Week in review: Social media-enabled cybercrime, fighting credential stuffing, digital signature spoofing

Here’s an overview of some of last week’s most interesting news and articles:

How WebAuthn aims to solve the password problem
Rather than tasking users with tracking dozens of separate passwords or requiring them to perform increasingly elaborate tasks to prove their identity, WebAuthn aims to create a standardized approach to authentication that will enable users to securely access web-based applications using their own unique authenticators (and without the additional need for a password).

Bug in Cobalt Strike pentesting tool used to identify malicious servers
An extraneous space in the HTTP responses of webservers run by a variety of malicious actors allowed Fox-IT researchers to identify them pretty easily for the past year and a half.

Sessions and events to check out at RSA Conference 2019
RSA Conference 2019 takes place next week in San Francisco. Here’s a brief overview of what to check out while you’re at the conference.

Most IoT devices are being compromised by exploiting rudimentary vulnerabilities
Cybercriminals are looking for ways to use trusted devices to gain control of Internet of Things (IoT) devices via password cracking and by exploiting other vulnerabilities, such as through voice assistants, according to the latest Mobile Threat Report unveiled by McAfee.

New privacy-breaking attacks against phones on 4G and 5G cellular networks
Three new attacks can be used to track the location and intercept calls of phone users connected to 4G and 5G cellular networks, researchers from Purdue University and The University of Iowa have revealed.

Enterprises are blind to over half of malware sent to their employees
As the use of SSL grows to the point where it’s the standard protocol, cybercriminals are increasingly using encryption to conceal and launch attacks. This has become possible because SSL certificates, which used to be difficult to obtain, are now readily available at no charge.

How to combat delivery ramifications after a data breach
The legal ramifications of a data breach and the notifications that might need to be sent to past unsubscribed users could be significant. While laws like CAN-SPAM and CASL allow for notification-type emails to be sent in this scenario, the content requirements need to be carefully considered to avoid a potential violation.

40% of malicious URLs were found on good domains
While tried-and-true attack methods are still going strong, new threats emerge daily, and new vectors are being tested by cybercriminals, according to the 2019 Webroot Threat Report.

Phishing, software supply chain attacks greatest threats for businesses
Phishing attacks have become increasingly polymorphic, which means attackers don’t use a single URL, domain, or IP address to send mail, but make use of a varied infrastructure with multiple points of attack.

Cisco SOHO wireless VPN firewalls and routers open to attack
Cisco has released security fixes for several models of wireless VPN firewalls and routers, plugging a remote code execution flaw (CVE-2019-1663) that can be triggered via a malicious HTTP request.

ICANN calls for wholesale DNSSEC deployment
In light of the recent DNS hijacking attacks, the Internet Corporation for Assigned Names and Numbers (ICANN) is urging domain owners and DNS services to implement DNSSEC post-haste.

Fighting credential stuffing attacks is an uphill battle
Hackers directed credential abuse attempts at retail sites more than 10 billion times from May to December last year, making retail the most targeted segment studied, according to the Akamai 2019 State of the Internet / Security: Retail Attacks and API Traffic report.

Social media-enabled cybercrime is generating $3.25 billion a year
One in five organizations have been infected with malware distributed via social media.

Increasing security measures are driving cybercriminals to alter their techniques
As a result, two major shifts occurred, including decreased reliance on malware and a decline in ransomware.

PDF viewers, online validation services vulnerable to digital signature spoofing attacks
Academics from Ruhr University Bochum have proven that the majority of popular PDF viewer apps and online digital signature validation services can be tricked into validating invalid signatures or validating signatures on documents that have been modified after having been signed.

Latest WinRAR, Drupal flaws under active exploitation
CVE-2018-20250, a WinRAR vulnerability that allows attackers to extract a malicious executable to one of the Windows Startup folders, where it is executed every time the system is booted, and CVE-2019-6340, the remote execution flaw affecting the popular Drupal CMS, have been spotted being exploited by attackers.

Many computers are vulnerable to hacking through common plug-in devices
Attackers can compromise an unattended machine in a matter of seconds through devices such as chargers and docking stations.

Healthcare industry: Key trends and cybersecurity challenges
Each year, Bitglass analyzes data from the U.S. Department of Health and Human Services’ “Wall of Shame,” a database containing information about breaches of protected health information (PHI) that affected 500 or more individuals.

Blocking compromised passwords from the Collection leak
It all started with Collection #1, a monster breach dubbed the biggest data dump in history with its 773 million unique email addresses and 22 million unique passwords. Next came Collection #2-5 with three times as many unique records. How does the Collection leak put your organization at risk?

Accidental data breaches are often compounded by a failure to encrypt
Accidental data breaches are often compounded by an organizational failure to encrypt data before it is shared – both internally and externally – putting organizations at risk of non-compliance with major data privacy regulations, such as NYDFS Cybersecurity Regulation 23 NYCRR 500, GDPR, HIPAA and the emerging California Privacy Act (AB375).

New infosec products of the week: March 1, 2019
A rundown of infosec products released last week.