
CLIENT ALERTS

Brokers Sell Location of Military and Intelligence Assets – And You and Me

Wired did an investigation about the data broker business and the sale of location data.  There are lots of different reasons why this is problematic, but they focused on national security.  Other reasons include political and religious persecution and harassment and revenge.  Learn more here.

Apple Wants Websites to Replace Security Certificates Every 45 Days

Yes, that is real and not a typo.  There are a lot of reasons why, over the years, the allowed life of a certificate has been reduced from 10 years to 3 years to the current 1 year and soon, likely, 45 days.  If you are not ready for this, learn more here.  The good news is that while there is some short term pain for this, the fix is free and once implemented, it will totally eliminate you ever having to deal with this. EVER! 

Cybersecurity Challenges for the Next President

The next president is going to have a lot of challenges.  The world is not simple.  Among those many challenges is cybersecurity.  Here are ten important cybersecurity topics which the president can deal with or hope they go away.  I don’t think they are going to go away, but where does that fit in his priorities – unclear.  See the list here.

Beware of Hackers Pretending to be Your Bank

Hackers are pretty creative.  We continue to hear stories about people getting calls, texts and emails from someone pretending to be their bank, telling them that there was fraud on their account and that they would help them fix it.  Assume that is a scam.  Learn more about the scam and the steps you SHOULD and SHOULD NOT take if you get targeted, here.

New York’s DFS Releases AI “Guidance” to Regulated Entities

New York’s Department of Financial Services, the regulator for financial service providers from car dealers to mortgage companies that do business in New York, just released “guidance” on AI and what they expect you to be doing to understand and mitigate risk created by the widespread use of AI.  When regulators say guidance they really mean mandate, so this is not optional and there is nothing in the guidance to object to.  Expect this guidance to be folded into your next NY DFS examination.  Learn more here.

Confessions of a Company Infiltrator – The Last Person You’d Ever Suspect

The number of insider incidents reported in the last five years is up over 75 percent.  Is your company one of them?  Would you know if you were?  Sometimes attackers are splashy; those you will find out about when THEY are ready, but others, totally stealth.  Are YOU ready?  Would you detect this kind of attack?  Learn more here.

Quantum Computers Cracking Encryption May Have Come Way Sooner Than Expected

If a peer reviewed paper out of China is to be believed, some Chinese researchers claim to have developed a way to crack the classical encryption used by most of the world and they did it using off the shelf quantum computers.  I would be wary of immediately discarding the claim.  Learn more here.

Senate Foreign Relations Chair Fooled by Deepfake of Ukrainian Official

Earlier this week the Senate security team sent out a memo that a Senator was fooled into a video call with a former Ukrainian official.  It wasn’t until deep into the call, when the likely Russian hacker started asking very odd questions that they got suspicious.  Are you prepared?  Learn more here.

US, Allies Release Guidance on Securing OT

Operational Technology systems are those computer systems that manage, monitor and control the physical universe.  From a security standpoint, they are at least ten years behind the computer on your desk at work or at home.  Hackers know this and know that shutting down an industrial operation like Colonial Pipeline likely generates a payoff.  The governments of 8 countries, including all of the “Five Eyes” countries, released guidance on protecting that technology.  And before you say you don’t care about OT, you might want to rethink that.  Learn more here.

WordPress.Org Blocks WP Engine From Updates Over Money

WordPress.Org, the non-profit that maintains and operates the WordPress infrastructure, has gotten into a fight with WP Engine, a for-profit company that hosts WordPress sites for a monthly fee.  WordPress.Org wants WP Engine to pay a fee to use its trademark and WP Engine, at least so far, is saying no.  WordPress.Org has countered by blocking WP Engine’s access to its resources, which is putting companies and users who host there at risk.  Read the details here.

China Continues to Silently Loiter Inside Networks of US Companies, Waiting to Attack

The feds and private cybersecurity experts continue to ramp up the warnings that China is at cyber war with us and has burrowed its way unseen into US businesses’ networks.  A report came out this week of one aerospace company supplier who was compromised by the Chinese.  Lucky for the supplier, the intruders were detected before they detonated an attack but, unfortunately, after they were inside stealing data.  Read the details here.

Texas Continues to Waste Tax Dollars on Restricting Speech

Texas Attorney General Ken Paxton continues to try to enforce laws that his legislature creates.  Texas HB 18 is another one of these, which requires websites that allow user generated content to verify the age of visitors and restrict access to certain content.  Stay tuned as this runs the appeals process up to the Supreme Court.  Its predecessor, TX HB 1181, is already pending there.  Read the details here.

Is Your Phone Listening to You? Maybe!

For years people have said that they were sure that their phone was listening in the room where they were talking and not talking on the phone.  I said, no, that can’t be.  It appears that I may have been too optimistic.  Read the details here.

Can You Reason+Type Faster Than an AI?

Assuming (and this is a given) that hackers are going to use AIs to attack you, do you plan to defend using humans?  If you plan to defend using AIs, what kind of problems does that present?  Learn more here.

AMD Computers Vulnerable to 18 Year Old Bug

For some CPUs that are still supported AMD has released a kludgy fix.  For many other CPUs, there is no fix and never will be one.  If your system is or becomes compromised, that compromise is undetectable and the compromise is, realistically, not removable – take the computer out to your driveway and run it over with your car.  Read the details here.

North Korea Infiltrates 100+ Companies Via Fake Remote IT Workers

Security firm CrowdStrike wrote in their 2024 Threat Hunting Report that more than 100 US companies hired North Korean hackers as remote IT workers.  These workers performed well enough to stay employed while stealing data and installing remote control software.  Would you detect this?  Read the details here.

R.R. Donnelley Fined $2 Million for Not Responding to Security Alerts

The SEC said that they did not have effective controls in place to report relevant cybersecurity information to management and failed to carefully assess and respond to alerts in a timely manner.  They also did not have effective controls in place to protect their assets.  What about your company?  Read the details here.

Hackers Move to Exploit PHP Bug One Day After Announced

Since PHP is at the core of, probably, close to half of the websites on the planet, it is not surprising that hackers jumped on exploiting the bug so quickly, knowing that some websites won’t get patched for months, if ever.  Read the details here.

China’s State Sponsored Hackers Can Exploit New Bug Patches in Hours

The intelligence agencies of multiple countries released an alert this week warning that China’s state sponsored hackers can convert bug patches into weapons in hours.  If you are waiting 30 days to deploy patches, that may be 29 days too late.  Learn more here.

Almost Every Apple Device Vulnerable Due to Supply Chain Bug – And Apple Can’t Fix it

This is NOT the result of a cyber attack.  It is a problem with open source software and supply chain risk and the root problem affects every organization doing software development or paying someone else to do software development on their behalf.  Learn more here.

Deepfake Apps Explode – Along with Multimillion Dollar Corporate Losses

As deepfake apps get better at an amazing velocity, so do corporate losses.  One company recently lost $25 million in a video conference supposedly with the CEO – except that everyone on the call was a deepfake, apart from the mark.  Get prepared; it is coming your way.  Read the details here.

Microsoft Patches Zero-Interaction WiFi Bug That Affects All Versions of Windows

All the attacker needs is WiFi proximity – no credentials, no access to the system or any files and most importantly, no user interaction to completely take over the system.  Read the details here.

Adobe’s New Terms of Service May Get You Sued – But Not By Them

Adobe says these new terms have been in effect for years, but they are being more “transparent” about them and adding them to their agreement.  You can opt out if you know how, but educating your employees is critical.  Not understanding what Adobe is doing could cause you to violate the terms of contracts with your customers or even break the law.  Learn more here.

Ticketmaster Breach Showcases SaaS Data Security Risks

Ticketmaster recently admitted that they were breached.  Reports are that data on 560 million customers was stolen. Santander Bank also was hacked and data for about 30 million customers was stolen.  Both companies used one particular cloud provider and while we have not sorted out whose fault the breach was, both companies are being sued.  This only serves to emphasize that you can outsource the tech, but not the liability.  The liability stays with you. Learn more here and contact us if you need assistance.

Cloud Services Are Not Responsible for Recovering Your Data – Even if Losing it is Their Fault

Google this month followed in the steps of other cloud providers and accidentally deleted all of the data and all of the backups of a $125 billion pension fund.  What did they say afterwards?  We have taken steps to ensure this doesn’t happen again.  Need a more robust data backup and recovery strategy?  Contact us.  Details here.

Too Many Industrial Control System Assets Are Exposed to the Public Internet

Just because you can connect something to the Internet doesn’t mean that you should.  Rockwell Automation, who makes a living selling automation devices, is telling customers to disconnect anything that should not be connected to the Internet.  This is an odd statement from a company like Rockwell.  You may be surprised how many of these “dark matter” devices are connected to your network.  Learn more here.

Tech Companies Have an Achilles Heel and that is AI

I am going to make you read the post to learn why, but suffice it to say that people who are a lot smarter than I am think this is a problem for AI.  Since everyone is just going crazy over integrating AI into their products or creating new AI based products, you need to pay attention to this.  Some uses of AI are not problematic, but others definitely are.  And if Congress passes the bills that they are considering, it will get much worse.  Learn more here.

Android Bug Affects Apps With More Than 4 Billion Downloads

The bug is an example of bad software development practices on the part of developers and does not represent a flaw in the Android OS.  That means the only people who can “fix” this are the many, many developers of apps, both corporate developers and independent ones.  That also means that this problem is likely to be with us for a long time.  Read the details here.

Large Language Models vs. The Law: It Is Gonna be Messy

OpenAI, maker of ChatGPT, is being sued for violating GDPR.  And, it appears, there is no simple solution.  While this case was filed in Europe, a similar lawsuit would likely work in the U.S. for those states with new privacy laws (more than a dozen states).  Companies need to understand the risks and work to mitigate them.  And see if their insurance will cover them.  Details here.

CISA Adds Cisco and CrushFTP to Known EXPLOITED Vulnerabilities List

The Known Exploited Vulnerabilities (KEV) catalog is a list that CISA maintains of vulnerabilities that they have seen being exploited. If you use Cisco ASAs or Firepower or the CrushFTP software, read on and patch now.  Details here.

Colorado’s Universal Opt-Out Law Goes Into Effect July 1

A Universal Opt-Out Mechanism (UOOM) is a way for a browser user to tell a web site operator whether the user can be “tracked” or not.  Colorado’s UOOM goes into effect on July 1 and affects a large percentage of websites.  If you don’t have any tracking mechanisms on your website (like Google or Facebook analytics) then you probably don’t have to comply, but most commercial websites do have that.  Learn the details here.

DoJ Announces New WhistleBlower Rewards Program

Likely in light of the new False Claims Act prosecution initiative, the DoJ has announced a new rewards program for people who rat out people who are breaking the law, including cybersecurity regulations because there are gaps in the current incentive programs.  While the details have not been announced, one recent whistleblower who was entitled to a reward received more than $70 million, while others receive nothing.  Read the details here.

Google Proposes Method to Stop MFA Bypass

Hackers and software developers have been playing security cat vs. mouse for a long time.  This is, potentially, the next step.  Using public key encryption and the PC’s trusted platform module, Google is proposing an open standard.  If they pull it off, it will definitely make things harder for the crooks.  Read the details here.

Unpatchable Apple Flaw

At least for now, there is no fix for this.  For M3-based Apple computers, there is a feature that you can turn on that helps as long as developers also fix their software.  For users of M1 and M2-based computers, there currently is no fix.  Learn more here.

Microsoft Warns Breach was Worse Than They Thought

In a filing with the SEC and also a public warning, Microsoft admitted that the attack by Russia-backed Midnight Blizzard was worse than they expected.  What are you doing to protect yourself?  Learn more here.

The House Has Passed a TikTok Ban

As the Mark Twain quote goes “when congress is in session, no American is safe”.  Which may explain the TikTok ban.   The ban is a legally questionable alternative to a strong national privacy law, which Congress is unlikely to pass.  This dance is far from over.  Learn more about what is going on here.

Record $12.5 Billion in Online Scams Reported to FBI Last Year

Online scams reported to the FBI last year reached a record $12.5 billion.  Estimates are that this represents only 10-20 percent of the total online crime losses.  Are you prepared?  Can you survive an attack?  Read the details here.

How Fast Are You Deploying Patches?

Many companies wait a while to deploy patches.  They are often concerned that patches will break things.  On the other hand, it appears that not patching allowed hackers to attack and shut down one of the largest healthcare payment management networks in the country, affecting patients’ ability to get their prescriptions in a timely manner.  Now would be a good time to review your patch strategy.  Read the details here.

California Appeals Court Says CPPA Privacy Rules Can Go Into Effect Immediately

Just in case you thought you could delay implementing the requirements of California’s privacy laws for a few years, the appeals court just shot that idea down.  They say that rules can go into effect immediately, even new rules.  If you do business in California, you need to read this.  Details here.

Microsoft Patches Critical Outlook Remote Code Execution (RCE) Bug

The bug allows hackers to trivially bypass some of Outlook’s protections and attack users’ computers remotely and without authentication.  Now that the bug and how to trivially exploit it are public, expect attacks to go up exponentially.  Read the details here.

Is the Apple Vision Pro a $3500 Privacy Nightmare?

The vision pro has two depth sensors, 12 cameras and six microphones.  Is it a privacy nightmare?  Apple, of course, is working hard to convince you that it is not.  Before you allow them into your enterprise, you need to have a lot more answers.  Learn more here.

Senate Goes After Tech CEOs

At a hearing today, the Senate Judiciary Committee tried to get tech CEOs to admit that their platforms harm kids and that they should support new laws – laws that will likely have a much broader impact than on a few social media companies.  Read the details here and stay tuned for what comes next.

Swatting is Out of Control and People Famous and Not Are Getting Swatted

Swatting, the act of causing the police to respond with extreme force to an event that they believe to be real but which doesn’t even exist, is happening across the country.  Occasionally people get hurt or killed when these events occur.  Sometimes the targets are high profile, but more often they are just average people.  Learn more here.

FBI-CISA Warn of National Security Threat Posed by Chinese Drones

The FBI and CISA have issued an alert about the national security risks associated with the use of Chinese made drones such as DJI.  They have issued recommendations on how to reduce that risk, but the only way to eliminate it would be to stop using Chinese drones.  The federal government has banned the use of Chinese drones by agencies.  Read the details here.

Microsoft Issues Urgent Patches for Remote Code Execution Bugs in Kerberos and Hyper-V

Another month and more bugs.  In this case, among this month’s patch fest are two bugs that Microsoft says you should prioritize.  The Kerberos Bug ranks 9 out of 10.  Details here.

SMTP Smuggling – a New EMail Attack Vector

This is a new way to use email to launch a malicious attack.  The attack works because of a protocol implementation flaw present in multiple email servers, including Microsoft Exchange.  Some email vendors have patched the flaw; others have not implemented a fix.  Learn more here.

Cyber Attackers Using New Tactics to Extort Money from Breach Victims

As companies choose not to pay ransoms after a cyber attack, hackers are going directly to victims to both extort money from them and ruin the reputation of the organization that got hacked – after all, customers are not going to take kindly to a company that loses control of their data and then allows them to be extorted.  Read the details here.

All Versions of SSH Likely Vulnerable to this Attack

Admins everywhere use SSH to manage all sorts of devices.  Researchers have devised an attack that they estimate 77 percent of the SSH servers on the Internet are vulnerable to.  If you use SSH but limit it to VPNed in users you are better off, but you are still just one user clicking on a malicious link away from being vulnerable.  Read the details here.

China Targets Texas Power Grid, Water, Critical Infrastructure

We have detected about two dozen attacks on critical infrastructure over the last year.  What we don’t know is how many other penetrations have been successful and which we have not detected.  The thought is that China wants to be able to disable our critical infrastructure in case they want to.  They certainly have the technical skills.  Read the details here.

Another Side Channel CPU Attack Steals Secrets

This attack affects AMD, Intel and ARM, so it doesn’t seem to matter what chip you are using.  Worse yet, none of the chip makers seem willing or eager to fix it – likely because it will have negative performance or functionality effects on users, therefore affecting sales.  Read the details here.

Former Uber CISO Speaks Out

Former Uber CISO Joe Sullivan is speaking out 6 years after the Uber breach that affected 50 million people.  While he is undoubtedly trying to rehabilitate himself, there are useful lessons to be learned.  Now that the SEC is going after another CISO (SolarWinds CISO), it is probably a good time to review what they did and what they did not do and see if you need to change any of your policies.  Read the details here.

GPS Attacks Against Commercial Airliners Are Increasing

Legislators have been warned about these attacks, which could potentially cause loss of life and business disruption, for more than a decade.  And have done nothing about it.  Since September, pilots have reported more than 50 attacks against commercial airliners.  Oh, yeah, commercial GPS receivers have NO signal authentication.  Gee, that is a surprise.  Read the details here.

Chipmaker Patch Tuesday

As if you didn’t already have enough patching challenges, here is another one.  Intel and AMD released patches for their processor chips fixing around 130 bugs.  Sometimes Microsoft is able to bundle processor chip patches in their releases, but often, you have to manage those patches yourself.  Learn more here.

Congress Tries to Breathe Some Life into FISA 702

FISA section 702, which allows the government to do warrantless bulk data collection, expires in about 7 weeks.  There is a lot of distrust of 702 on both sides of Capitol Hill.  This week a draft of a bill extending 702 with new restrictions was introduced and the White House doesn’t like it (even though they have not read the bill, they say).  This could get down to a game of chicken around December 31st.  Learn what is in this new bill here.

New Executive Order Tries to Place Some Guardrails on AI

Executive Orders have limited power because they don’t carry the force of law.  But, they likely do impact the billions of dollars that the Feds spend on IT, so that can have a strong impact on what vendors do.  The AI executive order gets the executive branch moving in the direction of guardrails, which is a good thing.  Learn more about what it aims to do, here.

White House to Invite 50 Countries Next Week for Counter Ransomware Initiative

The White House announced a 50 country meeting next week to fight ransomware.  While we will learn more next week, some details are already being announced.  Learn more here.

How Brave Are You? Passkeys Entering Mainstream Slowly

Passkeys are a real security win for end users and IT, but they are not ready for prime time.  Still, now is the time for IT to learn more about them.  Read about it here.

Proposed New Federal Acquisition Rules Would Up Cybersecurity Requirements for ALL Government Contractors

Rumor has it that the DoD, in their work to get CMMC approved correctly, has been working with the FAR Council to update the cybersecurity rules for all government purchases, not just military.  While we don’t know the extent of that, it certainly looks like cybersecurity 2.0 is a very significant upgrade.  Learn more here.

The MOVEit Breach is a Wake-Up Call to All Businesses

The risk represented by the hundreds of “vendors” that you likely share data with is really being brought to the spotlight by this breach.  The breach has affected over 2,200 companies and 62 million people so far – and growing every week.  And the breach is not just affecting your third party vendors, but also their vendors and their vendors’ vendors.  Are you prepared for that?  Learn more here.

Sony Hacked (Again) – the New Hacking Model

Hackers claim to have stolen a lot of Sony’s source code.  While Sony is trying to verify this, the hackers said they didn’t bother encrypting the data.  Here is why.  This is the new hacking model.

Penn State Hit With False Claims Act Lawsuit Over Lying About NIST SP 800-171 Compliance

NIST SP 800-171 is a standard that many government contractors are required to comply with, especially, but not limited to, defense contractors and their subs.  It appears that Penn State did not take this responsibility seriously, hence the lawsuit, which could cost the University tens of millions and net the whistle blower possibly as much as 60 percent of that fine.  If you are required to comply with NIST SP 800-171, this is required reading, here.

Deepfakes Are Coming for your Brand – and Bank Account

The FBI, NSA and CISA just issued a warning to businesses that deepfakes or what they call synthetic media are coming after your brand and your money.  In the end, you will wind up being sued and paying the bill.  And, given the rate of improvement of the technology, at this time next year, what we are seeing today will look like child’s play.  Learn more here.

Modern Cars are a Privacy Nightmare

While this may not be a total surprise, the extent to which car makers go to sell your data – AKA make money from your data – will likely still surprise you.  Read the details here.

Cloud Host Loses All Customer Data – Says Sorry

Are you adequately backing up your cloud hosted data?  Your provider is not responsible for your data and won’t even pay you if they lose all of your data.  It happens time and again that something happens with a cloud provider and your data is gone.  And, it is your problem, not theirs. Read the details here.

Another Attack Uses Unsuspecting Home Users (Your Employees) to Launch Attacks

AT&T’s Alien Labs says that there is a rapidly growing proxy network that is using your employees’ home computers to launch attacks, possibly against you.  While the attack network owners claim that the employees and others who own the computers agreed to participate in illegal cyberattacks, that is highly unlikely.  Read the details here.

LinkedIn Account Takeovers Have Increased 5,000% in Recent Months

Reports are that account takeovers on LinkedIn have increased 5,000% in the recent months and LinkedIn has been of no help in recovering access to stolen accounts.  Are you prepared? Learn more here.

Intel Releases Patch That Affects Billions of Processor Chips

The flaw is potentially hard to abuse, and the fix may cause a major performance hit; companies need to assess the risk and decide for themselves where and if they should deploy the fix.  Read the details here.

Canadian Gov’s Game of Chicken with Social Media Ends with Citizens Losing

Facebook and Instagram have announced that they are banning news from their apps in Canada as a result of a new law.  They said that users don’t come to their apps to get news anyway.  We will see whether this expands to other social media brands and the laws expand to other countries.  If Canada is a market for you, you should watch what is happening.  Read the details here.

SEC Releases New Rules Regarding Cyber Breach Incident Disclosure

Starting in December SEC regulated companies will have four days to disclose cybersecurity breaches to the SEC.  They will also need to explain what their Board is doing to manage the risk and disclose all of this in their annual report.  Even if YOU are not regulated by the SEC, if your customers are, expect good news to trickle down to you in your contracts.  Read more here.

White House Releases National Cybersecurity Strategy Implementation Plan

The five major objectives of the strategy are massive.  The plan, which is still high level, is almost 60 pages and assigns specific tasks to specific agencies.  If the administration follows through on at least some of these tasks, this will be a major step forward for the security of the country.  Learn more here.

Microsoft Patch Tuesday Patches 132 Bugs But Leaves Actively Exploited Zero-Day Unpatched

CISA and the FBI released an alert today about a Chinese attack that compromised users’ email mailboxes, including some at the State Department.  CISA released details on how they detected the attack; things that you may be able to do.  Microsoft did NOT release a patch for the attack in today’s Patch Tuesday patch fest.  Read the details here.

A New Strategy For Ransomware Operators

Businesses evolve and the business of ransomware is no different.  As we have seen in the last several months, the Russian ransomware group Cl0p is doing very well using their new business model (which we have been predicting for a year, so it is not really that novel).  Learn what they are doing that is different here.

White House Wants to Make Ransomware Unprofitable

Without regard to any other possible solutions, this is something that needs to happen.  Ransomware only works because it is effective.  Effective may mean disabling an adversary or it may mean extracting money from that adversary.  The feds plan to protect themselves, but protecting you – that is your problem.  Are you ready?  If it becomes harder to attack the feds, guess who the hackers are going to go after?  Learn more here.

What Lessons Can Be Learned from the MOVEit Hacks?

Hundreds and potentially thousands of organizations have been breached as a result of the Progress Software MOVEit vulnerability.  Smart organizations will learn from this event and make changes to their processes as a result.  Here are our observations;  if you need assistance, please contact us.

Feds Say: Secure Internet Exposed Network Devices

We always like it when CISA tells people that they have 14 days to do what we have been telling them to do for years.  CISA says federal agencies have two weeks to do it – but they are not saying what attack caused them to do this.  Clearly, there is something very serious going on.  If you have not already followed our advice about this, now would be a good time.  Read the details here.

When Attacks go From Bad to Worse – For Barracuda Email Gateway Users

Usually, when companies find a bug they patch it and move on.  Sometimes you have to decontaminate as well.  Sometimes that is not enough.  For some Barracuda users, this time it is a matter of a total replacement and checking the rest of your network for malware.  Read the details here.

Who Owns Your Company’s Social Media Accounts?

Apparently there is not a clear-cut answer to this question and the courts have been wrestling with it for the better part of a decade.  In case you don’t want to be in court for a decade, there is a step you might want to consider taking.  Learn what that is here.

Microsoft Says China Has Hacked US Critical Infrastructure and is Working to Increase its Beachhead

Microsoft, multiple US government agencies and the rest of the “Five Eyes” countries announced today that China had infiltrated U.S. critical infrastructure and is trying to obtain a further beachhead into other infrastructure, both to conduct espionage and also to lie silently in wait, able to detonate an attack at a moment’s notice.  Are you prepared to detect and respond?  Learn more here.

DoJ Strike Force Working Hard to Stop China and Others From Stealing Our Stuff

Last week China raided the offices of a U.S. company and accused them of stealing China’s IP.  This week the DoJ indicted a number of Chinese and other nationals, accusing them of the same thing.  Only one has been arrested, but they are working hard to improve that.  They need your help.  Read the details here.

Do NOT Assume That Your Infrastructure is Secure After a Breach

Remember, I always say learn from mistakes others make so you don’t have to make the same ones.  Western Digital discovered a breach last month and the hackers, apparently, were monitoring the company’s response because of one major mistake the company made.  Read the details here.

Many Salesforce Community Websites are Leaking Sensitive Data

Researchers have discovered a flaw in Salesforce Community websites that lets people see data that they should not – AKA the websites leak sometimes very sensitive data.  Salesforce says this is not a bug, just developers not configuring things correctly.  Whatever the excuse, people’s sensitive data is being leaked.  Read the details here.

And Now There are Eight – States with Second-Generation Privacy Laws

By the end of this year there could be a dozen states, or more, each with their own nuances.  Are you prepared?  See who joined the club this year and who is still working on new legislation – it may not be who you think – here.

Generative AI is Facing the Long Arm of the Law and it Won’t be Pretty, but it will be Interesting

OpenAI’s ChatGPT is facing a new legal threat which claims that the model is fatally flawed; the party making the claim says that OpenAI has to delete the model completely and start over.  That probably is not going to happen without a large fight.  If your company joins the large-language-model fray, even just by using one, you could get sucked into a lawsuit yourself.  Learn what is happening this week, here.

Security Pros Say They’ve Been Told to Hide Breaches

A survey by Bitdefender says that 75 percent of US companies say they have experienced a breach in the last year and 70 percent of US company IT security pros say they have been told not to report a breach.  Read the details here.

A New Attack Vector Using Siri, Alexa +

Researchers have demonstrated an attack vector using anything with a speaker and a microphone.  There does not appear to be a “fix” other than turning off any smart devices you might have at home or at work.  That is unlikely to happen.  That means that users – businesses and personal – need to understand the risk and understand their own risk tolerance.  Read the details here.

Legal Attack on Generative AI is Just Starting

Generative AI tools such as Bard and ChatGPT are advancing at warp speed.  But they are leaving the law in the dust.  Fortunately or unfortunately, the law is nipping at their heels and the lawsuits have just begun.  Depending on which side of the AI game you are on, that should be very concerning.  Actually, no matter which side you are on, you should be concerned.  Learn why, here.

2023 It’s Bug – Microsoft Outlook

Microsoft recently patched a bug in Outlook that can be exploited without the user clicking on anything; in fact, it can compromise the system before the user even sees the message in their inbox.  Read the details here and patch now.

The Spy Who Loved You (or Claimed to)

Spies have used sex as a lure since time began and still do.  Now they just have different tools to do it with.  Here is a real world example – in this case the lure was love of money – but the romance scams are still very popular.  Are you sure your team won’t get hooked by one of these scams?  Learn more, here.

Surge in Swatting Attacks Targets Execs and Board Members

An executive protection firm says that they are seeing a precision, targeted attack against high level staff, using data from the dark web, prior breaches and even company websites.  There are things that you can do to protect yourself and your family, but it is not simple.  Learn more, here.

It’s The People Folks

While the politicians and “govies” seem to make the news about having documents they should not have, the real problem is at every company in America.  Half of your employees will take your documents with them if they leave and most of them don’t see a problem with this.  Read the details here.

Supremes Say They Don’t Understand While Determining the Future of the Internet

The Supreme Court is being asked to determine whether Google and Twitter are protected from being sued out of business over user generated content.  We won’t know until this summer how badly they will damage it, however.  This could affect all businesses that use social media, YouTube and search engines as part of their customer engagement strategy.  Read the details here.

Intel’s SGX Security Feature Not So Secure

To say that Intel’s Software Guard Extension instructions have been a problem for Intel is an understatement.  Intel’s solution is to get rid of them.  Which is fine if the software you use doesn’t require them.  Intel released 5 new SGX patches this month alone.  Read the details here.

Hard Coded Passwords in Routers, Firewalls and Modems are Back in the News – Again

The news of these seems to come in waves although Cisco seems to have a perennial problem with it.  Manufacturers often create a secret, invisible password that Internet providers (and hackers) can use to get into your network devices, especially those in the homes of your work from home employees, putting your systems, data and networks at risk of ransomware attacks and breaches.  Read the details here.

15 Vendors Impacted by Remote Management Controller Flaws, Including Dell and HP

The discovery of firmware flaws in remote management controllers, sometimes called baseboard management controllers (BMCs), goes on.  This time it is AMI’s RAC that is buggy and it affects every major server vendor and many others.  Learn more here.

Hackers Using Legit Remote Desktop Tools to Hack

CISA, the NSA and MS-ISAC issued a joint alert warning of an attack that is actively being exploited on government networks, but we should assume it will expand now.  Learn what is happening and what you should do, here.

Not a Good Time for Firewall Vendors

Sophos, Cisco and Fortinet, three of the biggest firewall vendors, recently announced bugs/patches/attacks in the wild against their firewalls.  That makes this a good time to talk about network cyber hygiene.  That includes those networks in employees’ homes.  Hackers know that coming in via the back door (your employee’s home Internet connection) is likely way easier and highly unlikely to be detected when compared to your office network.  Read the details and our list of firewall/router security tips, here.

Lawsuit Claims “What Happens on Your iPhone Does Not Stay on Your iPhone”

Apple is facing yet another lawsuit claiming that even if users tell Apple not to track them, Apple still tracks them.  This is not the first lawsuit claiming that and this one is seeking class-action status.  Apple has always differentiated itself in its ads by claiming that Apple is privacy focused.  If it turns out that Apple was lying, well, that makes them no different from Google and Facebook, maybe just a little more subtle.  Read the details here.

Chinese Claim to Have Broken RSA Encryption with a Quantum Computer

Whether the current Chinese claim of having broken RSA 2048 encryption with a quantum computer is slightly exaggerated or not, it is not far away.  That means planning for a complete overhaul of your encryption architecture should start now because it will take years to implement.  Read the details here.

The Top Security Operations Center Challenge for 2023 Is:

Unfortunately, it is nothing we are good at right now and the SOC software and service vendors are not good at it either.  The hackers know this, which is, in part, why they are cleaning our clocks.  And, I don’t anticipate it getting better any time soon.  That is probably why Google bought Mandiant.  They know that breach response is going to be an exponentially growing business.  Read the details here.

New macOS Gatekeeper Security Bypass

macOS is supposed to detect when you download a program from the Internet and flag it to make sure that it is signed by an approved signer.  Note that this isn’t failproof because sometimes developers don’t protect their signing certificates, but it is pretty good.  Except that Microsoft researchers found a weak spot in how Apple implemented the feature, completely neutering it.  They call it Achilles.  Read the details here.

Fortinet Urges Customers to Patch Their Firewalls NOW

Fortinet urges all of their customers to patch their firewalls now as hackers scan the entire Internet looking for vulnerable firewalls.  Read the details here.

New Multivendor Supply Chain Attack that Compromises Many Popular Servers

One vendor of BMC firmware that more than a dozen manufacturers use has several vulnerabilities, the highest rated one coming in at 9.9 out of 10.  Each computer hardware maker will need to release their own patches for this.  The highest rated bug allows arbitrary code execution and, since this runs in the BMC, even if you have the best, super-duper, newest zero-trust endpoint protection, that protection won’t even detect the attack.  Read the details here.

New Complex Ransomware Technique

Microsoft has discovered a new ransomware technique that is pretty hard for end users to detect and should be worrisome to IT staff.  There are some techniques to block it, but many companies are not using them yet.  Read the details here.

90% of Organizations have Microsoft 365 Security Gaps

That is a scary statistic.  This was a study of over a million and a half users; not one of those studies that talked to 200 people and extrapolated the data.  Are you part of the 90 percent or the 10 percent?  Are you using the tools that Microsoft provides?  Do you have a security to-do list (called a PoAM)?  If not, you are putting your company at risk.  Learn more here.

Russia Tricks Companies to Install Infected Apps

A U.S. front company to disguise real ownership and a lack of due diligence on the part of developers allowed Russia to install software on 2+ billion devices.  The tracking software gives Russia access to a huge amount of user data.  This is just another example of how our adversaries use our supply chain against us.  Read the details here.

Microsoft Hit by a Six-Pack of Zero Days

Microsoft says that they saw these being exploited by a nation state actor in August, but now that the patches are out, expect China to have a lot of company exploiting these bugs.  Consider patching these six bugs very soon.  Reports say that it only takes hackers 1-3 days to start exploiting high priority vulnerabilities, maybe less.  Read the details here.

Yet Another Supply Chain Attack Causes Hundreds of News Sites to Distribute Malware

An unnamed supply chain vendor that feeds news and ads to hundreds of news websites was compromised and is now also distributing malware.  While this particular campaign uses a vendor to news websites, this attack could use any vendor.  The key is to compromise a vendor that a lot of other sites use.  If you are not already prepared, get prepared.  Read the details here.

Microsoft Cannot Get Away from the Ghost of Internet Explorer

Microsoft made a decision decades ago to foil many countries’ attempts to make them remove Internet Explorer as a way to dominate the browser market (which ultimately failed).  But even though they stopped supporting IE last June, the ghost of IE is still haunting Windows users and will until they migrate to an operating system that does not have IE in its guts.  Two new bugs allow a hacker that has gained very limited access to the domain to crash the Windows logging service, leaving security teams blind, or even crash the entire computer.  Any computer in the domain.  Read the details here.

Microsoft Says Their Implementation of Encryption is Not a Security Tool

You did not misread that.  When a researcher announced that Microsoft is using a weak form of AES to encrypt files and messages, Microsoft’s reply was that their implementation of encryption was not a security feature, just designed to reduce accidents.  That means that if you are using Microsoft encryption, you might want to reconsider that decision.  Read the details here.

Hackers Poison Open Source Software to Steal Data

Researchers have discovered hundreds of “poisoned” open source libraries, known as packages, used as a way to steal credentials and data.  While this has been an occasional problem in the past, hackers have figured out that this is relatively easy to implement and the odds of getting caught are low.  Read the details here.

Fake LinkedIn Profiles are an HR Headache and More

Apparently, LinkedIn has turned into as big a dumpster fire as Twitter is and it seems to be getting worse.  And, like Twitter, they either are unable or uninterested in controlling it.  Read the details here.

Russia Blows Up Pipeline – Are You Prepared?

Someone, likely Russia, blew up the Nord Stream pipeline, shutting off the flow of gas.  This is an escalation of the war in Ukraine, but it would be wise for U.S. businesses to consider that Russian-aligned terrorists might think that doing the same against Ukraine’s primary proxy – us – might be a good thing.  Are you prepared for that?  Read the details here.

Prez Signs EO Telling CFIUS to Watch for Cyber, IP Risks from Foreign Investments

The feds are working to make it harder for Chinese investors to get their hooks into U.S. companies in a way that could harm national interests by undermining security or stealing our intellectual property.  If you have foreign investment in your company, remember that CFIUS can not only veto new investment, but also unwind old investment.  Read the details here.

Former Uber Security Chief Faces Criminal Charges Over Breach Coverup

Uber’s former security chief is now on trial on criminal charges related to Uber’s 2016 breach.  Uber is not paying his legal expenses.  This trial is being carefully watched as a precedent on handling breaches.  Read the details here.

A Lesson to Learn from the LA School District Cyber Attack

As the FBI, Department of Education, Homeland Security, CISA and local law enforcement swarm the LA Unified School District in the wake of a cyberattack just days before school started, it is coming out that there is something that, had they been doing it, probably would have stopped the attack.  Learn what they – and you – should be doing, here.

Researchers Say More Than Half of the Apps They Tested Leak Hard Coded Secrets

With only 30 days and limited infrastructure, researchers evaluated 30,000 Android apps and found that over 18,000 of those apps hard-coded secrets like API keys and data buckets.  While this tested Android apps, there is no reason to believe this practice is limited to them.  Read the details here and if you need assistance, please contact us.

Twitter Security is a New Level of Dumpster Fire

Former head of Twitter security Mudge filed a whistleblower complaint with the feds alleging that Twitter’s security is a large scale dumpster fire.  The result of this is a large scale federal investigation plus media coverage in every blog and magazine in the country.  In fact, some are saying this is a national security issue. Read the details here.

This IoT Bug Could Get You Killed

People love IoT devices.  Whether it is Siri, Alexa or something that lets you tell if you need more milk in your refrigerator, the software and hardware are sometimes impressive.  But, as we have seen with a lot of these devices, they are rushed to market and are often buggy.  We have seen that with cryptocurrency apps which have lost companies and investors hundreds of millions of dollars.  These bugs are very visible.  Today’s bug could get you killed.  If, after reading this, you need help, please contact us.  Read the details here.

New York to Enhance Cyber Regs for Regulated Companies

If you are regulated by New York’s DFS, the regs are going to get tougher if what they want to do becomes the law.  Read what they want to do here.

Are You Ready for Your MSP’s Cyber Attack?

Yet another Managed Service Provider was hit by a cyber attack and shut down their servers.  In the meantime, their customers don’t have access to their data.  How long it will take them to recover and for their customers to get access to their data again is unknown.  While we anticipate that this vendor will eventually recover, are you prepared to run your business for a few months without access to your data?  Read the details here.

New UEFI Rootkit Likely Linked to Chinese Government

Russian security firm Kaspersky has dissected a new rootkit that will persist even if you reinstall Windows or even replace the hard drive.  Read the details here.

Are You Really, Really Ready for What to Say After a Breach?

Time and again, companies seem to badly butcher the after-breach crisis communications process.  I can think of at least two this year so far.  Some companies just go dark.  Hoping the problem will just go away never turns out well.  See who has been butchering it this year and then give us a call.  Read the details here.

Microsoft Warns About AiTM Attack

Microsoft is warning of a large scale man-in-the-middle attack that has targeted at least 10,000 companies in the last 10 months, and that only counts what Microsoft sees, not what other companies like Google see.  The best defense is aggressive user training plus some additional tools.  Read the details here.

Get Ready to Replace ALL of Your Cryptography

As expected, NIST has released the algorithms to replace AES and SHA-2 in a post quantum computing world.  That is expected to be around two years from now.  Remember, it is not when YOU get post quantum computing, it is when the other guys (like China or North Korea) get it.  If they have it, that will allow them to decrypt anything that they have saved in preparation for that happening – all of your personal data, financial data, security data and anything else sensitive.  Learn what NIST has done and what you need to do, starting now, here.

Dozens of Crypto Libraries Vulnerable to Private Key Theft

Researchers have discovered dozens of libraries of a popular digital signature algorithm are vulnerable to leaking the user’s private key.  These libraries are used in cryptocurrency and financial services platforms.  Learn more about the problem and what to do both short and long term here.

You’ve Been Hacked – Do You Know What Was Taken?

Ambulance billing service Comstar discovered they were hacked in March.  A month later they discovered that hackers may have accessed sensitive patient data.  Last week they issued a press release announcing that some customers, number unknown, some data, amount unknown, may have been compromised.  Is this what you want to do when you are hacked?  Learn more here.

Water Treatment Plants are Ripe for Attack

Water may be the greatest vulnerability in our national infrastructure, said Samantha Ravich, chair of CCTI. Much of the problem lies in just how decentralized water systems are, she explained.  50,000 drinking water plants; 15,000 waste water plants – all different and underfunded.  Read the details here.

FBI, NSA and CISA Warn of Chinese Attack Hitting Critical Infrastructure

The agencies have issued a follow-on alert to the ones that they issued in 2020 and 2021, alerting ISPs, network service providers, private companies and home users about an apparently successful attack method used by the Chinese.  Unlike ransomware, which makes a lot of noise and so is discovered quickly, these attacks are quiet and remain installed and active for years.  Read the details here.

New Office Zero-Day Works With Macros Disabled and is Under Active Exploit

A new Microsoft Office Exploit, dubbed Follina, works in all versions of Office released in the last 10 years and does not have a released fix.  It is trivial to exploit and is being actively used by the Chinese to attack users.  Read the details here.

Executives’ Personal Digital Lives Are The Soft Underbelly of Corporate Cybersecurity

Hackers have figured out that it is easier to go after the target company’s executives’ personal digital world than the company’s network and devices.  In general, executives’ security practices at home – along with those of other family members – are not nearly as good as when they are at work.  Which is sometimes not so great either.  Look at the stats and read the details here.  If you need help, contact us.

CISA Issues Emergency Directive to Patch VMware

CISA issued emergency directive 22-03 to patch all instances of VMware, public facing or not, within five days or pull the plug.  There is proof of concept code available and CISA has been working on this for a month.  Read the details here.

California Says Inferences You Make Are PII

As more states create privacy laws, there are going to be a lot of Attorneys General filling in the blanks that the legislatures left.  Here is one from California.  While it is the first, it is definitely not the last.  If you collect personal information, you need to pay attention to these interpretations.  Read the details here.

Popular Library’s Bugs Make Multiple Hardware Vendors Vulnerable to Remote Attacks

Once again, a popular software library embedded in many vendors’ hardware has bugs that make that hardware vulnerable to remote, unauthenticated attacks.  The vulnerabilities not only allow an attacker to compromise the networks those devices are on but also steal data from the network owners.  Read the details here.

AWS Hot Fix for Log4Shell is a Hot Mess

Because of the severity of Log4Shell, Amazon AWS decided to help their customers and develop a hot fix while they were working on the final fix.  Only problem is that the hot fix can be compromised and let hackers escape the virtual environment completely.  Read the details here.

NSA to Microsoft: Fix Your Zero-Day

The NSA doesn’t publicly acknowledge that they are the source of bug reports very often.  In fact, if you believe rumors, they hardly ever report bugs (although they would say that is not true).  In this case, the bug, patched yesterday (along with 10 critical bugs and three that are wormable), is being exploited in the wild.  Does that mean that the NSA saw that, say, Russia or China is using it?  They are not going to say.  But there are hundreds of bugs patched yesterday from a dozen vendors.  Happy Patch Tuesday.  You are probably going to have to prioritize your patch process.  Read the details here.

TSA Can’t Secure Pipelines Either

Everyone’s whipping boy, TSA, is doing it again.  After the Colonial Pipeline hack they were directed to step up pipeline security.  Now!  Unfortunately, an organization whose main goal is to pat people down for guns at airports doesn’t have a lot of cyber expertise or industrial IoT expertise, and that is showing up in the regulations they are trying to push on pipeline operators.  According to the industry, it is a total cluster.  Read the details here.

Google Says Update 3.2 Billion Copies of Chrome Now-Microsoft Says do the Same for Edge

Google released a patch for a high severity bug in Chrome that is being exploited in the wild.  Right after that Microsoft said the exploit affects Edge too.  Likely all other Chromium-based browsers are affected too since the bug is in the JavaScript engine.  Remember that browsers only update when all browser windows are closed.  Read more details and get the fixed version numbers here.

Dell Joins Others in Discovering High Risk UEFI Security Flaws

Dell has patched 5 high severity bugs in the UEFI code of millions of Dell computers.  Dell now joins other vendors like HP in having buggy security software.  The bugs appear to be around six years old and affect multiple Dell product lines. Read the details here.

Russia’s Invasion of Ukraine Just Made the Chip Shortage Worse

Whether accidental or intentional, Russia’s invasion just made our chip shortage worse.  Ukraine is a key supplier of this one mineral used in semiconductor production and while some of the bigger chip fabs might be okay for a few months, if Putin takes over Ukraine, it puts him in the driver’s seat.  Read the details here.

100 Million Samsung Phones Vulnerable to Decryption Attack

Due to a software bug inside Samsung’s Trusted Execution Environment, hackers could obtain a user’s encryption keys and trivially decrypt all of the user’s data.  The bug was patched last fall, but the Android patching environment is convoluted and dependent on carriers testing and pushing patches forward and on users actually installing them.  Of course, any phone that is no longer being supported by their carrier will be vulnerable forever.  Read the details here.

Senate Passes the Strengthening American Cybersecurity Act

As the Russia-Ukraine war continues, there is significant concern that it will extend to countries friendly to Ukraine.  As a result, a bill that got booted out of the NDAA last year was passed unanimously yesterday.  While the House still needs to pass it, it is very likely that will happen quickly. Learn some of the key pieces of the package here.
