CyberSecure Specialist

S3 Ep117: The crypto crisis that wasn’t (and farewell forever to Win 7) [Audio + Text]

by Paul Ducklin. THE CRYPTO CRISIS THAT WASN’T. With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher. READ THE TRANSCRIPT. DOUG. Call…

Juniper Networks Releases Security Updates for Multiple Products

Original release date: January 12, 2023. Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Juniper Networks’ security advisories page and apply the necessary updates.

Tesla Returns as Pwn2Own Hacker Takeover Target

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to complete vehicle compromise. Tesla, in tandem with Pwn2Own organizer Zero Day Initiative, is offering a $600,000 cash prize to any hacker capable of writing exploits that pivot through multiple systems in the car to gain arbitrary code execution. “Success here gets a big payout and, of course, a brand-new Tesla,” contest…

Third-Party Benefits Administrator Suffers Data Breach

Affected parties are being notified by BBA and should not hesitate to ask BBA how it plans to remediate the issue. Staying vigilant after becoming a victim of a data breach is extremely important. Refraining from interacting with unfamiliar senders who request payment or other personal information is a crucial element of such vigilance. Since Social Security numbers were part of the impacted data in this case, affected parties should reach out to credit bureaus…

IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours

Since the initial infection vector was a phishing email containing a malicious ZIP file, it is recommended to implement and maintain proper email security controls. Email security controls, such as AV scanning and sandboxing, can help prevent phishing emails from reaching end users, thus potentially preventing the malware from infecting a workstation in the first place. It is also recommended to maintain appropriate endpoint security controls. Most of the behaviors exhibited by this attack post-compromise…

House Lawmakers Introduce Bill to Create National Digital Reserve Corps

This legislation aligns with the current administration’s whole-of-government approach to improving the nation’s cyber security posture. The government and the private sector have looked for creative ways to fill critical information technology and cyber security roles. At a time when the U.S. military is struggling to reach its recruitment goals, incentivizing reservist roles may be the best option for the government. Source: https://www.fedscoop.com/house-lawmakers-introduce-bill-to-create-national-digital-reserve-corps/

Drupal Releases Security Update to Address Vulnerability in Private Taxonomy Terms

Original release date: January 12, 2023. Drupal has released a security update to address a vulnerability affecting private vocabulary modules for Drupal 8.x. An unauthorized user could exploit this vulnerability to bypass access permissions to create, modify, and delete private vocabulary terms. CISA encourages users and administrators to review Drupal’s security advisory SA-CONTRIB-2023-001 and apply the necessary update.

CloudSek launches free security tool that helps users win bug bounty

Cybersecurity firm CloudSek has launched BeVigil, a tool that can tell users how safe the apps installed on their phone are, and helps users and developers win bug bounties by helping them identify and report bugs in the code. BeVigil scans all the apps installed on a user’s phone and rates them as dangerous, risky, or safe. Running as a web application for the past year, BeVigil has already scanned over a million apps…

IOTW: LastPass facing class action lawsuit following data breach

An anonymous plaintiff has filed a class action lawsuit against password management company LastPass after the company suffered two data breaches within four months in 2022. The suit, which was filed by an anonymous plaintiff referred to as ‘John Doe’ with the United States District Court of Massachusetts, alleges that LastPass failed to “exercise reasonable care in securing and safeguarding highly sensitive consumer data”. The lawsuit also alleges that bad actors could “wreak financial havoc…

Cybersecurity spending and economic headwinds in 2023

Now that everyone, their brother, sister, and dog have chimed in on cybersecurity predictions for 2023, here are a few observations based on some recent ESG research. First the numbers: 53% of organizations will increase IT spending in 2023, 30% say IT spending will remain flat in 2023, and 18% forecast a decrease in IT spending. As for cybersecurity, 65% of organizations plan to increase cybersecurity spending in 2023. These numbers mean that some organizations…