Posted January 21, 2016
We publish this weekly threat intelligence brief to keep you informed on the latest security incidents and threats. For security news throughout the day, follow us on Twitter. Subscribe to our blog to stay up-to-date on findings from our analyst research reports!
“A new report shows 84 percent of U.S. FDA-approved health apps tested by IT security vendor Arxan Technologies did not adequately address at least two of the Open Web Application Security Project top 10 risks. Most health apps are susceptible to code tampering and reverse-engineering, two of the most common hacking techniques, the report found. Ninety-five percent of the FDA-approved apps lack binary protection and have insufficient transport layer protection, leaving them open to hacks that could result in privacy violations, theft of personal health information, as well as device tampering and patient safety issues.”
“The European police have arrested a key member of a criminal group involved in Bitcoin extortion. One suspect has also been detained in a global operation against the criminal organisation. The cybercriminal group for Distributed Denial of Service – DDoS – for Bitcoin, or DD4BC has been in action for quite a long time. It has carried out several Bitcoin extortions since the middle of 2014. The primary targets of the group are the online gambling industry, financial services and entertainment sector and other high-profile companies — basically businesses that can pay a ransom.”
– IB Times
Legal and Regulations
Addressing cybersecurity as an important issue for financial markets as cyber-attacks emerge as top threats, the U.S. Commodity Futures Trading Commission (CFTC) approved proposed enhanced rules on cybersecurity for derivatives clearing house organizations, trading platforms, and swap data repositories. The proposals, published in separate Federal Register Notices as Part IV and Part V of Vol. 80 No. 246, identify five types of cybersecurity testing as essential to a sound system safeguards program: (1) vulnerability testing, (2) penetration testing, (3) controls testing, (4) security incident response plan testing, and (5) enterprise technology risk assessments.
– Workplace Privacy Report, Part IV & V
“An XSS (cross-site scripting) bug on eBay’s main domain (ebay.com) would have made phishing campaign operators’ life a lot easier if they had known about it. The bug, discovered by a hacker known as MLT, is a simple reflected XSS attack that would allow an attacker to append special parameters at the end of a URL and trigger the eBay site to execute malicious code in the user’s browser.”
“European data center services giant Interxion is informing customers that it has suffered a security breach, which has seen hackers access contact information stored in its CRM about corporate clients and prospects. In an email seen by this website, and sent to affected customers this weekend, the company explained that it became aware of the security incident in December that saw a hacker access Interxion’s CRM system and run a report that contained information on as many as 23,200 contacts.”
“The White House intensified efforts Friday to fight propaganda and recruitment by extremist groups such as the Islamic State, announcing a new task force and pressing Silicon Valley to help out. The renewed push comes in response to frustration that the IS group has managed to lure and recruit followers in Europe and the United States to launch deadly attacks without detection by intelligence services.”
– Security Week