More low-level cyber vandalism on the Subcontinent: this time India's Bharatiya Janata Party's the target.
Ars Technica calls checking certificate revocation in browsers post-Heartbleed "futile". (ZDNet gives Chrome a lonely good grade, however, in handling revocation.) Heartbleed may require what some observers call "rehab" as opposed to simple fixing. One surprising comparison is with Y2K—ComputerWeekly forecasts a similar squeeze on available IT labor. One hopes Heartbleed is approached more realistically than was Y2K.
Automated credential-stealing malware, "Subterfuge," is enabling man-in-the-middle attacks. A DSL router backdoor was apparently only hidden, not closed, by the patch issued to fix it. Zeus's peer-to-peer versions evolve. The Feedly Android app JavaScript zero-day seems closed, with some credit going to responsible disclosure. Unflod Panda remains a threat to jailbroken iPhones.
As businesses continue to receive warnings of their cyber risks, Verizon's Data Breach Investigations Report notes some trends. Positive: point-of-sale data breaches are trending downward. Not-so-positive: cyber espionage is up (emanating particularly from Russian-speaking regions, now more than from China), stolen passwords remain a big problem, and cyber criminals are inside businesses' defensive decision cycles.
Information sharing remains more aspirational than one would like to see, but positive signs include financial sector leadership from the Bank of England and US retailers' firm plans to stand up a threat information exchange this summer. The CyberRX attack exercise, on the other hand, shows how healthcare IT lags (unsurprisingly, given that sector's particular sensitivity to privacy).
In industry news, Parsons buys Secure Mission Solutions; Sysorex acquires AirPatrol.