Ministry of Home Affairs Needs to Go Beyond Security Basics

Suparna Goswami • July 18, 2019

The Ministry of Home Affairs recently released a document on information security best practices for government officials. While emphasizing the basics is a good move, much more needs to be done.

3rd Party Risk Management

Marriott Faces $125 Million GDPR Fine Over Mega-Breach

Latest

Endpoint Security

Researchers Trick Cylance Into Giving Malware a Pass

Jeremy Kirk • July 19, 2019

An Australian cybersecurity company says it tricked BlackBerry's Cylance Protect anti-virus product into believing that some of the most pernicious types of malware, including WannaCry and the SamSam ransomware, were benign programs.

Governance

Security Solutions Planning: Right-Sizing Your Stack

Varun Haran • July 19, 2019

Planning your security programs to incorporate the right digital context - the IT environment, the business processes and the risks - is essential for success, says Avinash Prasad, vice president and head of the managed services business at Tata Communications.

Application Security

Tesla Vulnerability: A Bounty Hunter's Tale

Nick Holland • July 19, 2019

The latest edition of the ISMG Security Report describes the accidental discovery of a Tesla software vulnerability. Also featured: an analysis of the latest ransomware trends and insights from former federal advisers Richard Clarke and Robert Knake on cyber resilience.

Phishing Scheme Targets Amex Cardholders

Akshaya Asokan • July 18, 2019

Researchers have uncovered a new type of phishing campaign that is targeting American Express card users. In these incidents, attackers are sending a hyperlink as part of a phony account update to access the victim's credentials and other account details, according to researchers at the security firm Cofense.

Governance

Despite BlueKeep Warnings, Many Organizations Fail to Patch

Jeffrey Burt • July 18, 2019

Weeks after Microsoft issued a patch for the BlueKeep vulnerability, which threatens devices running older versions of Windows, many organizations worldwide have yet to install patches despite alerts from the software giant, government agencies and cybersecurity companies, according to researchers at BitSight.

Cybercrime as-a-service

Suspected Rubella Toolkit Mastermind Arrested

Scott Ferguson • July 17, 2019

A 20-year-old Dutch man suspected of creating the Rubella Macro Builder toolkit and distributing it on underground forums has been arrested by the Dutch National Police, which received assistance from McAfee. Rubella and other toolkits enable attackers to distribute malware through weaponized Office documents.

Business Continuity Management / Disaster Recovery

Ransomware: As GandCrab Retires, Sodinokibi Rises

Mathew J. Schwartz • July 17, 2019

With the GandCrab ransomware-as-service gang promising to retire - and free decryptors now aiding victims - rival Sodinokibi has already stepped into the void, security experts warn. Driven also by attackers wielding Ryuk, Dharma and Phobos, ransom payments by victims have been surging.

Active Defense & Deception

How Deception Technology Is Evolving

Nick Holland • July 17, 2019

Deception technology is becoming more sophisticated, enabling organizations to battle against emerging threats, says Alissa Knight, senior analyst at Aite Group, a research and advisory company.

Blockchain & Cryptocurrency

Senators Scrutinize Facebook's Cryptocurrency Plans

Scott Ferguson • July 16, 2019

At a Senate committee hearing on Tuesday, lawmakers grilled a Facebook executive about the company's plans to launch a cryptocurrency. One Democratic senator said Facebook "does not respect the power of the technologies they are playing with - like a toddler who has gotten his hands on a book of matches."

Application Security

Security Flaw Exposed Valid Airline Boarding Passes

Mathew J. Schwartz • July 16, 2019

A vulnerability in global airline check-in software used by 500 airlines could have been exploited to download other individuals' valid boarding passes, potentially giving them access to restricted airport spaces, warns security expert David Stubley. The flaw in Amadeus travel software has now been fixed.

Geo Focus: Asia

Vehicle Information Is for Sale; Is Privacy at Stake?

Suparna Goswami • July 16, 2019

The Ministry of Road Transport and Highways reportedly informed the Parliament that it has earned around INR 65 crore, or about $9.5 million, by providing restricted access to a database of registered vehicles and drivers to private-sector companies. Is citizens' privacy at stake?

Application Security

How a Big Rock Revealed a Tesla XSS Vulnerability

Jeremy Kirk • July 16, 2019

Software vulnerabilities sometimes have an uncanny knack of revealing themselves, even when a bug hunter is looking someplace else. Sam Curry's probing eventually revealed a cross-site scripting flaw in a Tesla service, which netted him a $10,000 bounty.