CyberSecure Specialist

Threat Actor Accessed Unencrypted Customer Metadata, LastPass Reports

The primary risk introduced by this breach is the combination of the unencrypted metadata with customer account information. With those two pieces of information, malicious actors can put together a profile of websites the exposed customers have accounts on, combine that with open source intelligence (OSINT) from social media, and perform activities such as spearphishing, vishing, or other social engineering techniques against employees. Additional social engineering awareness training may be effective over the next couple…

Read More

RisePro Infostealer Being Distributed Via Pay-Per-Install Service PrivateLoader

Pay-per-install services aren’t new, but their presence usually indicates a reasonable degree of confidence by the service provider that their malware will provide the desired end state to their client. Primarily, companies should keep any Detection and Response systems (EDR/MDR/XDR/etc.) and Anti-Virus (AV) up-to-date to identify the latest detected malware campaigns. Additionally, netflow analysis and DNS monitoring can help detect command and control (C2) and data exfiltration, which requires an understanding of baseline user behavior…

Read More

EarSpy Attack Uses Speaker to Eavesdrop on Android Users

Although this proof of concept (PoC) was crafted for academic proposes, it does establish that if an attacker were to trick a victim into downloading the right application, these types of data could be extracted from the victim’s phone calls. The researchers suggest that phone manufacturers should ensure sound pressure stays stable during calls and place the motion sensors in a position where internally originating vibrations are either leaving motion sensors unaffected, or at the…

Read More

Data of 400 Million Twitter Users for Sale as Irish Privacy Watchdog Announces Probe

An individual is offering to sell the data of more than 400 million Twitter users, just as Ireland’s data protection watchdog has announced an investigation into the recent data leaks impacting the social media giant. On December 23, someone posted a message on a popular hacking forum announcing the sale of a database containing the names, usernames, email addresses, phone numbers and follower counts of over 400 million Twitter accounts. A sample of roughly 1,000…

Read More

CPRA explained: New California privacy law ramps up restrictions on data use

On January 1, 2023, 20, the California Privacy Rights Act (CPRA) will go into effect. Approved by ballot measure as Proposition 24 in November 2020, it created a new consumer data privacy agency and put California another step ahead of other states in terms of privacy productions for consumers—and data security requirements for enterprises. California already had a privacy law in place, the California Consumer Privacy Act (CCPA), adopted in 2018. It went into effect in…

Read More

How does CISO strategy prevent threats?

Executive summary of CISO CISOs are under immense pressure to protect their organization and keep them out of the breach headlines. The largest obstacle to this goal is an evolving threat landscape that is increasing in sophistication. Payments from successful ransomware attacks fuel this evolution in the form of ransomware-as-a-service models. To break the trend, this report will explore why CISOs, and their teams can no longer simply react to these threats and must prevent…

Read More

The most dangerous cyber security threats of 2023

In this round up, we reveal which threat vectors cyber security experts believe will rise to prominence in 2023, and they offer their advice on how best to combat them. When asked in mid-2022 by Cyber Security Hub which threat vectors posed the most dangerous threat to their organizations, 75 percent of cyber security professionals said social engineering and phishing. Since the survey closed, multiple organizations such as Dropbox, Revolut, Twilio, Uber, LastPass and Marriott…

Read More

The top 12 tech stories of 2022

The technology sector’s vulnerability to the vagaries of geopolitics and the macroeconomy became clearer than ever in 2022, as IT giants laid off workers en masse, regulators cracked down on tech rule-breakers, nations negotiated data privacy, the EU-China chip war widened, and the Ukraine war disrupted business as usual. Through it all the classic tech themes—including innovation, constant change, and the fight to bolster cybersecurity—continued as ChatGPT was released, Broadcom sought to purchase VMWare, a…

Read More

LastPass finally admits: They did steal your password vaults after all

by Paul Ducklin Popular password management company LastPass has been under the pump this year, following a network intrusion back in August 2022. Details of how the attackers first got in are still scarce, with LastPass’s first official comment cautiously stating that: [A]n unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account. A folllow-up announcement about a month later was similarly inconclusive: [T]he threat actor gained access…

Read More

S3 Ep114: Preventing cyberthreats – stop them before they stop you! [Audio + Text]

by Paul Ducklin STOP THE CROOKS BEFORE THEY STOP YOU! Paul Ducklin talks to world-renowned cybersecurity expert Fraser Howard, Director of Research at SophosLabs, in this fascinating episode, recorded during our recent Security SOS Week 2022. When it comes to fighting cybercrime, Fraser truly is a “specialist in everything”, and he also has the knack of explaining this tricky and treacherous subject in plain English. Click-and-drag on the soundwaves below to skip to any point.…

Read More