Week in review: Bluetooth flaw, ERP applications under attack, advancing security with machine learning

Here’s an overview of some of last week’s most interesting news and articles:

SCADA vulnerabilities in ICS architectures
A major challenge in industrial control system architecture involves the dual nature of its underlying technologies.

Vulnerability research and responsible disclosure: Advice from an industry veteran
“Everything changes once you have to supervise and mentor and schedule and coordinate and keep in mind all the things others don’t. You often have to hold back your own wish to research a certain thing yourself or crack things open, because people rely on you to take a second look on their work. You kind of become the invisible ‘I’ in ‘Team’,” says Johannes Greil, Head of the SEC Consult Vulnerability Lab.

Samsung SmartThings Hub vulnerabilities allow attackers inside your home
Cisco Talos researchers have unearthed 20 vulnerabilities in the Samsung SmartThings Hub that could be leveraged by attackers to monitor, control and interfere with devices within the home.

Securing healthcare organizations: The challenges CISOs face
Healthcare organizations are ideal targets for criminals looking to steal personal and other sensitive information, as the industry is lagging behind when it comes to cybersecurity. Healthcare breaches involving ransomware increase year-over-year, but this is just one of the problems information security professionals in the healthcare need to face, minimize or, better yet, head off.

Advancing security and ensuring privacy with machine learning
The Internet has many issues: lack of encryption and its governance, questionable marketing techniques, a misinformed average user. These issues are as old as the Internet itself. And machine learning algorithms can become the right tool to solve them.

ERP applications under attack: How criminals target the crown jewels
Business-critical applications running the biggest organizations in the world are under attack, according to research from Digital Shadows and Onapsis. The report shows a rise in cyberattacks on widely-used enterprise resource planning (ERP) applications such as SAP and Oracle — which currently have a combined 9,000 known security vulnerabilities.

Bluetooth vulnerability allows snooping of traffic between paired devices
Researchers Eli Biham and Lior Neumann have discovered a vulnerability in two Bluetooth features that could be exploited by attackers to gain a man-in-the-middle position and to monitor and fiddle with the traffic between two devices connected via that wireless technology.

Attackers playing into users’ commitment to security continue to sail through defenses
KnowBe4 shared its Top 10 Global Phishing Email Subject Lines for Q2 2018. The messages in the report are based on simulated phishing tests users received or real-world emails sent to users who then reported them to their IT departments.

Not many organizations scale their digital initiatives beyond the piloting stage
A recent Gartner, Inc. survey found that only a small number of organizations have been able to successfully scale their digital initiatives beyond the experimentation and piloting stages.

How SOAR can increase the value of your security team
The majority of cybersecurity professionals claim their organization is impacted by the skills shortage. Securities teams are being faced with hundreds of thousands of potential threats daily, and most security teams spend most of their time dealing with whatever vulnerability pops up that day, leaving little time for training, planning, strategy, etc.

After extensive testing, Google introduces the Titan Security Key
Google recently shared that since it made employees use physical security keys instead of passwords and one-time codes none of them – and there are over 85,000 – have been successfully phished. Then, on Wednesday, the company announced that they have created their own line of security keys – the Titan Security Key – and that they’ve been testing it in-house for over a year.

ZDI offers hefty bounties for zero-days in popular web servers, CMSes
The Trend Micro-backed Zero Day Initiative is asking bug hunters to look for zero-day RCE vulnerabilities in several open source server-side products and is ready to pay up to $200,000 for some of them.

72% of CEOs admit they’ve taken intellectual property from a former employer
93 percent of CEOs say they keep a copy of their work on a personal device, outside the relative safety of company servers or cloud applications.

Adopting a Zero Trust approach is the best strategy to control access
A new study conducted by Forrester Consulting found that organizations powering Zero Trust Security with next-gen access solutions reported twice the confidence to accelerate new business models and customer experiences.

Exploring the dynamics of the attacker economy
Global software companies are increasingly turning to attackers for help identifying security vulnerabilities in their offerings – and they’re not the only ones.

Chrome starts marking all HTTP sites as “Not secure”
The “Not secure” mark is currently in grey, but Chrome 70 (scheduled to be released in October 2018) will start showing the red “Not secure” warning when users enter data on HTTP pages.

The evolution of email fraud: Risks and protection tips
Marc Chouinard is Email Security Operations Lead at Vircom, an email security vendor based in Montreal, Canada. He has established a reputation as a no-nonsense leader in understanding and acting against threats on a daily basis, and in this interview he talks about email fraud, BEC scams, and the evolution of email threats.

Securing the supply chain: Organizations need best practices in proactive security
CrowdStrike announced the results of its global supply chain survey, Securing the Supply Chain, produced by research firm Vanson Bourne. The study surveyed 1,300 senior IT decision-makers and IT security professionals in the US, Canada, UK, Mexico, Australia, Germany, Japan, and Singapore across major industry sectors.

Privacy pros gaining control of technology decision-making over IT
TrustArc and IAPP announced the results of new research that examined how privacy technology is bought and deployed to address privacy and data protection challenges.

Hackers stole personal, medication data of a quarter of Singaporeans
Hackers have breached Singapore’s health service and have stolen personal information of some 1.5 million patients. They have also compromised outpatient medication data of 160,000 individuals, including Singapore’s Prime Minister Lee Hsien Loong.

New infosec products of the week​: July 27, 2018
A rundown of infosec products released last week.