Issue 21

Microsoft releases phone-based login mechanism

When logging in to a Microsoft account you'll get a prompt on your mobile device. No password is needed; you just need to tap 'Approve'.

threatpost.com

 

Chrome, Firefox, and Opera users vulnerable to Unicode domain phishing attacks

A rather old-school attack has resurfaced: phishing sites appear to sit on a valid, TLS-secured domain such as apple.com, but the domain name is actually a string of Unicode characters that closely resemble the letters of our regular alphabet.
For a more elaborate explanation of the Punycode mechanism the article mentions and of how browsers fight it off, check out this blog post from Sophos.

grahamcluley.com
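To make the mechanism concrete, here is a small added detection example (not code from the article or from Sophos): it renders a hostname's non-ASCII labels in the xn-- Punycode form a browser puts on the wire, and flags labels that mix scripts or consist entirely of Cyrillic letters that look like Latin ones. The sample hostnames and the look-alike table are constructed for this example and are deliberately partial.

```python
import unicodedata

# Partial, constructed table of Cyrillic letters that render like Latin letters in
# common fonts. Real browsers use the full Unicode confusables data (UTS #39).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
}


def to_punycode(host: str) -> str:
    """Render each non-ASCII label as the xn-- form sent in DNS and TLS SNI.
    Real IDNA also normalises the label first; this example skips that step."""
    out = []
    for label in host.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def scripts_in(label: str) -> set:
    """Script names of the letters in a label (first word of the Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def homograph_findings(host: str) -> list:
    """Return (label, kind, latin_lookalike) for every suspicious label in host."""
    findings = []
    for label in host.split("."):
        if label.isascii():
            continue  # plain ASCII labels cannot be homographs
        lookalike = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)
        scripts = scripts_in(label)
        letters = [ch for ch in label if ch.isalpha()]
        if len(scripts) > 1:
            findings.append((label, "mixed-script", lookalike))
        elif scripts == {"CYRILLIC"} and all(ch in CYRILLIC_LOOKALIKES for ch in letters):
            findings.append((label, "whole-script-confusable", lookalike))
        else:
            findings.append((label, "non-ascii-label", lookalike))
    return findings


if __name__ == "__main__":
    # Constructed samples: Cyrillic "а" in the second, all-Cyrillic "apple" in the third.
    for host in ["example.com", "p\u0430ypal.com", "\u0430\u0440\u0440\u04cf\u0435.com"]:
        print(to_punycode(host), homograph_findings(host))
```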

 

New breed of DDoS attack on the rise

Akamai has released an advisory on a new type of amplification DDoS attack based on Connectionless LDAP (CLDAP). Their original report can be found here.

darkreading.com

 

Signal spoof set off Dallas emergency sirens, not network hack

It turns out that the siren hack in Dallas wasn't a network-based intrusion, but rather a spoof of radio signals used to control the alarm system.

arstechnica.com

 

NSA's CDX: a high-tech competition pitting cadets against elite attackers

Interesting article on a yearly 'tournament', where students of various military academies need to defend their network against experienced hackers.

cyberscoop.com

 

Researchers develop synthetic keys for fingerprint sensors

Researchers have released their findings on creating a set of 'master keys' for fingerprints, based on the fact that we often only need partial fingerprints to authenticate successfully.

sophos.com

 

Microsoft outlines proposal for cyber-version of the Geneva convention

Microsoft continues on its crusade for a 'digital Geneva convention' to regulate cyber warfare. It published three documents outlining the rules and framework.

nextgov.com

 

Prisoners built two PCs from parts, hid them in ceiling, connected to the state's network and did cybershenanigans

Using spare parts from a computer recycling program, some Ohio inmates built a couple of hidden computers, connected them to the prison network to go online and used them for various acts of mischief.

theregister.co.uk

 

Lessons to learn as McAfee's LinkedIn page is hijacked

Rather embarrassingly, the LinkedIn page of McAfee was hacked this week. It turns out the account's password had been reused elsewhere and two-factor authentication was not enabled.

grahamcluley.com

 

What is HTTP Strict Transport Security (HSTS)

A well-written technical article from O'Reilly on what HSTS is and why it is useful from both a security and a performance perspective.

oreilly.com