CyberSecure Specialist

07 May

Using Discord? Don’t play down its privacy and security risks

Information

It’s all fun and games until someone gets hacked – here’s what to know about, and how to avoid, threats lurking on the social media juggernaut There are several tools or software applications that enable us to stay connected with our fellow teammates even during gameplay, with the best of them having a low impact on our network connection while allowing important elements like tap-to-talk or messaging capabilities. Discord is one of the online services…

Read More
07 May

Creating strong, yet user‑friendly passwords: Tips for your business password policy

Information

Don’t torture people with exceedingly complex password composition rules but do blacklist commonly used passwords, plus other ways to help people help themselves – and your entire organization When engineer Bill Burr from the U.S. National Institute of Standards and Technology (NIST) wrote in 2003 what would soon become the world’s gold standard for password security, he advised people and organizations to protect their accounts by inventing long and ‘chaotic’ lines of characters, numbers, and…

Read More
07 May

APTs target MSP access to customer networks – Week in security with Tony Anscombe

Information

The recent compromise of the networks of several companies via the abuse of a remote access tool used by MSPs exemplifies why state-aligned threat actors should be on the radars of IT service providers Managed service providers (MSPs) that don’t consider themselves targets for state-aligned threat actors may need to think again. While many people may associate advanced persistent threat (APT) groups with cyberespionage targeting only state agencies and large corporations, the fact is that…

Read More
07 May

World Password Day: 2 + 2 = 4

Information

by Paul Ducklin World Password Day is always hard to write tips for, because the primary advice you’ll hear has been the same for many years. That’s because the “passwordless future” that we’ve all been promised is still some time away, even if some services already support it. Simply put, we’re stuck with the old, while at the same time preparing for the new. That’s why we’ve come up with four tips for 2023, but…

Read More
07 May

S3 Ep133: Apple takes “tight-lipped” to a whole new level

Information, Malware

by Paul Ducklin SILENT SECURITY! (IS THAT A GOOD THING?) No audio player below? Listen directly on Soundcloud. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher. READ THE TRANSCRIPT DOUG.  Passwords, botnets, and malware on the Mac. All…

Read More
07 May

PHP Packagist supply chain poisoned by hacker “looking for a job”

Information

by Paul Ducklin We’ve written about PHP’s Packagist ecosystem before. Like PyPI for Pythonistas, Gems for Ruby fans, NPM for JavaScript programmers, or LuaRocks for Luaphiles, Packagist is a repository where community contributors can publish details of PHP packages they’ve created. This makes it easy for fellow PHP coders to get hold of library code they want to use in their own projects, and to keep that code up to date automatically if they wish.…

Read More
07 May

When will AI be fully integrated into cyber security?

Malware

ChatGPT, a machine learning (ML)-powered chatbot, is rapidly growing across all sectors. The app’s developer, OpenAI, reported that it gained one million users in just five days. The app has now been visited over two billion times, according to research by Similarweb. This being said, concerns have been raised about the use of the intelligent chatbot, with Italy’s data privacy agency even going so far as to temporarily ban the use of the app in…

Read More
07 May

Italy bans ChatGPT over data privacy concerns

Malware

In a move that one Italian minister has called “disproportionate”, Italy has temporarily banned ChatGPT due to data privacy concerns. Italy has made the decision to temporarily ban ChatGPT within the country due to concerns that it violates the General Data Protection Regulation (GDPR). GDPR is a law concerning data and data privacy which imposes security and privacy obligations on those operating within the European Union (EU) and the European Economic Area (EEA). The Italian…

Read More
07 May

Google ads are being used to spread malware

Malware

Malicious actors are using Google advertisements and SEO tactics to entice victims into clicking on links poisoned with malware. According to cyber security company Secureworks, malicious actors have been using poisoned ad installers as trojans, specifically to spread Bumblebee malware. These ad installers are associated with a number of well-known companies including Zoom, Citrix Workspace, Cisco AnyConnect and OpenAI’s ChatGPT. For example, Secureworks researchers found that a malicious actor had not only created a poisoned…

Read More
05 May

Azure API Management flaws highlight server-side request forgery risks in API development

Data Breaches, Malware, Social Engineering

Microsoft recently patched three vulnerabilities in its Azure API Management service, two of which enabled server-side request forgery (SSRF) attacks that could have allowed hackers to access internal Azure assets. The proof-of-concept exploits serve to highlight common errors that developers could make when trying to implement blacklist-based restrictions for their own APIs and services. Web APIs have become an integral part of modern application development, especially in the cloud. They allow services to communicate and…

Read More