Week in review: VPNFilter, hacking BMW cars, verifying data processing for privacy and GDPR

Here’s an overview of some of last week’s most interesting news and articles:

The percentage of open source code in proprietary apps is rising
The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown.

VPNFilter malware compromises over 500,000 networking devices around the world
Cisco Talos researchers have flagged a huge botnet of small and home office routers and NAS devices, capable of collecting communications and data and launching cyber attacks.

GDPR: Today is the day
As GDPR becomes enforceable, we sat down with Jerry Caponera, VP Cyber Risk Strategy, Nehemiah Security, to talk about this important regulation and its wide-ranging impact.

Microsoft will extend GDPR rights to customers worldwide
Known as Data Subject Rights, they include the right to know what data we collect about you, to correct that data, to delete it and even to take it somewhere else.

Security spring cleaning: Tidying up messy firewall rules to reduce complexity
Most security teams are waging a daily battle against complex IT infrastructures, advanced malware and a severe skills shortage – a trifecta that has forced them to tackle select “priorities,” while letting other important initiatives fall by the wayside. One such task that usually falls to the bottom of the security “to-do” list is firewall rule cleanup.

Verifying data processing for privacy and GDPR
GDPR is having its moment in the public discourse. However, those who work to protect Identity data have been fretting about the critical components of the regulations for some time. Specifically, the “Article 30 Record-Keeping Requirement,” aims to provide evidentiary proof for how a company processes their personal data. The challenge for organizations in documenting their data processing activities is how do you do that in a data-driven way.

Researchers hack BMW cars, discover 14 vulnerabilities
Keen Security Lab researchers have discovered fourteen vulnerabilities affecting a variety of BMW car models. The flaws could be exploited to gain local and remote access to infotainment (a.k.a head unit), the Telematics Control Unit (TCU or TCB) and UDS communication, as well as to gain control of the vehicles’ CAN bus.

How a URL shortener allows malicious actors to hijack visitors’ CPU power
URL shorteners are often used by malware peddlers and attackers to trick users into following a link they otherwise wouldn’t. But Coinhive’s URL shortener carries an added danger: your CPU power can be surreptitiously hijacked to mine Monero.

Fortnite is coming to Android, but malicious fake apps are already there
Android users eager to play the increasingly popular Fortnite survival game on their mobile devices are being targeted left and right with malicious apps masquerading as the game or apps related to it.

European users can request a copy of the data Apple keeps on them
Apple has set up a Data and Privacy portal where users can make a request to download all the data Apple has on them, correct their personal information, deactivate or delete their account.

Fraud data shows 680% spike in fraudulent mobile app transactions
The number of fraudulent transactions originating from a mobile app during the first quarter has increased by 200 per cent since 2015, according to RSA Security. Analysis from the team also indicated that abuse of social media platforms is a growing problem, with social media replacing the dark web as the top hacker marketplace.

Fighting ransomware with network segmentation as a path to resiliency
Recent cybersecurity events involving the use of ransomware (WannaCry and similar variants) represent the latest examples highlighting the need for organizations to not only take an initial hit, but survive, adapt, and endure. In other words, be resilient.

Whitepaper: Future-proofing your password policy
This whitepaper weighs conventional best practices against the new Digital Identity Guidelines from NIST.

Crypto Me0wing attacks: Kitty cashes in on Monero
It’s been a month since the first Drupalgeddon 2.0 RCE (SA-CORE-2018-002/CVE-2018-7600) exploit was first published, unleashing its destruction into the wild… and through our cloud monitoring systems. As expected, since then we’ve been picking up various attack variants piggybacking on the Drupalgeddon 2.0 exploit, including remote scanners and backdoor attempts. In accordance with the latest dark web app hype, it wasn’t long until we started picking up cryptojacking exploit attempts directed at remote servers as well.

New Spectre-like flaw found in CPUs using speculative execution
CVE-2018-3639, discovered by independently by Google Project Zero and Microsoft Security Response Center researchers and dubbed “Variant 4,” is a Speculative Store Bypass (SSB) vulnerability, and is considered to be a new variant of the previously revealed Spectre Variant 1 vulnerability.

America’s most cyber insecure cities exposed
Coronet researchers identified Las Vegas, Memphis and Charlotte as America’s most cyber insecure cities.

The ethical and legal dilemmas of threat researchers
Threat intelligence is mainstreaming into a de-facto everyday tool of cyber-defense. But all that intelligence must be collected, analyzed, and prepared by someone. Enter threat researchers, the advanced scouts of cybersecurity.

PCI Security Standards Council publishes PCI DSS 3.2.1
PCI DSS version 3.2.1 replaces version 3.2 to account for effective dates and SSL/early TLS migration deadlines that have passed.

New infosec products of the week​: May 25, 2018
A rundown of infosec products released last week.

More about

Don't miss