We round up interesting research and reporting about security developments from around the web. This month: the devastation from NotPetya, a sound idea for authentication, help with NIST and cutting-edge security analysis.

The shipping news

If the truly wise learn from the experiences of others, then there are lessons galore from Maersk’s ransomware infection. You know, the one that cost the world’s largest shipping company $300 million. Thanks to an eye-watering account in Wired, you can vicariously experience the eye of a storm during a crippling ransomware outbreak.

The story details Maersk’s troubles during the NotPetya outbreak in 2017, aka “the most devastating cyberattack in history”. Weighing in at more than 6,000 words, it’s a meaty read. The excellent in-the-trenches reporting from Andy Greenberg offers plenty of ‘what-if’ scenarios that security and risk professionals can use for developing response plans.

Listen to this: a wearable solution to 2FA trouble?

Build a better mousetrap and the world will beat a path to your door. In this case, the trap in question is authentication. Researchers at the University of Alabama have developed a wearable device that uses two-factor authentication to foil attackers that are remote or in close proximity. It requires minimal effort on the part of users, who don’t even need to install browser plugins. CSO reports that “the browser would play back a short random code encoded into human speech when a user attempts to login”.

The University’s own summary describes it as “a complete re-design of the sound-based TFA systems to thwart both remote and proximity attacks”, while still being easy to use. Sophos notes that usability has been a sticking point when it comes to 2FA adoption. It cited one 2016 study showing that 28 per cent of users don’t use 2FA, and 60 per cent of those that do only do it because someone makes them.” The original research paper is here.

Plotting a secure path through the NIST

This year, the National Institute of Standards and Technology updated its 2014 framework for improving the security of critical infrastructure. (Here’s the framework as a free PDF.) Now, Mukul Kumar and Anupam Sahai of Cavirin Systems have written a guide to help security professionals turn the framework theory into security reality for their needs. They outline five high-level steps for following the NIST advice, with detailed explanations for each step.

Researchers look to security’s future at Usenix 2018

The 27th Usenix security symposium took place in August, and it often hosts interesting sessions giving a glimpse of where security might be heading. This year was no exception, with the largest event in the conference’s history. Researchers from around the world presented at the three-day event. As part of their commitment to open access to research, the organisers publish links to all 100 papers at Usenix’s publications page.

There’s no shortage of tantalising titles to choose from. Among our favourites are: You can run, but can you hide? (analysing privacy protection in fitness trackers), The Battle for New York: (a case study of enterprise-level digital threat modelling), and O Single Sign-Off, Where Art Thou? (which analyses single sign-on account hijacking).

Possibly the best is Harvard professor James Mickens’ 50-minute keynote called “Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models”.

Things we liked

Europol warns that GDPR fears could lead breached companies to do deals with cybercriminals to avoid regulatory fines. MORE

The world is changing. Time to change how security professionals and CISOs approach their roles, argues Joseph DiBiase. MORE

Is two-factor authentication the security panacea some claim it is? Stuart Schechter argues caution before making the leap: “All security measures have trade-offs”, he warns. MORE

Patch, and patch often. This piece asks why does it take so long to install security updates? MORE

As the UK data protection regulator imposes a £500,000 fine on Equifax, the Register describes the company’s security failings as “the gift that keeps on giving”. MORE