, most notably Microsoft and Yahoo, 95% of our notification emails are now successfully encrypted with both Perfect Forward Secrecy and strict certificate validation.”
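Facebook's figures separate strict certificate validation from opportunistic encryption, and a mail operator can produce the same breakdown from their own logs. The following is an added example, not code from Facebook or from this briefing: it reads Postfix smtp log lines (constructed here, not a real capture) and classifies each delivery by the trust level Postfix records ("Verified" means the CA chain was checked and the name matched; "Trusted", "Untrusted" and "Anonymous" are opportunistic) and by whether the cipher used an ephemeral key exchange, which is what gives a session forward secrecy. It assumes Postfix's default log layout; the hostnames and addresses are placeholders.

```python
"""Classify outbound SMTP deliveries by TLS strength from Postfix smtp log lines."""
import re
from collections import Counter

# Postfix logs one TLS line per connection and one status=sent line per delivery under
# the same smtp[pid]; a delivery whose relay has no TLS line for that pid went in the clear.
TLS_LINE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established to (?P<relay>\S+): (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)
SENT_LINE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: [0-9A-F]+: to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>[^,]+),"
    r".*status=sent"
)
# Ephemeral (EC)DH key exchange is what gives a session forward secrecy.
PFS_KEX = ("ECDHE-", "DHE-")

# Constructed sample in Postfix's format (RFC 5737 addresses, example domains); not a real log.
SAMPLE_LOG = """\
Aug 22 09:00:01 mx1 postfix/smtp[1001]: Verified TLS connection established to mail.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 22 09:00:01 mx1 postfix/smtp[1001]: 3A1B2C3D4E: to=<alice@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Aug 22 09:00:02 mx1 postfix/smtp[1001]: 3A1B2C3D4F: to=<bob@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Aug 22 09:00:03 mx1 postfix/smtp[1002]: Verified TLS connection established to smtp.example.org[192.0.2.20]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)
Aug 22 09:00:03 mx1 postfix/smtp[1002]: 3A1B2C3D50: to=<carol@example.org>, relay=smtp.example.org[192.0.2.20]:25, delay=0.5, dsn=2.0.0, status=sent (250 OK)
Aug 22 09:00:04 mx1 postfix/smtp[1003]: Untrusted TLS connection established to mx.example.com[192.0.2.30]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 22 09:00:04 mx1 postfix/smtp[1003]: 3A1B2C3D51: to=<dave@example.com>, relay=mx.example.com[192.0.2.30]:25, delay=0.6, dsn=2.0.0, status=sent (250 OK)
Aug 22 09:00:05 mx1 postfix/smtp[1005]: Anonymous TLS connection established to mx.anon.example[192.0.2.60]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Aug 22 09:00:05 mx1 postfix/smtp[1005]: 3A1B2C3D54: to=<grace@anon.example>, relay=mx.anon.example[192.0.2.60]:25, delay=0.2, dsn=2.0.0, status=sent (250 OK)
Aug 22 09:00:06 mx1 postfix/smtp[1004]: 3A1B2C3D52: to=<erin@legacy.example>, relay=mail.legacy.example[192.0.2.40]:25, delay=0.2, dsn=2.0.0, status=sent (250 OK)
Aug 22 09:00:07 mx1 postfix/smtp[1003]: 3A1B2C3D53: to=<frank@other.example>, relay=mx.other.example[192.0.2.50]:25, delay=0.2, dsn=2.0.0, status=sent (250 OK)
"""


def classify(level, cipher):
    """Map a Postfix trust level plus cipher name to one delivery class."""
    if level is None:
        return "plaintext"
    pfs = cipher.startswith(PFS_KEX)
    # Only "Verified" means the CA chain was checked and the name matched; the other
    # levels are opportunistic encryption that an active attacker could have replaced.
    if level == "Verified":
        return "strict+pfs" if pfs else "strict"
    return "opportunistic+pfs" if pfs else "opportunistic"


def summarise(log_text):
    """Count deliveries per class, correlating TLS and sent lines by pid and relay."""
    last_tls = {}      # pid -> (relay, level, cipher) of that process's current session
    counts = Counter()
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            last_tls[m["pid"]] = (m["relay"], m["level"], m["cipher"])
            continue
        m = SENT_LINE.search(line)
        if not m:
            continue
        sess = last_tls.get(m["pid"])
        if sess and sess[0] == m["relay"]:   # same relay: delivery rode that TLS session
            counts[classify(sess[1], sess[2])] += 1
        else:                                 # relay with no TLS line for this pid: cleartext
            counts["plaintext"] += 1
    return counts


def share(counts, *classes):
    """Percentage of deliveries falling in the given classes, to one decimal place."""
    total = sum(counts.values())
    return round(100.0 * sum(counts[c] for c in classes) / total, 1) if total else 0.0


if __name__ == "__main__":
    c = summarise(SAMPLE_LOG)
    print(dict(c))
    print("strict validation + PFS: %.1f%%" % share(c, "strict+pfs"))
    print("any TLS at all:          %.1f%%" % share(c, "strict+pfs", "strict", "opportunistic+pfs", "opportunistic"))
```

Run it against a real mail log to get the two numbers the post reports: the share of mail that is encrypted with strict validation and forward secrecy, and the larger share that is merely opportunistically encrypted. The relay match matters: a process that reused a cached TLS session logs no new TLS line, while one that moved on to a different relay without TLS would otherwise be miscounted as encrypted.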
New SSL Features for Amazon CloudFront – Session Tickets, OCSP Stapling, Perfect Forward Secrecy
“You probably know that you can use Amazon CloudFront to distribute your content to users around the world with a high degree of security, low latency and high data transfer speed. CloudFront supports the use of secure HTTPS connections from the origin to the edge and from the edge to the client; if you enable this option data travels from the origin to your end users in a secure, encrypted form. Today we are making some additional improvements to the performance and security of CloudFront’s SSL implementation. These features are enabled automatically and work with the default CloudFront SSL certificate as well as custom (SNI and Dedicated IP) SSL certificates.”
Amazon Web Services.
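The three features in the CloudFront announcement can all be observed from the client side. The following is an added example, not code from Amazon or from this briefing: it parses the transcript that `openssl s_client -status` prints for a TLS 1.2 connection (the embedded transcripts are constructed, not captured from any real host) and reports whether the server stapled an OCSP response, issued a session ticket, and negotiated an ephemeral key exchange. The `probe()` helper shows how to feed it a live host; it needs network access and is not exercised by the samples.

```python
"""Report OCSP stapling, session tickets and forward secrecy from an s_client transcript."""
import re
import subprocess

# Ephemeral (EC)DH key exchange is what gives a session forward secrecy.
PFS_KEX = ("ECDHE-", "DHE-")


def analyse(transcript):
    """Return which of the three features a TLS 1.2 `openssl s_client -status` transcript shows."""
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", transcript, re.M)
    cipher = m.group(1) if m else None
    return {
        # s_client prints the stapled response under "OCSP Response Data" when one arrives,
        # and "OCSP response: no response sent" when the server does not staple.
        "ocsp_stapled": "OCSP Response Status: successful" in transcript,
        # A ticket-issuing server makes s_client dump "TLS session ticket:" plus hex bytes.
        "session_ticket": re.search(r"^\s*TLS session ticket:", transcript, re.M) is not None,
        "cipher": cipher,
        "forward_secrecy": cipher is not None and cipher.startswith(PFS_KEX),
    }


def probe(host, port=443):
    """Live check against a real endpoint (needs network; not used by the samples below)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"],
        input=b"", capture_output=True, timeout=15,
    )
    return analyse(proc.stdout.decode(errors="replace"))


# Constructed transcripts in the layout s_client prints; not captures from any real host.
GOOD = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 1F2E3D4C5B6A79880102030405060708090A0B0C0D0E0F101112131415161718
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 3f 2a 9c 11 d0 7e 55 ab-c4 19 8e 02 6d f1 b3 70   ?*....U.......p
"""

# Static RSA key exchange (AES128-SHA), no stapled response, no ticket: all three missing.
WEAK = """\
OCSP response: no response sent
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: 0A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728
"""

if __name__ == "__main__":
    print("good:", analyse(GOOD))
    print("weak:", analyse(WEAK))
```

One caveat worth keeping in mind when reading the result: session tickets and forward secrecy pull in opposite directions. A ticket is the session's keys encrypted under a server-side ticket key, so if that key is long-lived and later compromised, recorded sessions that resumed from tickets can be decrypted even though the handshake used ECDHE; the protection depends on the operator rotating ticket keys frequently.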
Get Your Hands Off My Laptop: Physical Side-Channel Key-Extraction Attacks On PCs
Encryption keys can be stolen merely by touching the computer. It’s a bit more complex than that, but effectively that’s it: the attack measures small fluctuations in the machine’s electrical potential that track what the CPU is doing while it processes the key.
Newly discovered vulnerability on smartphones
“Researchers claim a new piece of malware can steal highly sensitive data from smartphone apps on Android, Windows Phone and iOS with up to a 92% success rate. The researchers have showcased the proof-of-concept malware running on an Android smartphone with the malicious software able to steal information such as login details, credit card numbers and even sensitive pictures taken with the victim’s smartphone camera. The researchers have not shown the attack working on iOS or Windows Phone operating systems, but they believe that the weakness exists in both platforms to carry out similar attacks ‘because they share a key feature researchers exploited in the Android system’.” (IB Times)
Research – Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks.
Operation Arachnophobia: Caught in the Spider’s Web
“While we are not conclusively attributing BITTERBUG activity to Tranchulas or a specific Pakistani entity, we can confidently point to many characteristics of a Pakistan-based cyber exploitation effort that is probably directed against Indian targets and/or those who are involved in India-Pakistan issues.”
The Anatomy of Comment Spam
Comment spam attacks can cripple a website, impacting uptime, and compromise the user experience. Quickly identifying the source of an attack can greatly limit the attack’s effectiveness and minimize its impact on your website.
Date: Wednesday, August 27, 2014
Time: 12:00 PM British Summer Time
Duration: 1 hour
VMWorld 2014 US
“VMWorld US 2014 returns to San Francisco, California this year and again takes place at the Moscone Center. Join other business and technology professionals, and VMware experts and executives as we all come together to share the stories of our successes over the last year, learn from each other and inspire each other to realize greater achievements in virtualization.”
August 24-28; The Moscone Center, 747 Howard Street, San Francisco, CA 94103
JPMorgan customers targeted in email phishing campaign
Fraudsters are targeting JPMorgan Chase & Co customers in an email “phishing” campaign that is unusual because it attempts to collect credentials for that bank and also infect PCs with a virus that steals passwords from other institutions.
FBI warns healthcare firms they are targeted by hackers
“The FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII),” the agency said in a “Flash” alert obtained by Reuters on Wednesday.