The most noteworthy story for this edition is the hack at Tesco, a British financial institution. Adversaries were able to conduct fraudulent transactions on thousands of current accounts, stealing about £2.5 million pounds. When the attack was discovered, the bank froze all online transactions to prevent additional damages, while downplaying the issue by stating that only 20,000 of its 8 million customers were affected.
Unfortunately, the stories about large IoT botnets are not going away. While Bruce Schneier draws a few excellent lessons from the major attack on Dyn’s DNS infrastructure, a new botnet is on the rise. The new malware combines code snippets from various predecessors, and was capable of infecting about 3500 devices in just five days.
Remember the allegedly state-sponsored attack on Yahoo! in 2014, that only came to light a few weeks ago? In an official report about the incident, Yahoo! admitted that some of their staff members already knew about the attack when it happened in 2014. Why it was not reported back then remains a mystery. In the meantime, Yahoo! has already spent over a $1 million on the fallout of the megabreach, and more losses are expected in the reports of the final quarter of 2016.
Last edition, we pointed out that Firefox users loaded more than 50% of their pages over HTTPS. In this edition, the same can be said about Chrome users. This is an important result of Google’s strong push for an encrypted web, which includes limiting certain features in Chrome to Secure Contexts only.
There are two upcoming opportunities to get hands-on training on the latest security technologies:
- On December 6 and 7, you can attend the Web Security Essentials training course, which will show you where your applications are vulnerable, how you can protect them, and which best practices you should be applying today!
- On November 24th, I’ll be giving a one-day training on A+ grade TLS for the OWASP BeNeLux Day 2016
As usual, you can find the full list of events on my speaking page.