Monday, January 22, 2018

iNews - Around The World This Week

1)     Understanding Supply Chain Cyber Attacks - Today's cybersecurity landscape has changed dramatically due to digitalization and interconnectivity. While the benefits of each push businesses toward adoption, security risks associated with interconnectivity between networks and systems raise major concerns. Everything-as-a-service removes traditional security borders and opens the door to new cyber-attacks that organizations might not be prepared to recognize or even deal with.

2)     Schneider Electric: TRITON/TRISIS Attack Used 0-Day Flaw in its Safety Controller System, and a RAT - Industrial control systems giant Schneider Electric discovered a zero-day privilege-escalation vulnerability in its Triconex Tricon safety-controller firmware which helped allow sophisticated hackers to wrest control of the emergency shutdown system in a targeted attack on one of its customers. Once the malware was inside the controller, it injected the RAT into memory by exploiting a zero-day vulnerability in the firmware, and escalating its privileges.

3)     Ransomware: Why the crooks are ditching bitcoin and where they are going next - The popularity of bitcoin is creating problems for criminals dealing in ransomware -- and some are already casting their gaze towards a less volatile cryptocurrency. While bitcoin has suddenly found itself in the public eye thanks to its rocketing -- and, more recently, plummeting -- value, it hasn't appeared from nowhere. We'll see a progressive shift in 2018 towards criminal use of cryptocurrencies other than bitcoin, making it generally more challenging for law enforcement to counter.

4)     Where to Find Security Holes in Serverless Architecture - Application security is getting a twist with the rise of serverless architectures, which introduce a new way of developing and managing applications - and a new wave of related security risks. Businesses are looking to serverless architectures to drive simplicity and reduce cost. Applications built on these platforms scale as cloud workloads grow, so developers can focus on product functionality without worrying about the operating system, application server, or software runtime environment.

5)     49% Indian companies not likely to secure sensitive data in cloud - While an overwhelming majority of global firms have adopted cloud services, there is still a wide gap in the level of security precautions applied by them, a survey has revealed. Almost half of Indian organizations say they are not likely to secure sensitive data in the cloud. Globally, organizations said only two-fifths of the data stored in the cloud is secured with encryption and key management solutions.

6)     Man pleads guilty to launching DDoS attacks against former employers - A man from New Mexico has admitted to launching distributed denial-of-service (DDoS) attacks against former employers, as well as possessing a firearm illegally. On Wednesday, the US Department of Justice (DoJ) said John Kelsey Gammell has pleaded guilty in a St. Paul, Minnesota court to directing DDoS attacks against former employers, business competitors, companies that refused to hire him and websites for law enforcement and courts, among others. Gammell not only set up the DDoS attacks, which launch traffic in such volumes that online services are disrupted, on his own computers but also paid DDoS-for-hire services to hammer victims further.

7)     Oman's stock exchange was easily hackable for months - The security flaw made the securities market an easy target and was only fixed after a security researcher sent more than half-a-dozen warning emails. A core router for Oman's stock exchange, the Muscat Securities Market, had both its username and password as "admin" for months, even after several attempts by a security researcher to warn the exchange of the security implications.

8)     Uber ignores security bug that makes its two-factor authentication useless - Uber has ignored a security bug that can allow an attacker to hack into user accounts by bypassing two-factor authentication because the ride sharing company says the flaw "isn't a particularly severe" issue. Two-factor authentication (2FA) is a vital part of protecting online accounts. It adds a second layer of security on top of your username and password -- which can be stolen -- by sending a code by text message to your phone, for example, which only you would have access to.

9)     Behavioral biometrics missing from cybersecurity - Recently, there’s been an uptick in the adoption of the NIST Cybersecurity Framework, a set of guidelines aimed at helping organizations improve their overall cybersecurity process. In December 2017, NIST released the second draft of its framework. Among the updates were two critical additions to the Identity Management, Authentication and Access Control guidance. Rather than being shocked by each new data breach, ransomware attack or instance of fraud, companies are increasingly working to improve their cybersecurity posture, and not just internal information security professionals.

Up to 40K Affected in Credit Card Breach at OnePlus - Chinese smartphone manufacturer OnePlus has reported a credit card breach affecting up to 40,000 users at oneplus.net. Users who entered their credit card data on the website between mid-November 2017 and January 11, 2018 could be at risk. The malicious script has been eliminated, the infected server quarantined, and all relevant system structures reinforced. Users who paid using a saved credit card, the "Credit Card via PayPal" option, or PayPal should not be affected, OnePlus reports.


No comments:

Post a Comment