List: 5 essential patches, cyber-scams and industry events that you need to know about.
Every week brings a new wave of threats and fixes in the cybersecurity world. There are new bugs and vulnerabilities emerging all of the time and it is important to keep up to date. CBR rounds up the biggest news from the last five days.
1. US and UK students spar on cybersecurity
Students from the University of Cambridge and the Massachussetts Institute of Technology (MIT) took part in a 48-hour transatlantic hackathon in the latest collaboration between the US and UK in cybersecurity.
Called the Cambridge-2-Cambridge challenge, the hackathon saw participants developing attacks and defences for ongoing challenges, as well as competing in exercises around web security, reverse engineering, cryptography, binary exploitation and forensics.
There were prizes for the best hackers, with MIT student Julian Fuchs taking the Top Hacker and Top Hacking Team prizes respectively.
Last year, during UK Prime Minister David Cameron’s visit to the US he had discussions with President Barack Obama about how the two allies can work together.
2. 8MAN launches cybersecurity consultancy led by CPS expert
8MAN, a security company which specialises in access management, launched a consultancy service to help organisations protect themselves from insider threats and help companies bring criminals to justice.
The initiative will be headed up by Esther George, who has formerly worked at the Crown Prosecution Service, specialising in cybercrime and digital evidence.
The service aims to help medium-to-large corporations which deal with high-risk data, particularly financial services and retail organisations.
The approach will have three main prongs, prevention, detection and response. The consultants will identify vulnerabilities in the company, while advising on policy and technology that can close the security gaps.
3. GCHQ seeks cooperative relationship with tech industry
The head of GCHQ called for a new relationship with technology companies at an MIT event.
Robert Hannigan, in charge of the security agency in November 2014, told the audience that "pragmatic responses" were needed in the privacy debate, and that a "less heated" atmosphere would be required.
Hannigan wished to dispel beliefs that he was at odds with the tech industry, that arose after he wrote a letter to the Financial Times saying that US tech company services had become "the command-and-control networks of choice for terrorists and criminals".
He denied that this was an attack on the industry and argued that he wanted to start a dialogue with tech companies.
4. Microsoft’s Patch Tuesday shores up Internet Explorer, while Adobe follows two days later
According to Russ Ernst, senior director of product management at HEAT Software, five of the thirteen bulletins released on Patch Tuesday are critical.
There were 39 unique vulnerabilities, including 13 vulnerabilities in Internet Explorer which could have could have caused a remote code execution. This could have allowed attackers to take over a user’s machine when they visited a malicious website, according to Ernst.
There were also security updates for Windows PDF Library, which had remote code execution vulnerabilities that could be exploited when a user opened a malicious PDF file.
Two days later, Adobe updated an update fixing three critical vulnerabilities in Adobe Reader and Acrobat.
5. 2013 Trojan Marchers again
Zscaler discovered new instances of the Android Marcher Trojan disguised as a flash player app for watching pornography.
The Trojan has been known since 2013, when it scammed users for credit card information. It has also targeted banking applications by presenting fake login pages to steal user credentials.
A malicious Adobe flash file that arrives via an email or SMS message, which once opened prompts the user to download and install an ‘X-VIDEO’ app. The page claims it has been downloaded over 100,000 times to date, on the official Google Play store.
Marcher will then display a fake Google Play payment screen which asks for the user’s credit card information. The promised app never materialises.