WannaCry rears its ugly head again. Reddit gets hacked, despite using two-factor authentication. A cryptojacking campaign targets carrier-grade routers. Here are some recent security industry news that have caught our attention.

WannaCry hits Taiwan Semi

The notorious WannaCry ransomware re-appeared recently, when Taiwan Semiconductor Manufacturing, a chip supplier to Apple and other smartphone makers, suffered an infection that dented its operations.

Specifically, the ransomware disrupted chip production to a point that will delay shipments and cut revenue in the third quarter, although no confidential data was compromised, the company said.

According to Sophos’ Naked Security blog, the chip maker, which is Taiwan’s largest company, blamed the incident on a careless supplier that installed software infected with a WannaCry variant on its network. “When the virus hit, it spread quickly, affecting production at semiconductor plants in Tainan, Hsinchu and Taichung,” Naked Security’s Lisa Vaas wrote.

Of course, WannaCry can be avoided altogether by patching vulnerable systems, as Ben Lovejoy reminds us in 9to5Mac.

That’s the major lesson from last year’s WannaCry global rampage, which infected 300,000-plus systems, disrupting critical operations globally. Long before WannaCry erupted in May of last year, organizations should have patched the vulnerability that the ransomware exploited. Now they’ve had more than a year to fix it.

Continue reading …

A scary Bluetooth bug. A crippling ransomware attack. A cyber threat to the U.S. electrical grid. A data leak of trade secrets from major car makers such as Tesla and GM. These were some of the security industry news that caught our eye last week.

Bluetooth vulnerability rattles vendors, end users

The disclosure of a major flaw in Bluetooth last week has sent vendors of all shapes and sizes scrambling to patch their products, including cell phones and computers.

The bug, found by researchers at the Israel Institute of Technology, affects the elliptic curve Diffie-Hellman key exchange mechanism employed by Bluetooth. “The authentication provided by the Bluetooth pairing protocols is insufficient,” they wrote.

The CERT advisory explains that an unauthenticated, remote attacker within range could use a “man-in-the-middle” network position to find out the cryptographic keys used by the device. “The attacker can then intercept and decrypt and/or forge and inject device messages,” it reads.

Continue reading …

As cloud computing adoption accelerates among businesses, InfoSec teams are struggling to fully protect cloud workloads due to a lack of visibility into these environments, and to hackers’ increasingly effective attacks.

That’s the main finding from SANS Institute’s “Cloud Security: Defense in Detail if Not in Depth” report, which surveyed IT and security pros from organizations of all sizes representing many industries.

“We’re seeing more organizations moving to the cloud. They’re definitely moving quickly. And security teams aren’t wholly comfortable with the way cloud providers are giving us details about what’s going on in the environments,” report author Dave Shackleford, a SANS Institute analyst and instructor, said during a webcast to discuss the study findings.

Continue reading …

Qualys Product Management Director Tim White and SANS Institute Analyst John Pescatore did a deep dive into the Center for Internet Security’s Critical Security Controls during a recent webcast, and answered questions from audience members about these 20 foundational security practices, and about the importance of maintaining basic security hygiene.

In this blog post, we’re providing edited transcripts of their answers to all the questions, including those that they didn’t have time to address during the one-hour webcast, which was titled “Automating CIS Critical Security Controls for Threat Remediation and Enhanced Compliance.” We hope you find their explanations insightful and useful.

In addition, if you didn’t catch the webcast live, we invite you to listen to the CIS controls webcast recording. We also encourage you to download a copy of a highly detailed guide that maps the CIS controls and sub-controls directly to specific features in Qualys apps.

Continue reading …

It’s a well-known fact that most successful cyber attacks are easily preventable. That’s because the majority are neither highly sophisticated nor carefully customized.

Instead, they are of the “spray and pray” sort. They try to exploit known vulnerabilities for which patches are available, or to take advantage of weak configuration settings that IT departments could have handily and quickly hardened.

One recent and infamous example was the WannaCry ransomware, which infected 300,000-plus systems and disrupted critical operations globally in May. It spread using the EternalBlue exploit for a Windows vulnerability Microsoft had patched in March.

So why do many businesses, non-profit organizations and government agencies — including those with substantial cybersecurity resources and knowledge — continue falling prey to these largely unrefined and easy to deflect strikes?

In most cases, the main reason can be traced back to hygiene — of the cybersecurity type, of course. Just as personal hygiene practices reduce the risk of getting sick, applying cybersecurity hygiene principles goes a long way towards preventing security incidents.

That was the key message Qualys Product Management Director Tim White and SANS Institute Analyst John Pescatore delivered during the recent webcast “Automating CIS Critical Security Controls for Threat Remediation and Enhanced Compliance.”

Continue reading …

From the first page, the EU’s General Data Protection Regulation stresses the importance it places on the security and privacy of EU residents’ private information. The 88-page document opens by referring to the protection of this personal data as a “fundamental right” essential for “freedom, security and justice” and for creating the “trust” needed for the “digital economy” to flourish.

The stakes are sky-high for EU regulators tasked with enforcing GDPR, and for organisations that must comply with it. The requirements outlined in the document amount to what some have called “zero-tolerance” on mishandling EU residents’ personal data and apply to any organisation doing business in the EU, regardless of where they are based.

Both data “controllers” — those who collect the data — and data “processors” — those with whom it’s shared — must implement “appropriate technical and organisational measures” and their IT networks and systems must “resist, at a given level of confidence, accidental events or unlawful or malicious actions.”

Bottom line: Organisations are expected to have technology and processes in place to prevent accidental or malicious incidents that compromise the “availability, authenticity, integrity and confidentiality of stored or transmitted personal data.” Continue reading …

Considering that database systems hold extremely valuable and sensitive information, one would assume that most organizations would fiercely protect these “crown jewels” with great care. Unfortunately, that is not the case.

Throngs of databases in organizations worldwide are unsafe, at high risk of being breached by malicious hackers, rogue employees and crooked partners. This sorry state of database security puts financial data, customer information, health records, intellectual property treasures and more in grave danger.

Below we’ll discuss the two main causes for database security breakdowns — unpatched vulnerabilities and configuration errors — along with helpful tips for reducing the risk of database breaches.

Continue reading …