Highlights from the past seven days in information security include an analysis of the BlackEnergy trojan and Microsoft’s decision to end support for older versions of Internet Explorer.
Expert insight into BlackEnergy attacks in Ukraine, thoughts on Microsoft ending support for older versions of Internet Explorer and the implications of the third-party Fitbit hack on the Internet of Things … we’ve got you covered for all the important security stories from the past seven days.
Insight into the BlackEnergy attack on Ukrainian energy companies
In an interview with We Live Security, Robert Lipovsky, a senior malware researcher at ESET, offered his expert insight into this fascinating story, stating that it is presently difficult to attribute the recent power outage in Ukraine solely to the BlackEnergy trojan. However, the malware was nevertheless detected in several electricity distribution companies within the country. He stated: “Another important aspect of this case is that the attack on the Ukrainian power sector may indicate how future complex attacks could look. Power is an Achilles heel for any organization. A serious blackout is every enemy’s dream.”
Analysis of Microsoft’s decision to end support for older versions of Internet Explorer
As Aryeh Goretsky, a distinguished researcher at ESET, put it, Microsoft’s follow-up to its 2014 promise to end support for older versions of Internet Explorer went with “more of a whimper than a bang”. Microsoft announced that as of January 12th, versions 8, 9, and 10 will no longer be supported on Windows 7, Windows 8.1 and Windows 10. “The reason for these changes is simple,” he explained. “Reducing the number of computers running older versions of Internet Explorer, and getting as many computers as possible running the latest version of Internet Explorer available to them, greatly improves the security of the Windows ecosystem.”
Discussion on the implications of the third-party Fitbit hack for wearables and IoT
Stephen Cobb, a senior security researcher at ESET, looked into the implications of the recent third-party hack that resulted in Fitbit users being compromised, noting that activity trackers “need a secure ecosystem in which to operate”. As things presently stand, the security measures that govern these devices – fundamentally a username and password combination – are somewhat lacking, he argued. Mr. Cobb added that part of the security burden falls on consumers – they need to take some responsibility by “observing the rules of cyber hygiene”.
Security holes found in Windows, Office, Internet Explorer and Adobe products
Security analyst Graham Cluley detailed the raft of recent security updates announced by Microsoft and Adobe. In short, if you own any of their products, it’s vital that you patch these identified vulnerabilities. For example, six of the nine security bulletins issued by Microsoft are critical, Mr. Cluley explained, meaning that if they are not addressed, they could be ripe for exploitation. In his article he also predicted that 2016 is “bound to be a bumpy ride” from a security point of view.
Online predator busted after being intercepted by tech-savvy mom
“With the help of modern and increasingly widespread technology, you can get a feel for what your youngsters are up to when they surf the web.”
Excellent cyber parenting skills from a New York mom led to the arrest of an online predator, reported Ondrej Kubovič, a security evangelist at ESET. The 33-year-old convicted sex offender had been grooming the anonymous mother’s 15-year-old daughter via Facebook. However, as a result of having in place an ‘internet monitoring agreement’ with her daughter, the mom was able to alert the authorities. “With the help of modern and increasingly widespread technology, such as parental control tools, you can also get a feel for what your youngsters are up to when they surf the web, whom they are talking to, and how much time they spend online,” Mr. Kubovič highlighted.
Employees face penalties for ‘misinterpreting security policies’
A new study by Nuix revealed that corporations are looking to take a much tougher stance on insider threats, with more firms indicating that they will penalize employees who “invite a data breach”. The paper, titled Defending Data, indicated that executives are increasingly less likely to be tolerant of cybersecurity gaffes among their workforce. As such, corporations will start to discipline people who “misunderstand, misinterpret, or miscalculate longstanding security policies and procedures”.