A roundup of the top news stories in information security this week, including Equifax stalling on installing a patch that ultimately resulted in its data breach, Yahoo revealing that their 2013 data breach was much bigger than expected, and updates to Netgear products.
DATA BREACHES
Equifax Stalled on Patching Vulnerability That Led to Data Breach
In testimony delivered to Congress on Tuesday, former Equifax CEO Richard Smith disclosed that the company was alerted to a software security vulnerability in March, but failed to address it immediately. Ultimately, the vulnerability led to the recent data breach that impacted more than 140 million Americans. “It appears that the breach occurred because of both human error and technology failures,” Smith said.
SECURITY PATCHES
Netgear Update Addresses 50 Flaws in its Products
A total of 50 patches were issued to address vulnerabilities in Netgear products which include routers, switches, NAS devices, and wireless access points. Of the total number of vulnerabilities, 20 were deemed as “high” security risks, with the remaining receiving a “medium” score. The advisories tied to the vulnerabilities were posted over the last two weeks.
DATA BREACH
Yahoo Breach Much Bigger Than Expected
This week, Yahoo shared that the massive 2013 data breach that impacted more than one billion user accounts is much bigger than it previously reported. A total of three billion accounts existing in 2013 “had likely been affected,” the company said in a statement. Following a forensic investigation, the company now believes that all of its Yahoo user accounts at the time were compromised.
CYBER THREAT
Attackers Follow-Up in Office 365 Phishing Campaign
While many attackers opt to stick to the success of the original phishing emails sent out to their targets, cyber miscreants have been especially persistent in a recent campaign. CSO Online’s Salted Hash reported on an Office 365 phishing campaign occurring since late 2016, and have indicated that attackers sent a follow-up email just two weeks following their initial message, with a third email arriving shortly after that.
FINANCE
BoA’s Chief Tech Officer Says Company to Spend $600M on Infosec This Year
The larger the enterprise, the more the security spend. While that’s a commonly accepted assumption, one technology leaders shared just how much her organization was spending on security this year. Bank of America Corp’s chief operations and technology officer Cathy Bessant said in a recent interview with CNBC that when all is said and done, the company would be spending a total of $600 million on information security this year.
PRIVACY
Russia’s Anti-Privacy Laws Kick In
On October 1, new anti-privacy laws went into effect in Russia. The lawns allow for faster blocking of all proxies and mirror of banned websites. Additionally, search engines are not allowed to advertise on sites. Additional anti-privacy laws will go into effect after November 1, when Russia plans to block VPN services.
STANDARDS
New BGP System Standards Aim to Support Internet Router Security
New standards have been released that are aimed at bolstering the security of the system the internet’s core routers use to direct traffic. The Border Gateway Protocol (BGP) Path Validation draft standards are designed to ensure that Internet traffic is coming from a safe and reliable source.
ESPIONAGE
Russia Hacks Phones of NATO Soldiers
Officials believe that Russia’s digital warfare campaign has spread to individual soldiers. According to a report by The Wall Street Journal, individual NATO soldiers - specifically those deployed to Poland and the Baltic states - are having their mobile phones compromised by Russian state-sponsored attackers. In addition to comprising phones, intruders are also taking over their Facebook accounts.
