Our security roundup series covers the previous week’s trending topics in the world of InfoSec. In this quick-read compilation, we’ll let you know of the latest news and controversies that the industry has been talking about.
Here’s what you don’t want to miss from the week of October 26, 2015:
- Two arrests have been made to date regarding the massive breach at UK telecommunications company TalkTalk that occurred last week. London law enforcement announced the separate arrests of two teenagers in connection with the incident. Both suspects were taken into custody on suspicion of having violated the Computer Misuse Act, and have since been bailed. The investigation is ongoing and it is still unclear how many of TalkTalk’s customers may have been affected by the alleged data theft.
- Tor launched its first beta version of Tor Messenger – “a cross-platform chat program that aims to be secure by default and sends all of its traffic over the Tor network,” the anonymity network announced in a blog post. The app automatically enables the Off-the-Record (OTR) protocol to encrypt messages and is compatible with various transport networks, including Jabber (XMPP), Google Talk, Facebook Chat, Twitter, and others.
- The NSA has warned about the increasing danger of destructive cyber-attacks by nation states. According to a report by BBC News, NSA Deputy Director Richard Ledgett stated that nations need to do more to identify clear red lines that, if crossed, will lead to consequences. He added that the U.S. would look at how to respond to attacks on corporations by other states – such as the alleged attack on Sony – on a case-by-case basis.
- Security researcher Yan Zhu recently revealed two vulnerabilities that allow websites to learn the web histories of visitors by targeting HTTP Strict Transport Security (HSTS). Ars Technica explained:
“Taken together, the attacks allow websites to compile a list of previously visited domains, even when users have flushed their browsing history, and to tag visitors with a tracking cookie that will persist even after users have deleted all normal cookies.”
Zhu demonstrated the twin attacks on Firefox and Chrome at the Toorcon security conference last week. She also created a proof-of-concept site to showcase the exploit, which she dubbed “Sniffly.”
- A recent network forensic examination of the popular messaging service WhatsApp has revealed details on the data that can be collected from the application’s new calling feature. Researchers from the University of New Haven and Brno University of Technology found that the Facebook-owned company gathers users’ phone numbers, as well as details on call duration. Nonetheless, the researchers noted that decrypting the network traffic isn’t simple, as both access to the data on the device and the full network traffic are needed.
- Adobe has patched a critical vulnerability in Shockwave Player, which could potentially allow an attacker to take control of the affected Windows or Mac system. According to The Register, an estimated 450 million users run the vulnerable platform and are urged to manually update their systems through the Adobe website.
- The biggest free hosting company – 000Webhost – suffered a huge breach, exposing the personal records of more than 13 million customers, including usernames, passwords in plain text, email addresses, IP addresses and last names. The company acknowledged the breach in a post on its official Facebook page, stating:
“A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.”
The company goes on to urge customers to reset their passwords, adding that it will be upgrading its system step by step and “will be aiming to be super-careful in the future.”