A Review of the Best News of the Week on Cyber Threats & Defense
UPnP vulnerability lets attackers steal data, scan internal networks (Help Net Security, Jun 09 2020)
A vulnerability (CVE-2020-12695) in Universal Plug and Play (UPnP), which is implemented in billions of networked and IoT devices – personal computers, printers, mobile devices, routers, gaming consoles, Wi-Fi access points, and so on – may allow unauthenticated, remote attackers to exfiltrate data, scan internal networks or make the devices participate in DDoS attacks.
Another Intel Speculative Execution Vulnerability (Schneier on Security, Jun 11 2020)
“That has turned out to be true. Here’s a new vulnerability: On Tuesday, two separate academic teams disclosed two new and distinctive exploits that pierce Intel’s Software Guard eXtension, by far the most sensitive region of the company’s processors.”
Alarm sounded over security risks in online voting system (WeLiveSecurity, Jun 09 2020)
Bad actors could tamper with ballots cast via OmniBallot without being detected by voters, election officials or the tool’s developer, a study finds
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
DHS Warns on New Exploit of Windows 10 Vulnerability (Dark Reading, Jun 09 2020)
The vulnerability was patched in March, but a new proof of concept raises the stakes for organizations that haven’t yet updated their software.
The Telehealth Attack Surface (Dark Reading, Jun 10 2020)
Amid the surge in digital healthcare stemming from the coronavirus pandemic, security is taking a backseat to usability.
2019 was a record year for OSS vulnerabilities (Help Net Security, Jun 09 2020)
Total vulnerabilities in OSS more than doubled in 2019, from 421 Common Vulnerabilities and Exposures (CVEs) in 2018 to 968 last year, according to a RiskSense report.
Microsoft Predicts Escalation of Zero Trust in Lockdown Environments (Infosecurity Magazine, Jun 09 2020)
Speaking during a Microsoft webinar, the company’s EMEA chief security advisor Cyril Voisin said he does not expect companies to “fully revert to the IT state that they were in before” COVID-19 lockdown, predicting more cloud usage in the future.
German phishing scheme preyed on high-level execs needing PPE (SC Media, Jun 08 2020)
One hundred German companies in need of personal protective equipment (PPE) such as facemasks and medical gear were targeted in a COVID-19 phishing scheme to steal and exfiltrate user credentials. IBM X-Force IRIS discovered unknown hackers erected a fake Microsoft login page connected to different Yandex email accounts…
Microsoft Identifies Attack Targeting Kubeflow Environments (SecurityWeek, Jun 11 2020)
Microsoft’s Azure Security Center (ASC) recently identified an attack campaign that targets Kubeflow, a machine learning toolkit for Kubernetes.
Inside Stealthworker: How It Compromises WordPress, Step-by-Step (Dark Reading, Jun 12 2020)
A new wave of attacks using old malware is threatening WordPress sites that don’t have strong password policies.
What is the true extent of the modern corporate digital attack surface? (Help Net Security, Jun 12 2020)
RiskIQ released a report analyzing the company’s internet-wide telemetry and massive internet data collection to reveal the true extent of the modern corporate digital attack surface. “Today, organizations are responsible for defending not only their internal network but also their digital presence across the internet and the cloud,” said Lou Manousos, CEO, RiskIQ.
Intel patches chip flaw that could leak your cryptographic secrets (Naked Security – Sophos, Jun 12 2020)
Intel chip features that were intended to help you do cryptography better could have leaked your inner secrets.
Google Sees Increase in COVID-19 Phishing in Brazil, India, UK (SecurityWeek, Jun 12 2020)
Cyber-threats taking advantage of the COVID-19 pandemic are evolving, and Google is seeing an increase in related phishing attempts in countries such as Brazil, India, and the UK.
Hacker Bypasses GE’s Ridiculous Refrigerator DRM (VICE, Jun 12 2020)
The technique allows you to use ‘unauthorized’ water filters, which cost a quarter as much as GE’s official filters.
Spies Can Eavesdrop by Watching a Light Bulb’s Vibrations (Wired, Jun 12 2020)
The so-called lamphone technique allows for real-time listening in on a room that’s hundreds of feet away.
Magecart attackers hit Claire’s, Intersport web shops (Help Net Security, Jun 15 2020)
Magecart attackers have compromised web shops belonging to large retail chains Claire’s and Intersport and equipped them with payment card skimmers. The compromise of Claire’s online store and that of its sister brand Icing has been flagged by Sansec researchers.
Complexity and size of DDoS attacks have increased (Help Net Security, Jun 15 2020)
The complexity and size of DDoS attacks in 2019 have increased significantly compared to 2018. A report published by NaWas by NBIP concludes that although the number of attacks decreased slightly over 2019, their complexity and size have increased significantly.
There is a direct correlation between AI adoption and superior business outcomes (Help Net Security, Jun 14 2020)
Adoption of artificial intelligence (AI) is growing worldwide, according to an IDC survey of more than 2,000 IT and line of business (LoB) decision makers. Over a quarter of all AI initiatives are already in production and more than one third are in advanced development stages.
Twitter Shutters 32,000 State-Linked Accounts (Infosecurity Magazine, Jun 15 2020)
Social network accuses Russia, China and Turkey of pushing propaganda
SASE could bolster security for remote workers (Network World Security, Jun 13 2020)
The coronavirus pandemic has accelerated some companies’ plans to adopt secure access service edge (SASE). Last summer, Gartner estimated SASE adoption at less than 1% of enterprises and said it would take five to 10 years before the technology reaches mainstream. But today, SASE is one of the main topics of client interest, according to Gartner analyst John Wheeler.