Week in review: Windows DoS zero-day, uncloaking Tor Browser users

Here’s an overview of some of last week’s most interesting news and articles:

Half of IT pros don’t know how to improve their security posture
Mid-market enterprises have high confidence in their cybersecurity defenses, but they struggle to defend against malicious activity that has become more sophisticated and targeted.

Uncloaking Tor Browser users with DRM-protected files
Digital Rights Management (DRM)-protected media files can be used to reveal Tor Browser users’ actual IP address and therefore possibly reveal their identity, HackerHouse researchers have demonstrated.

Recommendations to help the security of ICS-SCADA systems
ENISA’s study on communication network dependencies aims to help asset owners defend their critical infrastructures from emerging cyber threats. The main objective is to provide insight into the communication network interdependencies currently present in industrial infrastructures and environments, mapping critical assets, assessing possible attacks and identifying potential good practices and security measures to apply.

Six best practices for managing cyber alerts
Ignoring alerts is not an option, so how can busy professionals help their staff members manage the increasing volume without jeopardizing the security of the organization?

Exploit for Windows DoS zero-day published, patch out on Tuesday?
A zero-day bug affecting Windows 10, 8.1, Windows Server 2012 and 2016 can be exploited to crash a vulnerable system and possibly even to compromise it.

Cisco Prime Home flaw allows hackers to reach into people’s homes
Cisco has patched a critical authentication bypass vulnerability that could allow attackers to completely take over Cisco Prime Home installations, and through them mess with subscribers’ home network and devices.

WordPress kept users and hackers in the dark while secretly fixing critical zero-day
On January 26 WordPress released the newest version (4.7.2) of the popular CMS, ostensibly fixing three security issues affecting versions 4.7.1 and earlier. What the WordPress team didn’t share at that time is that the update also secretly fixes a bug that allows unauthenticated users to modify the content of any post or page within a WordPress site.

Corporate insiders sell secrets and access on dark web
Dark web marketplaces have witnessed an increase of employees offering insider traders, fraudsters and hackers information, help or outright access to their company’s networks – for a fee, of course.

Is it time to call an MSSP? Five signs that it can’t wait
How do SMBs know when to consider getting outside support for their security needs?

Identity fraud hits record high
Despite the efforts of the industry, fraudsters successfully adapted to net two million more victims this year with the amount fraudsters took rising by nearly one billion dollars to $16 billion.

PCI SSC publishes best practices for securing e-commerce
The information supplement will educate merchants on accepting payments securely online and is an update to existing guidance previously published in 2013.

Hacker Phineas Fisher arrested in Spain?
Has Phineas Fisher, the person (or group) behind the Gamma International and Hacking Team breaches and data leaks, been caught?

91% of phishing attacks are display name spoofs
Display name spoofs impersonate a person familiar to a business user in order to fool the recipient into thinking that the message came from a trusted source.

SSD security challenges: Which data sanitization methods are effective?
SSDs contain a myriad of sensitive personal and business information.

Facebook and GitHub test new account recovery option
This so-called delegated account recovery option should be a safer alternative to security questions.

Can your Netgear router be hijacked? Check now!
Trustwave found over 10,000 remotely accessible vulnerable devices, and estimates that there are many more non-remotely accessible affected devices in use – possibly even a million.

Google launches its own Root Certificate Authority
Google is known for slipping fingers in many pies, so it should not come as a surprise that it has opted for starting its own Root Certificate Authority.

New infosec products of the week: February 3, 2017
A rundown of infosec products released last week.



