A Review of the Best News of the Week on Cyber Threats & Defense

Supply Chain Security 101: An Expert’s View (Krebs on Security, Oct 12 2018)
“Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology sold to a number of American companies.”

Branch.io Flaws Exposed Tinder, Shopify, Yelp Users to XSS Attacks (SecurityWeek, Oct 15 2018)
Hundreds of millions of users may have been exposed to cross-site scripting (XSS) attacks due to a vulnerability present in Branch.io, a service used by Tinder, Shopify, Yelp and many others.

Facebook downgrades victim count, details data accessed in breach (WeLiveSecurity, Oct 15 2018)
While the number of victims is lower than previously thought, the data accessed for millions of them is more sensitive than originally believed.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

Researchers KRACK Wi-Fi Again, More Efficiently This Time (SecurityWeek, Oct 09 2018)
In a new research paper (PDF) to be presented at the Computer and Communications Security (CCS) conference this month, the researchers detail improved KRACK variants and show how the countermeasures deployed last year can be bypassed. Generalized against the 4-way handshake, the new attacks no longer rely on hard-to-win race conditions and employ a more practical method to obtain a man-in-the-middle (MitM) position.

Security Researchers Struggle with Bot Management Programs (Dark Reading, Oct 10 2018)
This is a serious problem for security researchers. Data collection via Internet crawls is a crucial part of security research. In my own work, I crawled millions of websites and scraped application stores, code repositories, forums, vulnerability databases, and more. Think about it. Researchers meticulously design experiments, build and analyze invaluable data sets in a scientific framework, and (sometimes literally) fight to publish and present their results at prestigious conferences, only to discover that their data set was tainted by a plethora of bot defenses scattered around the Internet.

Pentagon Weapons Systems Are Easy Cyberattack Targets, New Report Finds (Wired, Oct 10 2018)
Specifically, the report concludes that almost all weapons that the DOD tested between 2012 and 2017 have “mission critical” cyber vulnerabilities. “Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report states.

Hackers steal Pentagon personnel’s PI and credit card data (Help Net Security, Oct 15 2018)
The U.S. Department of Defense confirmed on Friday that personal information and credit card data of some 30,000 U.S. military and civilian personnel has been compromised in a breach affecting a DoD’s third party contractor. Apparently, no classified information was accessed by the attackers.

Threat Hunters & Security Analysts: A Dynamic Duo (Dark Reading, Oct 12 2018)
The bottom line: Organizations need to adopt an aggressive, threat-hunting posture to compete with the proliferating threat universe. No longer is it sufficient to rely solely on incident-response teams that are already stretched thin and approaching problems after the fact. Threat hunters fight spying with spying, which will bring the proactive mindset of network reconnaissance and repair to protect an enterprise’s vital data assets.

ICANN’s internet DNS security upgrade apparently goes off without a glitch (Network World Security, Oct 12 2018)
So far, so good. That’s the report from Internet Corporation for Assigned Names and Numbers (ICANN) as it rolled out the first-ever changing of the cryptographic key that helps protect the internet’s address book – the Domain Name System (DNS) on Oct. 11.

Fake Adobe update really *does* update Flash (while also installing cryptominer) (Graham Cluley, Oct 15 2018)
Online criminals are planting cryptomining code on victims’ Windows computers, using the camouflage of an update to Adobe Flash Player.

Google ramps up G Suite protections against government-backed attacks (Naked Security – Sophos, Oct 09 2018)
Security alerts become opt-out by default from 10 October because so few admins opted in.

Code Execution Flaws Found in WECON Industrial Products (SecurityWeek, Oct 08 2018)
WECON specializes in human-machine interfaces (HMIs), programmable logic controllers (PLCs), and industrial PCs. The company’s products are used all around the world, particularly in the critical manufacturing, energy, and water and wastewater sectors.

IIS Attacks Skyrocket, Hit 1.7M in Q2 (Dark Reading, Oct 10 2018)
Drupal and Oracle WebLogic also were hit with more cyberattacks during same quarter.

Payment skimmers sneaking on to websites via third party code (Naked Security – Sophos, Oct 12 2018)
Whatever Magecart is, it’s been blamed for several high-profile payment card breaches this summer.

No Cookies for CartThief, a New Magecart Variant (Infosecurity Magazine, Oct 12 2018)
New iteration of Magecart malware obfuscates data collection, says The Media Trust.

New Domains: A Wide-Open Playing Field for Cybercrime (Dark Reading, Oct 09 2018)
As bad actors increasingly exploit new domains for financial gain and other nefarious purposes, security teams need to employ policies and practices to neutralize the threat in real time. Here’s why and how.

Lesser Skilled Cybercriminals Adopt Nation-State Hacking Methods (Dark Reading, Oct 09 2018)
One example is cybercriminals increasingly using TeamViewer software to gain remote access to targets. TeamViewer is a legitimate tool for connecting to remote computers for desktop sharing and collaboration and enabling remote support, among other uses.

Many Siemens Products Affected by Foreshadow Vulnerabilities (SecurityWeek, Oct 10 2018)
Siemens informed customers this week that many of its products are affected by the recently disclosed processor vulnerabilities known as Foreshadow and L1 Terminal Fault (L1TF).

Hackers Exploit Drupalgeddon2 to Install Backdoor (SecurityWeek, Oct 11 2018)
A threat actor was observed targeting Drupal vulnerabilities patched earlier this year to install a backdoor on compromised servers, IBM reports.

Literary-minded phishers are trying to pilfer publishers’ manuscripts (Naked Security – Sophos, Oct 15 2018)
In a twist on Business Email Compromise, they’re spoofing literary agents and going after manuscripts at Penguin Random House and Pan Macmillan.