Friday, December 4, 2015

Be careful who you accept on LinkedIn

This time the new advice comes from Symantec, and it is about fake LinkedIn profiles used to get access to your contacts and gather intelligence for various attacks. Today we'll also talk about bugs in most mobile apps, about a new ransomware campaign that steals passwords too, and about the kick-off of the new Let's Encrypt initiative, welcomed by the infosec community.

Be careful with beautiful women claiming to be recruiters from various employment companies. They could be fake profiles created by cybercriminals who want to access our professional contacts in order to gather intelligence. Their objective could be spear-phishing attacks to plant extortion malware or to spy on their victims' computers. Symantec warns that these fake profiles can be found in every professional sector, not only in infosec, where the first wave was detected.

Unsecure apps
We now enter a territory we had not visited in at least the last 48 hours, which is strange because it is actually one of the top topics in infosec: mobile apps. According to Veracode research, 80% of iOS and Android apps have serious encryption failures that expose them to SQL injection attacks. The most affected are those built with PHP, ColdFusion and Classic ASP; the most secure are those built with Java and .NET.
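To make the SQL injection risk mentioned above concrete, here is an added example (not from the original post, and not Veracode's code) showing the defect that appears regardless of language: a query built by string concatenation beside its parameterized form. The database schema, the user rows and the malformed input are all constructed for the demonstration and run against an in-memory SQLite database.

```python
import sqlite3


def make_db():
    """Build a small in-memory user table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def lookup_user_unsafe(conn, username):
    """Vulnerable: the caller-supplied value is spliced into the SQL text,
    so quote characters in it change the meaning of the query."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Hardened: the value travels as a bound parameter and is only ever
    compared against the column, never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed malformed input: a value no legitimate username field should contain.
MALFORMED_INPUT = "x' OR '1'='1"


def compare(username):
    """Run both variants on the same input so the difference is visible."""
    conn = make_db()
    return {
        "unsafe_rows": lookup_user_unsafe(conn, username),
        "safe_rows": lookup_user_safe(conn, username),
    }


if __name__ == "__main__":
    # The unsafe lookup leaks every row; the safe one matches nothing.
    print(compare(MALFORMED_INPUT))
```

The fix is the same in PHP (prepared statements via PDO or mysqli), ColdFusion (`cfqueryparam`) and Classic ASP (ADO command parameters): the platform only matters insofar as its idioms make concatenation the path of least resistance.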

Malware cocktail
Another insecure territory is the one created by the viruses generically called ransomware. Today we learned that the attack on Reader's Digest magazine, active at least since the first days of November, was not a normal ransomware attack: it installed a "malware cocktail" on the victims' computers. First, the Pony malware, which steals user names and every password it finds and sends them to the attackers. Then the Angler exploit kit, designed to find security holes in the system; once it has identified them, it uses them to install the CryptoWall ransomware.

Let's Encrypt!
It is certainly scary, even more so when we realize we do not have many defenses. One of them is digital certificates, which ensure our connections are encrypted. To end the week on a good note, nothing better than announcing that the beta phase of the Let's Encrypt initiative begins today, and it is now possible to request our own certificates, totally free.

We end our Friday report on this hopeful note, encouraging our readers to have a look at our website this Sunday, when we will publish a recent talk we had with cybersecurity expert David Barroso.
