Security Newsletter, Week 18

Catch up on this week's security news with the Adacis newsletter:

In this issue:

« “2014 saw a shift from a balanced targeting of Java and Flash to over 90 per cent focus on Flash,” the team told delegates to RSA San Francisco last week. “The drop in Java exploits corresponds to a new Internet Explorer feature which blocks the use of out-of-date Java.” »

« Security expert and penetration tester Marcus Murray discovered a way to use a malicious JPEG to compromise modern Windows servers and elevate privileges over targeted networks. The researcher has demonstrated the attack a few days ago in a live hack for the RSA conference in San Francisco, the hacker used a malicious JPEG to violate the system at an unnamed US Government agency that ran a flawed website that allows photo upload. »

« Many Antivirus applications and other security products use similar techniques to intercept HTTPS traffic. I had a closer look at three of them: Avast, Kaspersky and ESET. Avast enables TLS interception by default. By default Kaspersky intercepts connections to certain web pages (e.g. banking), there is an option to enable interception by default. In ESET TLS interception is generally disabled by default and can be enabled with an option. »

« Several thousand computers running the Linux and FreeBSD operating systems have been infected over the past seven months with sophisticated malware that surreptitiously makes them part of a renegade network blasting the Internet with spam, researchers said Wednesday. The malware likely infected many more machines during the five years it’s known to have existed. »

« Less than 24 hours after Google unveiled a Chrome extension that warns when user account passwords get phished, a security researcher has devised a drop-dead simple exploit that bypasses it. »

« The FISMA report states that U.S. Computer Emergency Readiness Team incident reports ‘indicate that in FY 2013, 65 percent of federal civilian cybersecurity incidents were related to or could have been prevented by strong authentication implementation. This figure decreased 13 percent in FY 2014 to 52 percent of cyberincidents reported to US-CERT.’ »

« The debate over whether companies should be forced to build in ways for law enforcement to access communications protected by encryption took a tense turn this week in a congressional hearing.
On one side were law enforcement officials, including a high-ranking FBI official. On the other were tech-savvy members of the House Government Oversight and Reform Committee’s Information Technology subcommittee — two with computer science degrees. »


  • Also in the news this week:

Presentation slides on current trends in Microsoft security vulnerabilities (RSA 2015)

Russian hackers were able to gain access to President Barack Obama's non-confidential emails