Week in review: Facebook data breach fallout, BEC-as-a-Service, true password behaviors
Here’s an overview of some of last week’s most interesting news and articles:
APTs are targeting IT service providers
Managed service providers (MSPs) and cloud service providers (CSPs) are under attack by advanced persistent threat (APT) groups, the U.S. Department of Homeland Security warns.
Regularly updating your wireless router is not enough to ward off attacks
The non-profit American Consumer Institute Center for Citizen Research (ACI) has tested the latest available versions of the firmware of 186 Wi-Fi routers present in the U.S. market, and found that 155 (83%) of them contain known open source vulnerabilities.
How to minimize the negative effect of mobile device loss or theft
Have you, like me, become inordinately obsessed with the security of your smartphone? And are you forever checking your pockets to make sure you haven’t left it behind in a coffee shop, your car, office, the airport lounge, the hotel you left for good three hours ago? It’s sad to admit, but too often I’m left panicking by my phone not being in the place I expect it to be.
The ultimate fallout from the Facebook data breach could be massive
The stolen tokens allowed the attackers to take over victims’ Facebook accounts but could also have been used to log into accounts the victims opened on other websites and apps by using Facebook Login (i.e., using Facebook as an identity provider).
Heading into October Patch Tuesday on the heels of big announcements from Microsoft
October is here and Patch Tuesday is next week, followed quickly by Halloween. Don’t be scared (unless you are a Facebook user)! The winds of change are blowing this fall season, starting with several new announcements from Microsoft.
Vulnerable Android password managers make phishing attacks easier
Android password managers can be tricked into entering valid login credentials into phishing apps, a group of researchers has discovered.
California Governor signs strong net neutrality protections into law
California Governor Jerry Brown signed into law SB 822, the strongest and most comprehensive state-level net neutrality bill in the country. He also signed into law a new IoT legislation that should make it harder for bots to take over the myriad of connected devices sold in California.
Safe IT/OT integration with unidirectional security gateways
The reason SCADA security is so controversial stems primarily from the intense consequences that come from a compromise in this area. In this podcast, Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions, and Edward Amoroso, CEO of TAG Cyber, talk about how unidirectional security gateways enable safe IT/OT integration.
China allegedly infiltrated US companies through implanted hardware backdoors
Many US companies, including Amazon and Apple, have been the victims of a clever supply chain attack that resulted in compromised hardware (servers) being installed at some of their facilities, an explosive report by Bloomberg claims.
BEC-as-a-Service: Hacked accounts available from $150
While phishing is a common means of attack, the research reveals criminals are resorting to a wide variety of methods to access business email accounts. But in many cases, companies are inadvertently making it easy for cybercriminals.
Popular TP-Link wireless home router open to remote hijacking
By concatenating a known improper authentication flaw with a newly discovered CSRF vulnerability, remote unauthenticated attackers can obtain full control over TP-Link TL-WR841N, a popular wireless consumer router used worldwide.
Bridging the priority gap between IT and security in DevOps
For DevOps teams to address this priority gap between IT and security teams during DevOps, the best strategy involves optimizing automated solutions to support the governance, risk, and compliance activities that are now considered essential to any modern software process.
For some cloud services more than 75% of accounts are utilized by hackers
Malicious accounts are eight times more likely to originate via cloud services than normal users.
True password behaviors in the workplace revealed
LastPass released the “2018 Global Password Security Report,” revealing true password behaviors in the workplace and creating a benchmark that businesses can use to measure progress when investing in password security tools.
WWW inventor announces Solid, a push to create a decentralized web users can trust
Solid is a platform that’s built using the existing web (it relies on existing W3C standards and protocols), as well as a proposed set of conventions and tools for building decentralized social applications based on Linked Data principles.
You gotta fight, for your right, to erasure
There are a several reasons why a data subject may request their private information be erased, such as: the original purpose for which that data was obtained has been fulfilled and there is no need to hold onto it any longer, the data was collected unlawfully, or the data subject is withdrawing their consent to use of their private information.
Python-based attack tools are the most common vector for launching exploit attempts
Python is extensively used in the information security industry and is particularly helpful for exploit development (it’s versatile and requires minimal coding skills), so it shouldn’t come as a surprise that bad actors like it, too.
It only takes one data point to blow open a threat investigation
The most important thing you need to remember is that hackers are creatures of habit. Once you know how to connect the dots between the activity you’re seeing, you’ll be able to spot suspicious patterns.
Adobe fixes 47 critical flaws in Acrobat and Reader
Adobe has released security updates for Adobe Acrobat and Reader, and they fix a prodigious amount of critical (47) and important (39) vulnerabilities affecting both software packages.
A final call for replacing security certificates using Symantec roots
Help Net Security sat down with Jeremy Rowley, Executive Vice President of Product at DigiCert. He leads the company’s product development teams serving its TLS and digital certificate clients for web communications and emerging markets clients that require security solutions for the Internet of Things, U.S. federal healthcare exchange, advanced Wi-Fi and other innovative technology sectors.
New infosec products of the week: October 5, 2018
A rundown of infosec products released last week.