Week in review: CAPTCHA-breaking AI, Australian anti-encryption bill, new issue of (IN)SECURE

Here’s an overview of some of last week’s most interesting news and articles:

Old and new OpenSSH backdoors threaten Linux servers
OpenSSH, a suite of networking software that allows secure communications over an unsecured network, is the most common tool for system administrators to manage rented Linux servers. And given that over one-third of public-facing internet servers run Linux, it shouldn’t come as a surprise that threat actors would exploit OpenSSH’s popularity to gain control of them.

What cloud platforms are DevOps professionals being asked to understand?
Cloud Academy released its November 2018 Data Report revealing trends and shifts in the cloud computing industry.

(IN)SECURE Magazine issue 60 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Issue 60 has been released this week.

December Patch Tuesday forecast: Let it snow, let it snow, let it snow
We have a lot of accumulation leading up to Patch Tuesday that you will want to be aware of before the big storm hits.

Why hospitals are the next frontier of cybersecurity
Security solutions built for the typical business enterprise fall short when they’re applied to the complex world of hospital IT, leaving an urgent, unfilled need for industry-specific innovation.

Australia: Parliament passes anti-encryption bill
The Parliament of Australia has passed the Assistance and Access Bill 2018, which allows Australian authorities to pressure communication providers and tech companies into giving them access to encrypted electronic communications, all in the name of fighting crime and terrorism.

Half of management teams lack awareness about BPC despite increased attacks
Trend Micro revealed that 43 percent of surveyed organizations have been impacted by a Business Process Compromise (BPC).

Adobe patches newly exploited Flash zero-day
Adobe has released an out-of-band security update for Flash Player that fixes two vulnerabilities, one of which is a zero-day (CVE-2018-15982) that has been spotted being exploited in the wild.

Report: Pioneering Privileged Access Management
Gartner released the first-ever Magic Quadrant for Privileged Access Management – a significant milestone for the industry. It spotlights the critical importance of protecting privileged credentials amidst digital transformation initiatives and the ever-changing threat landscape.

An introduction to deception technology
This article is first in a five-part series being developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of the evolution of deception, including its use in the enterprise, with emphasis on the practical requirements that have emerged in recent years to counter the growing number and nature of malicious threats.

Researchers create AI that could spell the end for website security captchas
The new algorithm, based on deep learning methods, is the most effective solver of captcha security and authentication systems to date and is able to defeat versions of text captcha schemes used to defend the majority of the world’s most popular websites.

Post-exploitation scanning tool scavenges for useful information
Philip Pieterse, Principal Consultant for Trustwave’s SpiderLabs, has demonstrated a new tool for penetration testers called Scavenger at Black Hat Arsenal Europe 2018.

Chrome 71 is out, with several security changes
The newest version of the popular browser comes with 43 security fixes and many new features, including several that aim to help users avoid security pitfalls.

Detecting malicious behavior blended with business-justified activity
Organizations have tried to address this challenge with solutions ranging from the traditional network forensic vendors like RSA NetWitness as well as some of the first-generation network traffic analysis (NTA) tools like Darktrace. The buyer trend is moving towards a combination of these two technologies and that is where Awake Security comes in.

Hardware is on its way out as the demand for SD-WAN climbs
The technology enables enterprises to smoothly transition from hub-and-spoke to a direct-to-internet architecture.

Best practice methodology for industrial network security: SEC-OT
SEC-OT does not seek primarily to “protect the information” as information security does. SEC-OT observes that all cyber attacks are information and concludes that it is not information that needs protection, but physical operations that need protection from information – more specifically from cyber attacks that may be embedded in information.

Critical Kubernetes privilege escalation flaw patched, update ASAP!
The project maintainers are urging users to update their installations as soon as possible, since the flaw can be easily exploited remotely by unauthenticated attackers to gain access to vulnerable Kubernetes clusters and the applications and data within them.

Major flaws uncovered in leading IoT protocols
Trend Micro warned organizations to revisit their operational technology (OT) security after finding major design flaws and vulnerable implementations related to two popular machine-to-machine (M2M) protocols, Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP).

Quora data breach: 100 million users affected
The investigation is still ongoing, but for the time being, they believe that account information, public content and actions, and non-public content and actions for some 100 million users may have been compromised.

Vulnerability discovered in safety controller configuration software
Gjoko Krstic, an Applied Risk researcher, has discovered a vulnerability in Pilz PNOZmulti Configurator software that allows a local attacker to read sensitive data in clear-text.

Making it harder for attackers to know when a system begins to deceive a bad actor
Can you deceive a deceiver? That’s the question that computer scientists at Binghamton University, State University of New York have recently been exploring.

10 trends impacting infrastructure and operations for 2019
Gartner highlighted the key technologies and trends that infrastructure and operations (I&O) leaders must start preparing for to support digital infrastructure in 2019.

Find out what your peers are saying about Office 365 MFA
Specops Software ran a global survey that gauged satisfaction with Office 365 MFA among other O365 adoption initiatives.

New infosec products of the week: December 7, 2018
A rundown of infosec products released last week.