Issue 12

1.5M unpatched WordPress sites hacked following vulnerability disclosure

In last week's newsletter we reported on exploitation of the critical WordPress vulnerability that allows an attacker to edit any page at will. Where last week the biggest campaign had defaced 66,000 sites, the total is now estimated at 1.5 million, with the largest campaign defacing 800,000 websites in 48 hours. The latter was possible because attackers found a way around the firewall rules that the Wordfence plugin had previously used to block this attack.

threatpost.com

 

Inferring your mobile phone password via WiFi signals

This is a paper describing amazing research into determining your password based on how your fingers' movements affect the WiFi signal properties. I recommend reading the abstract for a less crude explanation though. There are limitations, but as one example use case they were able to infer the numeric password of a number of Alipay users with a high success rate. Hacker News discussion here.

fermatslibrary.com

 

IBM brings Watson cognitive computing to security teams

An interesting update on how IBM's Watson is now being used to digest security events and analyse them.

darkreading.com

 

Getting Google employees access from anywhere without firewall borders

An internal project at Google called 'BeyondCorp' aimed to enable every employee to work from untrusted networks without the use of a VPN. They wanted to get rid of traditional firewall setups and instead implemented an access decision engine based on what they know about the user trying to connect and the device being used to connect. Seven years later the project has been successfully completed.

threatpost.com

 

For the US Army, 'Cyber War' Is Quickly Becoming Just 'War'

An interesting piece on the current role of "Cyber Warfare" in the US Army, which apparently already has 30 cyber teams fully operational, with 11 more being put into action by the end of the year.

defenseone.com

 

Google touts progress in Android security in 2016

High-level writeup of an RSA Conference talk by Adrian Ludwig, director of Android security at Google. He talks about the progress that has been made, mainly in the areas of device encryption, device management, Play Store control and update cycles. It can't be an easy job, with 5,033 different variations of Android devices since 2015 and 351 wireless carriers around the world to work with.

threatpost.com

 

Most mobile VPNs have major security concerns

An article by Wired highlighting a recent in-depth analysis of 283 mobile VPN applications in the Play Store. Most of the VPNs were found to be horribly lacking or even straight-up malicious. The best one to come out of it is F-Secure's Freedome VPN.

wired.com

 

The need for a Digital Geneva Convention (Microsoft)

Microsoft is arguing for an Internet version of the Geneva Convention. Where the regular version protects civilians from harsh treatment during wartime, they feel the same needs to be agreed on for cyber warfare now that nation-state hacking is becoming a regular thing.

microsoft.com

 

Schneier brings campaign for IoT regulation to RSA

Bruce Schneier argues for the creation of institutional regulation of IoT devices. We are still in the honeymoon period, he says, and it will take a few disasters, but when real lives are at risk there must be a regulatory framework.

threatpost.com

 

A rash of invisible, fileless malware is infecting banks around the globe

A closer look at 'fileless malware', where the malware in question has no files on the hard drive but exists only in RAM, making detection a lot more difficult. According to Kaspersky Lab this type of malware has already infected over 140 banks, governments and telecom companies in 40 countries.

arstechnica.com

 

How to better protect your WhatsApp account with two-step verification (2SV)

WhatsApp has enabled a form of two-factor authentication to prevent your user account from being moved to another device without your consent. It uses a code that you choose yourself and have to remember between installs, and an optional e-mail address that can be used as a backup.

grahamcluley.com