CyberSecure Specialist

14 Dec

Top tips for security‑ and privacy‑enhancing holiday gifts

Information

Think outside the (gift) box. Here are a few ideas for security and privacy gifts to get for your relatives – or even for yourself. Some don’t cost a penny! Thanks to a decade or more of big-name data breaches, global privacy scandals and consumer rights legislation like the GDPR, we’re all more aware of cybersecurity and privacy issues today. And now that many of us are working more from home and our personal and…

Read More
14 Dec

COVID-bit: the wireless spyware trick with an unfortunate name

Information

by Paul Ducklin If you’re a regular Naked Security reader, you can probably guess where on the planet we’re headed in this virtual journey…. …we’re off once more to the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev in Israel. Researchers in the department’s Cyber-Security Research Center regularly investigate security issues related to so-called airgapped networks. As the name suggests, an airgapped network is deliberately disconnected not only from the…

Read More
14 Dec

Patch Tuesday: 0-days, RCE bugs, and a curious tale of signed malware

Information

by Paul Ducklin Another month, another Microsoft Patch Tuesday, another 48 patches, another two zero-days… …and an astonishing tale about a bunch of rogue actors who tricked Microsoft itself into giving their malicious code an official digital seal of approval. For a threat researcher’s view of the Patch Tuesday fixes for December 2002, please consult the Sophos X-Ops writeup on our sister site Sophos News: For a deep dive into the saga of the signed…

Read More
14 Dec

Apple patches everything, finally reveals mystery of iOS 16.1.2

Information

by Paul Ducklin Apple has just published a wide range of security fixes for all its supported platforms, from the smallest watch to the biggest laptop. In other words, if you’ve got an Apple product, and it’s still officially supported, we urge you to do an update check now. Remember that even if you’ve set your iDevices to update entirely automatically, doing a manual check is still well worth it, because: It ensures that you…

Read More
14 Dec

Lacework adds new capabilities to its CSPM solution

Data Breaches, Malware, Social Engineering

Lacework on Wednesday released new cloud security posture management (CSPM) capabilities, designed to help organizations create custom policies for AWS, Google Cloud, and Azure to secure their cloud infrastructure.  The new CSPM solution offers three key enhancements. First, it allows organizations to customize policies and ensure configurations align with an organization’s specific needs. Second, it helps organizations build custom cross-account reports to measure hygiene. Finally, the new CSPM will now be compliant with the latest…

Read More
14 Dec

High-Severity Memory Safety Bugs Patched With Latest Chrome 108 Update

Information, News

Google this week announced a Chrome update that resolves eight vulnerabilities in the popular browser, including five reported by external researchers. All five security defects are use-after-free flaws, a type of memory safety bug that has been prevalent in Chrome over the past years, and which Google has long-battled to eliminate. According to Google’s advisory, four of these issues are high-severity bugs, impacting components such as Blink Media, Mojo IPC, Blink Frames, and Aura. The…

Read More
14 Dec

Wiz debuts PEACH tenant isolation framework for cloud applications

Data Breaches, Malware, Social Engineering

Cloud security vendor Wiz has announced PEACH, a tenant isolation framework for cloud applications designed to evaluate security posture and outline areas of improvement. The firm stated that the framework has been developed on the back of its cloud vulnerability research to tackle security challenges impacting tenant isolation. Security boundaries, incohesion, transparency impacting tenant isolation in cloud applications In a blog post, Wiz wrote that there have been several cross-tenant vulnerabilities in various multi-tenant cloud…

Read More
14 Dec

New Royal ransomware group evades detection with partial encryption

Data Breaches, Malware, Social Engineering

A new ransomware group dubbed Royal that formed earlier this year has significantly ramped up its operations over the past few months and developed its own custom ransomware program that allows attackers to perform flexible and fast file encryption. “The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year,” researchers from security firm Cybereason said in a new report. “Its ransomware, which the group deploys through different…

Read More
14 Dec

International Engagement Blog: Singapore International Cyber Week, the Regional Initiative for Cybersecurity Education and Training, and More

Insights

NIST has continued to collaborate into the fall season with partners throughout the world on the Cybersecurity Framework 2.0 update.  International engagement and alignment with international standards are important themes for the 2.0 update and will drive changes to ensure global relevance.  As part of this ongoing international engagement, NIST welcomed visitors to the NCCoE and NIST headquarters to discuss various cybersecurity topics and explore areas for mutual collaboration.  In the past few weeks, NIST…

Read More
14 Dec

How acceptable is your acceptable use policy?

Data Breaches, Malware, Social Engineering

In a world before smartphones, social media, and hybrid workplaces, an acceptable use policy was a lot easier to write—and to enforce. These days, it’s a lot more complicated. Work can take place almost anywhere, on any number of devices. An employee can accept a job and then never physically set foot in the office, working from home (or the Caribbean) on their personal laptop. That’s why an acceptable use policy, or AUP, is more…

Read More