Indian government websites are attacked by Algerian hacktivists thought to be affiliated with al Qaeda. The campaign apparently goes back to last January.
Several vulnerabilities make the news at week's end. VUPEN (a "controversial" bug-hunting exploit-seller) claims it has a zero-day exploit for Windows 8: it appears to be a sandbox bypass for IE10 that works with ASLR, DEP and anti-ROP mitigations enabled. Apache's server-status page (served by mod_status), when left reachable from the Internet, discloses which sites a server hosts and what its clients are requesting, handing attackers a ready-made target list. Security through isolation within public clouds is undermined by a new cross-VM side-channel attack: a malicious virtual machine co-resident on the same physical host can infer secrets from its neighbour.
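The mod_status exposure is a configuration mistake, so the fix is configuration. The fragment below is an added example written for this digest, not a configuration taken from any of the reports it summarises or from the Apache project; the admin network 10.0.0.0/8 and the module path are assumptions for illustration. The commented-out block is the weak form, the live block the corrected one.

```apache
# Added example (not from the original digest). The 10.0.0.0/8 monitoring
# range and the module path below are assumed for illustration.

# --- Weak: status page reachable by anyone ----------------------------------
# With ExtendedStatus On, an anonymous visitor to http://host/server-status
# gets every VirtualHost the server handles, each in-flight request's client
# IP and URI, worker PIDs, and uptime: an inventory of hosted sites for free.
#ExtendedStatus On
#<Location "/server-status">
#    SetHandler server-status
#    # Apache 2.2 style with no restriction (or "Allow from all")
#</Location>

# --- Corrected: restrict the handler to local and monitoring clients ---------
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
    # Apache 2.4: several Require lines in a Location are OR-ed (RequireAny).
    # "Require local" matches loopback and the server's own addresses only;
    # add the monitoring network (assumed 10.0.0.0/8 here) if it needs access.
    Require local
    Require ip 10.0.0.0/8
    # Apache 2.2 equivalent of the two lines above:
    #    Order deny,allow
    #    Deny from all
    #    Allow from 127.0.0.1 10.0.0.0/8
</Location>

# If nothing consumes the status page, do not load the module at all
# (path assumed; it varies by distribution):
#LoadModule status_module modules/mod_status.so
```

A quick external check after reloading: `curl -s -o /dev/null -w '%{http_code}\n' http://host/server-status` should print 403 (or 404 once the module is unloaded), never 200. The same check is worth running against every name the server answers for, since a status handler set at server scope applies to all virtual hosts.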
A ransomware campaign brandishes the Anonymous name in extortion threats. A leading British CCTV supplier suffers an SQL injection attack. Japanese banking customers continue to fall for phishing. More investigations of the cyber criminal underground appear, and the sophistication of the criminal-to-criminal marketplace is surprising. (One report includes an exploit price list.)
As South Carolina works to mitigate the effects of its Revenue Department breach, more observers accuse its IT managers of negligence. (Fiscal liability is capped at merely $600k.) Reactions of individuals and communities affected by the breach should interest policy-makers.
F-Secure expects governments to do more cyberwar muscle-flexing in the coming year. The US intelligence budget drops for the second year. Industry and government continue to find cyber talent scarce (US Homeland Security chief Napolitano moots formation of a "cyber reserve" to help).
Dark Reading offers advice on communicating risk to executives. NC State and IBM develop a natural-language processing tool intended to help developers check that their software meets the security policies users ask for.