Week in review: Vulnerability tracking, GDPR quick guide, tackling the insider threat

Here’s an overview of some of last week’s most interesting news and articles:

Intel offers to pay for Spectre-like side channel vulnerabilities
Intel is expanding the bug bounty program it started last March, and is raising considerably the awards it plans to give out for helpful vulnerability information. The company is, simultaneously, starting a new bug bounty program focused specifically on side channel vulnerabilities, i.e., vulnerabilities that are rooted in Intel hardware but can be exploited through software.

Scanned IDs of 119,000 FedEx customers exposed online
An unsecured Amazon Web Services bucket holding personal information and scans of IDs of some 119,000 US and international citizens has been found sitting online by Kromtech security researchers earlier this month.

Worldwide spending on blockchain services to reach $8.1 billion in 2021
Interest and investment in blockchain as an emerging technology is accelerating as firms seek secure, sequential, and immutable solutions to improve business processes, enable new services, and reduce service costs.

Polisis: AI-based framework for analyzing privacy policies in real time
A group of researchers from École Polytechnique Fédérale de Lausanne (EPFL), the University of Wisconsin and the University of Michigan have created Polisis, an AI-powered automated framework for privacy policies analysis, and PriBot, a free-form Question Answering system for privacy policies.

Still relying solely on CVE and NVD for vulnerability tracking? Bad idea
2017 broke the previous all-time record for the highest number of reported vulnerabilities. The 20,832 vulnerabilities cataloged during 2017 by Risk Based Security (VulnDB) eclipsed the total covered by MITRE’s Common Vulnerability Enumeration (CVE) and the National Vulnerability Database (NVD) by more than 7,900.

7 steps security leaders can take to deal with Spectre and Meltdown
Security and risk management leaders must take a pragmatic and risk-based approach to the ongoing threats posed by an entirely new class of vulnerabilities.

Thousands of government, orgs’ websites found serving crypto mining script
Among the compromised websites were that of UK’s Information Commissioner’s Office and the Financial Ombudsman Service, the US Courts information portal, Manchester’s city council, the City University of New York, the Indiana state government, the Swedish Police, and so on.

Why do we need a risk-based approach to authentication?
The biggest challenge for an enterprise seeking to adopt a more nuanced approach to authentication is the sheer number of variables that must be accounted for in each and every request.

GDPR quick guide: Why non-compliance could cost you big
While the breadth of GDPR’s impact and information on audits and best practices will be known only when it goes into effect May 2018, it’s clear that enterprises already needed to have started to take steps to strengthen network security to prevent data loss and meet compliance requirements.

IoT botnet bypasses firewalls to get to ZyXEL modems
NewSky Security’s honeypots have detected a new IoT botnet in the making. The botnet was named DoubleDoor, as it leverages two distinct backdoors to get to the target: ZyXEL PK5001Z modems.

How cybercriminals exploited Telegram flaw to deliver malware
A “vulnerability” in Telegram’s desktop instant messaging client for Windows was exploited for months by Russian cybercriminals to deliver malware to users.

How to ensure your IT and security teams stay aligned amid digital transformation
The migration to more agile products are occuring in nearly every department and physical security is no exception. New technologies make it possible for video surveillance data to shift from on-premise to the cloud, and provide additional insights to support larger digital transformation goals. In order to succeed, however, CIOs will need to unify the previously disparate physical security and IT teams to support a common business goal.

A five-year analysis of reported Windows vulnerabilities
Based on analysis of all disclosed Microsoft vulnerabilities in 2017, a new Avecto report shows a significant rise in the number of reported vulnerabilities.

Millions of Android devices forced to mine Monero for crooks
The researchers identified several identical domains all using the same CAPTCHA code but using different Coinhive site keys in the mining script.

Microsoft boosts Windows Analytics to help squash Meltdown and Spectre bugs
A day after Microsoft announced it will be adding Windows Defender ATP down-level support for older OSes comes the news that its Windows Analytics service is getting new capabilities aimed at helping businesses tackle Meltdown and Spectre vulnerabilities on machines in their fleet.

Most CIOs plan to deploy artificial Iintelligence
As with most emerging or unfamiliar technologies, early adopters are facing many obstacles to the progress of AI in their organizations. Gartner analysts have identified the following four lessons that have emerged from these early AI projects.

German court says Facebook use of personal data is illegal
Facebook’s default privacy settings and some of its terms of service fall afoul of the German Federal Data Protection Act, the Berlin Regional Court has found.

Tackling the insider threat: Where to start?
Many organizations still believe the definition of an insider threat is limited to a rogue employee purposefully leaking embarrassing information, or nuking a couple of systems when he or she quits and walks out the door with internal or customer data to take to a new job. But not all insider threats have to be malicious to cause an incident.

What CISOs prioritize in order to improve cybersecurity practices
In a new study by the Financial Services Information Sharing and Analysis Center (FS-ISAC), CISOs weighed in on the most critical cyber-defense methods, frequency of cyber-preparedness reporting to their respective boards of directors as well as the current cyber chain of command within their respective financial organizations.

Consumers want more IoT regulation
A demand for more regulation may seem counterintuitive in today’s world and yet that’s exactly what consumers who understand IoT technologies want, according to a new study from Market Strategies International.

Download: The 2017 State of Endpoint Security Risk Report
To determine the cost and impact of evolving threats, the Ponemon Institute, a preeminent research center dedicated to data privacy and protection, surveyed 665 IT and security leaders. Their responses indicate today’s organizations are struggling to secure their endpoints, and paying a steep cost for each successful attack — $5 million for a large organization or an average of $301 per employee.

New infosec products of the week​: February 16, 2018
A rundown of infosec products released last week.