RSA happened last week, and a ton of news—some gloomy, some encouraging—has come from the world’s largest cyber security conference. The Israeli government follows Great Britain, the U.S., and France and moves to open source. TaskRabbit pledges “more security” after a data breach, and nine things you can expect to have an impact on cyber security in the coming year.
Software Integrity Insight is your weekly resource for the cyber security and open source security that made the headlines this week!
via Synopsys Software Integrity: In the “quicksilver law of cyber defense,” cyber security defenders could take a page from the legendary Boston Celtics teams of the 1960s, who said one of the reasons they won was because they anticipated what their opponents would do. The same has to be true in cyber security. “You need to get to the ball before your opponent,” Ghai said.
via Threatpost (video): Researcher Billy Rios, founder of WhiteScope, discusses medical device hacking at RSA Conference 2018 with Threatpost’s Tom Spring. Rios also talks about his work where he demonstrated how an attacker could remotely hack an internet-connected car wash and used it to attack and damage vehicles.
via Government CIO: Microsoft and the Cybersecurity Tech Accord, musings on blockchain, a product hot list, and more.
via EE Times: Hardware design needs to focus more on security and less on performance, according to some experts at the annual RSA Conference in San Francisco. All sides agreed that the number and sophistication of threats are growing in a landscape where tech companies and governments can be both adversaries and partners.
via Haaretz: The move means its software code will be available to anyone to use and modify. The U.S., Britain and France have already taken similar steps.
via Synopsys Software Integrity: The problem is that OEMs and carriers are responsible not only for pushing out the updates but also for displaying the latest month for which Google’s monthly updates have been applied to a device. There may be legitimate reasons why an OEM or carrier may choose not to push out a security update for a particular type of device.
via TechTarget: The open source software-related Equifax data breach was not an isolated incident, and wary businesses have reacted with investments in DevSecOps. A survey of over 2,000 IT pros shows that fear of data breaches is increasing investments in DevSecOps tools, particularly automated security tools and oversight of open source software.
via TechCrunch: TaskRabbit will add several new security measures because of the incident. CEO Stacy Brown-Philpot said they are working on ways to make their login process more secure, reduce the amount of data retained about customers and taskers and “enhance overall network cyber threat detection technology.”
via Forbes: From the Equifax breach this past September to the recent hack of MyFitnessPal data through Under Armour, the number of high-profile cyberattacks has continued to climb in recent months. Every company, regardless of size, must be prepared for the possibility that they’ll be the next victim.
via Synopsys Software Integrity: The story about the casino was widely reported last summer. “Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” Justin Fier, director for cyber intelligence and analysis at Darktrace, explained to CNN Tech in July 2017. He said the attackers then exfiltrated the data to Finland before it was stopped.