Weekly Infosec News Brief: 01-07 May 2017

Clever and Widespread Google Phishing Campaign Raises Concerns

Last week a new worm spread rapidly through the Internet. It used a very convincing (because it was partly genuine) Google Docs invitation to lure Google users into giving access to their Gmail accounts, then copied itself to addresses in the victim's contacts. Repeating this process led to a rapid storm of emails. Google took action within an hour to remove the rogue app from users' account permissions and stem the tide of emails, but the success of the tactic shows the risk inherent in cloud-based accounts like this -- a quieter version of the same tactic could easily compromise a handful of people without attracting much attention. Selecting and authorizing specific file-sharing services for your organizational data is a good idea, as is ensuring users are trained in how to use them (and what NOT to do).

Google Research Team Hints at a Serious Windows Vulnerability They May Have Found

Tavis Ormandy, the head of Google's "Project Zero" research team, tweeted over the weekend about an extremely serious Windows vulnerability The Project Zero team has faced criticism in the past for releasing details of vulnerabilities before the software maker in question has released a patch; they adhere to a strict policy of providing 90 days' notice to companies, and if a patch is not available by then they generally disclose the vulnerability publicly anyway.

Comments

Post a Comment

Popular posts from this blog

Weekly Infosec News Brief: 14-20 March

Image
Major Media Websites Caught up inNew Malicious Advertising Attacks Last week multiple major advertising networks, including Google's DoubleClick, AppNexus, Rubicon, and AOL were abused by attackers to serve up malicious advertisements on major media sites. These malicious advertisements were redirecting to the "Angler" exploit kit, which uses multiple means to attempt to compromise a browser and install malware. While such malicious ads are common on smaller websites, they are not unheard-of on major media sites. This outbreak, however, was unusually large and long-lived, lasting at least the better part of two days. Given how common malicious web ads are, some security experts are recommending the use of ad blocking technology in web browsers. http://www.computerworld.com/article/3044565/security/advertising-based-cyberattacks-hit-bbc-new-york-times-msn.html Malicious Macros in Word Documents Used to Install Malware with No Files Needed Everything old is new a
Read more

Weekly Infosec News Brief 20-26 July

Image
FBI Sees Massive Increase in Espionage, Including Industrial Espionage, Against the US The FBI on Thursday issued a press release discussing what they believe is an increasing threat of economic espionage against US companies. They estimate that such espionage may cost the US as much as "hundreds of billions" of dollars a year. This espionage is not just directed against large industrial companies, but any place where trade secrets and innovations might be found, including third-party organizations (e.g. business partners, vendors, consultants, lawyers, etc.) affiliated with targeted companies. A key take-away is that the threat is more widespread than most people think, and that few organizations are immune. https://www.fbi.gov/news/pressrel/press-releases/fbi-announces-economic-espionage-awareness-campaign http://www.cnn.com/2015/07/24/politics/fbi-economic-espionage/ Microsoft Releases Out-of-Cycle Patch for Critical Font Driver Bug A flaw uncovered in connecti
Read more

Weekly Infosec News Brief - Oct 12-18

Image
New Flash Zero-Day Vulnerability Being Actively Exploited Last Tuesday, the same day that Adobe released their regular monthly patches, Trend Micro disclosed their discovery of a new zero-day vulnerability being exploited by the “Pawn Storm” hacking group. The observed activity is directed primarily against various nations’ foreign affairs ministries, but the vulnerability (CVE-2015-7645) is not publicly disclosed and may be subject to further exploitation. Adobe released a new out-of-cycle patch for the issue on Friday evening. http://www.cnet.com/news/another-security-flaw-affects-all-versions-of-adobe-flash/ http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/ https://helpx.adobe.com/security/products/flash-player/apsa15-05.html Microsoft Releases Six Patches for IE/Edge, Office, Windows Last Tuesday, Microsoft released six updates that fix about 33 security issues in their browsers, in Windows, and in Office.
Read more