Week in review: The lessons of Conficker, holiday season cybercrime, IoT vulnerability discovery

Here’s an overview of some of last week’s most interesting news and articles:

Don’t accept risk with a pocket veto
No security professional wants to accept risk. If we had our way, the organization would mitigate or avoid all risks. But that’s almost never the case in the real world. Risks often must be accepted.

Adobe plugs critical RCE Flash Player flaw, update ASAP! Exploitation may be imminent
The flaw affects Flash Player 31.0.0.148 and earlier versions on Windows, macOS, Linux and Chrome OS, and details about it are already publicly available, Adobe warned.

Helping researchers with IoT firmware vulnerability discovery
John Toterhi and his colleagues have analyzed over 200,000 firmware images from 76 unique manufacturers across many different products.

Review: Specops Password Policy
Some 17 years ago Specops Software took on the challenge of developing authentication tools for the Microsoft ecosystem. This review focuses on Specops Password Policy, their flagship tool for preventing Active Directory users from choosing weak passwords.

Should government officials complete basic cyber security training?
Venafi announced the results of a survey of 515 IT security professionals’ views on the cyber security literacy of government officials. The survey was conducted August 4-9, 2018, at the Black Hat conference in Las Vegas.

66.1% of vulnerabilities published through Q3 2018 have a documented solution
There have been 16,172 vulnerabilities disclosed through October 29th, which is a 7% decrease from the high record reported last year at this time.

Conficker: A 10-year retrospective on a legendary worm
This November marked the 10-year anniversary of Conficker, a fast-spreading worm targeting Microsoft systems that went on to claim one of the highest levels of infection in history. The outbreak helped to elevate the security industry and shape many of the security practices we now take for granted.

New security feature to prevent Amazon S3 bucket misconfiguration and data leaks
AWS has rolled out Amazon S3 Block Public Access, a new feature that allows account owners/administrators to centrally block existing public access and to make sure that newly created items aren’t inadvertently granted public access.

The holiday season and cybercrime: 8 ways to protect yourself
There are ways to help reduce digital risk during this holiday shopping season.

Remote working may boost productivity, but also leave you vulnerable to attack
New flexible working practices could pose a security risk to small businesses, with one in five of employees (21%) stating they are most productive when working in public spaces like a cafe or library, but only 18% concerned with the security implications this could have.

Make-A-Wish website compromised to serve cryptojacking script
Visitors of the international website of the US-based non-profit Make-A-Wish Foundation have had their computing power misused to covertly mine cryptocurrency, Trustwave researchers have found.

“Classic” bugs open TP-Link’s SafeStream Gigabit Broadband VPN Router to attack
Cisco Talos researchers have flagged four serious vulnerabilities in TP-Link’s SafeStream Gigabit Broadband VPN Router (TL-R600VPN). All four affect the device’s HTTP server, and can lead to denial of service, information disclosure, and remote code execution.

Privacy laws do not understand human error
In a world of increasingly punitive regulations like GDPR, the combination of unstructured data and human error represents one of the greatest risks an organization faces. Understanding the differences between unstructured and structured data – and the different approaches needed to secure it – is critical to achieve compliance with the many data privacy regulations that businesses in the U.S. now face.

Third parties: Fast-growing risk to an organization’s sensitive data
The Ponemon Institute surveyed more than 1,000 CISOs and other security and risk professionals across the US and UK to understand the challenges companies face in protecting sensitive and confidential information shared with third-party vendors and partners.

Only 14% have complete organizational awareness of IoT threats
A poll of 1,150 IT and security leaders reveals a worrying lack of cybersecurity maturity in many organizations around the world as they deploy IoT projects to drive innovation, agility and digital transformation.

In a post-EMV world, fraud is shifting from in-person to ecommerce channels
Three years after the switch to new chip-based credit and debit cards, a study by the National Retail Federation and Forrester says payment card fraud is still a top concern for large U.S. retailers as criminals move their activities online.