Tag: Cybersecurity

Microsoft accused of major security gaps

Microsoft is accused of failing to implement some basic security controls on its hugely popular Visual Studio Code (VSCode) extensions marketplace. An open letter from independent researchers published on Medium reports “an incredible number of security design flaws implemented by Microsoft that provide amazing ways for threat actors to gain credibility and access.” The researchers say the biggest security design flaw with VSCode extensions is the lack of any permission model. For example, a theme extension that should only change the colors of the user’s integrated development environment (IDE) may execute code and read or write files without any visibility or explicit authorization from the user. The researchers have also published research evidencing the security flaws highlighted in the open letter.

64% to Look for New Cybersecurity Jobs in the Next 12 Months – June 13th

According to a new Bitdefender survey, 64% of cybersecurity professionals are considering a shift to a new job in the sector within the next 12 months. The 2024 Cybersecurity Assessment Report also discovered that 57% of respondents experienced a data breach in the last 12 months, mainly in the UK, Germany, and Singapore.

Musk deems “Apple Intelligence” offering insecure

Bereft of fresh ideas or new products, Apple’s main offering at its long-awaited annual Worldwide Developers Conference in Cupertino, California, is a cobbled-together artificial intelligence (AI) offering. While AI may be Silicon Valley’s latest buzzword and marketing tool, “Apple Intelligence,” as Apple AI is branded, is already attracting heavy criticism – even from other tech giants. By pairing Microsoft-backed OpenAI’s ChatGPT with Apple’s voice-activated assistant, Siri, Apple hopes to make AI mainstream. But its critics say that all Apple has done is create a cybersecurity nightmare for corporations while sounding a death knell for the personal privacy of Apple users. “It's patently absurd that Apple isn't smart enough to make their own AI, yet is somehow capable of ensuring that OpenAI will protect your security & privacy!... Apple has no clue what's actually going on once they hand your data over to OpenAI. They're selling you down the river,” says Elon Musk, Tesla and SpaceX founder and the owner of X Corp, formerly Twitter.

Adobe Applies Patches to Critical Flaws – June 12th

Yesterday, June 11th, Adobe announced that they rolled out security patches for 6 critical vulnerabilities affecting Adobe After Effects, Photoshop, and Illustrator. According to Adobe, the vulnerabilities could have led to successful arbitrary code execution and/or memory leaks in the current user's context.

Microsoft Helping Protect US Hospitals from Cyber Attacks – June 11th

Microsoft announced the launch of its new cybersecurity program to help protect hospitals in rural America against cyber attacks. Microsoft's new security suite and cyber training offering will provide nonprofit pricing and discounts to critical access hospitals and rural emergency hospitals.

It’s official…It definitely IS the Russians

The US Federal Bureau of Investigation (FBI) has laid the blame for escalating worldwide ransomware attacks squarely at Russia’s door. Speaking at the 2024 Boston Conference on Cyber Security last week, FBI Cyber Division Assistant Director Bryan Vorndran said: “Almost all of the criminals developing sophisticated malware to enable ransomware attacks are based in Russian-speaking countries and operate as organized crime syndicates, similar to traditional organized crime elements.” He focused on the FBI’s disruption earlier this year of Dark Web ransomware gang LockBit, stressing that organized cybercriminal gangs, particularly Russian ones, are essentially the same as old-school mafia mobsters. They differ only in their methods and avenues of attack.

$10M Reward for LockBit Mastermind – June 10th

The U.S. Government launched a manhunt for the LockBit ransomware mastermind, Dmitry Yuryevich Khoroshev, with a bounty worth $10M. According to the Justice Department, LockBit is suspected to be behind attacks in almost 120 countries that have extorted nearly $1 billion.

Meta, IRS, Apple, and Amazon Among Impersonated Brands – June 7th

According to a report from Mailtrack, Meta, the IRS, Apple, and Amazon are among the top impersonated American brands. Mailtrack's report also outlined the top impersonated non-American brands, such as Japanese au by KDDI, JR East, Aeon, and JCB. It was based on an analysis of more than 1.14 million phishing scam reports listed on PhishTank.

InfoSecurity Europe 2024 – Was It All Worth It?

As the stands were being packed away on the show floor at the end of the InfoSecurity Europe 2024 conference in London this week (June 4-6), it was time for exhibitors and attendees to take stock of the three-day event. The mood among exhibitors as they packed everything away in cardboard boxes was distinctly upbeat compared to last year’s event, which was still overshadowed by two long years of lockdown. “It was great to be among people two years post-pandemic and to be able to see the whites of their eyes and the smiles on their faces. In an industry as serious as cybersecurity, it is also important to have face-to-face moments of levity and bonhomie,” said Matt Butterworth, senior account manager at data erasure specialist Blancco Technologies. Neal Smyth, of managed cloud and cybersecurity company Ekco, commented: “Our presentation was oversubscribed with standing-room only. As well as generating leads, we had more customers coming to the stand this year. For example, a representative of a government department simply turned up and asked us to tender. I also hear that other exhibitors were seeing more potential customers attending InfoSecurity this year.”

TikTok Confirms Account Hack Targeting CNN – June 5th

In a public statement, Alex Haurek, TikTok's spokesperson, announced the hack on CNN's TikTok account, among other high-profile accounts. "We have taken measures to stop this attack and prevent it from happening in the future. We're working directly with affected account owners to restore access if needed," he added.

Deepfakes dominate InfoSecurity Europe 2024

InfoSecurity Europe, widely acknowledged as the chief global challenger to RSA in the US, kicked off with a keynote speech and panel discussion on “Mapping the Deepfake Landscape.” Broadcaster and researcher Henry Ajder quoted numerous examples of the increasing sophistication of malicious deepfakes. The most interesting example of a deepfake was a false image purporting to show an explosion near the Pentagon shared by multiple verified Twitter accounts last year, resulting in a brief dip in the value of the New York Stock Exchange. “Threat actors are starting to explore the possibility of using deepfakes to move share prices with fake podcasts and video interviews with company C-suite executives of listed companies. Even if the fake is quickly spotted and squashed and the company’s shares are only impacted for 10 minutes, the threat actor can make a huge profit by speculating on the movement of a specific stock,” says Tim Grieveson, senior vice president of global cyber risk at cybersecurity firm BitSight, which in 2021 received £250 million funding from financial services giant Moody’s.

Cox Communications Patched Flaw that Placed Millions at Risk – June 4th

Cox Communications fixed an authorization bypass vulnerability that could have enabled threat actors to abuse backend APIs to reset millions of modems and steal customer data. Discovered by Sam Curry, the exploit granted a set of permissions similar to those of the ISP's tech support.
