Proprietary Junk and Security Failures
-
Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns [iophk: Windows TCO]
The Redmond, Wash. software giant pushed out fixes for at least 80 Windows flaws and called special attention to CVE-2023-23397, a critical-severity issue in Microsoft Outlook that has been exploited in zero-day attacks.
As has become customary, Microsoft’s security response center did not provide details or indicators of compromise (IOCs) to help defenders hunt for signs of compromise.
-
Microsoft squashes Windows bug exploited to inflict ransomware misery
Both vulnerabilities allow crooks to bypass this feature, which means their victims can download malicious files packed with ransomware that do not carry the MotW flag, which would trigger this added layer of security.
While miscreants used JScript files to deliver Magniber ransomware via the earlier bug, the new campaign uses Microsoft Software Installer (MSI) files with a different type of malformed signature, according to TAG.
-
Crims exploit Microsoft, Fortinet flaws before any patches exist [iophk: Windows TCO]
"The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client," Microsoft explained. "This could lead to exploitation BEFORE the email is viewed in the Preview Pane."
-
Stop Using Custom Web Fonts
I was trying to understand how we ended up in a situation where web/UI designers (myself included) have started to insist on using proprietary, custom web fonts. Do any users actively benefit from custom web fonts? Are there any useful and measurable goals achieved by including them? Do end-users actually care about a website's typeface?
For the most part, I believe the answer to all those questions is: not really.
-
Ransomware Group Claims Theft of Valuable SpaceX Data From Contractor [iophk: Windows TCO]
The LockBit ransomware group claims to have stolen valuable SpaceX files after breaching the systems of piece part production company Maximum Industries.
-
Microsoft and GM deal means your next car might talk, lie, gaslight and manipulate you
Still, details are scant for now. GM's vice president of software defined vehicle and operating system, Scott Miller, let slip to news site Semafor "that the company is developing an AI assistant" claimed to "push things beyond the simple voice commands available in today's cars."
-
We need a new way to measure AI security
Tl;dr: Trail of Bits has launched a practice focused on machine learning and artificial intelligence, bringing together safety and security methodologies to create a new risk assessment and assurance program. This program evaluates potential bespoke risks and determines the necessary safety and security measures for AI-based systems.
-
NetWire Remote Access Trojan Maker Arrested
From Brian Krebs:
A Croatian national has been arrested for allegedly operating NetWire, a Remote Access Trojan (RAT) marketed on cybercrime forums since 2012 as a stealthy way to spy on infected systems and siphon passwords. The arrest coincided with a seizure of the NetWire sales website by the U.S. Federal Bureau of Investigation (FBI). While the defendant in this case hasn't yet been named publicly, the NetWire website has been leaking information about the likely true identity and location of its owner for the past 11 years.
-
Presidential advisory council recommends cyber mandates for critical infrastructure
The National Infrastructure Advisory Council also stresses the need for cybersecurity mandates on tech vendors serving the industrial sector.
[...]
Some of its other recommendations include developing a common playbook for local government, engaging vulnerable communities (such as low-income and tribal communities, and organized labor) in planning and restoration efforts, enhancing information sharing between sectors, and analyzing “common cause” failures in critical infrastructure supply chains.
Additionally, the advisory group recommends harmonizing standards across the federal government, particularly when it comes to organizations that operate in multiple critical infrastructure sectors.
-
CISA tests ransomware alert system to safeguard vulnerable organizations
The Cybersecurity and Infrastructure Security Agency launched a ransomware warning pilot for critical infrastructure owners and operators.
-
Two Men Charged for Breaching Federal Law Enforcement Database and Posing as Police Officers to Defraud Social Media Companies
A criminal complaint was unsealed today in federal court in Brooklyn charging Sagar Steven Singh and Nicholas Ceraolo with wire fraud and conspiracy to commit computer intrusions. The charges stem from Singh’s and Ceraolo’s efforts to extort victims by threatening to release their personal information online. Singh was arrested this morning in Pawtucket, Rhode Island, and will make his initial appearance this afternoon in federal court in Providence, Rhode Island. Ceraolo remains at large.
In pursuit of victims’ personal information, Singh and Ceraolo unlawfully used a police officer’s stolen password to access a restricted database maintained by a federal law enforcement agency that contains (among other data) detailed, nonpublic records of narcotics and currency seizures, as well as law enforcement intelligence reports. Ceraolo (with Singh’s knowledge) also accessed without authorization the email account of a foreign law enforcement officer, and used it to defraud social media companies by making purported emergency requests for information about the companies’ users.