It’s Friday and time for our Weekly News Roundup.
CNet’s Zero Day Blog features an article authored by Ryan Naraine that covers the outcome of Google’s Pwnium hacker contest that was won by teenage hacker “Pinkie Pie”. The teen, who’s true identity could not be reveled because he was not authorized by his employer to participate in the contest, employed three different zero-day vulnerabilities in the browser to evade its protective sandbox. It is further reported here that Google has already repaired the vulnerability and shipped the solution as a critical update.
In the headlines this week, NATO and Facebook were involved in a scam, where military officers and government officials in the USA, Britain, and other allied countries “friended” the well-crafted, but false Facebook profile of Supreme Allied Commander, Admiral James Stavridis. Possible concerns include issues such as blackmail and hacks based on personal information. Further information can be found in the TechEYE.net article by Nick Farrell.
Nick also featured CA Veracode’s own Chris Wysopal, detailing his talk this week at Black Hat Europe about the issues surrounding the extreme vulnerabilities that are being found in the US Government’s coding habits. CA Veracode’s research shows that when measured against OWASP standards, only sixteen percent of government web applications were secure, lower than both the finance industry and commercial software. Even more frightening, further research divulged that 75 percent of government written applications were XSS vulnerable.
Docurated, whose document management platform instantly transforms file storage solutions such as Box, Dropbox, SharePoint, Google Drive and file servers into searchable and actionable content, has closed a $3.75 million Series A financing round.
Kelly Jackson Higgins at Dark Reading, provides a more in depth and detailed examination of the use of advanced persistent threat (APT) methods in financially driven attacks. It appears the main goal behind the employment of APT practices is to increase stay time to increase their payoff. Along with the Chinese cyberspies usually associated with APT attacks, new threats are being seen from criminals and spies in Russia. Interestingly, only slightly above half of these attacks employed some sort of malware, on other occasions attackers used legitimate, albeit stolen user connections to gain access the network. Of the malware that has been used, it has further been uncovered that 77 percent of it is known and publicly available.