Back to a full issue this week, feels good.
I only came across four breach-related articles, which makes me think I must have missed a few. But I don't know if I want to dig deeper for more. One of them is a breach of 11 million health records so I won't call it a win. Temporary progress? Maybe everyone is just on holiday.
On that note, have a good weekend y'all!
Breaches and leaks
- HCA Healthcare disclosed a breach impacting an estimated 11 million patients: link.
- Gaming gear company Razer seems to have been breached: link.
- Deutsche Bank confirms a breach at one of its service providers through MOVEit: link.
- Johns Hopkins is facing a class-action lawsuit in response to its MOVEit-related breach: link.
They seem to be taking this seriously, very nice. Quick random sample of initiatives that they want to implement: accelerate adoption of memory-safe programming languages, disrupt the ransomware ecosystem, look into a Federal insurance response in case of a catastrophic cyber event, and much more. An overview of the five pillars of the strategy can be found here, and the full implementation plan here (pdf).
Gotta patch 'em all
- Microsoft's Patch Tuesday fixed no less than 130 vulnerabilities, four of which are actively exploited: link.
- Apple issued emergency updates for an actively exploited WebKit vulnerability: link.
- MOVEit fixed another three vulnerabilities: link.
- In case you run a Mastodon instance: four issues were found in a security audit requested by Mozilla, one of which makes it easy to completely own an instance: link.
If you feel like doing a quick pentest every few quarters isn't enough, you are correct. Take a look at the combination of continuous vulnerability assessments and real-time pentesting that GlitchSecure offers. Every finding is verified by highly skilled (and wonderful) humans. (Sponsored)
Cue a few years of confusion in documentation and architecture meetings. If you're thinking "which exec got promoted over this brilliant nugget", you're probably not alone. This article from The Register voices some of the community feedback as well.
These kinds of attacks happen all the time, but it's worth highlighting a deep dive once in a while, especially on something as big as a NATO summit. Apparently they are burning a Microsoft Office zero-day in the attack.
Could be fun to try out, but be warned that there are currently some issues.
Google is fighting back against the constant invasion of malware on Google Play by requiring all new developer accounts registering as an organization to provide a valid D-U-N-S number before submitting apps. TIL that such a DUNS number is used everywhere, but is actually a proprietary standard issued by one private company. I had no idea.
Seems interesting enough to be aware of. I don't have anything intelligent to say about this though. I can rant about how idiotic I generally find software patents, but I'll spare you. Popcorn?
Most of you would be familiar with the excellent Security Risk Management Body of Knowledge (SRMBOK). The folks behind that initiative have released a series of guides as well as a fully worked out risk assessment template. The template alone can save you hours of work, and even the video on this page is a free mini-training course in the style and content of a risk assessment. I hope it's useful. (Sponsored)
With 1Password Shell Plugins, you can forget about storing insecure plaintext keys on your disk or manually typing credentials into your terminal, and instead sign on to any CLI with biometrics. Use an existing plugin for AWS, Github, Gitlab, or dozens of other services. (Sponsored)