Week in review: Critical flaw in Cisco switches, Saks breach, closing the security update gap

Here’s an overview of some of last week’s most interesting news and articles:

Establishing covert communication channels by abusing GSM AT commands
Security research often starts as a hobby project, and Alfonso Muñoz’s and Jorge Cuadrado’s probe into mobile privacy is no exception. The duo, who are scheduled to reveal the results of their research at the Hack in the Box Conference in Amsterdam, ended up finding a way to establish covert communication channels over GSM by abusing GSM AT commands.

Intel will not provide Spectre/Meltdown microcode updates for some processor families
Intel has decided not to provide microcode updates to plug Spectre and Meltdown vulnerabilities in a number of older processors.

Malicious actors used Facebook’s own tools to scrape most users’ public info
Facebook has disabled a search tool that allowed anyone to enter a person’s phone number or email address into Facebook and find their account, along with all the information that user did not choose to hide from others.

ShiftLeft: Fully automated runtime security solution for cloud applications
When talking about data loss prevention, the first things that come to mind are solutions aimed at stopping users from moving sensitive documents/data out of a network. But there is a different type of data loss that app developers should be conscious of and worry about: cloud applications inadvertently sending critical data to unencrypted/public databases/services.

Cyber attacks are becoming more organized and structured
Trustwave released the 2018 Trustwave Global Security Report, which reveals the top security threats, breaches by industry, and cybercrime trends from 2017. The report is derived from the analysis of billions of logged security and compromise events worldwide, hundreds of hands-on data-breach investigations and internal research.

Critical vulnerability opens Cisco switches to remote attack
A critical vulnerability affecting many of Cisco’s networking devices could be exploited by unauthenticated, remote attackers to take over vulnerable devices or trigger a reload and crash.

IT audit best practices: Technological changes give rise to new risks
IT security and privacy, IT governance and risk management, regulatory compliance, emerging technology and cloud computing are the key issues impacting IT audit plans in 2018.

Would automation lead to improved cybersecurity?
Concerted efforts to increase job satisfaction, automation in the Security Operations Center (SOC) and gamification in the workplace are key to beating cybercriminals at their own game, according to McAfee.

Cloudflare launches privacy-protecting DNS service
Cloudflare has announced a new privacy-oriented consumer DNS service, hosted at the following IP addresses: 1.1.1.1 and 1.0.0.1.

Report: What two years of real pen testing findings will tell you
The information included in this report (Time to Fix, Vulnerability Types, Findings Criticality, Issues Fixed) is summary data from all of the penetration tests Cobalt performed in 2017.

Security teams are under resourced, overwhelmed by attackers
A new report conducted by the Ponemon Institute uncovered security’s “patching paradox” – hiring more people does not equal better security. While security teams plan to hire more staffing resources for vulnerability response – and may need to do so – they won’t improve their security posture if they don’t fix broken patching processes.

How to close the security update gap
Security patching is hard and patch fatigue is real. So what can be done to make the process simpler, less disruptive, and more likely to be performed in a timely manner?

Delta and Sears suffer data breach, credit card information compromised
US-based Delta Air Lines and Sears Holdings, the owner of Sears and Kmart, have announced that the breach suffered by chatbot company [24]7.ai has resulted in the compromise of credit card information of their customers.

Using biometrics to protect crypto currency
With the boom of crypto currencies and blockchains for asset holdings, currency exchange, retail purchases, and even our digital identity documents, companies will need to require the highest possible authentication and authorization technologies with rock-solid key recovery methods due to recent heists which have rocked the market.

Easily exploited flaw in Microsoft Malware Protection Engine allows total system compromise
A critical and extremely easily exploitable vulnerability in the Microsoft Malware Protection Engine (MMPE) has been patched through an out-of-band security update pushed out by Microsoft on Tuesday.

Hackers steal payment card data of 5 million Saks, Lord & Taylor customers
Hackers have apparently managed to compromise the cash register systems at Saks Fifth Avenue and Lord & Taylor stores in the US and Canada, and have stolen payment card data of some five million customers, a cybersecurity research firm revealed on Sunday.