News
Hi everyone,
I hope this e-mail finds you well.
Good news: the breach section only has five stories!
The bad news: it's probably because everyone is busy hacking Exchange servers.
But hey, didn't it feel nice to read the words "good news" for once?
Not becoming cynical in this business is an ongoing struggle :D Either way, I hope you enjoy this issue!
Cheers!
Dieter
Exchange hacks continued
As you would expect, this issue is going to be mostly about Exchange. Here goes:
The urgent bits:
- Microsoft Exchange exploits now used by cryptomining malware: link.
- Also being used by ransomware: link.
- There is a PoC exploit available: link.
- Other state-sponsored hacking groups are joining in the frenzy: link.
- Exchange attacks are quoted as "doubling every two hours": link.
- Microsoft has issued patches for older, no longer supported versions of Exchange: link.
Some known breaches so far:
- European Banking Authority discloses Exchange server hack: link.
- Norway parliament data stolen in Microsoft Exchange attack: link.
And some good general information to get up to speed:
Other breaches and leaks
- Researchers hacked Indian govt sites via exposed git and env files: link.
- Ryuk ransomware hits 700 Spanish government labor agency offices: link.
- Hackers access surveillance cameras at Tesla, Cloudflare, banks, more, through super-admin account: link.
- Molson Coors brewing operations disrupted by cyberattack: link.
- Flagstar Bank customer data breached through Accellion hack: link.
Linux Foundation introduces sigstore: easy code signing & verification for supply chain integrity
Actual good news! This looks awesome. Sigstore is a "Let's Encrypt for code signing", aiming to make it very easy and free to digitally sign code to verify its authenticity. It's also backed by a transparency log for easy auditability. It's still in the early stages, and they currently want to gather feedback. I have to dive deeper into this, but it feels like a great step forward in supply chain security.
Google releases Spectre proof-of-concept for a Spectre-proof web
I didn't really expect Spectre to become news again, but it seems it will. Google released a PoC that shows the practicality of Spectre exploits in browsers. They advocate for a number of new security measures that need to be taken, and have released a browser extension called Spectroscope to help developers with that process.
SCA and DAST in action with Snyk and StackHawk
Join Snyk and StackHawk on March 18 as they walk through how to use Software Composition Analysis (SCA) and Dynamic Application Security Testing (DAST) in CI/CD to ship more secure applications. Click the link to register. (Sponsored)
OVH data center burns down knocking major sites offline
It might not be directly related to security, but it definitely relates to disaster recovery planning.
Metadata left in security agency PDFs
I hadn't previously considered properly that PDFs, apart from metadata on the author and whatnot, also show what (vulnerable) version of software you're running, which could be excellent information for an attacker to know who to target in an organisation.
Microsoft expands AccountGuard ahead of elections, deepens Yubico partnership
Safer elections are always a good thing to know about and share.
CISA takes over .GOV top-level domain (TLD) administration
It's part of a broader effort to help government organizations run more secure and accessible services.
Intel joins DARPA in search of encryption 'holy grail'
Today, when you have data encrypted, you need to decrypt it in order to be able to use it. "Fully homomorphic encryption", or FHE, would apparently make it feasible to run computations on encrypted data. That sounds like magic to me. Kudos to you, crypto wizards.
Important protection features in 1Password Business
1Password Business has some very solid protection mechanisms that are worth highlighting. You can allow, report or deny access to vaults based on location or IP address, enforce 1Password updates, and monitor sign-in attempts. A lot of good stuff. Check out the link to learn more. (Sponsored)