Buggy ransomware, more China hacking, innovation in Android security, social media acceptable use, and a lesson in phishing URL composition are this week's top infosec reads.
Hot on the heels of newGOZ is ZeroLocker, the latest incarnation of CryptoLocker. This nasty variant will infect and encrypt personal data on your C:\ drive. To make matters worse, ZeroLocker’s developers made a particularly devastating bungle that can leave you without a decryption key, regardless of whether you pay the ransom (which can be paid in bitcoin!). While ZeroLocker has disastrous implications, we should focus on the insights that this design snafu offers us. Popular media often paints hackers as hyper-intelligent, sometimes megalomaniacal, masterminds of the web, able to outsmart their law enforcement antagonists at every turn. Events like this present security experts with yet another example to debunk that misconception.
A state-sponsored Chinese group may be attacking medical and pharmaceutical companies for intellectual property. This is the first reported incident of China’s activity with consumer data. According to the article, the healthcare sector is well known for underinvesting in security, which makes it an easy target for criminals who appear to be organized, well funded and sophisticated. Security experts quoted in the article point out that China is unlikely to be the only country operating like this (cyber criminals concerned with personal information usually originate in Eastern Europe), that SMBs have no real way to stop state-funded cyber-attacks through conventional means, and that less democratic countries engage in this kind of cyber espionage to protect their country’s corporations.
North Carolina State University and Germany’s Darmstadt Technical University have developed the Android Security Modules (ASM), software that creates a way for developers to “plug in” security features to make the Android market safer for users. Researchers say it will be a small effort to keep the ASM updated alongside the Android OS changes, and could make Android a viable option for BYOD projects. The only hitch is that Google needs to get on board. ASM also faces the uphill task of making over Android’s reputation for poor security. ASM has stiff competition from existing BYOD products, and people can be insufferably resistant to changes when it comes to security, regardless of how innovative and promising the changes are. Consultants speculate that while ASM may not see immediate integration with the current Android model, there’s hope that it will find its niche in the future.
This list is chiefly concerned with acceptable use for professional social media, and most of these guidelines are good practice and etiquette for personal accounts as well. Recommendation 11, however, applies universally: “Google has a long memory. Be smart about what you post.” The article also points at the lack of clear laws relating to social media use, leaving grey areas for employees, employers, or individuals to interpret. In addition to the consequences listed in the article, there are other ramifications that may not immediately be apparent. Social media companies are also big data collectors or companies that monetize private information, so it’s no stretch to imagine that future employers include social media activity in a background check. Check out The Security Skeptic’s STH blog post for more social media AUP insights.
Visual deception remains an important weapon in a phisher’s arsenal. In this Security Skeptic post, Dave uses data from the APWG’s eCrime eXchange to illustrate the many ways that phishers attempt to convince recipients that the hyperlinks they “see” are legitimate. Sleight of hand? You bet.