Week in review: Dangerous Bluetooth, EU cybersecurity certification, how Equifax hackers got in

Here’s an overview of some of last week’s most interesting news, articles and podcasts:

Equifax breach happened because of a missed patch
The attackers who breached Equifax managed to do so by exploiting a vulnerability in its US website, the company has finally confirmed. The vulnerability – CVE-2017-5638 – affects Apache Struts 2.

Organizations struggle to maximize the value of threat intelligence
Amidst growing concerns of large-scale cyber attacks, 84 percent of organizations participating in a Ponemon Institute survey indicated threat intelligence is “essential to a strong security posture.” However, many organizations struggle with an overwhelming amount of threat data and lack of staff expertise, which diminish the effectiveness of their threat intelligence programs.

Unsecured Elasticsearch servers turned into PoS malware C&Cs
Security researchers have discovered over 4,000 Elasticsearch servers compromised to distribute and control PoS malware. 99 percent of them are hosted by Amazon.

European Commission wants ENISA to introduce EU-wide cybersecurity certification scheme
The European Union needs a strong cybersecurity agency, and the Commission has submitted a proposal for a regulation aimed at strengthening the role of ENISA, the Union’s Greece-based Agency for Network and Information Security.

Phishers targeting LinkedIn users via hijacked accounts
A new phishing campaign has been spotted hitting LinkedIn users via direct messages and the LinkedIn InMail feature.

Why end-to-end encryption is about more than just privacy
End-to-end encryption is about more than just privacy – it is also critical for protecting business data, and our very lives and limbs as the Internet of Things becomes the norm.

iPhone X gets facial authentication, is the enterprise next?
While immediate reactions to Apple’s iPhone X announcement on social media have ranged from excitement to distrust and concern, it appears that widespread biometric authentication is here to stay for consumers. But when will facial recognition technology start being used in the enterprise?

Billions of Bluetooth-enabled devices vulnerable to new airborne attacks
Eight zero-day vulnerabilities affecting the Android, Windows, Linux and iOS implementations of Bluetooth can be exploited by attackers to extract information from, execute malicious code on, or perform a MitM attack against vulnerable devices.

Using behavior analysis to solve API security problems
Within many large organizations, tens to hundreds of millions of API requests are served daily, each with valid credentials, just like those of airport passengers. Each request carries different payloads, just like each passenger’s unique set of luggage.

KPN CISO paints a greater security picture
Being the CISO of such a huge and diverse company as KPN, the Netherlands’ largest telecom and ISP provider, requires great determination, and the current holder of the position fits the bill on that score.

Visual network and file forensics with Rudra
In this podcast recorded at Black Hat USA 2017, Ankur Tyagi, senior malware research engineer at Qualys, talks about visual network and file forensics.

Insurers increasingly concerned about silent cyber exposure
Around half of industry practitioners see the risk of silent cyber exposure – potential cyber-related losses due to silent coverage from insurance policies not specifically designed to cover cyber risk.

Patch Tuesday: 80+ vulnerabilities fixed, one exploited in the wild
As part of its regular, monthly Patch Tuesday update, Microsoft has released patches for 81 new vulnerabilities, including a zero-day in the .NET Framework.

Organizations are uncovering a cloud security paradox
The characteristics of modern applications in the cloud are changing, requiring software and IT architects to shift priorities. Businesses of all sizes are transforming in order to compete in the digital era, but are bogged down by legacy technologies and inefficient siloed processes and tools that are ill-equipped to handle today’s volume of data.

DOE invests $50 million to improve critical energy infrastructure security
The US Department of Energy (DOE) announced awards of up to $50 million to DOE’s National Laboratories to support early stage research and development of next-generation tools and technologies to further improve the resilience of the Nation’s critical energy infrastructure, including the electric grid and oil and natural gas infrastructure.

Most infosec pros believe election hacks are acts of cyber war
IT security professionals believe the effects of cyber attacks on elections go beyond diminishing confidence in the democratic process, according to a Venafi survey of 296 IT security professionals at Black Hat USA 2017.

Chrome will tag FTP sites as “Not secure”
This change is part of Google’s continuous effort to “accurately communicate the transport security status of a given page.”

New infosec products of the week: September 15, 2017
A rundown of infosec products released last week.
