Weekly Infosec News Brief June 15-21

Snapchat Adding Two-Factor Authentication

Popular video-chat service Snapchat has been plagued by security issues for some time, and one measure they are taking to remedy that is introducing two-factor authentication. Users will have the option of enabling this feature, which requires the user to enter a verification code sent by text message any time they log on using a new device.

"Passwords are dead" is a common saying in information security circles today, and it is true that the use of passwords as a sole authentication mechanism is rapidly falling out of favor. But what is the most common place where most people still use just a password to prove their identity when logging on? Work. As more consumer-oriented email apps, banking services, and the like start using two-factor authentication, workplace users are becoming more familiar with the concept and more understanding of the need for it. Is your organization applying multi-factor authentication to your systems?
http://gizmodo.com/snapchat-is-adding-two-factor-authentication-finally-1711311443


Serious Flaws Revealed in Both Samsung and Apple Phones

As mobile devices have become more powerful, and as more work activities and data have moved to these devices, security experts have been predicting the rise of attacks on smartphones similar to those we've seen on PCs for so long. Widespread smartphone-based attacks on corporate data have been few so far, but the cycle of vulnerability disclosures and patches on mobile devices is definitely here. The serious vulnerabilities announced last week in both Samsung's Android-based devices and Apple's iOS devices are simply the latest example. Samsung says they are pushing out a fix to most of their affected devices now, whereas for the time being, Apple users are advised simply to use caution when installing new applications.
http://krebsonsecurity.com/2015/06/critical-flaws-in-apple-samsung-devices/


New Malware Families Hiding Malicious Code in Images

Dell SecureWorks' Counter-Threat Unit has published information on another new family of malware, dubbed Stegoloader, that hides malicious code in an image file. The concept of hiding information inside image files is not new, and researchers have talked about the possibility of attackers doing this for a long time; however, the technique was not known to have been used in earnest until recently. The examples cited still require other malicious code to extract and decrypt the code hidden in the image(s), but they do make it much harder for antivirus software and other techniques to spot the malicious code. This is yet another example of why traditional antivirus software is inadequate for the challenges of the modern security environment.
http://www.darkreading.com/endpoint/new-malware-found-hiding-inside-image-files/d/d-id/1320895


FBI Investigating Allegations of Cyber Spying Between Major League Baseball Teams

Last Tuesday a story came to light suggesting that the St. Louis Cardinals baseball team had been found to be in possession of information that had apparently been stolen from the Houston Astros. The information includes internal discussions, statistics, and analysis regarding specific players and potential trades. The data appears to have come from an internal Astros database, "Ground Control," fueling allegations that Cardinals employees may have "hacked" into the Astros' database. The controversy is further fueled by the fact that the Astros' general manager, Jeff Luhnow, was previously an executive with the Cardinals, having moved between the two teams in 2011. Some have speculated that Cardinals staff could have used their familiarity with Luhnow and his habits to guess his password. How does your organization handle departing employees and ensure that their access isn't retained or leveraged against you?
http://www.darkreading.com/application-security/houston-astros-breach-a-wake-up-call-on-industrial-cyber-espionage/d/d-id/1320947
http://www.eweek.com/security/fbi-investigates-baseball-rival-in-houston-astros-breach-reports.html


LastPass Discloses Breach, Advises Users to Change Master Passwords

LastPass, a popular web-based password manager, announced Monday that they had suffered a breach and that the hashed master passwords for some or all users had been obtained by attackers. LastPass is recommending that users update their master passwords, and has implemented extra checks for when any user logs in from a new device or computer. They are also recommending that users who haven't done so enable two-factor authentication for their accounts (this is a great option for any service that offers it). For more, see our detailed blog post on this story from last week:
http://www.anchortechnologies.com/blog/lastpass-hacked-hashed-master-passwords-taken
