Relatively busy news week this week. Got a number of pretty significant happenings, so let’s get to it!
- First story of the week takes a look at the newly discovered “Sandworm” APT campaign, which seems to be attributed to attackers from Russia. What makes this particular campaign interesting is the use of two Windows “Zero-Day” exploits. Microsoft already has a patch out, so as long as your system is up to date, you are protected. Sophos provides a good summary of the campaign and the associated malware.
- Read More @ nakedsecurity.sophos.com/2014/10/15/the-sandworm-malware-what-you-need-to-know
- Next, in another article by Naked Security, we have a new attack on SSL, dubbed “POODLE”. The root of the problem is a flaw in SSL 3.0 and the way it handles the “padding” process. By taking advantage of this flaw, an attacker can cause an information leak that provides insight into the plaintext that is supposed to be protected by the encryption process.
- Read More @ nakedsecurity.sophos.com/2014/10/16/poodle-attack-takes-bytes-out-of-your-data-heres-what-to-do
- For those of you who are aware of Kickstarter, the crowd-funding service, a recent project called “Anonabox” was announced, and attempted to raise money for a piece of hardware that would “anonymize” your traffic by running it through this device. However, as time went on, a lot of inconsistencies and suspicions surfaced in regards to the promises made, false advertising, etc. This eventually led to the project being exposed as a fraud attempt, and Kickstarter has now officially canceled the funding. This is another reminder to not trust everything on Kickstarter, as this is not the first, nor will it be the last, attempt at something like this.
- Read More @ tech.slashdot.org/story/14/10/17/2136212/kickstarter-cancels-anonabox-funding-campaign
- This next one is an interesting article by BBC News. Europol’s Cybercrime Center is claiming that most cybercrime is really controlled by only about 100 or so “cybercriminal kingpins”. Not sure if I entirely believe that number, but it’s an interesting observation to make. Seems a bit on the low side though.
- Read More @ http://www.bbc.com/news/technology-29567782
- We have brought you a number of privacy-related stories in recent weeks, and more recently a few examples of federal agencies openly criticizing moves by Google and Apple to strengthen the security of their products. This story is another one of that ilk. This time around, the FBI director is making some interesting claims as to why he feels these moves by Google and Apple are bad for all involved. Do you agree or disagree with his stance?
- Read More @ http://threatpost.com/mobile-device-encryption-could-lead-to-a-very-very-dark-place-fbi-director-says/108877
- The next story is another “malvertising”-related one. We seem to be getting more and more of these on high-profile sites. This time, TrendMicro found evidence of YouTube ads leading to “Sweet Orange” Exploit Kit pages.
- Read More @ http://blog.trendmicro.com/trendlabs-security-intelligence/youtube-ads-lead-to-exploit-kits-hit-us-victims/
- Last, but not least, a potential new development in the Home Depot breach. Apparently, two arrests have been made that could be linked to the Home Depot breach. The two were arrested during a routine traffic stop as officers discovered card reading devices in their possession.
- Read More @ http://www.scmagazine.com/police-in-texas-arrested-two-men-find-card-readers/article/377853/