Week in review: Windows crypto flaw, API security risks, exploits for Citrix security hole abound

Here’s an overview of some of last week’s most interesting news and articles:

Cable Haunt: Unknown millions of Broadcom-based cable modems open to hijacking
A vulnerability (CVE-2019-19494) in Broadcom’s cable modem firmware can open unknown millions of broadband modems by various manufacturers to attackers, a group of Danish researchers has warned.

High-risk Google account owners can now use their iPhone as a security key
Google users who opt for the Advanced Protection Program (APP) to secure their accounts are now able to use their iPhone as a security key.

Exploits for Citrix ADC and Gateway flaw abound, attacks are ongoing
With several exploits targeting CVE-2019-19781 having been released over the weekend and the number of vulnerable endpoints still being over 25,000, attackers are having a field day.

Kubernetes bug bounty program open to anyone, rewards up to $10,000
The Cloud Native Computing Foundation is inviting bug hunters to search for and report vulnerabilities affecting Kubernetes. Offered bug bounties range from $100 to $10,000.

Transact with trust: Improving efficiencies and securing data with APIs
As with any business strategy there are risks, and integration technologies must be used wisely. This rings particularly true when customer data is involved. So, how can organizations reap the rewards of APIs while ensuring consumer data is secure?

Facebook users will be notified when their credentials are used for third-party app logins
Facebook will (finally!) explicitly tell users who use Facebook Login to log into third-party apps what information those apps are harvesting from their FB account.

Security pitfalls to avoid when programming using an API
OWASP’s API Security Project has released the first edition of its top 10 list of API security risks.

A case for establishing a common weakness enumeration for hardware security
As modern computer systems become more complex and interconnected, we are seeing more vulnerabilities than ever before. As attacks become more pervasive and sophisticated, they are often progressing past the software layer and compromising hardware. As a response, the industry has been working to deliver microarchitectural improvements and today, implementing hardware-based security is widely recognized as a best practice.

January 2020 Patch Tuesday: Microsoft nukes Windows crypto flaw flagged by the NSA
As forecasted, January 2020 Patch Tuesday releases by Microsoft and Adobe are pretty light: the “star of the show” is CVE-2020-0601, a Windows flaw flagged by the NSA that could allow attackers to successfully spoof code-signing certificates and use them to sign malicious code or intercept and modify encrypted communications.

Cyber attackers turn to business disruption as primary attack objective
Over the course of 2019, 36% of the incidents that CrowdStrike investigated were most often caused by ransomware, destructive malware or denial of service attacks, revealing that business disruption was often the main attack objective of cybercriminals.

A 101 guide to mobile device management
Extending beyond the traditional company network, mobile connectivity has become an extension of doing business and IT staff need to not just rethink how existing activities, operations, and business models can fit into mobile constructs, but rethink how mobility can fundamentally transform the business itself.

Companies increasingly reporting attacks attributed to foreign governments
More than one in four security managers attribute attacks against their organization to cyberwarfare or nation-state activity, according to Radware.

2020 forecast: Attackers will target non-traditional systems
Here are four predictions of where attackers are headed in 2020 – areas that your technology security team should focus their efforts on.

Fraud prevents a third of businesses from expanding digital capabilities
Kount released a new research report on digital innovation and emerging fraud, which found that the most innovative businesses are also the ones facing the greatest fraud threats.

Embedding security, the right way
As organizations proceed to move their processes from the physical world into the digital, their risk profile changes, too – and this is not a time to take risks. By not including security in DevOps processes, organizations are exposing their business in new and surprising ways.

Emotet remains the dark market leader for delivery-as-a-service
The vast majority of nationally sponsored cybersecurity incidents take the form of espionage through data exfiltration, with frequent employment of remote access tool Plug-X, according to the annual threat report by eSentire.

IoT cybersecurity’s worst kept secret
By improving access to data and taking advantage of them in fundamentally different ways to drive profitability, IT security executives are rapidly changing perceptions of their office.

New infosec products of the week: January 17, 2020
A rundown of infosec products released last week.

