News
Hi folks,
I hope you're all doing great, and ready to step into the weekend. I myself had a rather calm week, taking some more time for myself which felt good. I went to see Dune 2, and it hasn't let me go yet. It seemed like every other frame of that movie left me jaw-dropped; it's so beautifully made. If you're a sci-fi nerd like me, I can recommend it highly.
But anyway, before all that, I hope you enjoy this week's issue :-)
Cheers!
Microsoft says Kremlin-backed hackers accessed its source and internal systems
It seems the attacks are still ongoing, with the threat group having breached internal systems and source code, and using stolen secrets in follow-on attacks against customers.
Google Chrome gets real-time phishing protection later this month
Google's current Safe Browsing feature uses a client-side list of known malware URLs to check against, a feature that I very much like. They now plan to switch this to real-time, server-side checks. I'm probably not the only one who gets a little nervous when hearing that. The article does a good job of explaining what measures will be taken to safeguard user privacy, in cooperation with Fastly's Oblivious HTTP (OHTTP) relays. I'm still nervous though.
FCC approves cybersecurity label for consumer devices
It's called the Cyber Trust Mark, and it's initially focused on consumer IoT devices but may be broadened in the future. I know that labels sound boring, but I honestly believe this is one of the best ways to both educate consumers and force vendors to do the right thing.
SIM swappers hijacking phone numbers in eSIM attacks
I realise that I haven't really thought of the implications of eSIMs in SIM swapping attacks, and this article explains it well. It really is just a matter of breaching your online provider account, generating a new QR code, et voilà, the attacker now has your number and your phone stops working. I don't know if various mobile service providers have different security measures in place for this, but either way it's worth being aware of.
Roll your own private LetsEncrypt
This is a deep-diving technical write-up that just tickled me. It's on how you can set up your own LetsEncrypt-like flow to sign your own certificates for use in your homelab or LAN. It's not at all necessary, but lovingly nerdy and interesting.
1Password for developers: secrets, SSH keys, and more
I don't think most developers realise how valuable 1Password can be. It doesn't just hold passwords, it also holds your SSH keys, signs your Git commits, injects tokens and other secrets in CLI scripts, and much more. (Sponsored)
Quick links
- Google paid $10 million in bug bounty rewards last year: link.
- Tor’s new WebTunnel bridges mimic HTTPS traffic to evade censorship: link.
- LockBit ransomware affiliate gets four years in jail, to pay $860k: link.
- Training days: How officials are using AI to prepare election workers for voting chaos: link.
- Feds seize $1.4 million of tech support scam proceeds with the help of Tether crypto firm: link.
- JetBrains vulnerability exploitation highlights debate over 'silent patching': link.
Breaches and leaks
- French unemployment agency data breach impacts 43 million people: link.
- Over 15,000 hacked Roku accounts sold for 50¢ each: link.
- Equilend warns employees their data was stolen by ransomware gang: link.
- Okta says data leaked on hacking forum not from its systems: link.
- Acer confirms Philippines employee data leaked on hacking forum: link.
- Stanford: Data of 27,000 people stolen in September ransomware attack: link.
- Scottish health service says ‘focused and ongoing cyber attack’ may disrupt services: link.
- Nissan: About 100,000 people in Australia, New Zealand affected by recent cyberattack: link.