Week in review: Hardware Trojans, Office 365 compromise prevention, getting the most out of pentesting

Here’s an overview of some of last week’s most interesting news and articles:

Deception technology: Authenticity and why it matters
An overview of the central role that authenticity plays in the establishment of deception as a practical defense and cyber risk reduction measure.

Mitigating the risk of Office 365 account hijacking
Once an actor has obtained credentials for an O365 account, the access can be used not only to reach documents across a user’s O365 surface (SharePoint, OneNote etc.) but also as a launchpad to carry out further compromises within an organisation.

Supply chain compromise: Adding undetectable hardware Trojans to integrated circuits
Is it possible for attackers to equip integrated circuits with hardware Trojans that will not change the area or power consumption of the IC, thus making them indiscernible through power-based post-fabrication analysis?

Android Trojan steals money from victims’ PayPal account
ESET researchers have unearthed a new Android Trojan that tricks users into logging into PayPal, then takes over and mimics the user’s clicks to send money to the attacker’s PayPal address.

How can businesses get the most out of pentesting?
For organizations not knowing where to start when it comes to selecting a pentester, let’s take a look at a few guidelines to follow when starting a project.

CISO challenges and the path to cutting edge security
Zane Lackey is the co-founder and CSO at Signal Sciences. He serves on multiple Advisory Boards including the National Technology Security Coalition, the Internet Bug Bounty Program, and the US State Department-backed Open Technology Fund. Prior to co-founding Signal Sciences, Zane led a security team at the forefront of the DevOps/Cloud shift as CISO of Etsy. In this interview with Help Net Security he discusses CISO challenges, cloud security strategies, next-gen security, and much more.

Attackers increasingly exploiting vulnerabilities to enlarge their IoT botnets
Attackers looking to add IoT devices to their botnets are increasingly adding vulnerability exploitation to their attack arsenal, Netscout researchers warn. Instead of just relying on a list of common or default passwords or brute-forcing attacks, they are taking advantage of the fact that IoT devices are rarely updated and manufacturers take a lot of time to push out fixes for known flaws.

Most concerning security controls for cyberattackers? Deception and IDS
Attivo Networks surveyed more than 450 cybersecurity professionals and executives globally to gain insights into detection trends, top threat concerns, attack surface concerns, and what’s on their 2019 security wish list.

Worst password offenders of 2018 exposed
Kanye West is the worst password offender of 2018, according to Dashlane. When visiting the White House, the famous rapper was spotted unlocking his iPhone with the passcode “000000”.

Not all data collection is evil: Don’t let privacy scandals stall cybersecurity
The privacy violations, deception and cybercrime taking place are creating new challenges that public and private sector organizations face. They are now operating in a world where all data collection and analysis practices are increasingly portrayed as evil. Despite this, business and government leaders can’t lose sight of the fact that it is absolutely necessary to continue to collect and analyze information in order to remain secure and to mitigate risk.

December 2018 Patch Tuesday: Microsoft patches Windows zero-day exploited in the wild
Microsoft’s December 2018 Patch Tuesday release is pretty lightweight: the company has plugged 38 CVE-numbered security holes, nine of which are considered to be Critical.

Securing and managing the enterprise Internet of Things
Paul Calatayud, Palo Alto Networks’ CSO for the Americas, sees the IoT evolving into a new form of distributed computing powered by 5G and ever-increasing bandwidth speeds. The result will be intelligent, programmable devices that operate without human interaction or input.

6.8% of the top 100,000 websites still accept old, insecure SSL versions
Mac-based malware has appeared on the list of the top ten most common types of malware for the first time in WatchGuard’s quarterly Internet security report. Researchers also found that 6.8 percent of the world’s top 100,000 websites still accept old, insecure versions of the SSL encryption protocol.

Will sophisticated attacks dominate in 2019?
Trend Micro released its 2019 predictions report, warning that attackers will increase the effectiveness of proven attack methods by adding more sophisticated elements to take advantage of the changing technology landscape.

November 2018: Most wanted malware exposed
Check Point has published its latest Global Threat Index for November 2018. The index reveals that the Emotet botnet has entered the Index’s top 10 ranking after researchers saw it spread through several campaigns, including a Thanksgiving-themed campaign.

Product showcase: iStorage diskAshur PRO² SSD
The diskAshur PRO² SSD is an ultra-secure, PIN authenticated, portable USB 3.1 hard drive with real-time AES-XTS 256-bit hardware encryption. It doesn’t require any software – the keypad enables you to securely access the drive by entering a PIN code.

30% of healthcare databases are exposed online
Despite the fact that electronic health records (EHR) contain extremely sensitive information about individuals, it is shockingly easy for malicious actors to get their hands on them, Intsights security researchers have discovered.

High profile incidents and new technologies drive cybersecurity M&A to record highs
The Cybersecurity M&A Market Report from international technology mergers and acquisitions advisors, Hampleton Partners, outlines how high profile hacks, the global digitisation of business and new regulations are driving record transaction volumes and valuations, with 141 completed transactions by October this year, surpassing 2016 and 2017 levels.