News
Biden administration rolls out wide-reaching cybersecurity executive order
There's a whole lot in there. From the article:
The executive order aims to:
- Give the U.S. more authority to level sanctions against attackers.
- Require software vendors doing business with the federal government to prove they are using secure development practices. The federal government plans to validate that evidence and publish the information to help private sector buyers make informed decisions on secure software.
- Identify minimum cybersecurity standards for companies working with the federal government.
- Federal authorities will begin research into AI-based tools to search for software vulnerabilities, manage patching and detect threats.
- A public-private partnership will be developed to use AI to protect critical infrastructure in the energy sector.
- The U.S. will only buy internet-connected devices that meet Cyber Trust Mark standards starting in 2027.
CISA shares guidance for Microsoft expanded logging capabilities
They published a 60-page PDF here. Way to go CISA.
Google OAuth flaw lets attackers gain access to abandoned accounts
It's a weakness in how "Sign in with Google" identities are trusted downstream: when a company shuts down, its domain lapses, and an attacker can re-register it, set up Google accounts on it again, and recreate the former employees' addresses. Any third-party service that let those employees sign in with Google then treats the attacker as the original user and hands over whatever data is in those accounts. It had been known for a while, but only recently did Google acknowledge it as an actual problem.
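Here is the relying-party side of the problem, as an added example that is not code from the original post, from Google, or from the research in question. It uses constructed ID-token claims and a toy in-memory account store to show why matching accounts on the `email` claim is what makes a re-registered domain dangerous, and why keying on the issuer plus the `sub` claim does not match the attacker. Note that `email_verified` and `hd` are both legitimately true for the attacker, because Google really did verify the attacker's control of the re-registered domain, so checking them is no defense.

```python
"""
Added example: account lookup after a Google OpenID Connect sign-in.

Assumptions (none of this is from the original post): the claim dicts are
constructed by hand and are not real Google ID tokens; signature and
expiry checks on the token are assumed to have already passed; ACCOUNTS
is a toy in-memory store standing in for a SaaS user table.
"""

from dataclasses import dataclass
from typing import Optional

# Both spellings are documented values of Google's `iss` claim.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


@dataclass(frozen=True)
class Account:
    user_id: str
    email: str
    issuer: str
    subject: str  # the IdP's `sub` claim recorded at first sign-in


# Constructed record: a former employee of a company that has since shut
# down, who signed in to this service with Google while it still existed.
ACCOUNTS = [
    Account(
        user_id="acct-1001",
        email="alice@defunct-startup.example",
        issuer="https://accounts.google.com",
        subject="sub-ORIGINAL-111",
    ),
]

# Constructed claims: the original employee's sign-in, years ago.
ORIGINAL_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "sub-ORIGINAL-111",
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",
}

# Constructed claims: an attacker re-registered the lapsed domain, created
# Google accounts on it, recreated alice@ and signed in. Same email, same
# hosted domain, verified by Google, but a brand-new subject identifier.
ATTACKER_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "sub-NEW-999",
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",
}


def basic_checks_pass(claims: dict, expected_hd: str) -> bool:
    """The checks many relying parties stop at. They pass for both tokens,
    which is exactly the problem: domain ownership changed hands and Google
    is truthfully vouching for whoever owns it now."""
    return (
        claims.get("iss") in GOOGLE_ISSUERS
        and claims.get("email_verified") is True
        and claims.get("hd") == expected_hd
    )


def lookup_by_email(claims: dict, accounts: list) -> Optional[Account]:
    """Vulnerable: any Google identity presenting the same address matches,
    so the attacker inherits the old account and its data."""
    email = claims["email"].lower()
    for account in accounts:
        if account.email.lower() == email:
            return account
    return None


def lookup_by_subject(claims: dict, accounts: list) -> Optional[Account]:
    """Key on (issuer, sub). The recreated mailbox gets a fresh `sub`, so
    it resolves to no existing account and must go through onboarding
    instead of silently inheriting the original user's data."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return None
    for account in accounts:
        if account.issuer == claims["iss"] and account.subject == claims["sub"]:
            return account
    return None


if __name__ == "__main__":
    for label, claims in (("original", ORIGINAL_CLAIMS), ("attacker", ATTACKER_CLAIMS)):
        print(label,
              "basic checks:", basic_checks_pass(claims, "defunct-startup.example"),
              "by email:", lookup_by_email(claims, ACCOUNTS),
              "by sub:", lookup_by_subject(claims, ACCOUNTS))
```

Keying on `sub` is the relying party's half of the fix; whether the identity provider keeps `sub` stable for the lifetime of a domain is a promise the provider makes, not something the relying party can verify, which is why the article frames this as something Google had to acknowledge rather than something each SaaS vendor could fully solve alone.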
FTC sues GoDaddy for years of poor hosting security practices
"According to the FTC's complaint, GoDaddy's unreasonable security practices included failing to use MFA, manage software updates, log security-related events, segment its network, monitor for security threats, and failing to inventory and manage assets."
Good Lord. I was never a fan of GoDaddy but that's just insanely irresponsible for a hosting and domain provider.
Quick stories
- New UEFI Secure Boot flaw exposes systems to bootkits: link.
- CISA director says threat hunters spotted Salt Typhoon on federal networks before telco compromises: link.
- DOJ deletes China-linked PlugX malware off more than 4,200 US computers: link.
- US issues rule barring some Chinese and Russian connected car tech: link.
Breaches and leaks
- Hackers leak configs and VPN credentials for 15,000 FortiGate devices: link.
- OneBlood confirms personal data stolen in July ransomware attack: link.
- Russia's largest platform for state procurement hit by cyberattack from pro-Ukraine group: link.
- STIIIZY data breach exposes cannabis buyers’ IDs and purchases: link.
- UK domain registry Nominet confirms breach via Ivanti zero-day: link.
- Stolen Path of Exile 2 admin account used to hack player accounts: link.
- Label giant Avery says website hacked to steal credit cards: link.
- Wolf Haldenstein law firm says 3.5 million impacted by data breach: link.
- Biotech firm settles class action lawsuit over ransomware attack for $7.5 million: link.
Issues and fixes
- Fortinet warns of auth bypass zero-day exploited to hijack firewalls: link.
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws: link.
- Over 660,000 Rsync servers exposed to code execution attacks: link.
- SAP fixes critical vulnerabilities in NetWeaver application servers: link.
- W3 Total Cache plugin flaw exposes 1 million WordPress sites to attacks: link.
- Docker Desktop blocked on Macs due to false malware alert: link.
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks: link.
- Microsoft to force install new Outlook on Windows 10 PCs in February. I can't in good conscience state that this is a security issue, but I'm including it anyway. link.
What 1Password can do for developers
If you're an engineer, it's really worth checking out 1Password's developer tools. It can manage secrets for your infrastructure and CI/CD pipeline, manage SSH keys, and inject tokens into CLI scripts. Play around with it and see how it can fit in your development flow. (Sponsored)