Week in review: IIS zero-day, iOS scareware, new issue of (IN)SECURE

Here’s an overview of some of last week’s most interesting news and articles:

Like it or not, “cyber” is a shorthand for all things infosec
We have lost the cyber war. No, not that cyber war. Maybe war of words is a better way to put it. Whether we like it or not, cyber has become the default way for everyone else to talk about what we do.

Used devices are a treasure trove of personally identifiable information
40 percent of hard drives, mobile phones and tablets resold in publicly-available resale channels contain personally identifiable information (PII), according to an analysis by CPR Tools.

(IN)SECURE Magazine issue 53 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics.

US Congress votes for ISPs to be able to sell customers’ info and browsing history
Such a resolution, if signed by US President Donald Trump, will mean that ISPs and mobile data carriers will be able to sell or share their customers’ Web browsing and app usage history and other private information with advertisers and other third parties, without having to ask those customers for permission.

Why we should define our right to privacy now, before it’s too late
All this talk of snooping, eavesdropping, and hacking is a red herring. It’s a distraction. The central question in all of this, one that few are actually talking about, is whether privacy is a human right and what should be done to protect and cherish it.

Review: Data Breach Preparation and Response
IT security specialists have already internalized and made peace with the fact that data breaches are almost inevitable, and this book will be a welcome addition to their shelf.

Scareware scammers target iOS users
A bug in the way that Mobile Safari handles pop-up dialogs has been abused to scare iOS users into paying a “fine” in the form of an iTunes pre-paid card.

Actively exploited zero-day in IIS 6.0 affects 60,000+ servers
It is a buffer overflow flaw in a function in the WebDAV service in IIS 6.0 in Microsoft Windows Server 2003 R2, and can be triggered by attackers sending an overlong IF header in a PROPFIND request.

Medical washer-disinfector appliance’s web server open to attack
Here’s a string of words that you probably never thought you’d hear: An Internet-connected washer-disinfector appliance by German manufacturer Miele sports a vulnerable embedded web server.

How CIOs are shaping the future of work
IT leaders are poised to make radical changes in the workplace, but boardrooms are holding back progress by continuing to place too much emphasis on reducing costs and keeping the lights on.

With iOS 10.3, iDevices get new Apple File System with native encryption support
APFS is engineered with encryption as a primary feature (it has native encryption support), and is optimized for Flash/SSD storage.

Modern security programs: Artificial intelligence and machine learning
A new research report by Carbon Black aggregates insight from more than 400 interviews with leading cybersecurity researchers who discussed non-malware attacks, artificial intelligence (AI) and machine learning (ML), among other topics.

A new approach is needed in the battle against cyber attacks
In the battle to fight cybercrime, discovering the undetectable is a challenge CISOs face every day. With this in mind, organisations must turn to new and innovative methods of discovery such as threat hunting, the process of proactively searching networks to detect and isolate sophisticated threats.

Docs.com’s “public by default” setting to blame for users publishing sensitive info?
The search option on Docs.com, Microsoft’s publishing and file sharing service, has been temporarily disabled as it could be used to trawl published documents for sensitive user information (social security numbers, dates of birth, phone numbers, etc.).

New infosec products of the week: March 31, 2017
A rundown of infosec products released last week.
