Information Security News
by Peter Bright
Windows Update can't be readily disabled in Windows 10 Home, and the license terms that all users must agree to allow Microsoft to install updates automatically.
The Insider Preview releases of Windows 10 didn't include any way to prevent Windows Update from downloading and installing updates, but it wasn't clear whether this was just a quirk of the previews or the long-term plan. Microsoft's previews often have special rules for things like providing automated feedback and hooking up online services, and the mandatory updates could have been part of that.
Build 10240, released to insiders on Wednesday, changes that. This build is believed to be the release-to-manufacturing build that OEMs will preinstall on hardware, and as such, it contains the finalized settings, license text, and so on.
by Sean Gallagher
Security researchers at Trend Micro's Trend Labs have uncovered a trick in a sample of a fake news application for Android created by the network exploitation tool provider Hacking Team that may have allowed the company's customers to sneak spyware through the Google Play store's code review. While the application in question may have been downloaded fewer than 50 times from Google Play, the technique may have been used in other Android apps developed for Hacking Team customers, and may now be copied by others trying to get malware onto Android devices.
The sample app, called "BeNews", is designed as a Trojan horse for Hacking Team's RCSAndroid "backdoor" malware. It used the name of a defunct news site to make it seem like a legitimate Android application. Wish Wu of Trend Labs wrote in a blog post that the Trend Labs team found the source code for the app within the leaked Hacking Team files, along with documentation "that teaches customers how to use it," he wrote. "Based on these, we believe that the Hacking Team provided the app to customers to be used as a lure to download RCSAndroid malware on a target's Android device."
The app exploits a local privilege escalation vulnerability in Android which has been determined to affect all versions of the mobile operating system from Android 2.2 ("Froyo") to 4.4.4 ("KitKat"). Other versions may be vulnerable as well, according to Wu. The underlying bug, which also affected other Linux-based operating systems, was documented last summer.
2015's Top 5 Higher Ed Infosec Issues [#Infographic] | EdTech Magazine
EdTech Magazine: Focus on Higher Education
Ensuring that members of the institutional community (students, faculty, and staff) receive information security education and training. Developing security policies for mobile, cloud, and digital resources (includes issues of data handling/protection ...
10 Trends In Infosec Careers And Staffing - Dark Reading
It's a reflection of the overall infosec job market, where employers struggle to find enough qualified candidates and opportunities abound for the right candidates. We've put together the results from the Black Hat survey, along with a few other ...
Smartphone apps from Walmart, CNN, ESPN, and dozens of other organizations put user accounts at risk of compromise because they allow attackers to make an unlimited number of login attempts, according to recently published research.
Security experts have long recognized the benefit of limiting the number of unsuccessful login attempts that users can make to online accounts. While such limits make it possible for attackers to lock out legitimate users, that denial-of-service drawback is generally outweighed by the protection they provide against online password cracking, in which attackers make huge numbers of password guesses against specific user accounts in the hope of hitting the right one. Until last September, Apple's iCloud service failed to limit the number of login attempts, a shortcoming that may have contributed to last year's mass celebrity hack and nude photo thefts.
Despite Apple mending its ways, many smartphone apps still allow an unlimited number of login attempts. That failure lets attackers cycle through long lists of the most commonly used passwords against each account. Given the difficulty of entering strong passwords on smartphone keyboards, it's a safe bet that compromising a statistically significant number of accounts over a period of weeks would not be hard.
Infosec firms oppose 'misguided' exploit export controls
A group of IT security vendors has joined forces in an effort to stop the US government from instituting new export regulations that aim to restrict the trade and operation of intrusion software used by hackers. High-profile infosec companies Mandiant ...
Infosec bigwigs rally against US cyber export control rule
Analysis: InfoSec Workforce Growth Stalls - BankInfoSecurity
An Information Security Media Group analysis of Bureau of Labor Statistics employment data - culled from the same household surveys the government uses to determine the monthly unemployment rate - shows that 73,800 people identified themselves as ...
Posted by InfoSec News on Jul 16: http://www.nextgov.com/cybersecurity/2015/07/after-dodging-bullet-hit-opm-interior-owns-cyber-problem/117904/
Posted by InfoSec News on Jul 16: http://www.businessinsider.com/we-found-out-how-much-money-hackers-actually-make-2015-7
Posted by InfoSec News on Jul 16: http://www.wired.com/2015/07/united-airlines-pays-man-million-miles-reporting-bug/
Posted by InfoSec News on Jul 16: http://www.techworld.com/news/security/symantec-incubate-security-startups-with-new-vc-partnership-3619807/
Posted by InfoSec News on Jul 16: http://www.computerworld.com/article/2947760/security/oracle-fixes-zeroday-java-flaw-and-over-190-other-vulnerabilities.html