Week in review: Intel chip flaw, shedding light on hidden root CAs, Emotet stages a comeback

Here’s an overview of some of last week’s most interesting news, articles and interviews:

Researchers shed light on hidden root CAs
How common is the use of hidden root CAs and the certificates they sign? To answer these and other questions, a team of researchers from several Chinese and U.S. universities and Qihoo 360, the company that develops the 360 Secure Browser, collected five months of certificate data from volunteer users and analyzed certificate chains and verification statuses across web visits.

Intel chip flaw could allow attacks on laptops, cars, medical devices (CVE-2021-0146)
Researchers have revealed a vulnerability in Intel processors that could affect laptops, cars and embedded systems. The flaw (CVE-2021-0146) allows test or debug modes to be activated on several Intel CPU lines, which could let an unauthorized user with physical access escalate system privileges.

Emotet makes a comeback using Trickbot and spam
According to researchers, whoever is trying to rebuild the Emotet botnet started by using the Trickbot botnet to drop the malware, and then added the tried-and-tested method of sending spam emails carrying malicious attachments and links.

GitHub fixes serious npm registry vulnerability, requires 2FA for certain accounts
GitHub has fixed a serious vulnerability that would have allowed attackers to publish new, malicious versions of any existing package in the npm registry.

How to achieve permanent server hardening through automation
Information security standards such as PCI DSS and ISO 27001, and regulations such as HIPAA and CMMC, require system hardening as one of the most basic protections against cyber attacks. The reason should be clear to everyone: what is the point of implementing more advanced security and protection measures if you do not first close all the unnecessary “doors” through which attackers can enter your systems and networks?

The future of digital infrastructure: the top 10 forecasts
IDC’s top 10 forecasts for the future of digital infrastructure point to a digital infrastructure strategy that addresses resilience and trust, operations-driven data complexity, and business-outcome-driven autonomous actions.

How do I choose a policy automation solution for my business?
To choose a suitable policy automation solution for your business, you need to consider a variety of factors. We spoke to some industry professionals to get their insights on the subject.

Top risks auditors should cover in their 2022 audit plans
Ransomware and the long-term impact of COVID-19 on markets and organizations are the key items to be covered in 2022 audit plans, according to a Gartner report. The report also identified evolving social expectations of organizations, such as environmental, social and governance (ESG) concerns, and operational resilience as leading risk areas for 2022.

Cloud compliance: Falling out of it can spell doom
In this Help Net Security interview, Bill Tolson, VP of Global Compliance and eDiscovery at Archive360, talks about the importance of cloud compliance and what companies can do to meet the requirements when moving to the cloud.

Healthcare organizations at risk: The attack surface is expanding
Armis has released data showing the increased security risk facing healthcare organizations and patients, with the growing number of connected devices creating an expanded attack surface and putting the patient journey at risk.

The latest trends in online cybersecurity learning and training
In this Help Net Security interview, Mike Hendrickson, VP of Technology and Developer at educational technology company Skillsoft, talks about the trends in online cybersecurity learning and training that have emerged in recent years.

Digital life after death: Do you have a password sharing plan?
COVID-19 has prompted many American millennials to finally start estate planning, according to a new study, which found that 72% of those respondents with wills created or updated them in the past year. What’s more, 34% of millennials have talked with their parents about their digital estate in the past year.

How to improve your SaaS security posture and reduce risk
In this Help Net Security interview, Maor Bin, CEO of Adaptive Shield, talks about the SaaS security space and how Adaptive Shield helps security teams gain control of their SaaS security landscape.

More than 10,000 sites and apps are vulnerable to Magecart
Some of the world’s largest companies in retail, banking, healthcare, energy and many other sectors, including Fortune 500 and Global 500 companies and governments, are failing to prevent Magecart attacks, a Cyberpion study has revealed.

How to handle third-party security risk management
In this Help Net Security interview, Demi Ben-Ari, CTO at Panorays, talks about third-party security risk management and the consequences of a third-party breach. He also discusses the Panorays platform, which automates, accelerates and scales the third-party security assessment and management process.

A cultural gap between IT and OT teams leaves 65% of organizations unable to secure both environments
Only 21% of organizations have reached full maturity of their ICS/OT cybersecurity program, in which emerging threats drive priority actions and C-level executives and the board receive regular updates on their OT security status, a Ponemon Institute report reveals.

When it comes to securing systems against quantum computers, there is no one-size-fits-all solution
Quantum computers will be able to solve complex mathematical problems quickly, including breaking RSA and ECC encryption in seconds. In response, NIST has led an effort to standardize new cryptographic algorithms that would withstand attacks from quantum computers.

Zoom fixes vulnerabilities in its range of conferencing apps
Zoom has fixed vulnerabilities in its range of on-premises solutions for meetings, conferences and recordings: Zoom Meeting Connector, Zoom Virtual Room Connector, Zoom Recording Connector and others.

When cybersecurity becomes scary
Some cybersecurity horror stories are not your typical horror stories: there is no danger from a maniac with a chainsaw hiding behind a server rack, the Candyman will not show up if you say his name three times while staring at your 4K monitor, and it’s not like a vampire or werewolf can bite a firewall.

Operational technology and zero trust
The latest cross-industry push for zero trust focuses primarily on information technology (IT) and the remote workforce, rather than the entire organization, including any operational technology (OT) in use. This leaves a significant portion of the organization unprotected and at risk.

We need a hundred cyber ads
For a generation of people who panic if they leave home without their phone or when a social media outage occurs, we remain remarkably unwilling to handle our online choices securely.

Fighting cybercrime: Lessons from a veteran CIO
The fight against cybercrime is exponentially harder than the fight against traditional criminal activity, as technologies and techniques make it very easy for cybercriminals to hide their true identity, location and affiliation. It is a sobering situation, one that has resulted in extensive intellectual property theft, huge financial losses and disruption of the supply chains that deliver vital goods.

Illuminating the path: Compliance as a key to security by design
Like taxes or going to the dentist, compliance is one of those topics people often prefer not to think about. There are many reasons for the aversion, but this “anything but compliance” mindset can lead to problems.

The six most common threats against the device that knows you best
What is the most intimate relationship in your life, apart from your spouse, children or parents? For many of us, it is our cell phone. It is the last thing we see before bed, and it is usually the first thing in our hands every morning.

Bots lurk in zombie and shadow APIs
Without a doubt, the biggest trend we have seen this year in the API landscape is that every organization has shadow and zombie APIs, and they are a much bigger issue than most people would like to believe. Perhaps they take the “if I’ve never seen it, it doesn’t exist” approach to API security.

API invisibility undermines a basic principle of security
One of the oldest principles of security is that you cannot secure what you cannot see. Visibility has always been the starting point for monitoring and protecting the attack surface and valuable resources.

Ebook: Biometric Authentication For Dummies
Online biometric authentication enables governments, banks and other organizations to securely verify user identities. In Biometric Authentication For Dummies, iProov explains everything you need to know about how it works and why it offers the highest levels of security, usability and privacy.

Report: Modern Pentesting ROI 2021
Does your pentesting program deliver enough value? This exclusive in-depth report compares Pentest as a Service (PtaaS) with traditional consulting engagements, and its ROI calculator shows how PtaaS can double your pentesting impact.

Infosec’s new products of the week: November 19, 2021
Here’s a look at the most interesting product releases from the past week, which include releases from 1Password, Fortanix, Jetico, Palo Alto Networks, Saviynt, StorONE, Viavi Solutions and WatchGuard.
