Week in review: Capital One breach, Visa payment limit bypass flaw, VxWorks RTOS vulnerabilities

Here’s an overview of some of last week’s most interesting news, interviews and articles:

The dynamic of modern security challenges: Issues security leaders face today
We sat down with Neil Weicher, CTO & Founder, NetLib Security, to discuss encryption technologies, the threat of legacy applications, the complexity of cloud security, medical IoT, and more.

AWDL flaws open Apple users to tracking, MitM, malware planting
Vulnerabilities in Apple Wireless Direct Link (AWDL), the wireless protocol that underpins Apple’s AirPlay and AirDrop services, could allow attackers to track users in spite of MAC randomization, to intercept and modify transmitted files, and to prevent transmission or crash devices altogether.

Security trends to follow at Black Hat USA 2019
Black Hat USA 2019 is just around the corner! Selecting which sessions to attend from among the conference’s jam-packed catalog of training sessions, panels and briefings can be a daunting task without a clear strategy. In the run-up to every conference, we compile a list of the most engaging content and identify the most compelling cybersecurity trends highlighted in the agenda.

200 million enterprise, industrial, and medical devices affected by RCE flaws in VxWorks RTOS
Armis researchers have discovered 11 vulnerabilities (including 6 critical RCE flaws) in Wind River VxWorks, a real-time operating system used by more than two billion devices across industrial, medical and enterprise environments.

Cloud adoption and security are not mutually exclusive
As organizations continue to adopt cloud services to achieve their desired business objectives, many don’t realize that the things that make cloud computing great – speed, agility, easy implementation and scalability – also make it a nightmare for many security departments.

Global IaaS market reached $32.4 billion in 2018, total growth was 31.3%
The worldwide infrastructure as a service (IaaS) market grew 31.3% in 2018 to total $32.4 billion, up from $24.7 billion in 2017, according to Gartner. Amazon was once again the No. 1 vendor in the IaaS market in 2018, followed by Microsoft, Alibaba, Google and IBM.

G Suite news: Anomalous alert activity for Google Drive, Advanced Protection for enterprise users
Google is rolling out new security options for G Suite users and admins, aimed at alerting organizations about data exfiltration attempts on Google Drive and helping them protect their high-risk users.

US utilities targeted with spear-phishing emails impersonating engineering licensing board
If you worked in a US company in the utilities sector and received an email notification telling you that you’ve failed your “Fundamentals of Engineering” NCEES exam, would you download the attached Word file to check what’s up? Would you do it even if you know that you took no such exam?

How effective is your security operations center?
While the SOC is considered an essential or important component of business, most security professionals rate their SOC’s effectiveness as low, and 49 percent say it is not fully aligned with business needs, according to a survey conducted by Devo Technology in partnership with the Ponemon Institute.

Solving security problems: Security advice for those with limited resources
In this interview, Mark Sangster, VP & Industry Security Strategist at eSentire, gives SMBs advice on how to minimize the risk of a data breach through better security practices, sets out priorities for a successful data security plan, and opines on the key challenges for the information security industry over the next five years.

Capital One breach: Info on 106 million customers compromised, hacker arrested
Capital One, one of the largest banks in the United States by assets, has announced that it has suffered a massive data breach affecting the personal and financial information of some 106 million individuals in the U.S. and Canada.

The rise of biometrics and passwordless security
Both the credential authentication process and the centralized database of passwords and other shared secrets create a potential attack surface for malicious hackers to intercept the information. With stolen credentials, cybercriminals can impersonate users or undertake phishing or credential stuffing attacks via Account Take Over (ATO).

Whitepaper: Building a Threat Intelligence Programme (UK)
ThreatConnect surveyed more than 350 cybersecurity decision makers in the UK. The result: Building a Threat Intelligence Programme discusses research findings on best practices and impact of those programmes.

How to secure your data as you go digital
To scale more efficiently and serve customers better, companies are moving more workloads and services to the cloud. According to IDG, 37 percent of companies are increasing their digital business, and 45 percent are in the process of becoming digital-first businesses. In fact, almost half of executives believe the digital sphere will help drive bottom-line revenue growth.

While cybercriminals abuse Twitter, threat researchers use it to boost threat intelligence efforts
Cybercriminals are abusing Twitter via tech support scams, command-and-control (C&C) operations and data exfiltration, according to Trend Micro.

Research shows that devices banned by US government lack basic security practices
As the August 13 deadline looms for the US ban on Chinese surveillance cameras, the news cycle is re-engaged with the issue. The panic about banned cameras still being in operation shines a spotlight on both the severity of the issue and the dire need to find a solution.

Orchestrating security policies across your hybrid cloud with intelligent data virtualization
The proliferation of data is causing a security and governance challenge across the hybrid cloud. Estimates project the global datasphere will grow from 33 zettabytes in 2018 to 175 by 2025. As new, data-intensive systems are spun up to keep pace with business needs, maintaining security and data governance is becoming a top concern. The complexity is such that a report on cloud security asserts that through 2022, 95% of security failures will be the customer’s fault.

Flaws allow attackers to bypass payment limits on Visa contactless cards
Flaws that allow attackers to bypass the payment limits on Visa contactless cards have been discovered by researchers Leigh-Anne Galloway and Tim Yunusov at Positive Technologies.

Microsoft is right, mandatory password changes are obsolete
Microsoft has recently come out and said that mandatory password changing is ancient and obsolete. This goes directly against everything we were trained to think for the last couple of decades, and against most compliance directives including some of the most dominant security standards. And it is correct.

Assessing the efficiency of phishing filters employed by email service providers
Technology companies could be doing much more to protect individuals and organizations from the threats posed by phishing, according to research by the University of Plymouth.

Many companies don’t know the depth of their IoT-related risk exposure
In the digital age, cyber is everywhere. Cyber risk now permeates nearly every aspect of how we live and work. Organizations should better understand how to manage the risks created by known and unknown Internet of Things (IoT) and Industrial IoT (IIoT) devices.

The probability that an EV SSL certificate is associated with a bad domain is 0.013%
New research conducted by the Georgia Institute of Technology Cyber Forensics Innovation (CyFI) Laboratory confirms that a website with a company-branded address bar greatly decreases the chance of internet users falling victim to a malware attack or phishing (fraud) scam.

Passion, ingenuity and hard work: The cybersecurity startup story of Israel
According to Start-Up Nation Central (SNC), there are currently 400 cybersecurity start-ups operating in Israel. In 2018, they raised over $1.2 billion in 96 rounds of funding. That is more money raised than any other vertical market in the Israeli economy. However, as many as 80% of these companies fail to progress from the early stage to mature, high growth companies.

53% of enterprises have no idea if their security tools are working
The majority of organizations don’t know if the security tools they deploy are working, and are not confident they can avoid data breaches, according to AttackIQ.

How to increase the efficiency of your risk and compliance management strategy
The rise of new business processes and the changing government rules and regulations around the globe are posing challenges for small and big companies alike, according to Infiniti Research.

Five examples of user-centered bank fraud
In today’s digital-first world, banks and financial service companies need to allow their customers to easily manage money online in order to compete. Unfortunately, most banking platforms were not designed securely and hackers have been taking advantage of these built-in weaknesses ever since banks first went online.

New infosec products of the week: August 2, 2019
A rundown of infosec products released last week.
