Monthly News Roundup - October 2014 (TL;DR)


NEWS

Happy November! October was Cybersecurity Awareness Month, and, perhaps fittingly, it was a busy one. As security experts continued to grapple with the fallout from Shellshock, a new infrastructural vulnerability surfaced. We also saw reports of new breaches affecting everything from Dropbox to Snapchat. Here’s the TL;DR on a few stories we found interesting:

  1. Fallout from Shellshock continues: ArsTechnica has a great write-up about the ongoing challenges presented by Shellshock. As security researchers rush to push out patches and proof-of-concept attacks, bad guys find holes and even pick up the researchers’ work and apply it. With Shellshock, Heartbleed, POODLE and other infrastructure exploits sure to come, security professionals should operate on the assumption that their systems are always partially breached.
  2. Leading title firm breached by phishing attack: On October 30, Fidelity National Financial notified an unspecified number of users that their personal information may have been compromised after an employee fell victim to a phishing attack. The stolen information may have been used in an attempt to reroute money transfers. The compromise raised questions about the firm’s security procedures: with appropriately layered security including elements like two-factor authentication (2FA), the breach would have had negligible effect.
  3. SnapChat images compromised by third-party app: Earlier in the month, up to 13 GB of SnapChat data was stolen and released online. The app subsequently reported that its own systems were secure and that the breach resulted from the compromise of a defunct third-party app users had downloaded to save SnapChat images. In a similar scenario, hackers claimed to have stolen as many as 7 million Dropbox credentials. According to Dropbox, the credentials had been stolen from other related sites and services, then used in attempts to access Dropbox. The lesson: third-party apps are dangerous, and reusing passwords across sites or cross-authenticating is a bad idea.
  4. Google endorses USB security key to streamline 2FA: Two-factor authentication can be effective, but it also puts an additional burden on the user. Google has endorsed a low-cost USB security key that introduces 2FA with the push of a button. The user inserts the key into their device and pushes a button when prompted. In addition to authenticating the user’s credentials, the key prevents logins to fake Google sites. Currently, the key only works with version 38 or above of the Chrome browser.
  5. It’s never too early to learn about cybersecurity: The next generation is getting a head start when it comes to learning about what it takes to stay safe online. This interactive game by NovaLabs puts players in the role of CTO for a growing company. Solving challenges like creating strong passwords or detecting phishing scams helps stave off attacks. Fun for kids of all ages!
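Why a security key of the kind described in item 4 cannot be tricked into logging in to a look-alike site: the browser tells the key which origin is asking, the key signs over that origin together with the server's challenge, and the real server rejects any response signed for a different origin. The model below is an added illustration, not Google's or the FIDO project's code; it uses HMAC in place of the key's public-key signature so it runs with only the standard library, and the origins and the `SecurityKey`/`RelyingParty` names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed origins for the example; the second is a hypothetical phishing site.
REAL_ORIGIN = "https://accounts.google.com"
FAKE_ORIGIN = "https://accounts-google.example"


def _sig(key: bytes, origin: str, challenge: bytes) -> bytes:
    # The signed message binds the origin to the challenge; HMAC stands in for ECDSA here.
    return hmac.new(key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class SecurityKey:
    """Model of the hardware token: derives a per-origin credential from a master secret."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def _credential(self, origin: str) -> bytes:
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Enrollment: the site learns the credential for its own origin only.
        return self._credential(origin)

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # The browser, not the user, supplies the origin of the page that asked.
        return _sig(self._credential(origin), origin, challenge)


class RelyingParty:
    """Model of the real site: verifies responses against its own origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.credential = b""

    def enroll(self, key: SecurityKey) -> None:
        self.credential = key.register(self.origin)

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, signature: bytes) -> bool:
        # Recompute over *our* origin; a signature made for any other origin will not match.
        return hmac.compare_digest(_sig(self.credential, self.origin, challenge), signature)


def legitimate_login(key: SecurityKey, rp: RelyingParty) -> bool:
    challenge = rp.challenge()
    return rp.verify(challenge, key.sign(rp.origin, challenge))


def phishing_attempt_succeeds(key: SecurityKey, rp: RelyingParty) -> bool:
    # Attacker relays the real site's challenge, but the user's browser is on FAKE_ORIGIN.
    challenge = rp.challenge()
    return rp.verify(challenge, key.sign(FAKE_ORIGIN, challenge))
```

The relayed challenge is genuine, yet the response fails because the key signed it for the phishing page's origin, which is the property that makes this stronger than a one-time code the user could be tricked into typing.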