A roundup of the top news stories in information security this week, including the UK warning its government agencies to steer clear of Kaspersky Lab products, PayPal dealing with a data breach, and NIST's latest Cybersecurity Framework draft.
UK Government Agencies Warned Off Kaspersky Lab Software
The controversy surrounding Kaspersky Lab products continues as the UK warns its government agencies to steer clear of the Russian company’s products. The UK’s National Cyber Security Centre (NCSC) issued new guidance on the risks presented by “cloud-enabled products.” In a separate letter, NCSC CEO Ciaran Martin warned specifically of “Russian antivirus companies” and said agencies must be “vigilant to the risk that an [antivirus] product under the control of a hostile actor could extract sensitive data.”
Company Acquired by PayPal May Have Experienced Breach Impacting 1.6 Million
A payment processing firm acquired by PayPal in July has disclosed a security incident that may have compromised the personal information of up to 1.6 million of its customers. TIO Networks announced in November that its operations would be suspended after PayPal discovered security flaws on its platform and data security practices that did not meet PayPal’s information security standards. Last week the company, which PayPal acquired for $238 million, confirmed the breach.
Former NSA Employee Pleads Guilty to Exposing Classified Data to Russian Hackers
An ex-NSA employee pleaded guilty to illegally removing sensitive government data from his former employer. Nghia Hoang Pho, 67, pleaded guilty on Friday to a charge of willful retention of national defense information in connection with an NSA leak. Pho stored the information in his home over a period of five years.
‘ParseDroid’ PoC Attack Targets Developers
A proof-of-concept (PoC) attack developed by researchers at Check Point could affect users of integrated development environments such as IntelliJ, Eclipse and Android Studio. Dubbed ParseDroid, the attack targets developer tooling rather than apps themselves: the researchers said, “the vulnerabilities in question are the developer tools, both downloadable and cloud-bred, that the Android application ecosystem, the largest application community in the world, is using.”
Virtual Keyboard App Leaks Personal Data on 31 Million Users
Thanks to an unprotected database, the personal information of 31 million users of a virtual keyboard app may have been exposed. The app’s developer failed to secure the database server, allowing anyone on the internet to read the company’s user records without authentication. The database contained records only for the app’s Android users.
Flaws Found in Email Client Applications Allow for Spoofed Emails to Bypass DMARC
Attackers can bypass anti-spoofing mechanisms such as DMARC by leveraging a collection of flaws recently discovered in email client applications. Security researcher Sabri Haddouche found the group of vulnerabilities, dubbed Mailsploit. The bypass does not defeat DMARC itself: the message is sent from a domain the attacker controls and passes DMARC for that domain, while the flaws cause the client to display a different, spoofed sender name and address to the user.
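The following Python sketch is an added example, not code from the original article or from Haddouche’s PoC. It assumes, beyond what the roundup states, the publicly described Mailsploit pattern: the From header is built from RFC 2047 (formerly RFC 1342) encoded words whose decoded text contains a NUL byte, so a client that treats the decoded value as a C string or a single line shows the spoofed address, while DMARC aligns on the attacker’s real domain after the last “@”. All addresses and domains are constructed placeholders.

```python
"""Mailsploit-style From header: one sender is displayed, another is what
DMARC actually evaluated. Constructed example; all names are placeholders."""
import base64
import email.header
import re

# Anything a C-string or single-line renderer would truncate at, or hide behind.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def encoded_word(text: str) -> str:
    """Wrap text in a base64 RFC 2047 encoded word: =?utf-8?b?...?="""
    return "=?utf-8?b?" + base64.b64encode(text.encode()).decode() + "?="


def build_spoofed_from(spoofed: str, sending_domain: str) -> str:
    """Assumption: the Mailsploit pattern as publicly described. The decoded
    local part reads '<spoofed>\\x00<spoofed>' and is followed by the
    attacker's real '@<sending_domain>', which is the domain DMARC checks."""
    return (encoded_word(spoofed) + "=?utf-8?Q?=00?=" + encoded_word(spoofed)
            + "@" + sending_domain)


def decode_header_value(raw: str) -> str:
    """Decode every encoded word in a header value into a single str."""
    parts = []
    for chunk, charset in email.header.decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def naive_display_sender(raw: str) -> str:
    """Emulates a vulnerable client: decode, then stop at the first NUL or
    newline, silently dropping the attacker's real address."""
    return re.split(r"[\x00\r\n]", decode_header_value(raw), maxsplit=1)[0]


def dmarc_alignment_domain(raw: str) -> str:
    """Domain DMARC aligns on: the addr-spec domain of the raw RFC5322.From,
    i.e. the text after the last '@', with angle brackets stripped.
    Simplified: assumes a single address without comments."""
    addr = raw.strip()
    if addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[1].lower()


def hardened_display_sender(raw: str) -> tuple[str, bool]:
    """Hardened client: decode, replace control characters with U+FFFD and
    flag the header, and always show the domain DMARC evaluated."""
    decoded = decode_header_value(raw)
    suspicious = bool(CONTROL_CHARS.search(decoded))
    shown = CONTROL_CHARS.sub("\ufffd", decoded)
    return f"{shown} [{dmarc_alignment_domain(raw)}]", suspicious


if __name__ == "__main__":
    hdr = build_spoofed_from("ceo@victim.example", "attacker.example")
    print("raw From:     ", hdr)
    print("naive client: ", naive_display_sender(hdr))
    print("DMARC domain: ", dmarc_alignment_domain(hdr))
    print("hardened:     ", hardened_display_sender(hdr))
```

The naive renderer shows `ceo@victim.example`, yet SPF, DKIM and DMARC were all evaluated for `attacker.example`, which the attacker legitimately controls. The hardened path never trusts the decoded display string alone: it rejects control characters and pins the DMARC-aligned domain next to whatever name is shown.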
New Cybersecurity Framework Draft Released
This week the National Institute of Standards and Technology (NIST) released the second draft of version 1.1 of its Cybersecurity Framework, the voluntary framework first published in 2014. The revision includes significant changes to the existing guidance on self-assessment of cybersecurity risk and adds new guidance on authorization, authentication, identity proofing, and more.
Security Fix Issued for Popular Desktop Sharing Software
TeamViewer issued an emergency security fix for a vulnerability that allowed an attacker to take control of a PC through an active desktop-sharing session. The popular remote-desktop software is used by organizations to host online meetings and conferences. The flaw was discovered by Reddit user xployt, who warned other Redditors about it on Monday.