Week in review: VirtualBox 0day, GPU side channel attacks, vulnerable self-encrypting SSDs

Here’s an overview of some of last week’s most interesting news and articles:

Five key considerations when developing a Security Operations Center
Organizations should start with the following five key considerations if they are to get the most out of their SOC.

How financial institutions can change the economics of fraud
The volume of data breaches has bolstered fraudsters’ ability to waltz through the front doors of businesses using synthetic identities.

VirtualBox Guest-to-Host escape 0day and exploit released online
Independent vulnerability researcher Sergey Zelenyuk has made public a zero-day vulnerability he discovered in VirtualBox, the popular open source virtualization software developed by Oracle.

Vulnerabilities’ CVSS scores soon to be assigned by AI
The National Institute of Standards and Technology (NIST) is planning to use IBM’s Watson to evaluate how critical publicly reported computer vulnerabilities are and assign an appropriate severity score.

Round two: Microsoft prepares to release Windows 10 October 2018 Update… again!
Thanksgiving comes early this year, but the Microsoft Windows 10 October 2018 Update is coming late. Should we be thankful?

HITB partners with BSides Dubai for free CommSec Track at HITB2018DXB
The HITB CommSec (community + security) track is a free-to-attend session with 30- and 60-minute talks held during the 27th and 28th alongside the HITB2018DXB Exhibition.

Self-encrypting SSDs vulnerable to encryption bypass attacks
Researchers have discovered security holes in the hardware encryption implementation of several solid state disks (SSDs) manufactured by Crucial (owned by Micron) and Samsung, which could allow attackers to bypass the disk encryption feature and access the data on them without having to know the user’s password.

Apache Struts 2.3.x vulnerable to two year old RCE flaw
The Apache Software Foundation is urging users that run Apache Struts 2.3.x to update the Commons FileUpload library to close a serious vulnerability that could be exploited for remote code execution attacks.

GPU side channel attacks can enable spying on web activity, password stealing
Computer scientists at the University of California, Riverside have revealed for the first time how easily attackers can use a computer’s graphics processing unit, or GPU, to spy on web activity, steal passwords, and break into cloud-based applications.

DevOps and security: How to make disjointed security and DevOps teams work effectively
The problem with the DevOps methodology has been the fact that InfoSec is typically not part of the DevOps team, which exposes a risk: this critical function could be left out of application development entirely.

Countering threats: Steps to take when developing APIs
High profile data breaches resulting from faulty APIs continue to make headlines. To counter this threat, businesses need to follow these three steps when developing APIs.

The building blocks of blockchain-based digital identity
In order for a blockchain-based digital identity solution to be successful, it needs to meet a number of objectives for broad enterprise adoption.

How email fraud tactics continue to find new life
Losses due to BEC scams are escalating, and criminals are targeting organizations with emails that, more often than not, foil conventional email security solutions because they do not carry malicious payloads or links.

Demand for cybersecurity professionals continues to accelerate
U.S. employers in the private and public sectors posted an estimated 313,735 job openings for cybersecurity workers between September 2017 and August 2018. That’s in addition to the 715,000-plus cybersecurity workers currently employed around the country.

Attackers breached Statcounter to steal cryptocurrency from gate.io users
Web analytics company Statcounter and cryptocurrency exchange gate.io have been compromised in another supply-chain attack.

Post implementation, GDPR costs higher than expected
A Versasec survey examining the global impact of the General Data Protection Regulation (GDPR) nearly six months after its roll-out shows the privacy regulation costs more to implement than many had anticipated, and that non-EU companies are adopting similar regulations in anticipation of stronger customer privacy rules in their own locations.

Netflix releases desktop versions of device security app Stethoscope
In early 2017, the Netflix team open sourced Stethoscope, a web-based application that collects information about users’ devices and provides them with recommendations for securing them. Windows 10 and macOS users now have the option of installing a desktop app.

Beagle free visual analytics tool helps bring cybercriminals to justice
A team of researchers is helping law enforcement crack down on email scammers, thanks to a new visual analytics tool that speeds up forensic email investigations and highlights critical links within email data.

New infosec products of the week: November 9, 2018
A rundown of infosec products released last week.