CyberSecurity Updates

06 Nov

Black Hat – Windows isn’t the only mass casualty platform anymore

Information

Windows used to be the big talking point when it came to exploits resulting in mass casualties. Nowadays, talks turned to other massive attack platforms like #cloud and cars In years past, a massive Windows exploit netted mass casualties, but here at Black Hat, talks turned toward other massive attack platforms like clouds and cars. Windows is no longer alone at the front of the pack, hackwise – it has company. It makes sense. If…

Read More
05 Nov

How a spoofed email passed the SPF check and landed in my inbox

Information

The Sender Policy Framework can’t help prevent spam and phishing if you allow billions of IP addresses to send as your domain Twenty years ago, Paul Vixie published a Request for Comments on Repudiating MAIL FROM that helped spur the internet community to develop a new way of fighting spam with the Sender Policy Framework (SPF). The issue then, as now, was that the Simple Mail Transfer Protocol (SMTP), which is used to send email…

Read More
05 Nov

DEF CON – “don’t worry, the elections are safe” edition

Information

Don’t worry, elections are safe – this is just one highlight from the DEF CON 30 conference. Scattered around a bevy of tables in the election hacking village here at DEF CON 30 are all the devices – opened wide – that are supposed to keep elections safe. Oh, the irony. It’s unclear how some of these devices ended up here, another unsolved mystery. Luckily, they contain a myriad of tamper-resistant defenses, but from the…

Read More
05 Nov

Ransomware rages on – Week in security with Tony Anscombe

Information

This week’s news offered fresh reminders of the threat that ransomware poses for businesses and critical infrastructure worldwide A number of reports published this week offered a reminder of the threat that ransomware poses for organizations and critical infrastructure worldwide, and were also an indication of the enormous repercussions that a successful ransomware attack can have for the victims – and beyond. For example, an analysis by the U.S. Treasury Department has found that financial…

Read More
05 Nov

Twitter Blue Badge email scams – Don’t fall for them!

Information

by Naked Security writer It’s only a week since Elon Musk’s take-private of Twitter on 28 October 2022… …but if you take into account the number of news stories about it (and, perhaps ironically under the circumstances, the volume of Twitter threadspace devoted to it), it probably feels a lot longer. There’s been plenty to set the fur flying, starting with Musk’s curious choice of metaphor in arriving at Twitter HQ on takeover day with…

Read More
05 Nov

Surveillance ‘Existential’ Danger of Tech: Signal Boss

Information, News

The mysticism that has allowed tech firms to make billions of dollars from surveillance is finally clearing, the boss of encrypted messaging app Signal told AFP. Meredith Whittaker, who spent years working for Google before helping to organise a staff walkout in 2018 over working conditions, said tech was “valorised” and “fetishised” when she first began in the industry in 2006. “The idea that technology represented the apex of innovation and progress was fairly pervasive…

Read More
04 Nov

LinkedIn Adds Verified Emails, Profile Creation Dates

Information, Insights

Responding to a recent surge in AI-generated bot accounts, LinkedIn is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect. Many LinkedIn profiles now display a creation date, and the company is expanding its domain validation offering, which allows users to publicly confirm that they can reply to emails at the domain of their stated current employer. LinkedIn’s new “About This Profile” section…

Read More
04 Nov

Qualys previews TotalCloud FlexScan for multicloud security management

Data Breaches, Malware, Social Engineering

Vulnerability management vendor Qualys this week announced the trial availability of its TotalCloud with FlexScan offering, an agentless, cloud-native vulnerability detection and response platform designed for use in multicloud and hybrid environments. The software is designed to provide a holistic overview of an organization’s cloud-based workloads and identify known vulnerabilities. The system also scans workloads to check whether they’ve opened network ports, and monitors a host of other factors to offer a detailed picture of…

Read More
04 Nov

As Twitter Brings on $8 Fee, Phishing Emails Target Verified Accounts

Attacks, Malware

Standard phishing defense tactics apply in this situation. Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag. It is also important to check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different…

Read More
04 Nov

BEC Scam Impersonating Top Law Firms

Attacks, Malware

BEC attacks account for a very small percentage of phishing emails that are targeting companies worldwide yet is still a multibillion-dollar issue. Organizations should adapt policies to prevent BEC scams from being executed, including a verification process for all business transactions or money transfers. Because it is so easy for a threat actor to set up a typo-squatted domain, this verification should take place in person or over the phone. Companies can work to prevent…

Read More