Week in review: Black Hat, the future of AppSec, the value of cyber insurrance

Here’s an overview of some of last week’s most interesting news and articles:

Review: Pwnie Express Pulse
Pwnie Express Pulse is a SaaS offering that uses custom hardware sensors to provide continuous network discovery, threat detection, risk assessment, and critical information about all security issues that should be resolved.

Is cyber insurance worth the paper it’s written on?
Is there any point spending good money on cyber insurance when you could put that money into robust protection instead?

Lippizan: Sophisticated, targeted spyware on Google Play
Google has discovered targeted spyware on Google Play that is likely the work of Equus Technologies, an Israeli cyber surveillance technology dealer.

Addressing the deficit in cyber security workforce and national policy
Whether they like it or not, in this day and age nearly all organizations have to think about their cybersecurity posture and find a way to minimize cybersecurity risk. But the main problem about doing the latter is that nobody can effectively assess the cybersecurity risk of organizations.

UK govt urges teenagers to apply for cyber security training programme
Students will be selected for the programme via a pre-entry assessment, and the scheme will provide them with clear pathways into the cyber security industry via direct contact with industry experts.

Custom code accounts for 93% of application vulnerabilities
Although third-party software libraries represent a majority of an application’s code, they account for less than seven percent of application vulnerabilities.

Hackable smart car wash systems can hurt people
Two years after researchers Billi Rios and Terry McCorkle first flagged serious vulnerabilities in automatic, smart car wash systems by US manufacturer PDQ, the company is finally acknowledging the danger.

An internet-connected fish tank let hackers into a casino’s network
A high-tech, internet-connected fish tank in a North American casino has been used to exfiltrate data from the company’s network.

Google Groups misconfiguration leads to sensitive data leaks
By searching for publicly exposed Google Groups within the top 1,000 most visited websites on Alexa, researchers found hundreds of them, containing information such as PII, employee salary details, customer passwords, and so on.

22% of SMBs hit by ransomware had to cease business operations
More than one-third of small and medium-sized businesses have experienced a ransomware attack in the last year, a new Malwarebytes report claims, and 22 percent of these impacted businesses had to cease operations immediately.

Phishers’ techniques and behaviours, and what to do if you’ve been phished
Once a user has been phished, how long does it takes for the phishers to misuse the stolen credentials?

Most companies fail to measure cybersecurity effectiveness
With global companies and governments spending more than $100 billion a year on cybersecurity defenses, a substantial number of companies are making business decisions and purchasing cyber security technology blindly.

MacOS malware used to spy on home users in the US
A new variant of the macOS malware Fruitfly has been found by security researcher Patrick Wardle on some 400 machines of (mostly) home users located in the US.

The future of AppSec: Stop fighting the last war
It’s a cornerstone of military doctrine: when you focus too much on the last battle you faced, you miss signs of the new battleground taking shape. The principle holds as true for cybersecurity as it does for cavalries and tanks.

How to protect the power grid from low-budget cyberattacks
Cyberattacks against power grids and other critical infrastructure systems have long been considered a threat limited to nation-states due to the sophistication and resources necessary to mount them. At the Black Hat USA 2017 conference in Las Vegas, a team of New York University researchers challenged that notion by disclosing vulnerabilities in a component that, combined with publicly available information, provide sufficient information to model an advanced, persistent threat to the electrical grid.

Russian arrested, indicted for laundering funds from Mt. Gox hack
Alexander Vinnik, a Russian man arrested on Tuesday in Greece, is allegedly the operator of digital currency exchange BTC-e, through which funds from the Mt. Gox bitcoin exchange hack have been laundered.

Security vulnerabilities in radiation monitoring devices
If the vulnerabilities identified are exploited, an attacker could wreak havoc on critical systems used for monitoring radiation levels, such as falsifying measurement readings to simulate a radiation leak, tricking authorities to give incorrect evacuation directions, or increasing the time an attack against a nuclear facility or an attack involving a radioactive material remains undetected.

Secrets of successful threat hunters and SOCs
Successful cybersecurity teams are three times as likely to automate threat investigation.

UniCredit breach: Data of 400,000 customers exposed
Italian global banking and financial services company UniCredit has revealed that it has suffered two security breaches in less than a year.

Only 2% of “GDPR-ready” organizations are actually compliant
Organizations across the globe mistakenly believe they are in compliance with the upcoming GDPR, Veritas claims, after polling over 900 business decision makers from the US, the UK, France, Germany, Australia, Singapore, Japan and the Republic of Korea.

Expected cyber threats over the next six months
The 2017 Cyber Threatscape Report examines key trends during the first half of 2017 and explores how cyber incidents may evolve over the next six months.

6+ billion records exposed in data breaches in first half of 2017
There have been 2,227 publicly disclosed data compromise events since the beginning of the year through June 30th.