Week in review: Top GDPR compliance risks, DDE attack mitigations, Node.js security

Here’s an overview of some of last week’s most interesting news and articles:

Infosec expert viewpoint: Vulnerability patching
Vulnerability patching is one of the most useful and cost-effective methods to mitigate a plethora of security threats. Here’s what infosec experts think about the challenges related to patching systems, and how they see vulnerability patching evolve in the near future. They also give advice to enterprises looking to deploy a solution that makes vulnerability patching easier.

Top GDPR compliance risks: Breach notification, data mapping, managing consent
The International Association of Privacy Professionals (IAPP) conducted a survey that gauges the perceived risks among privacy professionals of not complying with various aspects of the General Data Protection Regulation (GDPR).

Tor Browser flaw leaks users’ real IP address
The Tor Project has issued an emergency security bugfix release of Tor Browser, to prevent user IP address leakage due to a still unpatched Firefox bug.

Chrome to start blocking unwanted redirects
By early 2018, Chrome will be blocking several types of unwanted and annoying redirects.

Microsoft offers mitigation advice for DDE attack scenarios
Microsoft has published a security advisory containing DDE attack mitigation instructions for both users and admins.

Node.js security: Are developers confident in the quality of their code?
A NodeSource and Sqreen joint developer survey of nearly 300 CTOs, CIOs and developers revealed that, while the developer community fully understands the risks of operating in the open Internet and the complexities of building secure code, developers are not taking advantage of tools that can identify and mitigate threats.

Data exfiltration tool PTP-RAT encodes data in pixel colour values
How to exfiltrate data from a machine that doesn’t have file transfer capabilities or whose Remote Desktop Protocol (RDP) connection has been locked down, making it impossible to send files?

Digital business is turning CIOs into leaders
For 82 percent of EMEA CIOs, digital business has led to a greater capacity for change and a more open mindset in their IT organization, according to Gartner's annual survey of CIOs.

Eavesdropper vulnerability exposes sensitive corporate communications data
Appthority published research on its discovery of the Eavesdropper vulnerability, caused by developers carelessly hard coding their credentials in mobile applications that use the Twilio Rest API or SDK, despite best practices the company clearly outlines in its documentation.

Phishing is a greater threat to users than keyloggers and third-party breaches
Credential leaks and phishing largely affect victims in the US and Europe, while keyloggers disproportionately affect victims in Turkey, the Philippines, Malaysia, Thailand, and Iran.

Extortion-based cyber attacks: The next evolution in profit-motivated attack strategies
Since there is so much personally identifiable information (PII) available on the dark web already, hackers don’t receive the same return on exposing or selling it as they once did. Now, hackers will go after even more valuable information and confidential corporate data or threaten complete destruction to receive a bigger pay out.

Vault 8: WikiLeaks starts releasing source code of alleged CIA cyber weapons
The Vault 8 leaks will ostensibly cover “source code and analysis for CIA software projects including those described in the Vault 7 series,” released to “enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components.”

The Wild West of drive-by cryptocurrency mining
As more and more Coinhive clones continue popping up, chances of users’ CPU power being hijacked for cryptocurrency mining are rising.

1 in 5 IT security pros still use paper to track accounts and passwords
Dimensional Research recently surveyed 913 IT security professionals on challenges, habits and trends related to managing access to corporate data.

Modernizing cybersecurity training for the next generation
Training and workforce development must also be approached with a team perspective in mind.

New Amazon S3 encryption and security features introduced
Amazon Web Services has announced the availability of five new encryption and security features for the Amazon S3 cloud storage service.

Have you heard about Bitcoin multipliers?
Professedly, they are services that multiply any Bitcoin amount you send them several times over and return the total to you in mere hours.

Is trading resilience for business growth a smart strategy?
Even companies with a strong belief in resilience planning may be stuck in an old-fashioned mindset and neglecting to plan for the possibility of corporate data loss through the most vulnerable attack vector, end-user behaviors via laptops and desktops.

Top 10 ways to fund the shift to digital business
To fund digital initiatives, CEOs indicate that the bulk of the money comes from self-funding rather than existing budgets, as they see the primary purpose of digital initiatives as winning revenue rather than saving costs.

Security, privacy issues we need to solve before non-medical implants become pervasive
The cybernetic revolution is happening, and it’s imperative that civil liberties and privacy issues are addressed by system designers, innovators, regulators, and legislators, says James Scott, a Senior Fellow at cybersecurity think tank ICIT (Institute for Critical Infrastructure Technology).

New infosec products of the week: November 10, 2017
A rundown of infosec products released last week.