Allegations surface of a Pakistani government cyber campaign directed against Indian targets.
Kaspersky continues to admire the Equation Group's work, today marveling at its stealth.
Also from Kaspersky comes a description of "Podec," an Android Trojan that can induce CAPTCHA to pass it as a human. Podec is crimeware: it subscribes its victims to unwanted premium services.
IBM's X-Force discovers a remotely exploitable vulnerability in Dropbox SDK for Android.
A researcher at Sakurity releases a proof-of-concept exploit that uses cross-site request forgery to hijack Facebook logins. The researcher disclosed the flaw in January, and chides Facebook for not having addressed it then. Facebook declined to do so, reports say, because it was unwilling to disrupt compatibility with sites that use the login feature.
Vulnerabilities in Nextep point-of-sale systems are said to show the importance of updating or replacing legacy systems.
Microsoft's Patch Tuesday fixes addressed, as expected, FREAK and universal cross-site-scripting vulnerabilities. More surprising is a patch for the .LNK vulnerability — a hole Stuxnet exploited — which had been thought fixed by updates in 2010. Microsoft is also teaming with Lenovo to mop up Superfish contamination in Lenovo devices.
Yahoo patches its eCommerce services.
Experts worry, again, about the greatly expanded attack surface the Internet-of-things and its associated "smart cities" present. (Kaspersky is in a particularly apocalyptic mood.)
Cyber insurance providers and their customers continue to grope toward improved risk assessment.
Bain Capital buys Blue Coat, and PayPal confirms its acquisition of CyActive.
State Department emails and "homebrew servers" raise eyebrows.