The next president is going to have a lot of challenges. The world is not simple. Among those many challenges is cybersecurity. Here are ten important cybersecurity topics which the president can deal with or hope they go away. I don’t think they are going to go away, but where that fits in the president’s priorities is unclear. See the list here.
Hackers are pretty creative. We continue to hear stories about people getting calls, texts and emails from someone pretending to be their bank, telling them that there was fraud on their account and that they would help them fix it. Assume that is a scam. Learn more about the scam and the steps you SHOULD and SHOULD NOT take if you get targeted, here.
New York’s Department of Financial Services, the regulator for financial service providers from car dealers to mortgage companies that do business in New York, just released “guidance” on AI and what they expect you to be doing to understand and mitigate risk created by the widespread use of AI. When regulators say guidance they really mean mandate, so this is not optional and there is nothing in the guidance to object to. Expect this guidance to be folded into your next NY DFS examination. Learn more here.
The number of insider incidents reported in the last five years is up over 75 percent. Is your company one of them? Would you know if you were? Sometimes attackers are splashy; those you will find out about when THEY are ready, but others, totally stealth. Are YOU ready? Would you detect this kind of attack? Learn more here.
If a peer-reviewed paper out of China is to be believed, some Chinese researchers claim to have developed a way to crack the classical encryption used by most of the world, and they did it using off-the-shelf quantum computers. I would be wary of immediately discarding the claim. Learn more here.
Earlier this week the Senate security team sent out a memo that a Senator was fooled into a video call with a former Ukrainian official. It wasn’t until deep into the call, when the likely Russian hacker started asking very odd questions, that they got suspicious. Are you prepared? Learn more here.
Operational Technology systems are those computer systems that manage, monitor and control the physical universe. From a security standpoint, they are at least ten years behind the computer on your desk at work or at home. Hackers know this and know that shutting down an industrial operation like Colonial Pipeline likely generates a payoff. The governments of 8 countries, including all of the “Five Eyes” countries, released guidance on protecting that technology. And before you say you don’t care about OT, you might want to rethink that. Learn more here.
WordPress.Org, the non-profit that maintains and operates the WordPress infrastructure has gotten into a fight with WP Engine, a for-profit company that hosts WordPress sites for a monthly fee. WordPress.Org wants WP Engine to pay a fee to use its trademark and WP Engine, at least so far, is saying no. WordPress.Org has countered by blocking access to its resources to WP Engine, which is putting companies and users who host there at risk. Read the details here.
The feds and private cybersecurity experts continue to ramp up the warnings that China is at cyber war with us and have burrowed their way unseen into US businesses’ networks. A report came out this week of one aerospace company supplier who was compromised by the Chinese. Lucky for them, they were detected before they detonated an attack but, unfortunately, after they were inside stealing stuff. Read the details here.
Texas Attorney General Ken Paxton continues to try to enforce laws that his legislature creates. Texas HB 18 is another one of these, which requires websites that allow user generated content to verify the age of visitors and restrict access to certain content. Stay tuned as this runs the appeals process up to the Supreme Court. Its predecessor, TX HB 1181, is already pending there. Read the details here.
For years people have said that they were sure that their phone was listening in the room where they were talking and not talking on the phone. I said, no, that can’t be. It appears that I may have been too optimistic. Read the details here.
Assuming (and this is a given) that hackers are going to use AIs to attack you, do you plan to defend using humans? If you plan to defend using AIs, what kind of problems does that present? Learn more here.
For some CPUs that are still supported, AMD has released a kludgy fix. For many other CPUs, there is no fix and never will be one. If your system is or becomes compromised, that compromise is undetectable and the compromise is, realistically, not removable – take the computer out to your driveway and run it over with your car. Read the details here.
Security firm CrowdStrike wrote in their 2024 Threat Hunting Report that more than 100 US companies hired North Korean hackers as remote IT workers. These workers performed well enough to stay employed while stealing data and installing remote control software. Would you detect this? Read the details here.
The SEC said that they did not have effective controls in place to report relevant cybersecurity information to management and failed to carefully assess and respond to alerts in a timely manner. They also did not have effective controls in place to protect their assets. What about your company? Read the details here.
Since PHP is at the core of, probably, close to half of the websites on the planet, it is not surprising that hackers jumped on exploiting the bug so quickly, knowing that some websites won’t get patched for months, if ever. Read the details here.
The intelligence agencies of multiple countries released an alert this week warning that China’s state sponsored hackers can convert bug patches into weapons in hours. If you are waiting 30 days to deploy patches, that may be 29 days too late. Learn more here.
This is NOT the result of a cyber attack. It is a problem with open source software and supply chain risk and the root problem affects every organization doing software development or paying someone else to do software development on their behalf. Learn more here.
As deepfake apps get better at an amazing velocity, corporate losses are growing just as fast. One company recently lost $25 million in a video conference with the CEO, except that everyone on the call was a deepfake except for the mark. Get prepared; it is coming your way. Read the details here.
All the attacker needs is WiFi proximity – no credentials, no access to the system or any files and most importantly, no user interaction to completely take over the system. Read the details here.
Adobe says these new terms have been in effect for years, but they are being more “transparent” about them and adding them to their agreement. You can opt out if you know how, but educating your employees is critical. Not understanding what Adobe is doing could cause you to violate the terms of contracts with your customers or even break the law. Learn more here.
Ticketmaster recently admitted that they were breached. Reports are that data on 560 million customers was stolen. Santander Bank also was hacked and data for about 30 million customers was stolen. Both companies used one particular cloud provider and while we have not sorted out whose fault the breach was, both companies are being sued. This only serves to emphasize that you can outsource the tech, but not the liability. The liability stays with you. Learn more here and contact us if you need assistance.
Google this month followed in the steps of other cloud providers and accidentally deleted all of the data and all of the backups of a $125 billion pension fund. What did they say afterwards? We have taken steps to ensure this doesn’t happen again. Need a more robust data backup and recovery strategy? Contact us. Details here.
Just because you can connect something to the Internet doesn’t mean that you should. Rockwell Automation, who makes a living selling automation devices, is telling customers to disconnect anything that should not be connected to the Internet. This is an odd statement from a company like Rockwell. You may be surprised how many of these “dark matter” devices are connected to your network. Learn more here.
I am going to make you read the post to learn why, but suffice it to say that people who are a lot smarter than I am think this is a problem for AI. Since everyone is just going crazy over integrating AI into their products or creating new AI based products, you need to pay attention to this. Some uses of AI are not problematic, but others definitely are. And if Congress passes the bills that they are considering, it will get much worse. Learn more here.
The bug is an example of bad software development practices on the part of developers and does not represent a flaw in the Android OS. That means the only people who can “fix” this are the many, many developers of apps, both corporate developers and independent ones. That also means that this problem is likely to be with us for a long time. Read the details here.
OpenAI, maker of ChatGPT, is being sued for violating GDPR. And, it appears, there is no simple solution. While this case was filed in Europe, a similar lawsuit would likely work in the U.S. for those states with new privacy laws (more than a dozen states). Companies need to understand the risks and work to mitigate them. And see if their insurance will cover them. Details here.
The Known Exploited Vulnerabilities (KEV) catalog is a list that CISA maintains of vulnerabilities that they have seen being exploited. If you use Cisco ASAs or Firepower or the CrushFTP software, read on and patch now. Details here.
A Universal Opt-Out Mechanism (UOOM) is a way for a browser user to tell a web site operator whether the user can be “tracked” or not. Colorado’s UOOM goes into effect on July 1 and affects a large percentage of websites. If you don’t have any tracking mechanisms on your website (like Google or Facebook analytics) then you probably don’t have to comply, but most commercial websites do have that. Learn the details here.
Likely in light of the new False Claims Act prosecution initiative, the DoJ has announced a new rewards program for people who rat out people who are breaking the law, including cybersecurity regulations because there are gaps in the current incentive programs. While the details have not been announced, one recent whistleblower who was entitled to a reward received more than $70 million, while others receive nothing. Read the details here.
Hackers and software developers have been playing security cat and mouse for a long time. This is, potentially, the next step. Using public key encryption and the PC’s trusted platform module, Google is proposing an open standard. If they pull it off, it will definitely make things harder for the crooks. Read the details here.
At least for now, there is no fix for this. For M3-based Apple computers, there is a feature that you can turn on that helps as long as developers also fix their software. For users of M1 and M2-based computers, there currently is no fix. Learn more here.
In a filing with the SEC and also a public warning, Microsoft admitted that the attack by Russia-backed Midnight Blizzard was worse than they expected. What are you doing to protect yourself? Learn more here.
As the Mark Twain quote goes “when congress is in session, no American is safe”. Which may explain the TikTok ban. The ban is a legally questionable alternative to a strong national privacy law, which Congress is unlikely to pass. This dance is far from over. Learn more about what is going on here.
Online scams reported to the FBI last year reached a record $12.5 billion. Estimates are that this represents only 10-20 percent of the total online crime losses. Are you prepared? Can you survive an attack? Read the details here.
Many companies wait a while to deploy patches. They are often concerned that patches will break things. On the other hand, it appears that not patching allowed hackers to attack and shut down one of the largest healthcare payment management networks in the country, affecting patients’ ability to get their prescriptions in a timely manner. Now would be a good time to review your patch strategy. Read the details here.
Just in case you thought you could delay implementing the requirements of California’s privacy laws for a few years, the appeals court just shot that idea down. They say that rules can go into effect immediately, even new rules. If you do business in California, you need to read this. Details here.
The bug allows hackers to trivially bypass some of Outlook’s protections and attack users’ computers remotely and without authentication. Now that the bug and how to trivially exploit it are public, expect attacks to go up exponentially. Read the details here.
The Vision Pro has two depth sensors, 12 cameras and six microphones. Is it a privacy nightmare? Apple, of course, is working hard to convince you that it is not. Before you allow them into your enterprise, you need to have a lot more answers. Learn more here.
At a hearing today, the Senate Judiciary Committee tried to get tech CEOs to admit that their platforms harm kids and that they should support new laws, laws that will likely have a broader impact than a few social media companies. Read the details here and stay tuned for what comes next.
Swatting, the act of causing the police to respond with extreme force to an event that they believe to be real but which doesn’t even exist, is happening across the country. Occasionally people get hurt or killed when these events occur. Sometimes the targets are high profile, but more often they are just average people. Learn more here.
The FBI and CISA have issued an alert about the national security risks associated with the use of Chinese made drones such as DJI. They have issued recommendations on how to reduce that risk, but the only way to eliminate it would be to stop using Chinese drones. The federal government has banned the use of Chinese drones by agencies. Read the details here.
Another month and more bugs. In this case, among this month’s patch fest are two bugs that Microsoft says you should prioritize. The Kerberos Bug ranks 9 out of 10. Details here.
This is a new way to use email to launch a malicious attack. The attack works due to a bug in multiple implementations in email servers like Microsoft Exchange. Some email vendors have patched this protocol implementation flaw; others have not implemented a fix. Learn more here.
As companies choose not to pay ransoms after a cyber attack, hackers are going directly to victims to both extort money from them and ruin the reputation of the organization that got hacked – after all, customers are not going to take kindly to a company that loses control of their data and then allows them to be extorted. Read the details here.
Admins everywhere use SSH to manage all sorts of devices. Researchers have devised an attack that they estimate 77 percent of the SSH servers on the Internet are vulnerable to. If you use SSH but limit it to VPNed-in users you are better off, but you are just one user clicking on a malicious link away from being vulnerable. Read the details here.
We have detected about two dozen attacks on critical infrastructure over the last year. What we don’t know is how many other penetrations have been successful and which we have not detected. The thought is that China wants to be able to disable our critical infrastructure in case they want to. They certainly have the technical skills. Read the details here.
This attack affects AMD, Intel and ARM, so it doesn’t seem to matter what chip you are using. Worse yet, none of the chip makers seem willing or eager to fix it – likely because it will have negative performance or functionality effects on users, therefore affecting sales. Read the details here.
Former Uber CISO Joe Sullivan is speaking out 6 years after the Uber breach that affected 50 million people. While he is undoubtedly trying to rehabilitate himself, there are useful lessons to be learned. Now that the SEC is going after another CISO (SolarWinds CISO), it is probably a good time to review what they did and what they did not do and see if you need to change any of your policies. Read the details here.
Legislators have been warned about these attacks, which could potentially cause loss of life and business disruption, for more than a decade. And have done nothing about it. Since September, pilots have reported more than 50 attacks against commercial airliners. Oh, yeah, commercial GPS receivers have NO signal authentication. Gee, that is a surprise. Read the details here.
As if you didn’t already have enough patching challenges, here is another one. Intel and AMD released patches for their processor chips fixing around 130 bugs. Sometimes Microsoft is able to bundle processor chip patches in their releases, but often, you have to manage those patches yourself. Learn more here.
FISA section 702, which allows the government to do warrantless bulk data collection, expires in about 7 weeks. There is a lot of distrust of 702 on both sides of Capitol Hill. This week a draft of a bill extending 702 with new restrictions was introduced and the White House doesn’t like it (even though they have not read the bill, they say). This could get down to a game of chicken around December 31st. Learn what is in this new bill here.
Executive Orders have limited power because they don’t carry the force of law. But, they likely do impact the billions of dollars that the Feds spend on IT, so that can have a strong impact on what vendors do. The AI executive order gets the executive branch moving in the direction of guardrails, which is a good thing. Learn more about what it aims to do, here.
The White House announced a 50 country meeting next week to fight ransomware. While we will learn more next week, some details are already being announced. Learn more here.
Passkeys are a real security win for end users and IT, but they are not ready for prime time. Still, now is the time for IT to learn more about them. Read about it here.
Rumor has it that the DoD, in their work to get CMMC approved correctly, has been working with the FAR Council to update the cybersecurity rules for all government purchases, not just military. While we don’t know the extent of that, it certainly looks like cybersecurity 2.0 is a very significant upgrade. Learn more here.
The risk represented by the hundreds of “vendors” that you likely share data with is really being brought to the spotlight by this breach. The breach has affected over 2,200 companies and 62 million people so far – and growing every week. And the breach is not just affecting your third party vendors, but also their vendors and their vendors’ vendors. Are you prepared for that? Learn more here.
Hackers claim to have stolen a lot of Sony’s source code. While Sony is trying to verify this, the hackers said they didn’t bother encrypting the data. Here is why. This is the new hacking model.
NIST SP 800-171 is a standard that many government contractors are required to comply with, especially, but not limited to, defense contractors and their subs. It appears that Penn State did not take this responsibility seriously, hence the lawsuit, which could cost the University tens of millions and net the whistleblower possibly as much as 60 percent of that fine. If you are required to comply with NIST SP 800-171, this is required reading, here.
The FBI, NSA and CISA just issued a warning to businesses that deepfakes or what they call synthetic media are coming after your brand and your money. In the end, you will wind up being sued and paying the bill. And, given the rate of improvement of the technology, at this time next year, what we are seeing today will look like child’s play. Learn more here.
While this may not be a total surprise, the extent to which car makers go to sell your data, AKA make money from your data, will likely surprise even you. Read the details here.
Are you adequately backing up your cloud hosted data? Your provider is not responsible for your data and won’t even pay you if they lose all of your data. It happens time and again that something happens with a cloud provider and your data is gone. And, it is your problem, not theirs. Read the details here.
AT&T’s Alien Labs says that there is a rapidly growing proxy network that is using your employees’ home computers to launch attacks, possibly against you. While the attack network owners claim that the employees and others who own the computers agreed to participate in illegal cyberattacks, that is highly unlikely. Read the details here.
Reports are that account takeovers on LinkedIn have increased 5,000% in the recent months and LinkedIn has been of no help in recovering access to stolen accounts. Are you prepared? Learn more here.
Potentially, it is hard to abuse this flaw and it may cause a major performance hit; companies need to assess the risk and decide for themselves where and if they should deploy the fix. Read the details here.
Facebook and Instagram have announced that they are banning news from their apps in Canada as a result of a new law. They said that users don’t come to their apps to get news anyway. We will see whether this expands to other social media brands and the laws expand to other countries. If Canada is a market for you, you should watch what is happening. Read the details here.
Starting in December SEC regulated companies will have four days to disclose cybersecurity breaches to the SEC. They will also need to explain what their Board is doing to manage the risk and disclose all of this in their annual report. Even if YOU are not regulated by the SEC, if your customers are, expect good news to trickle down to you in your contracts. Read more here.
The five major objectives of the strategy are massive. The plan, which is still high level, is almost 60 pages and assigns specific tasks to specific agencies. If the administration follows through on at least some of these tasks, this will be a major step forward for the security of the country. Learn more here.
CISA and the FBI released an alert today about a Chinese attack that compromised users’ email mailboxes, including some at the State Department. CISA released details on how they detected the attack; things that you may be able to do. Microsoft did NOT release a patch for the attack in today’s Patch Tuesday patch fest. Read the details here.
Businesses evolve and the business of ransomware is no different. As we have seen in the last several months, the Russian ransomware group Cl0p is doing very well using their new business model (which we have been predicting for a year, so it is not really that novel). Learn what they are doing that is different here.
Without regard to any other possible solutions, this is something that needs to happen. Ransomware only works because it is effective. Effective may mean disabling an adversary or it may mean extracting money from that adversary. The feds plan to protect themselves, but protecting you – that is your problem. Are you ready? If it becomes harder to attack the feds, guess who the hackers are going to go after? Learn more here.
Hundreds and potentially thousands of organizations have been breached as a result of the Progress Software MOVEit vulnerability. Smart organizations will learn from this event and make changes to their processes as a result. Here are our observations; if you need assistance, please contact us.
We always like it when CISA tells people that they have 14 days to do what we have been telling them to do for years. CISA says federal agencies have two weeks to do it – but they are not saying what attack caused them to do this. Clearly, there is something very serious going on. If you have not already followed our advice about this, now would be a good time. Read the details here.
Usually, when companies find a bug they patch it and move on. Sometimes you have to decontaminate as well. Sometimes that is not enough. For some Barracuda users, this time it is a matter of a total replacement and checking the rest of your network for malware. Read the details here.
Apparently there is not a clear-cut answer to this question and the courts have been wrestling with it for the better part of a decade. In case you don’t want to be in court for a decade, there is a step you might want to consider taking. Learn what that is here.
Microsoft, multiple US government agencies and the rest of the “Five Eyes” countries announced today that China had infiltrated U.S. critical infrastructure and is trying to obtain a further beachhead into other infrastructure, both to conduct espionage and also to lie silently in wait so that it can detonate an attack at a moment’s notice. Are you prepared to detect and respond? Learn more here.
Last week China raided the offices of a U.S. company and accused them of stealing China’s IP. This week the DoJ indicted a number of Chinese and other nationals, accusing them of the same thing. Only one has been arrested, but they are working hard to improve that. They need your help. Read the details here.
Remember, I always say learn from mistakes others make so you don’t have to make the same ones. Western Digital discovered a breach last month and the hackers, apparently, were monitoring the company’s response because of one major mistake the company made. Read the details here.
Researchers have discovered a flaw in Salesforce Community websites that lets people see data that they should not, AKA the websites leak sometimes very sensitive data. Salesforce says this is not a bug, just developers not configuring things correctly. Whatever the excuse, people’s sensitive data is being leaked. Read the details here.
By the end of this year there could be a dozen states, or more. Each with their own nuances. Are you prepared? See who joined the club this year and who is still working on new legislation – it may not be whom you think, here.
OpenAI’s ChatGPT is facing a new legal threat claiming that the model is fatally flawed, and the party making the demand says that OpenAI has to delete the model completely and start over. That probably is not going to happen without a large fight. If your company joins the large-language-model fray, even just using it, you could get sucked into a lawsuit yourself. Learn what is happening this week, here.
A survey by Bitdefender says that 75 percent of US companies say they have experienced a breach in the last year and 70 percent of US company IT security pros say they have been told not to report a breach. Read the details here.
Researchers have demonstrated an attack vector using anything with a speaker and a microphone. There does not appear to be a “fix” other than turning off any smart devices you might have at home or at work. That is unlikely to happen. That means that users – businesses and personal – need to understand the risk and understand their own risk tolerance. Read the details here.
Generative AI such as Bard and ChatGPT are advancing at warp speed. But they are leaving the law in the dust. Fortunately or unfortunately, the law is nipping at their heels and the lawsuits have just begun. Depending on which side of the AI game you are on, that should be very concerning. Actually, no matter which side you are on, you should be concerned. Learn why, here.
Microsoft recently patched a bug in Outlook that can be exploited not only without the user clicking on anything, but it could compromise the system before the user even sees the message in their inbox. Read the details here and patch now.
Spies have used sex as a lure since time began and still do. Now they just have different tools to do it with. Here is a real-world example; in this case the lure was the love of money, but the romance scams are still very popular. Are you sure your team won’t get hooked by one of these scams? Learn more, here.
An executive protection firm says that they are seeing a precision, targeted attack against high level staff, using data from the dark web, prior breaches and even company websites. There are things that you can do to protect yourself and your family, but it is not simple. Learn more, here.
While the politicians and “govies” seem to make the news about having documents they should not have, the real problem is at every company in America. Half of your employees will take your documents with them if they leave and most of them don’t see a problem with this. Read the details here.
The Supreme Court is being asked to determine whether Google and Twitter are protected from being sued out of business over user generated content. We won’t know until this summer how badly they will damage it, however. This could affect all businesses that use social media, YouTube and search engines as part of their customer engagement strategy. Read the details here.
To say that Intel’s Software Guard Extension instructions have been a problem for Intel is an understatement. Intel’s solution is to get rid of them. Which is fine if the software you use doesn’t require them. Intel released 5 new SGX patches this month alone. Read the details here.
The news of these seems to come in waves although Cisco seems to have a perennial problem with it. Manufacturers often create a secret, invisible password that Internet providers (and hackers) can use to get into your network devices, especially those in the homes of your work from home employees, putting your systems, data and networks at risk of ransomware attacks and breaches. Read the details here.
The discovery of firmware flaws in remote management controllers, sometimes called baseboard management controllers (BMCs), goes on. This time it is AMI’s RAC that is buggy and it affects every major server vendor and many others. Learn more here.
CISA, the NSA and MS-ISAC issued a joint alert warning of an attack that is actively being exploited on government networks, but we should assume it will expand now. Learn what is happening and what you should do, here.
Sophos, Cisco and Fortinet, three of the biggest firewall vendors, recently announced bugs/patches/attacks in the wild against their firewalls. That makes this a good time to talk about network cyber hygiene. That includes those networks in employees homes. Hackers know that coming in via the back door (your employee’s home Internet connection) is likely way easier and highly unlikely to be detected when compared to your office network. Read the details and our list of firewall/router security tips, here.
Apple is facing yet another lawsuit claiming that even if users tell Apple not to track them, Apple still tracks them. This is not the first lawsuit claiming that and this one is seeking class-action status. Apple has always differentiated itself in its ads by claiming that Apple is privacy focused. If it turns out that Apple was lying, well, that makes them no different from Google and Facebook, maybe just a little more subtle. Read the details here.
Whether the current Chinese claim of having broken RSA 2048 encryption with a quantum computer is slightly exaggerated or not, it is not far away. That means planning for a complete overhaul of your encryption architecture should start now because it will take years to implement. Read the details here.
Unfortunately, it is nothing we are good at right now and the SOC software and service vendors are not good at it either. The hackers know this, which is, in part, why they are cleaning our clocks. And, I don’t anticipate it getting better any time soon. That is probably why Google bought Mandiant. They know that breach response is going to be an exponentially growing business. Read the details here.
macOS is supposed to detect when you download a program from the Internet and flag it to make sure that it is signed by an approved signer. Note that this isn’t failproof because sometimes developers don’t protect their signing certificates, but it is pretty good. Except that Microsoft researchers found a weak spot in how Apple implemented the feature, completely neutering it. They call it Achilles. Read the details here.
Fortinet urges all of their customers to patch their firewalls now as hackers scan the entire Internet looking for vulnerable firewalls. Read the details here.
One vendor of BMC firmware used by more than a dozen hardware manufacturers has several vulnerabilities, the highest rated one coming in at 9.9 out of 10. Each computer hardware maker will need to release its own patches for this. The highest rated bug allows arbitrary code execution, and since it runs in the BMC, below the operating system, even the best, super-duper, newest zero-trust endpoint protection won't even see the attack. Read the details here.
Microsoft has discovered a new ransomware technique that is pretty hard for end users to detect and should worry IT staff. There are some techniques to block it, but many companies are not using them yet. Read the details here.
That is a scary statistic. This was a study of over a million and a half users, not one of those studies that talked to 200 people and extrapolated. Are you part of the 90 percent or the 10 percent? Are you using the tools that Microsoft provides? Do you have a security to-do list (a POA&M, or Plan of Action and Milestones)? If not, you are putting your company at risk. Learn more here.
A U.S. front company to disguise real ownership and a lack of due diligence on the part of developers allowed Russia to install software on 2+ billion devices. The tracking software gives Russia access to a huge amount of user data. This is just another example of how our adversaries use our supply chain against us. Read the details here.
Microsoft says that they saw these being exploited by a nation state actor in August, but now that the patches are out, expect China to have a lot of company exploiting these bugs. Consider patching these six bugs very soon. Reports say that it only takes hackers 1-3 days to start exploiting high priority vulnerabilities, maybe less. Read the details here.
An unnamed supply chain vendor that feeds news and ads to hundreds of news websites was compromised and is now also distributing malware. While this particular campaign uses a vendor to news web sites, this attack could use any vendor. The key is to compromise a vendor that a lot of other sites use. If you are not already prepared, get prepared. Read the details here.
Decades ago Microsoft decided to bake Internet Explorer into Windows, foiling many countries' attempts to make it remove IE, as a way to dominate the browser market (a strategy that ultimately failed). Even though support for IE ended last June, the ghost of IE is still haunting Windows users and will until they migrate to an operating system that does not have IE in its guts. Two new bugs allow a hacker who has gained even very limited access to the domain to crash the Windows event logging service, blinding your security tooling, or even crash the entire computer. Any computer in the domain. Read the details here.
You did not misread that. When a researcher announced that Microsoft is using a weak form of AES to encrypt files and messages, Microsoft’s reply was that their implementation of encryption was not a security feature, just designed to reduce accidents. That means that if you are using Microsoft encryption, you might want to reconsider that decision. Read the details here.
Researchers have discovered hundreds of “poisoned” open source libraries, known as packages, being used as a way to steal credentials and data. While this has been an occasional problem in the past, hackers have figured out that it is relatively easy to pull off and the odds of getting caught are low. Read the details here.
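One of the standard ways a poisoned package gets onto a build machine is typosquatting: publishing a package whose name is one keystroke away from a popular one and waiting for someone to mistype a dependency. The script below is an added example, not code from the article or from any package registry, showing the check a build pipeline can run over a requirements file before installing anything. POPULAR is a constructed stand-in for an allowlist of names you trust (in practice, seed it from a registry's most-downloaded list or your own approved-package inventory) and REQUIREMENTS is a constructed requirements file with three deliberate near-misses. The check catches lookalike names only; it will not catch a legitimate package whose maintainer account or build pipeline was compromised.

```python
"""Flag dependency names that look like typosquats of well-known packages.

Added example, not code from the article or any package registry. POPULAR and
REQUIREMENTS are constructed inputs for the demonstration.
"""
import re

# Constructed allowlist of names you trust and expect to see.
POPULAR = {"requests", "urllib3", "numpy", "pandas", "colorama", "cryptography", "boto3"}

# Constructed requirements file: three lines are deliberate near-misses.
REQUIREMENTS = """\
requests==2.31.0
reqeusts==2.0.0          # transposed letters
urlib3>=1.26             # dropped letter
numpy
pandas~=2.0
colourama                # extra letter
mycorp-internal-lib==1.4 # private package, not close to anything popular
"""

_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Foo_Bar', 'foo.bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def parse_names(requirements: str) -> list:
    """Extract the package name from each non-comment line of a requirements file."""
    names = []
    for line in requirements.splitlines():
        line = line.split("#", 1)[0]
        m = _NAME.match(line)
        if m:
            names.append(m.group(1))
    return names


def audit(requirements: str, popular=POPULAR, max_distance: int = 1) -> list:
    """Return [(requested_name, popular_name_it_resembles, distance)] for suspicious entries."""
    trusted = {normalize(p) for p in popular}
    findings = []
    for raw in parse_names(requirements):
        name = normalize(raw)
        if name in trusted:
            continue  # exact (normalized) match to a known-good name
        closest = min(trusted, key=lambda p: osa_distance(name, p))
        dist = osa_distance(name, closest)
        if dist <= max_distance:
            findings.append((raw, closest, dist))
    return findings


if __name__ == "__main__":
    for raw, looks_like, dist in audit(REQUIREMENTS):
        print(f"SUSPICIOUS: {raw!r} is {dist} edit(s) from {looks_like!r}")
```

Run it as a pre-install gate in CI and fail the build on any finding; a private package that happens to sit one edit from a popular name is exactly the case you want a human to look at before it is pulled from a public registry.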
Apparently, LinkedIn has turned into as big a dumpster fire as Twitter is and it seems to be getting worse. And, like Twitter, they either are unable or uninterested in controlling it. Read the details here.
Someone, likely Russia, blew up the Nord Stream pipeline, shutting off the flow of gas. This is an escalation of the war in Ukraine, but it would be wise for U.S. businesses to consider that Russian-aligned terrorists might think that doing the same against Ukraine's primary proxy, us, would be a good thing. Are you prepared for that? Read the details here.
The feds are working to make it harder for Chinese investors to get their hooks into U.S. companies in a way that could harm national interests by undermining security or stealing our intellectual property. If you have foreign investors, remember that the government can not only veto new investment, but also unwind old investment. Read the details here.
Uber’s former security chief is now on trial on criminal charges related to Uber’s 2016 breach. Uber is not paying his legal expenses. This trial is being carefully watched as a precedent on handling breaches. Read the details here.
As the FBI, Department of Education, Homeland Security, CISA and local law enforcement swarm the LA Unified School District in the wake of a cyberattack just days before school started, it is coming out that there is something that, if they had been doing, probably would have stopped the attack. Learn what they – and you – should be doing, here.
With only 30 days and limited infrastructure, researchers evaluated 30,000 Android apps and found that over 18,000 of them hard-coded secrets like API keys and cloud storage bucket locations. While this tested Android apps, there is no reason to believe the practice is limited to them. Read the details here, and if you need assistance, please contact us.
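The researchers' method, at its core, is string analysis of unpacked app code, and the same check belongs in your own release pipeline. The script below is an added example, not code from the study or from any of the tools it used, showing the two-tier approach that works in practice: exact patterns for credential formats with a fixed shape (AWS access key IDs start with AKIA, Google API keys start with AIza), then an entropy test for anything assigned to a variable whose name suggests a secret, so that placeholders like "changeme" are not reported. SAMPLE is a constructed excerpt standing in for decompiler output (the Java that jadx produces, or the resource strings apktool extracts); the AWS key in it is Amazon's documented example key and the other values are made up.

```python
"""Scan strings pulled from a decompiled app for hard-coded secrets.

Added example, not code from the study the post links to. SAMPLE is a constructed
excerpt; the keys in it are Amazon's documented example access key and made-up values.
"""
import math
import re
from collections import Counter

SAMPLE = """\
// constructed excerpt of a decompiled BuildConfig class; not from any real app
public static final String API_BASE = "https://api.example.com/v2";
public static final String AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
public static final String MAPS_KEY = "AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q";
public static final String UPLOAD_BUCKET = "https://acme-user-uploads.s3.amazonaws.com/";
public static final String PUSH_SECRET = "kz8Qw2mN4pL7vX1cR9tY3bH6";
public static final String DEBUG_PASSWORD = "changeme";
public static final String PRIVACY_URL = "https://example.com/privacy";
"""

# Credential formats with a fixed shape: cheap, precise, and the first thing to check.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "s3_bucket": re.compile(r"\b[a-z0-9.-]+\.s3\.amazonaws\.com\b"),
}

# Anything assigned to a variable whose name suggests a credential.
ASSIGNMENT = re.compile(r'(?i)\b(\w*(?:key|secret|token|password|passwd)\w*)\s*=\s*"([^"]*)"')
MIN_SECRET_LEN = 16
MIN_ENTROPY_BITS = 3.5  # per character; random base62 of this length sits well above it


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own character frequencies."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan(text: str) -> list:
    """Return findings as dicts {line, kind, value}; one finding per distinct value per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                if m.group(0) not in seen:
                    seen.add(m.group(0))
                    findings.append({"line": lineno, "kind": kind, "value": m.group(0)})
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            # The keyword alone is a weak signal ("changeme" is a placeholder, not a secret);
            # require the value to look like key material before reporting it.
            if value in seen or len(value) < MIN_SECRET_LEN:
                continue
            if shannon_entropy(value) >= MIN_ENTROPY_BITS:
                seen.add(value)
                findings.append({"line": lineno, "kind": "high_entropy_secret",
                                 "value": f"{name}={value}"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']:>3}  {f['kind']:<22} {f['value']}")
```

Feed it the output of `jadx -d out app.apk` or `apktool d app.apk` (both real tools; the paths are yours) and treat every finding as a credential to rotate, not just to delete: once an APK has shipped, the key is public.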
Former head of Twitter security Mudge filed a whistleblower complaint with the feds alleging that Twitter’s security is a large scale dumpster fire. The result of this is a large scale federal investigation plus media coverage in every blog and magazine in the country. In fact, some are saying this is a national security issue. Read the details here.
People love IoT devices. Whether it is Siri, Alexa or something that lets you tell if you need more milk in your refrigerator, the software and hardware is sometimes impressive. But, as we have seen with a lot of these devices, they are rushed to market and are often buggy. We have seen that with cryptocurrency apps which have lost companies and investors hundreds of millions of dollars. These bugs are very visible. Today’s bug could get you killed. If, after reading this, you need help, please contact us. Read the details here.
If you are regulated by New York’s DFS, the regs are going to get tougher if what they want to do becomes the law. Read what they want to do here.
Yet another Managed Service Provider was hit by a cyber attack and shut down their servers. In the meantime, their customers don’t have access to their data. How long it will take them to recover and for their customers to get access to their data again is unknown. While we anticipate that this vendor will eventually recover, are you prepared to run your business for a few months without access to your data? Read the details here.
Russian security firm Kaspersky has dissected a new rootkit that persists even if you reinstall Windows or replace the hard drive, which tells you it lives in the system firmware rather than on disk. Read the details here.
Time and again, companies seem to badly butcher the after-breach crisis communications process. I can think of at least two this year so far. Some companies just go dark. Hoping the problem will just go away never turns out well. See who has been butchering it this year and then give us a call. Read the details here.
Microsoft is warning of a large-scale man-in-the-middle phishing attack (Microsoft's term is adversary-in-the-middle, or AiTM) that has targeted at least 10,000 organizations in the last 10 months, and that only counts what Microsoft sees, not what other companies like Google see. Because the attacker's proxy sits between the user and the real login page, it captures the session cookie after the user completes MFA, so conventional MFA alone does not stop it. The best defense is aggressive user training plus some additional tools. Read the details here.
As expected, NIST has announced the first algorithms selected to replace today's public-key encryption, key exchange and digital signature algorithms (RSA, Diffie-Hellman and elliptic curve) in a post quantum computing world; symmetric algorithms like AES and SHA-2 are not being replaced, since a quantum computer only weakens them rather than breaking them outright. Final standards are expected around two years from now. Remember, it is not when YOU get post quantum computing, it is when the other guys (like China or North Korea) get it. If they have it, that will allow them to decrypt anything they have saved in preparation for that day (harvest now, decrypt later): all of your personal data, financial data, security data and anything else sensitive. Learn what NIST has done and what you need to do, starting now, here.
Researchers have discovered that dozens of implementations of a popular digital signature algorithm are vulnerable to leaking the user's private key. These libraries are used in cryptocurrency and financial services platforms. Learn more about the problem and what to do, both short and long term, here.
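The textbook way a signature library leaks the private key is nonce reuse in ECDSA: two signatures made with the same per-signature random number k give an attacker two linear equations in two unknowns, and the key falls out. The following is an added example to show that algebra end to end; it is not code from the post or from any of the affected libraries, and it does not claim this is the exact flaw the linked research found. It uses a constructed toy curve (y^2 = x^3 + 2x + 2 over F_17, generator (5, 1) of prime order 19) so every number can be checked by hand, and h1, h2 stand in for H(m) reduced mod n.

```python
"""ECDSA on a toy curve, showing how nonce reuse hands over the private key.

Added example for illustration; not code from the article or from any affected library.
Curve (constructed, textbook-sized): y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1)
of prime order N = 19. The recovery algebra is identical on P-256 or secp256k1.
"""

P, A, B = 17, 2, 2      # field prime and curve coefficients (assumed toy values)
G, N = (5, 1), 19       # generator and its order
INF = None              # point at infinity


def inv(x: int, m: int) -> int:
    return pow(x % m, -1, m)


def add(p1, p2):
    """Affine point addition with the doubling and inverse cases handled."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k: int, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def sign(d: int, h: int, k: int):
    """Sign hash h (already reduced mod N) with key d and nonce k.

    k is a parameter only so the demo can reuse it; a real implementation must draw a
    fresh k per signature (or derive it deterministically from d and h, RFC 6979).
    """
    if not 1 <= k < N:
        raise ValueError("nonce out of range")
    r = mul(k, G)[0] % N
    s = inv(k, N) * (h + d * r) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another nonce")
    return (r, s)


def verify(Q, h: int, sig) -> bool:
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = inv(s, N)
    X = add(mul(h * w % N, G), mul(r * w % N, Q))
    return X is not INF and X[0] % N == r


def recover_private_key(h1: int, sig1, h2: int, sig2):
    """Two signatures with equal r means equal k: solve for k, then for d."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("different r, so different nonces: nothing to recover")
    if (s1 - s2) % N == 0:
        raise ValueError("same message signed twice: need two distinct hashes")
    # s1 - s2 = k^-1 (h1 - h2)  =>  k = (h1 - h2) / (s1 - s2)
    k = (h1 - h2) * inv(s1 - s2, N) % N
    # s1 = k^-1 (h1 + d r)      =>  d = (s1 k - h1) / r
    d = (s1 * k - h1) * inv(r1, N) % N
    return k, d


if __name__ == "__main__":
    d = 7                      # victim's private key
    Q = mul(d, G)              # public key, (0, 6) on this curve
    h1, h2 = 3, 11             # stand-ins for H(m1) mod N and H(m2) mod N
    k = 10                     # the bug: one nonce used for two signatures
    sig1, sig2 = sign(d, h1, k), sign(d, h2, k)
    assert verify(Q, h1, sig1) and verify(Q, h2, sig2)
    print("signatures:", sig1, sig2, "-> recovered (k, d) =", recover_private_key(h1, sig1, h2, sig2))
```

The attacker needs nothing but two public signatures that share an r value, which is why the short-term check is to look at how your library sources k (a broken RNG, or an API that lets the caller influence the nonce, is fatal) and why deterministic nonces per RFC 6979 are the usual long-term fix.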
Ambulance billing service Comstar discovered they were hacked in March. A month later they discovered that hackers may have accessed sensitive patient data. Last week they issued a press release announcing that some customers, number unknown, some data, amount unknown, may have been compromised. Is this what you want to do when you are hacked? Learn more here.
Water may be the greatest vulnerability in our national infrastructure, said Samantha Ravich, chair of CCTI (the Center on Cyber and Technology Innovation). Much of the problem lies in just how decentralized water systems are, she explained: 50,000 drinking water plants and 15,000 wastewater plants, all different and underfunded. Read the details here.
The agencies have issued a follow-on alert to the ones they issued in 2020 and 2021, alerting ISPs, network service providers, private companies and home users to an apparently successful attack method used by the Chinese. Unlike ransomware, which makes a lot of noise and so is discovered quickly, these attacks are quiet and remain installed and active for years. Read the details here.
A new Microsoft Office Exploit, dubbed Follina, works in all versions of Office released in the last 10 years and does not have a released fix. It is trivial to exploit and is being actively used by the Chinese to attack users. Read the details here.
Hackers have figured out that it is easier to go after a target company's executives' personal digital world than the company's network and devices. In general, executives' security practices at home, along with those of other family members, are not nearly as good as at work. Which is sometimes not so great either. Look at the stats and read the details here. If you need help, contact us.
CISA issued emergency directive 22-03 directing federal agencies to patch all instances of the affected VMware products, public facing or not, within five days or pull the plug. There is proof of concept code available and CISA has been working on this for a month. Read the details here.
As more states create privacy laws, there are going to be a lot of Attorneys General filling in the blanks that the legislatures left. Here is one from California. While it is the first, it is definitely not the last. If you collect personal information, you need to pay attention to these interpretations. Read the details here.
Once again, a popular software library embedded in many vendors’ hardware has bugs that make that hardware vulnerable to remote, unauthenticated attacks. The vulnerabilities not only allow an attacker to compromise the networks those devices are on but also steal data from the network owners. Read the details here.
Because of the severity of Log4Shell, Amazon's AWS decided to help its customers by developing a hot fix while the final fix was being worked on. Only problem is that the hot fix itself can be abused to let hackers escape the virtual environment completely. Read the details here.
The NSA doesn't publicly acknowledge being the source of a bug report very often. In fact, if you believe the rumors, they hardly ever report bugs at all (although they would say that is not true). In this case, the bug, patched yesterday (along with 10 critical bugs and three that are wormable), is being exploited in the wild. Does that mean the NSA saw that, say, Russia or China is using it? They are not going to say. But there were hundreds of bugs patched yesterday from a dozen vendors. Happy Patch Tuesday. You are probably going to have to prioritize your patch process. Read the details here.
Everyone's whipping boy, TSA, is doing it again. After the Colonial Pipeline hack they were directed to step up pipeline security. Now! Unfortunately, an organization whose main goal is to pat people down for guns at airports doesn't have a lot of cyber expertise or industrial control (OT) expertise, and that is showing up in the regulations they are trying to push on pipeline operators. According to the industry, it is a total cluster. Read the details here.
Google released a patch for a high severity bug in Chrome that is being exploited in the wild. Right after that, Microsoft said the exploit affects Edge too. Likely all other Chromium-based browsers are affected as well, since the bug is in the JavaScript engine they share. Remember that a browser may download the update in the background but only applies it once you close all browser windows and relaunch it. Read more details and get the fixed version numbers here.
Dell has patched 5 high severity bugs in the UEFI firmware of millions of Dell computers. Dell now joins other vendors like HP in having buggy firmware. The bugs appear to be around six years old and affect multiple Dell product lines. Read the details here.
Whether accidental or intentional, Russia's invasion just made our chip shortage worse. Ukraine is a key supplier of one material used in semiconductor production, and while some of the bigger chip fabs might be okay for a few months, if Putin takes over Ukraine, it puts him in the driver's seat. Read the details here.
Due to a software bug inside Samsung’s Trusted Execution Environment, hackers could obtain a user’s encryption keys and trivially decrypt all of the user’s data. The bug was patched last fall, but the Android patching environment is convoluted and dependent on carriers testing and pushing patches forward and on users actually installing them. Of course, any phone that is no longer being supported by their carrier will be vulnerable forever. Read the details here.
As the Russia-Ukraine war continues, there is significant concern that it will extend to countries friendly to Ukraine. As a result, a bill that got booted out of the NDAA last year was passed unanimously yesterday. While the House still needs to pass it, it is very likely that will happen quickly. Learn some of the key pieces of the package here.