Week in review: Blocking compromised passwords, removing personal data from connected cars

Here’s an overview of some of last week’s most interesting news and articles:

0patch releases micropatch for Windows Task Scheduler zero-day
Acros Security, the company behind 0patch, has released a micropatch for the flaw that can be applied to fully updated 64-bit Windows 10 version 1803 and 64-bit Windows Server 2016.

Air Canada confirms mobile app data breach, passport numbers were accessed
Air Canada has suffered a data breach and is forcing a password reset on all 1.7 million users of its mobile app, though apparently only 20,000 of the mobile app accounts were accessed by the attackers.

Healthcare CISOs: Manage infosec risks and safeguard patient safety
Prominent CISOs from leading health systems and providers throughout the country have come together to establish the Provider Third Party Risk Management Council to develop, recommend and promote a series of practices to manage their information security-related risks in their supply chain and to safeguard patient safety and information.

The anatomy of fake news: Rise of the bots
Spreading misinformation has become a mainstream topic to the extent that even the term ‘Twitter bot’ is well recognised and has established itself in the modern lexicon. Whilst the term is well known, it can be argued that the development and inner workings of Twitter bots are less well understood.

Old “Misfortune Cookie” flaw opens medical gateway and devices to attack
A vulnerability in Qualcomm Life Capsule Datacaptor Terminal Server (DTS) can be easily exploited to allow attackers to execute unauthorized code to obtain administrator-level privileges on the device.

Blocking compromised passwords: How and why to do it
Passwords are beginning to feel like the zombie that just won’t die. Even after Bill Gates famously called for their demise in 2004, this antiquated form of user verification is still alive and kicking.

Incorporating sensitive asset data into your vulnerability and compliance program
In this podcast recorded at Black Hat USA 2018, Tim White, Director of Product Management, Policy Compliance at Qualys, talks about the importance of incorporating inaccessible or sensitive asset data into your overall vulnerability and compliance program.

WhatsApp warns that Google Drive backups are not encrypted
Facebook-owned WhatsApp has recently announced that, starting on November 12, 2018, Android users will be able to store their WhatsApp backups on Google Drive without the backup being counted toward Google Drive’s storage quota. But, the company warns, those backups won’t be encrypted.

Why pushback on the CCPA is wrong
Since GDPR was implemented on May 25th, 2018, one big question has been lurking in the U.S.: When will the U.S. Federal Government follow suit?

Half of Alexa Top 1 Million sites now use HTTPS
Slowly but surely, the Internet is on its way to being 100% encrypted.

Cybercriminals shift tools, tactics and procedures to improve infection rates
Trend Micro released its Midyear Security Roundup 2018, revealing that cybercriminals are moving away from attention-grabbing ransomware attacks to more covert methods intended to steal money and valuable computing resources.

Emerging consensus for an ICS security approach
This difference in priorities drives important differences between IT and OT security programs. IT risk assessment methodologies are inadequate when applied to reliability-critical or safety-critical networks. IT security programs are equally inadequate.

Wireshark can be crashed via malicious packet trace files
The Wireshark team has plugged three serious vulnerabilities that could allow an unauthenticated, remote attacker to crash vulnerable installations.

Your data center’s IT is lock-tight, are the facility’s operations?
Even if data center operators think their security operation is lock-tight, there still are several important considerations to ensure a holistic plan is in place. The bottom line? If these important measures haven’t been incorporated as part of a data center’s security plan and ongoing upgrades, there is risk to the entire operation.

How to remove personal data from connected cars
Your car is a computer that stores a lot of information about you. When you sell or donate your car, that personal data might be accessible to the next owner if you don’t take steps to remove it.

PoC exploit for critical Apache Struts flaw found online
As expected, it didn’t take long for a Proof-of-Concept (PoC) exploit for the critical Apache Struts flaw (CVE-2018-11776) to pop up.

Privacy Shield: Should I stay or should I go?
The lead up to the GDPR enforcement date consumed a large swath of media coverage. This essentially buried the news that in early July 2018, the European Union Parliament warned that it would suspend the Privacy Shield agreement with the United States unless the US government took action to meet GDPR requirements.

Tool and resources to help small merchants improve payment card data security
The PCI Data Security Essentials Evaluation Tool was born from the need to create a simpler way for small merchants to evaluate how they are addressing critical security risks for their specific payment environment.

New infosec products of the week: August 31, 2018
A rundown of infosec products released last week.