Here's a roundup of this week's top information security stories, including Oracle's historic Critical Patch Update, a nasty IoT flaw that could impact millions of devices, and an upgrade to card skimmers that cybercriminals have been leveraging.
Oracle Issues Largest Security Update Ever
In its largest quarterly Critical Patch Update to date, Oracle has addressed 308 vulnerabilities across more than 90 products. Of the flaws addressed by the tech giant, 165 are remotely exploitable. In total, the company has fixed 878 vulnerabilities in 2017. One critical vulnerability found in its E-Business Suite of business applications could allow an attacker to download data without the need for authentication.
Security firm Senrio has discovered a security vulnerability in a piece of code called gSOAP that’s widely used in physical security products. Dubbed “Devil’s Ivy,” the flaw could let attackers fully disable or compromise thousands of internet-connected devices, ranging from security cameras to access-card readers. Genivia, the company behind gSOAP, has shared that 34 organizations use the code in their IoT products.
Cisco Patches Another Critical Bug in WebEx Extension
Patches have been released by Cisco to address a critical vulnerability in WebEx browser extensions for Chrome and Firefox. Google Project Zero’s Tavis Ormandy and Divergent Security’s Cris Neckar discovered the vulnerability, which, if exploited, could allow attackers to remotely run code on a computer that has the extension installed. Millions of machines have the extension installed.
New Card Skimmers Equipped With Infrared Antennas to Thwart Detection
Cybercriminals have upgraded credit card skimmers in order to avoid getting caught. The new equipment features technology that allows them to transmit stolen card data wirelessly via infrared, according to a report by cybersecurity journalist Brian Krebs. These “wafer-thin” skimmers use the same technology that powers TV remote controls.
Researchers Build Business Case for Endpoint Protection
Two researchers tested more than 30,000 types of malware in an effort to measure the effectiveness of endpoint security tools. Lidia Giuliano and independent CTO Mike Spaulding will be presenting their findings at the Black Hat security conference in Las Vegas, Nevada next week. Their research lasted five months, with the goal of building a framework that security practitioners can use to evaluate endpoint protection products on the market, a process many of them find challenging.
CoinDash, a cryptocurrency startup, has disclosed that the token sale in its initial coin offering (ICO) was compromised. The company claims that $7.53 million of ethereum was stolen after an unidentified hacker replaced the ethereum address used to solicit funds with a fake one, diverting contributions to the attacker’s address. The company urged investors not to send any additional funds to any address, because “transactions sent to any fraudulent address” will not be compensated.
A new study that surveyed 300 U.S. companies found that a majority of organizations favor integrating security with DevOps. Conducted by security firm DigiCert, the report features responses from IT, DevOps, and IT security management. Nearly half (49%) of respondents indicated that they’ve already completed their DevOps and security integration, while the other half is still working on it.
In an effort to curb phishing attacks, Sen. Ron Wyden (D-OR) sent a letter to the Department of Homeland Security urging the department to adopt the Domain-based Message Authentication, Reporting & Conformance (DMARC) email protocol. “The threat posed by criminals and foreign government impersonating U.S. government agencies is real,” Wyden wrote.