Security Newsletter - weekly curated infosec news

Hi folks,

Lot's of smaller, interesting articles this week, and a bunch of breaches and issues, unfortunately. Also I really wouldn't want to be a Fortinet admin (or sales person) these days. Either way, happy reading and have a good weekend!

Cheers,

Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland

Always interesting to read these. Their blog has a post for every one of the four days in total.

Microsoft creates fake Azure tenants to pull phishers into honeypots

They not only set up the honeypot tenants, but also go to known phishing sites and "get phished" with the fake tenants, to then study what the attackers do once they're in. That must be so cool to do :-)

Apple creates Private Cloud Compute VM to let researchers find bugs

From the article: "Private Cloud Compute (PCC) is a cloud intelligence system for complex AI processing of data from user devices in a way that does not compromise privacy. Shortly after Apple announced PCC, the company gave early access to select security researchers and auditors so they could verify the privacy and security promises for the system.". Nice! Sounds like a worthy effort.

CISA proposes new security requirements to protect govt, personal data

It looks like a good, down to Earth list that might be a good starting point for a security program.

Chinese researchers break RSA encryption with a quantum computer

It doesn't sound like a practical attack yet, but it's a good reminder not to take standard encryption necessarily for granted towards the future.

The struggle for software liability: Inside a ‘very, very, very hard problem’

Very interesting read on what I imagine will be a hot topic the next decade: legal liability of software makers.

Apple passwords’ generated strong password format

Nice short post on why Apple's generated passwords are what they are, with UX in mind.

Quick links

Intel, AMD CPUs on Linux impacted by newly disclosed Spectre bypass: link.
Removal of Russian coders spurs debate about Linux kernel’s politics: link.
SEC hits four companies with fines for misleading disclosures around SolarWinds hack: link.

Breaches and leaks

UnitedHealth says data of 100 million stolen in Change Healthcare breach: link.
Spate of ransomware attacks on German-speaking schools hits another in Switzerland: link.
Ransomware gang stoops to new low, targets prominent nonprofit for disabled people: link.
Cyprus' critical infrastructure targeted by coordinated cyberattacks linked to pro-Palestine groups: link.
Cisco takes DevHub portal offline after hacker publishes stolen data: link.
Internet Archive breached again through stolen access tokens: link.
Japanese watchmaker Casio warns of delivery delays after ransomware attack: link.
Tech giant Nidec confirms data breach following ransomware attack: link.
ESET partner breached to send data wipers to Israeli orgs: link.
Insurance admin Landmark says data breach impacts 800,000 people: link.
Henry Schein discloses data breach a year after ransomware attack: link.

Issues and fixes

Fortinet warns of new critical FortiManager flaw used in zero-day attacks: link.
VMware fixes bad patch for critical vCenter Server RCE flaw: link.
Cisco fixes VPN DoS flaw discovered in password spray attacks: link.
CISA confirms Veeam vulnerability is being used in ransomware attacks: link.
Hackers exploit Roundcube webmail flaw to steal email and credentials: link.
Exploit released for new Windows Server "WinReg" NTLM Relay attack: link.
Severe flaws in several E2EE cloud storage platforms used by millions: link.

1Password for developers: secrets, SSH keys, and more

I don't think most developers realise how valuable 1Password can be. It doesn't just hold passwords, it also hold your SSH keys, signs your Git commits, injects token and other secrets in CLI scripts when you want, and much more. (Sponsored)