Week in review: DDoS attack trends, WannaCry lessons, new issue of (IN)SECURE

Here’s an overview of some of last week’s most interesting news and articles:

Zero-day flaws in widespread TCP/IP library open millions of IoT devices to remote attack
19 vulnerabilities – some of them allowing remote code execution – have been discovered in a TCP/IP stack/library used in hundreds of millions of IoT and OT devices deployed by organizations in a wide variety of industries and sectors.

Data Protection Officer independence: Ethical and practical considerations
In light of recent regulator action regarding Data Protection Officer (DPO) independence, this article considers the ethical and practical considerations surrounding the appointment of a DPO.

The FBI expects a surge of mobile banking threats
The increased use of mobile banking apps due to the COVID-19 pandemic is sure to be followed by an increased prevalence of mobile banking threats: fake banking apps and banking Trojans disguised as those apps, the FBI has warned.

Cybercriminals banking on finance: Mitigating escalation
When it comes to cyber attacks, no industry is safe. But according to Boston Consulting Group research, financial service firms experience up to 300 times as many cyber attacks per year compared to companies in other industries. No financial firm is ever safe, especially as cybercriminals become more determined and sophisticated in their attack methods.

Complexity and size of DDoS attacks have increased
The complexity and size of DDoS attacks in 2019 has increased significantly compared to 2018. A report published by NaWas by NBIP concludes that despite the number of attacks has decreased slightly over 2019, their complexity and size has increased significantly.

End-to-end encryption will be offered to all Zoom users
Zoom Video Communications has decided to extend the benefits of end-to-end encryption (E2EE) not only to paying Zoom customers, but to those who create free accounts, as well.

Vulnerable platform used in power plants enables attackers to run malicious code on user browsers
Otorio’s incident response team identified a high-score vulnerability in OSISoft’s PI System. They immediately notified OSIsoft Software of the vulnerability, which OSIsoft filed with ICS-CERT (ICSA-20-163-01).

How much is your data worth on the dark web?
Credit card details, online banking logins, and social media credentials are available on the dark web at worryingly low prices, according to Privacy Affairs.

How do I select a security awareness solution for my business?
In order to select the right security awareness solution for your business, you need to think about a number of factors. We’ve talked to several industry professionals to get their insight on the topic.

Building relationships: The key to becoming a true cybersecurity leader
Slowly but surely, organizations are starting to view information security as a business problem, not an IT problem, and as everybody’s responsibility.

Most COVID-19 contact-tracing apps are not adequately secured
Security researchers have analyzed contact-tracing mobile apps from around the globe and found that their developers have generally failed to implement suitable security and privacy protections.

Companies still struggle with SOC staff shortages, security skills gap
Exabeam’s 2020 State of the SOC Report reveals that 82% of SOCs are confident in the ability to detect cyberthreats, despite just 22% of frontline workers tracking mean time to detection (MTTD), which helps determine hacker dwell time.

Magecart attackers hit Claire’s, Intersport web shops
Magecart attackers have compromised web shops belonging to large retail chains Claire’s and Intersport and equipped them with payment card skimmers.

Running ConnectWise Automate on-prem? Fix this high-risk API vulnerability
ConnectWise has fixed a high-severity vulnerability affecting a ConnectWise Automate API and is urging users who run the solution on their premises to implement the provided hotfixes.

Three years after WannaCry, what have we learned?
Three years ago, the WannaCry ransomware worm wreaked havoc on hundreds of thousands of organizations worldwide, ranging from hospitals that had to pause urgent operations to multinational delivery services that were forced to halt the transportation of goods. In fact, experts claim business interruption costs from the notorious ransomware attack topped off at about $8 billion.

A look inside privacy enhancing technologies
There is a growing global recognition of the value of data and the importance of prioritizing data privacy and security as critical cornerstones of business operations. While many events and developments could be viewed as contributing to this trend, it would be difficult to argue that the increased discussion generated by today’s accelerating regulatory environment has not played a significant role.

Drupal fixes three vulnerabilities, including one RCE
Drupal’s security team has fixed three vulnerabilities in the popular content management system’s core, one of which (CVE-2020-13663) could be exploited to achieve remote code execution.

Work from home, work from anywhere: Are you secure everywhere?
As millions of employees continue to work from home for the foreseeable future and in some cases perhaps indefinitely, balancing the ongoing demands of employee productivity and information security will be paramount.

Using Cisco Webex for your video conferencing needs? Go patch!
Cisco has released security updates for Cisco Webex Meetings and Cisco Webex Meetings Server that fix several remotely exploitable vulnerabilities, as well as one less severe one that could allow hackers to gain access to a target’s Webex account.

(IN)SECURE Magazine issue 66 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Issue 66 has been released today. It’s a free download, no registration required.

Share this
You are reading
vectors

Week in review: DDoS attack trends, WannaCry lessons, new issue of (IN)SECURE