Week in review 12 September 2014
Most of the daily news updates this week revolved around either phishing attempts or the aftermath of phishing. If ever you wanted proof that phishing is effective, this week’s news provided it. The one deviation on the phishing theme was the release of the new Apple Pay this week. Two other items were not included on the daily list, but are mentioned here.
One was the eventually patched vulnerability of traffic light systems; the second was the leak of five million Gmail user credentials during the week. Phishing is a low level form of attack, but is often effective. SC Magazine reported on the findings from a quiz conducted by McAfee labs. 80% of the respondents were tricked by at least one of seven different types of phishing email. The respondents covered the full range of staff, from IT experts to HR professionals. The Dyre malware first surfaced in June 2014. It can slip under the SSL mechanisms of browsers and can also modify and redirect network traffic. This week Salesforce notified its account Administrators that customers were targeted by Dyre.
At the time of writing, none of the Salesforce customers have been infected. The number of this week is 15 million. That is the number of malware infected mobiles worldwide at any given point in time, according to Alcatel-Lucent (via The Register). But this is a conservative estimate, as mobiles from Russia and China are not included. Apple released the iPhone 6 this week. They also announced “Apple Pay”. It’s timely to speculate on what could happen with Apple Pay, given last week’s very high profile hack of Jennifer Lawrence’s iCloud account (though it doesn’t look like Apple iCloud security was at fault in this case). Gizmodo published an article on Apple Pay, which sets out the good, the bad and the unknown.
The saga of the Home Depot breach continues to simmer. Now banks are seeing an increase in debit card PIN fraud. The cause of the breach is still being investigated, but the same malware that caused the Target breach looks to be responsible. The Target breach shows that you only need one successful phish to cause a breach. The Gmail usernames and passwords for five million Gmail users were published online this week, but it looks like many of them are old. It became clear within a few hours that most users were unaffected by the breach. It’s better late than never in our final item. Sensys Networks produce sensors used by traffic control systems.
A vulnerability in the software meant that changes could be made to the software without any checks being made. What this meant was that an attacker could potentially upload malicious code, and possibly cause traffic chaos. Fortunately the software was patched this week. The sensors in question are used in the USA, France, Britain and Australia.