Week in review: BlueKeep, GitHub automated security fixes, reducing the threat of legacy apps

Here’s an overview of some of last week’s most interesting news, articles and podcasts:

Attackers are exploiting WordPress plugin flaw to inject malicious scripts
Attackers are leveraging an easily exploitable bug in the popular WP Live Chat Support plugin to inject malicious JavaScript into vulnerable sites, Zscaler warns. The company has discovered 47 affected sites (some have been cleaned up in the meantime), but that number is unlikely to be final.

Researchers fight ransomware attacks by leveraging properties of flash-based storage
Ransomware continues to pose a serious threat to organizations of all sizes. In a new paper, “Project Almanac: A Time-Traveling Solid State Drive,” University of Illinois students Chance Coats and Xiaohao Wang and Assistant Professor Jian Huang from the Coordinated Science Laboratory look at how they can use the commodity storage devices already in a computer to recover files without having to pay the ransom.

Siemens LOGO!, a PLC for small automation projects, open to attack
LOGO!, a programmable logic controller (PLC) manufactured by Siemens, sports three vulnerabilities that could allow remote attackers to reconfigure the device, access project files, decrypt files, and access passwords.

Chrome extension devs must drop deceptive installation tactics
After announcing its intention to limit third-party developers’ access to Chrome’s webRequest API, which is used by many ad-blocking extensions to filter out content, Google has followed up with announcements for a few more changes meant “to create stronger security, privacy, and performance guarantees.”

A veteran’s look at the cybersecurity industry and the problems that need solving
Apart from effectively curating and summarizing content produced by others, Daniel Miessler is also the source of interesting ideas and occasionally unorthodox opinions, such as, for example, that we have exactly the right amount of software security given how highly we prioritize it compared to building features and expanding business.

What mechanisms can help address today’s biggest cybersecurity challenges?
In this Help Net Security podcast, Syed Abdur Rahman, Director of Products with unified risk management provider Brinqa, talks about their risk-centric, knowledge-driven approach to cybersecurity problems like vulnerability management, application security, and cloud and container security.

G Suite to get Gmail confidential mode, on by default
Confidential emails are self-destructing and/or protected by passwords, and impossible to forward, copy, download or print. They can also be revoked.

When it comes to email-based threats, Emotet dominates
Emotet displaced credential stealers, stand-alone downloaders and RATs and became the most prominent threat delivered via email.

BlueKeep RDP flaw: Nearly a million Internet-facing systems are vulnerable
A recent scanning effort by Robert Graham, head of offensive security research firm Errata Security, has revealed that there are still nearly a million vulnerable systems out there – and that’s just the ones that are on the public Internet: there are likely many, many more if we count systems inside organizations.

GitHub introduces Dependabot-powered automated security fixes
GitHub, the largest code-hosting site in the world, has announced many new features and changes at the 2019 GitHub Satellite conference.

Handle personal data: What we forget is as important as what we remember
Proper data compliance regulations aren’t just a fad, and companies need to get serious about cooperating, or else pay the price in terms of fines and customer trust.

Majority of CISOs plan to ask for an increase in cybersecurity investment
Most CISOs of financial institutions (73 percent) plan to ask their organization’s CFO for an increase in cybersecurity investments in the next year, according to the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium dedicated to reducing cyber-risk in the global financial system.

How to diminish the great threat of legacy apps
Mitigating the risk that legacy apps represent is no easy task – it requires work and planning. Here are a few best practices for ensuring a sound application security posture.

Security overconfidence and immaturity continue to endanger organizations
The majority of organizations are ill-prepared to protect themselves against privileged access abuse, the leading cyber-attack vector.

Many are seeing the damage of cybercrime and identity theft firsthand
As massive data breaches continue to make international headlines and the Internet is an integral part of our daily lives, consumers are now grasping the risks they face. In a new F-Secure survey, 71% of respondents say they feel that they will become a victim of cybercrime or identity theft, while 73% expressed similar fears about their kids.

IoT cyberattacks are the new normal, the security mindset isn’t
Eight in ten organizations have experienced a cyberattack on their IoT devices in the past 12 months, according to new research by Irdeto. Of those organizations, 90% experienced an impact as a result of the cyberattack, including operational downtime and compromised customer data or end-user safety.

Structural integrity: Quantifying risk with security measurement
Mike Burg, Director of Strategic Advisory, Alagen, explains how a winning security metrics strategy aligns with the business’ goals and objectives and lays out the framework to develop the metrics strategy.

New infosec products of the week: May 31, 2019
A rundown of infosec products released last week.