Week in review: Supply chain security, Android flaw opens users to advanced SMS phishing

Here’s an overview of some of last week’s most interesting news, articles and podcasts:

How to reduce the attack surface associated with medical devices
As the number of connected medical devices continues to rise, so does healthcare organizations’ attack surface.

Critical vulnerabilities uncovered in Danfoss SCADA product, patch now!
Risk Based Security uncovered multiple vulnerabilities in the AK-EM 800 product from SCADA vendor Danfoss.

Firefox now blocks third-party tracking cookies, cryptomining scripts by default
It took a lot of testing and tweaking, but Mozilla’s Firefox browser is finally being delivered with Enhanced Tracking Protection and a web-based cryptomining blocking feature on by default.

Security hole opens a billion Android users to advanced SMS phishing attacks
Check Point Research has revealed a security flaw in Samsung, Huawei, LG, Sony and other Android-based phones that leaves users vulnerable to advanced phishing attacks.

Google to pay $170 million for violating children’s privacy on YouTube
Google and its subsidiary YouTube will pay a record $170 million to settle allegations by the Federal Trade Commission (FTC) and the New York Attorney General that the YouTube video sharing service illegally collected personal information from children without their parents’ consent.

Google’s differential privacy library can now be used by anyone
Google has open-sourced a differential privacy library that helps power some of its core products.

Security pros need more and better visibility into their cloud networks
In this Help Net Security podcast, Kevin Sheu, VP Product Marketing and Marcus Hartwig, Senior Product Marketing Manager at Vectra AI, discuss the Vectra superhero survey from Black Hat USA 2019, which provides insight into the current cloud adoption and top-of-mind concerns of attendees.

Supply chain security: Five IT strategies for choosing vendors wisely
With the proliferation of SaaS solutions, API integrations and cloud computing, virtually everything in the modern enterprise is connected to untold number of outside entities. In fact, many business processes depend on this connectivity, even when doing so broadens the threat landscape and puts the organization at greater risk.

September 2019 Patch Tuesday forecast: Microsoft security update will be complete
Microsoft began an aggressive six-month campaign in March of this year to switch the digital signature on all operating system and product updates from using Secure Hash Algorithm 1 (SHA-1) to SHA-2. This required installing the current SHA-2 algorithms in all the operating systems so they could read and deploy the newly signed patches.

Whitepaper: Security Orchestration with Threat Intelligence
Understand how you can make smarter decisions to move faster — both blocking an adversary and disrupting them altogether — by using orchestration with intelligence.

Attackers are exploiting vulnerable WP plugins to backdoor sites
A group of attackers that has been injecting WordPress-based sites with a script redirecting visitors to malicious and fraudulent pages has now also started backdooring the vulnerable installations, Wordfence’s Mikey Veenstra warns.

BMC vulnerabilities in Supermicro servers allow remote takeover, data exfiltration attacks
A slew of vulnerabilities affecting the baseboard management controllers (BMCs) of Supermicro servers could be exploited by remote attackers to gain access to corporate networks, Eclypsium researchers have discovered.

A look into the frequency and success of phishing attacks on SMEs
43% of UK SMEs have experienced a phishing attempt through impersonation of staff in the last 12 months. Of those impersonation phishing attempts, it was discovered that two-thirds (66%) had suffered a successful attack, according to CybSafe.

What prevents companies from achieving effective security performance management?
Cybersecurity performance is critical to achieving commercial success, according to a BitSight study.

Quantum computing market revenue to reach $9.1 billion annually by 2030
The global market for quantum computing is being driven largely by the desire to increase the capability of modeling and simulating complex data, improve the efficiency or optimization of systems or processes, and solve problems with more precision.

Researchers develop cheaper, more efficient Internet connectivity for IoT devices
A cheaper and more efficient method for IoT devices to receive high-speed wireless connectivity has been developed by researchers at the University of Waterloo.

Cardholders still dropping the ball when it comes to basic ID theft prevention
Four in 10 people with a credit or debit card have provided their full Social Security number in an online form in the past month, according to a new report from CompareCards, as Americans continue to wrestle with how best to combat identity theft two years after the Equifax data breach.

Business demands have outpaced the ability of IT to deliver services
While enterprises have embraced advanced digital technologies, such as IoT/edge computing (77 percent), big data/analytics (83 percent) and digital customer experience (78 percent), only 36 percent are “very satisfied” that their network currently has the capabilities required to support their business needs. That leaves 64 percent that see room for improvement, according to Accenture.

Most citizens are against local governments paying ransomware attackers
Nearly 80% of US citizens are increasingly worried about ransomware attacks on cities – yet more than half are still hesitant to have city governments put forth the funds to fight off hackers or implement cybersecurity defenses to help protect against attacks in the first place, according to a survey conducted by Morning Consult on behalf of IBM.

New infosec products of the week: September 6, 2019
A rundown of infosec products released last week.