News
Hi friends,
This one is a bit earlier than other weeks. I'm headed to a music festival, so I wanted to clear my schedule ;-) Plenty of news though, even more so than usual, but I didn't want to filter further; too many interesting things to learn about!
Enjoy!
Breaches and leaks
- Jumpcloud confirmed their breach, saying that a nation-state actor targeted specific customers: link.
- Virustotal leaked information of some of their customers: link.
- Estée Lauder, an American cosmetics company, was breached by ransomware: link.
- Colorado State University says it was impacted by the MOVEit ransomware breaches: link.
- Same for Shutterfly, a photography company: link.
Microsoft now offers free security logs amid backlash from State Department hack
The recent breach of the State Department's inbox by China-based hackers was only found because that team had access to a higher tier of security logging. In other words, many customers didn't have the ability to check whether they were affected too, because they didn't pay enough. That caused quite a backlash, and Microsoft is now offering the security logs for free. They also increased the default retention period from 90 days to 180 days. Excellent stuff; let's hope this becomes the norm everywhere.
Microsoft validation error allowed access to email of government agencies and others
Related to the above, Microsoft now knows more about how the attackers gained access. From what I understand, they were able to dual-use a token that was generated as a Microsoft account consumer token but could be used against Azure AD. All in the same tenant, I assume? I'm not sure. Microsoft doesn't know how they were able to get the consumer token in the first place, though.
Real-time and continuous security testing
If you feel like doing a quick pentest every few quarters isn't enough, you are correct. Take a look at the combination of continuous vulnerability assessments and real-time pentesting that GlitchSecure offers. Every finding is verified by highly skilled (and wonderful) humans. (Sponsored)
Docker Hub images found to expose secrets and private keys
The researchers analyzed over 300,000 images from Docker Hub and private registries and found that more than 1 in 12 of these images contained sensitive information, including private keys and API secrets.
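As an added example (not from the article or the researchers' tooling), here is a small Python scanner that walks a `docker save` archive layer by layer and flags the two kinds of finding the study reports, private keys and cloud API keys, so you can check your own images before pushing. The regexes are illustrative assumptions, and the sample image is constructed inline.

```python
import io
import re
import tarfile

# Illustrative patterns (assumptions, not an exhaustive secret-detection ruleset).
# The PEM header and the AWS access key ID format are real, well-known shapes.
SECRET_PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
}
MAX_FILE_BYTES = 1_000_000  # skip large binaries; leaked secrets usually sit in small text files

def scan_layer(layer_bytes: bytes, layer_name: str) -> list[dict]:
    """Scan one layer tarball (as produced by `docker save`) for secret patterns."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
        for member in layer:
            if not member.isfile() or member.size > MAX_FILE_BYTES:
                continue
            data = layer.extractfile(member).read()
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    findings.append({"layer": layer_name, "path": member.name, "kind": kind})
    return findings

def scan_image(image_bytes: bytes) -> list[dict]:
    """Walk a `docker save` archive: every *.tar member inside it is one image layer."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r:*") as image:
        for member in image:
            if member.isfile() and member.name.endswith(".tar"):
                findings.extend(scan_layer(image.extractfile(member).read(), member.name))
    return findings

def _tar_bytes(files: dict[str, bytes]) -> bytes:
    """Helper: build an in-memory tar archive from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample image: one layer with leaked material, one clean layer (fake values).
SAMPLE_IMAGE = _tar_bytes({
    "abc123/layer.tar": _tar_bytes({
        "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nfakekeymaterial\n-----END OPENSSH PRIVATE KEY-----\n",
        "app/.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    }),
    "def456/layer.tar": _tar_bytes({"app/main.py": b"print('hello')\n"}),
    "manifest.json": b"[]",
})

if __name__ == "__main__":
    for f in scan_image(SAMPLE_IMAGE):
        print(f"{f['kind']:18} {f['layer']}:{f['path']}")
```

Note that secrets baked into an early layer remain in the image even if a later layer deletes the file, which is why the scan inspects every layer rather than the merged filesystem.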
Cloudflare reports 'alarming surge' in DDoS sophistication and occurrence
A lot of the increase seems related to the Russia-Ukraine conflict.
Ukraine takes down massive bot farm
Some of those above-mentioned DDoS attacks might have come from this place. Ukraine took down a bot farm containing over 250 GSM gateways and roughly 150,000 SIM cards. They were used to create thousands of bot accounts on various social networks and spread propaganda. The article includes a two-minute video of the captured location; it's impressive to see.
White House advances efforts to add security labels to connected devices
It might sound boring, but I do believe that labels and certifications (especially if one day they become mandatory) might offer the best chance of raising the security posture of a whole range of devices much quicker than anything else.
Kevin Mitnick passed away
Not the kind of news I like to share. He died after a battle with pancreatic cancer. Reading Takedown, the story of Mitnick's capture by Tsutomu Shimomura, was one of the things that got me into cybersecurity when I was a teenager.
The threat of Chinese-made drones flying above U.S. critical infrastructure
The next step in the "do we trust Chinese technology" conundrum: drones.
Coming to DEF CON 31: Hacking AI models
A group of prominent AI companies committed to opening their models to attack at this year's DEF CON hacking conference in Las Vegas. Attendees will be able to attack models from Anthropic, Google, Hugging Face, Microsoft, NVIDIA, OpenAI and Stability AI.
The last paragraph of the article is interesting to read as well, stating that the US government announced $140 million in funding to launch seven new national AI institutes, and that they will soon release guidelines for public comment on how federal agencies should deploy AI.
Li-Fi: light-based networking standard released, 100x faster than Wi-Fi
I guess it's like infrared on steroids? It might not directly relate to security (yet), but when a new networking standard is released like this, it seems good to know about. And it is marketed as being more secure because it doesn't go through walls and is more resistant to jamming, which would definitely have some valid applications. HN thread here.
Security Risk Management Certified Professional (SRMCP)
The Security Risk Management Certified Professional (SRMCP) is a new initiative based on the Security Risk Management Body of Knowledge (SRMBOK). It represents the apex of professional certifications in the domain of Security Risk Management. SRMCP is not merely a credential, but a testament to an individual's deep-seated expertise, robust experience, and unwavering dedication to the field of security risk management. It is something we should all get behind. You can find out more at this link. (Sponsored)
Implement passwordless logins into your app in seconds
Solid security shouldn't have to come at the expense of a great user experience. That's why Passage by 1Password is building a passwordless auth service that allows you to implement passkey logins in your app or website with just a few lines of code. (Sponsored)