Nothing special to report this week, just the usual stream of news :-) Enjoy the read and have a good weekend!
This court battle was watched, with popcorn in (somewhat nervous) hands, by many folks in this industry. To refresh your memory: Merck's cyber insurers refused to cover roughly $700 million in NotPetya losses, invoking the policy's "act of war" exclusion on the grounds that the attack was most likely the work of Russian nation-state hackers.
The courts ruled that the exclusion did not apply, and the appeals court agreed. The insurers appealed once more, but right before the case was due to be heard again the parties reached an undisclosed settlement.
It's interesting to read that one of the main reasons the courts gave for upholding coverage was that the fine print defining "act of war" had never been updated, even though over the years the role nation-state actors play in cyberattacks has clearly changed. So when it's time to choose or renew your cyber insurance, read that fine print and check how "war" and "hostile action" are defined.
Speaking of nation-state actors: Stuxnet! This has been quite the story to follow in my local Dutch newspaper. It seems that the engineer was recruited by the Dutch intelligence services without anyone else in the government knowing about it, and it's also unclear whether the intelligence services really knew what they were recruiting him for. He also died two years later (not two weeks later, as the article says) in a motorbike accident. Plenty of news to raise eyebrows.
A Chinese state-backed research institute claims it can identify the phone numbers and email addresses of people who share content via Apple's AirDrop, allowing the government to unmask senders. The researchers say these identifiers are stored as hashes in the iOS device logs, and that the hashes can be reversed using rainbow tables. That last part should not surprise anyone: a phone number has so little entropy that an unkeyed hash of it is just an index into a table you can precompute once.
Dive into key insights on security, design, performance, and reliability of public APIs revealed through Escape’s extensive scanning process. (Sponsored)
Heads up if you use Authy on desktop: you have until August to switch to the mobile apps or to another solution. The iOS app will still be available to M1/M2 Apple users, who I guess can run it natively.
Bitwarden has announced that all users can now log in to their web vaults using a passkey instead of the standard username and password pairs.
There are some interesting technical details in the article that I hadn't read before. Deriving an encryption key directly from a passkey isn't possible, because the relying party receives a different value (a signature over a fresh challenge) on every authentication, whereas encrypting user data needs a single static key that stays the same across sessions. That's what the PRF WebAuthn extension is for: the authenticator returns a stable, per-credential secret for a given salt, from which a fixed key can be derived. TIL.
The US federal government is working to remove the four-year-degree requirement for some federal cybersecurity contracting jobs, in order to fill more positions and get a more diverse cybersecurity workforce. Couldn't agree more. I've yet to see any correlation between a degree and how well someone performs in this industry.
Researchers have found flaws in the way SMTP servers handle messages (dubbed "SMTP smuggling") that let them send spoofed emails to and from targets even when SPF, DKIM and DMARC are in place. The trick exploits inconsistencies in how the sending and receiving SMTP servers interpret the end-of-data sequence that terminates a message: if the outbound relay forwards a non-standard terminator as ordinary body content but the inbound server treats it as the end of the message, everything after it is parsed as a fresh envelope, delivered from the relay's legitimate, SPF-authorised IP address.
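As an added example (not from the research and not any mail server's code), here is a small model of the receiving side of SMTP with two end-of-data conventions, run over a constructed session containing a bare-LF `\n.\n` inside the body. A strict receiver sees one message with the smuggled text inside it; a lenient receiver sees two, the second with a spoofed `MAIL FROM`. The `normalizeForRelay` function shows the sending-side fix. The domains, addresses and message text are all constructed.

```javascript
// Added example (not from the research or any mail server's code): a model
// of the receiving side of SMTP that shows how two end-of-data conventions
// split the same byte stream differently. Dot-unstuffing, pipelining, TLS
// and reply codes are omitted.

// RFC 5321 end-of-data: CRLF "." CRLF.
const STRICT_EOD = /\r\n\.\r\n/;
// A tolerant receiver that also accepts a bare LF on either side of the dot.
const LENIENT_EOD = /\r?\n\.\r?\n/;

// Minimal inbound server: reads CRLF-terminated commands, and on DATA reads
// the body up to whatever the given end-of-data pattern matches first.
function receive(session, eod) {
  const messages = [];
  let pos = 0;
  let envelope = { from: null, to: [], body: null };
  while (pos < session.length) {
    const nl = session.indexOf('\r\n', pos);
    if (nl === -1) break;
    const line = session.slice(pos, nl);
    pos = nl + 2;
    if (/^MAIL FROM:/i.test(line)) {
      envelope.from = line.slice('MAIL FROM:'.length).trim();
    } else if (/^RCPT TO:/i.test(line)) {
      envelope.to.push(line.slice('RCPT TO:'.length).trim());
    } else if (/^DATA$/i.test(line)) {
      const m = eod.exec(session.slice(pos));
      if (!m) break;                        // message never terminated
      envelope.body = session.slice(pos, pos + m.index);
      messages.push(envelope);
      envelope = { from: null, to: [], body: null };
      pos += m.index + m[0].length;
    }
    // QUIT and anything else is ignored in this model.
  }
  return messages;
}

// Constructed attacker-supplied body, as a sending relay that forwards
// bodies byte for byte would hand it to the victim's server.
// The "\n.\n" in the middle is the smuggling point.
const ATTACKER_BODY =
  'Subject: hello\r\n\r\nlegit body\r\n' +
  '\n.\n' +
  'MAIL FROM:<ceo@victim.example>\r\n' +
  'RCPT TO:<bob@victim.example>\r\n' +
  'DATA\r\n' +
  'Subject: urgent\r\n\r\nplease wire the money\r\n';

// Outer envelope as sent by the legitimate, SPF-authorised relay.
function buildSession(body) {
  return 'MAIL FROM:<alice@sender.example>\r\n' +
    'RCPT TO:<bob@victim.example>\r\n' +
    'DATA\r\n' + body + '.\r\n' +
    'QUIT\r\n';
}

// Fix on the relay side: canonicalise line endings to CRLF and dot-stuff
// before forwarding, so no bare-LF dot sequence survives.
function normalizeForRelay(body) {
  return body.replace(/\r?\n/g, '\r\n')
    .split('\r\n')
    .map(line => (line.startsWith('.') ? '.' + line : line))
    .join('\r\n');
}

function demo() {
  return {
    strict: receive(buildSession(ATTACKER_BODY), STRICT_EOD),
    lenient: receive(buildSession(ATTACKER_BODY), LENIENT_EOD),
    lenientAfterFix: receive(buildSession(normalizeForRelay(ATTACKER_BODY)), LENIENT_EOD),
  };
}
```

The second message in the lenient case arrives over the relay's existing, authenticated connection, which is why SPF passes for `victim.example`'s own domain if that relay is in its SPF record; the defence is for relays to normalise or reject bare-LF terminators and for receivers to accept only CRLF.CRLF.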
Breaches and leaks
- Pro-Ukraine hackers breach Russian ISP in revenge for KyivStar attack: link.
- Fidelity National Financial: Hackers stole data of 1.3 million people: link.
- Halara probes breach after hacker leaks data for 950,000 people: link.
- Framework discloses data breach after accountant gets phished: link.
- Memorial University recovers from cyberattack, delays semester start: link.
- Web3 security firm CertiK's X account hacked to push crypto drainer: link.
- Netgear, Hyundai latest X accounts hacked to push crypto drainers: link.
- LoanDepot caught in mortgage industry cyberattack spree: link.
- SEC X account hacked to hawk crypto-scams: link.
- Online services down for German craft associations following ‘security incident’: link.
- LockBit claims November attack on New Jersey hospital that disrupted patient care: link.
- Hackers disrupt Beirut airport with anti-Hezbollah message: link.
Issues and fixes
- Microsoft January 2024 Patch Tuesday fixes 49 flaws, 12 RCE bugs: link.
- Ivanti Connect Secure devices face active exploitation, patch schedule staggered: link.
- Cisco says critical Unity Connection bug lets attackers get root: link.
- Over 150k WordPress sites at takeover risk via vulnerable POST SMTP Mailer plugin: link.
- Hackers target Apache RocketMQ servers vulnerable to RCE attacks: link.
- Apache OFBiz critical CVE leads to surge in exploitation attempts: link.
- Decryptor for Babuk ransomware variant released after hacker arrested: link.
Solid security shouldn't have to come at the expense of a great user experience. That's why Passage by 1Password is building a passwordless auth service that allows you to implement passkey logins in your app or website with just a few lines of code. (Sponsored)