Monthly News Roundup - November 2014 (TL;DR)


NEWS

Happy Thanksgiving! This month has been typically busy in the world of cyber-security. As we head towards the end of the year, and the holiday shopping season, experts are warning retailers to increase their vigilance. In a year that has seen widespread hacking of companies including Home Depot and Target, it stands to reason that we’ll see an uptick in attacks as shoppers get ready for the holidays. Here are some of the stories that piqued our interest in November:

  1. Bad Guys Using Charities to Verify Stolen Info: In an especially scummy move, criminals have developed an automated bot that steals credit card information and uses charitable giving websites to verify it. Because charities rely on online donations from strangers, particularly towards the end of the year, they rarely challenge online transactions. Experts say that this scheme stands apart from similar efforts both in its exploitation of charity websites and in the volume of information that has been processed.
  2. Password Managers Being Targeted: A new variant of Citadel malware, itself an offshoot of the Zeus banking trojan, has been configured to compromise users’ master passwords for two free, open-source password managers. Although there has been no evidence of successful exploits to date, we can expect to see more efforts to breach password managers as their use becomes more widespread.
  3. Darkhotel Targets Business Travelers: We’ve written about the dangers of using free public WiFi networks. Now Kaspersky Lab has revealed that hackers have been targeting executives staying at high-end hotels in Japan, China, Korea and other destinations since at least 2009. The Darkhotel attack prompts visitors to download a ‘software update’ upon logging into the hotel’s network. As soon as the update is accepted, the malware is downloaded to the target’s computer, giving the bad guys full access to install keyloggers and other applications.
  4. Nonprofits Partnering to Encrypt the Web: Partners including the Electronic Frontier Foundation, Mozilla and Cisco have come together to create a new initiative called Let’s Encrypt. Launching in 2015, Let’s Encrypt aims to create the tools and infrastructure to allow all websites to offer secure browsing to customers and visitors. By removing technical and financial hurdles, the service will make HTTPS encryption available to all users.
  5. Top Cybercriminal Tripped Up By Weak Password: Back in 2012, the FBI apprehended its most wanted cybercriminal. Until now, no one knew how the FBI managed to hack into his computer. As a top criminal, he must have had a top-notch encrypted password, right? Wrong. The FBI’s most wanted used his cat’s name followed by the numbers 1, 2, 3.