Weekly Security Roundup #39: How Long Can We Tolerate Vulnerable Software for?
What sets apart companies in terms of cyber security challenges is one thing:
The ability to manage, contain and mitigate the consequences of a cyber attack.
And this is becoming a crucial capability that companies all over the world need to integrate in their portfolio.
Of course, this applies to all users as well. Cyber security literacy should become part of our educations, since babies are using technology and the Internet at tender ages.
And the reason I’m saying this is that, for lack of better security awareness, around 180 million people around the world continue to use an operating system that is a fast and easy target for cyber criminals. Or software that lacks adequate security measures.
I’m talking about Windows XP, of course, which was completely cut loose from Microsoft support this week. With no anti-malware defenses left, XP users should ditch the OS in favour of a safer platform. We provided the data-backed reasons in this week’s blogpost.
But more evidence in favor of stronger cyber security awareness continue to pop up. Just look at the reading list below put together for the Weekly Security Roundup:
Security articles of the week
Telegram, the beloved messaging platform focused on privacy, was his this week by a strong DDoS attack, whose objective is still unclear.
However, Telegram disclosed as much as possible in a blogpost earlier this week, sharing details about the infected servers involved in the flooding:
The garbage traffic came from about a hundred thousand infected servers, most noticeably, in LeaseWeb B.V., Hetzner Online AG, PlusServer AG, NFOrce Entertainment BV, Amazon and Comcast networks.
FBI, the Europol and various other agencies across the world joined forces to take down Darkode forum, a central place for the cyber criminal community.
What this shows is that cyber criminals hubs can be penetrated and taken down, in spite of the strong evasion tactics used.
3. The Flash loathing continues
A new week, a new Zero Day vulnerability for Flash makes the headlines. The uproar that Flash has caused in the past couple of weeks had led to Mozilla blocking the Flash plug-in in its browser and Facebook’s Security Chief to call for Flash to be killed.
We’re waiting to see what happens next.
4. Java, you’re not forgotten!
With all this attention focused on Flash, you’d think that Java is doing better – given that it used to be in Flash’s place not too long ago. But not quite.
Oracle published a Critical Patch Update Advisory containing fixes for 193 vulnerabilities!
That was probably also triggered by the fact that the cyberespionage group Pawn Storm was exploiting an unpatched Java flaw.
5. How long can we go on with software as vulnerable as this?
This is the question that everyone is asking, of course. And since companies don’t seem to be able to contain vulnerabilities and release more secure software, regulators are looking into the problem (as well as planning to curb software exports).
Since cyber attacks have affected companies not only in terms of technology, but also financially, CFOs are starting to look close to cyber security strategies.
Deloitte surveyed 100 CFOs at large North American firms for this poll and found that 97% of them considered cyberattacks to be a major threat to their companies.
This is great news, since decision managers from all crucial sectors of a company can now work together to direct the appropriate resources for cyber security and implement adequate measures to protect the company’s assets.
A very interesting read on Dark Reading offers some perspective on the lasting impact of the Hacking Team leaks. They go far beyond exposing data and touch the subject of government interference and more. Highly recommended!
It’s not just that research says so, it’s also because there is no such thing as 100% security. Not in the case of apps, websites or browsers.
A new Acunetix report on 5,500 companies comprising 15,000 website and network scans, performed on over 1.9 million files, finds nearly half of the web applications scanned contained a high security vulnerability such as XSS or SQL Injection, while almost 4 in 5 web applications were affected by a ‘medium security’ vulnerability.
Kids nowadays – the ones with a knack for technology – sometimes use their skills for malicious purposes. So did Seth Nolan Mcdonagh, who coordinated the attack described below:
The massive DDoS attack targeted junk mail tracker Spamhaus on 15 March 2013, knocking it offline. The company requested help from anti-DDoS specialist Cloudflare, which escalated the attacks. At its peak the attack was channeling 300 gigabits of traffic every second to Spamhaus servers, and the sheer scale of it began to impact on LINX – the London Internet Exchange. This in turn began to slow international internet traffic due to the volume of requests.
His sentence is detailed in the article on WeLiveSecurity.
Google let users know that they’re taking additional measures to enhance Google Safe Browsing and protect its Chrome users from malicious software.
In the coming weeks, these detection improvements will become more noticeable in Chrome: users will see more warnings (like the one below) about unwanted software than ever before.
What security news caught your eye this week?