In last week's newsletter we reported on exploitation of the critical WordPress vulnerability that allows attackers to edit any page at will. Where last week the biggest campaign had defaced 66.000 sites, the total is now estimated to be at 1.5 million, with the largest campaign defacing 800.000 websites in 48 hours. The latter was possible because attackers found a way around the firewall rules that the Wordfence plugin had been using to block this attack.
This is a paper describing amazing research into inferring a user's password from how their finger movements affect Wi-Fi properties. I recommend reading the abstract for a less crude explanation though. There are limitations, but as one example use case, the researchers were able to infer the numeric password for a number of Alipay users with a high success rate. Hacker News discussion here.
An interesting update on how IBM's Watson is now being used to digest security events and analyse them.
An internal project at Google called 'BeyondCorp' aimed to enable every employee to work from untrusted networks without the use of a VPN. They wanted to get rid of traditional firewall setups and instead implemented an access decision engine based on what they know about the user trying to connect and the device being used to connect. Seven years later the project has been successfully completed.
An interesting piece on the current role of "Cyber Warfare" in the US Army, which apparently already has 30 cyber teams fully operational, with 11 more being put into action by the end of the year.
High-level writeup of an RSA Conference talk by Adrian Ludwig, director of Android security at Google. He talks about what progress has been made, mainly in the areas of device encryption, device management, Play Store control and update cycles. It can't be an easy job, with 5.033 different variations of Android devices since 2015 and 351 wireless carriers around the world to work with.
An article by Wired highlighting a recent in-depth analysis of 283 mobile VPN applications in the Play Store. Most of the VPNs were found to be horribly lacking or even straight-up malicious. The best one to come out of it is F-Secure's Freedome VPN.
Microsoft is arguing for an Internet version of the Geneva Convention. Where the regular version protects civilians from harsh treatment during wartime, they feel a similar agreement is needed for cyber warfare now that nation-state hacking is becoming a regular thing.
Bruce Schneier argues for the creation of institutional regulation of IoT devices. We are still in the honeymoon period, he says, and it will take a few disasters, but when real lives are at risk there must be a regulatory framework.
A closer look at 'fileless malware', where the malware in question has no files on the hard drive but exists only in RAM, making detection a lot more difficult. According to Kaspersky Lab, this type of malware has already infected over 140 banks, governments and telecom companies in 40 countries.
WhatsApp has enabled a form of two-factor authentication to prevent your user account from being moved to another device without your consent. It uses a code that you choose yourself and have to remember between installs, and an optional e-mail address that can be used as a backup.