Security Leftovers
-
Scoop News Group ☛ Microsoft’s security culture reboot includes cyber governance council, all-staff trainings [Ed: PR, damage-limiting cruft, or just lobbying?]
The tech giant launched its Secure Future Initiative after a string of major security breakdowns.
-
GeekWire ☛ Microsoft details ‘largest cybersecurity engineering effort in history’ — securing its own code [Ed: Microsoft-sponsored puff pieces like these (composed by Microsoft operatives) serve to show it's truly a crisis for the company]
Microsoft gave new details about its security initiatives on Monday morning, less than five months after CEO Satya Nadella and security leader Charlie Bell outlined a series of reforms to address cybersecurity breaches, and said the company would be making security its top priority.
-
LWN ☛ Security updates for Monday
Security updates have been issued by AlmaLinux (expat, fence-agents, firefox, libnbd, openssl, pcp, ruby:3.3, and thunderbird), Debian (ruby-saml), Fedora (aardvark-dns, chromium, expat, jupyterlab, less, openssl, python-jupyterlab-server, python-notebook, python3-docs, and python3.12), Gentoo (calibre, curl, Emacs, org-mode, Exo, file, GPL Ghostscript, gst-plugins-good, liblouis, Mbed TLS, OpenVPN, Oracle VirtualBox, PJSIP, Portage, PostgreSQL, pypy, pypy3, Rust, Slurm, stb, VLC, and Xen), SUSE (container-suseconnect, ffmpeg-4, kernel, libpcap, python3, python310, python36, and wpa_supplicant), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-azure, linux-ibm-5.15, and linux-oracle-5.15).
-
Medevel ☛ WordPress Under Siege: Decoding the Appeal for Cybercriminals. Should You Use WordPress in Your Next Website? No, here is Why!
WordPress, one of the most popular content management systems (CMS) in the world, has a rich history dating back to 2003. Its roots can be traced to b2/cafelog, an open-source blogging platform developed by Michel Valdrighi between 2001 and 2003.
-
Announcing Istio 1.21.6
This release fixes the security vulnerabilities described in our September 19th post, ISTIO-SECURITY-2024-006. This release note describes what’s different between Istio 1.21.5 and 1.21.6.
-
Security Week ☛ Necro Trojan Infects Surveillance Giant Google Play Apps With Millions of Downloads
The Necro trojan was found in two Android applications in Surveillance Giant Google Play with a combined downloads count of over 11 million.
-
Digital Music News ☛ Cybersecurity Experts Closing in on Ticketmaster Hacker, Report Says
Cybersecurity defense firm Mandiant is stalking the Ticketmaster hacker known as Judische who was behind the massive Snowflake breach. This breach impacted Ticketmaster, AT&T, Lending Tree, and more than 165 companies who utilized Snowflake’s services.
-
Silicon Angle ☛ Necro malware infects 11M+ Android devices via Surveillance Giant Google Play apps
A new version of Necro malware, a form of malware that first emerged in 2019, has been found to have been installed on at least 11 million devices through apps that were distributed through the Surveillance Giant Google Play store.
-
Bruce Schneier ☛ Hacking the “Bike Angels” System for Moving Bikeshares
I always like a good hack. And this story delivers. Basically, the New York City bikeshare program has a system to reward people who move bicycles from full stations to empty ones. By deliberately moving bikes to create artificial problems, and exploiting exactly how the system calculates rewards, some people are making a lot of money.
At 10 a.m. on a Tuesday last month, seven Bike Angels descended on the docking station at Broadway and 53rd Street, across from the Ed Sullivan Theater. Each rider used his own special blue key -- a reward from Citi Bike -- to unlock a bike. He rode it one block east, to Seventh Avenue.
-
Research: Why layoffs might lead to data breaches [Ed: IBM cited in new report about why layoffs cause security problems (while IBM lays off staff in droves, in secret)]
Data breaches are almost daily news. The government’s Cyber Security Breaches Survey 2024, published in April, found that 50% of businesses and 32% of charities in the UK had reported some form of cyber breach or attack in the previous 12 months. In addition to the immediate operational hit, there are other less obvious costs – associated, for example, with loss of reputation. This year’s Cost of a Data Breach Report from IBM puts the global average cost of a data breach in 2024 at $4.88m – a 10% increase on 2023 and the highest total ever. No wonder that 722 chief financial officers in a 2022 report by PwC said that cyber attacks were the number one risk their businesses faced.
-
Security Week ☛ Versa Networks Patches Vulnerability Exposing Authentication Tokens
Versa Networks has released patches for a Versa Director vulnerability for which proof-of-concept (PoC) code exists.
-
Security Week ☛ ESET Patches Privilege Escalation Vulnerabilities in Windows, macOS Products
ESET has released patches for two local privilege escalation vulnerabilities in security products for backdoored Windows and macOS.
-
Security Week ☛ Cybersecurity Products Conking Out After macOS Sequoia Update
macOS Sequoia updates are causing cybersecurity software failures and breaking network connectivity for many.
-
Security Week ☛ Mandiant Offers Clues to Spotting and Stopping North Korean Fake IT Workers
Mandiant shines the spotlight on the growing infiltration of US and Western companies by North Korean fake IT workers.
-
Security Week ☛ CERT/CC Warns of Unpatched Critical Vulnerability in Microchip ASF
Microchip Advanced Software Framework (ASF) 3 is affected by a critical vulnerability that could lead to remote code execution.
-
The Strategist ☛ PIF hack highlights the need for cyber capacity building
The public revelation this month that the Pacific Islands Forum (PIF) Secretariat had been hacked has exposed significant cybersecurity vulnerabilities in the region.