Information Security News
A low-tech but cunning malware program is worrying security researchers after it started spreading rapidly in the past week through a new attack vector: by forcibly exploiting vulnerabilities in Facebook and LinkedIn.
According to the Israeli security firm Check Point, security flaws in the two social networks allow a maliciously coded image file to download itself to a user's computer. Users who notice the download, and who then access the file, cause malicious code to install "Locky" ransomware onto their computers.
Locky has been around since early this year, and works by encrypting victims' files and demanding a payment of around half a bitcoin (currently £294; $365) for the key. Previously, it had relied on a malicious macro in Word documents and spam e-mails, but Check Point says that in the past week there has been a "massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign."
Bletchley Park—the home of codebreakers whose pioneering work helped Britain and its allies win the Second World War—could be the site for a College of National Security, with plans for it to open in 2018.
The new sixth-form boarding school will, we're told, be run by a private non-profit consortium of tech firms, venture capitalists, and entrepreneurs, with rumoured input from GCHQ. It will enrol 500 teenagers (aged 16 to 19) who will be taught cybersecurity skills—which could, it's hoped, go some way to addressing the shortfall in UK talent.
The outfit behind the college, which would apparently be free for its pupils to attend, says at least part of the syllabus would be set by infosec experts focusing mostly on cybersecurity (roughly 40 percent of the curriculum), with additional modules on maths, computer science, economics, and physics also taught over a three-year period of study. Applicants won't be selected on the basis of specific academic qualifications, so much as through aptitude tests set by the college, or even on the basis of previously demonstrated skills, such as self-taught coding.
Free software (open source or not) is interesting for many reasons. It can be adapted to your own needs, it can be easily integrated within complex architectures, but the most important reason remains, of course, the price. Even so, there are many hidden costs related to free software: in case of issues, a lot of time may be spent searching for a solution or diving into the source code (and everybody knows that time is money!).
Today, more and more organisations are not afraid anymore to deploy free software in their infrastructure, but are those solutions really secure? A customer came to me with an interesting question about performing a security audit of free software. The idea is to validate the software before deploying it in his (very sensitive) infrastructure. This could be seen as a kind of quality assurance.
The idea is not to perform a deep source code review or to pentest the tool, but rather to establish a checklist of key points. I already compiled a rough list of questions that I'd like to share with you:
As a final remark, there is no specific reason not to perform the same for commercial products. Most commercial products either use or depend on open source libraries/software. Also keep in mind that a commercial product doesn't mean a secure one.
Do you have other controls that could be added to the list? Feel free to share your comments!
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant