Week in review: Malicious Python packages, FaceApp panic, and how to avoid a biometric dystopia

Here’s an overview of some of last week’s most interesting news, articles and podcasts:

Do you have what it takes to be a hardware hacker?
If you ask Yago Hansen, a hacker specialized in Wi-Fi and RF security, curiosity and a willingness to learn and improve your skills are the two things that you absolutely must have to embark on a (white hat) hacking career.

Malicious Python packages found on PyPI
Researchers have uncovered another batch of malicious Python libraries hosted on Python Package Index (PyPI).

Multi-stage attack techniques are making network defense difficult
Cybercriminals are evolving their attack methods and often use multiple payloads to maximize profits.

FaceApp privacy panic: Be careful which apps you use
The privacy panic over FaceApp, the selfie-editing mobile app that makes photo subjects younger, older or turns them into members of the opposite sex, has been overblown.

CVSS 3.1: Refined and updated for easier adoption by the security community
The Forum of Incident Response and Security Teams (FIRST) has published an update of its internationally recognized Common Vulnerability Scoring System (CVSS).

True passwordless authentication is still quite a while away
During the last decade or so, many IT and IT security professionals have foretold the death of the password, but that prophecy has yet to be fulfilled. Despite the many security drawbacks, the password continues to be an inexpensive authentication solution that works and is convenient in many scenarios.

The importance of IT asset management within digital transformation processes
In this Help Net Security podcast, Marco Rottigni, Chief Technical Security Officer for Qualys across EMEA, talks about the importance of IT asset management within digital transformation processes. He illustrates why it’s crucially important to understand what you have, and how to build security in versus bolting it on.

IIoT risks of relying heavily on edge computing
The sheer volume of data created by the Internet of Things (IoT) is increasing dramatically as the world is becoming progressively more connected. There are projected to be a mind-boggling 75 billion IoT devices in the world by 2025. Meanwhile, edge computing is set to be adopted into the mainstream by as early as 2020.

4 years after data breach, Slack resets 100,000 users’ passwords
Roughly 100,000 Slack users are getting their password reset and will have to choose a new one. The reason? During the data breach the company suffered in 2015, the attackers apparently not only accessed a database with user profile information and “irreversibly encrypted” passwords, but also “inserted code that allowed them to capture plaintext passwords as they were entered by users at the time.”

How well are healthcare organizations protecting patient information?
Healthcare organizations have high levels of confidence in their cybersecurity preparedness despite most of them using only basic user authentication methods in the face of an increasing number of patient identity theft and fraud instances in the marketplace, according to LexisNexis Risk Solutions.

NSS Labs test exposes weaknesses in NGFW products
NSS Labs announced the results of its 2019 NGFW Group Test. Twelve of the industry’s NGFW products were tested to compare NGFW product capabilities across multiple use cases. Products were assessed for security effectiveness, total cost of ownership (TCO), and performance.

Avoiding a biometric dystopia
In part one of our two-part series, we explored how biometric authentication methods are being defeated. In the second part, we’ll explore how manipulating biometrics can alter society, and what can be done to avoid a biometric dystopia.

The importance of hardening firmware security
It’s no secret that attackers traditionally go after low-hanging fruit when hacking a system. Historically, this has meant targeting user applications, and, for deeper persistence, the operating system (OS) kernel to gain control. But, as OS security has advanced, it’s become more difficult to compromise an OS with any kind of persistent kernel rootkit.

The true potential of 5G for businesses
There are many unanswered questions about 5G but businesses with the imagination and ingenuity to seek the answers for themselves will reap the benefits.

How can attackers abuse artificial intelligence?
Artificial intelligence (AI) is rapidly finding applications in nearly every walk of life. Self-driving cars, social media networks, cybersecurity companies, and everything in between use it.

Researcher releases PoC code for critical Atlassian Crowd RCE flaw
A researcher has released proof-of-concept code for a critical code execution vulnerability (CVE-2019-11580) in Atlassian Crowd, a centralized identity management solution providing single sign-on and user identity.

Companies still don’t understand the importance of DMARC adoption
By implementing DMARC, brands lower the odds of their domains being spoofed and used for phishing attacks on recipients. Still, 79.7% of all domains analyzed have no DMARC policy in place, according to 250ok.

Over 80% of network teams play a role in security efforts
More than 4 in 5 IT teams are involved in security efforts, and a majority of them report an increase of at least 25 percent in time spent on these efforts over the past 12 months, according to Viavi.

Flaw in Iomega, LenovoEMC NAS devices exposes millions of files on the Internet
A vulnerability in legacy Iomega and LenovoEMC network-attached storage (NAS) devices has led to many terabytes of potentially sensitive data being accessible to anyone via the Internet.

Adoption rates of basic cloud security tools and practices still far too low
As organizations migrate more of their data and operations to the cloud, they must maintain a robust cybersecurity posture, a Bitglass report reveals.

Skills gap remains a top barrier to SD-WAN adoption
SD-WAN security drives selection, skills gaps remain a primary obstacle to adoption, and adoption continues to rise, according to Masergy.

Business owners prioritize investment in technology over upskilling
Business owners say their strategy is to prioritize investing in technology (52%) over upskilling (24%) their workforce, according to Adecco.

New infosec products of the week: July 19, 2019
A rundown of infosec products released last week.
