- 1. The Establishment of a Cyber Safety Review Board – Security Boulevard
Yea, except cybersecurity, hacking and cyber crime are nothing like investigating airplane crashes in the sense that everything changes all the time, incidents happen at a far greater rate, and we're dealing with digital incidents, not physical (for the most part, unless they intersect, which happens).
- 2. Try This One Weird Trick Russian Hackers Hate – Krebs on Security
Russian virtual keyboard for the win?
- 3. Apple sent my data to the FBI, says boss of controversial research paper trove Sci-Hub
Information should be free (free like free beer and free like running naked through a field)
- 4. CISA: Disconnect Internet for 3-5 Days to Evict SolarWinds Hackers From Network
Oh yea, let me just go unplug the Internet for a few days...
- 5. Biden calls for $22 billion in cyber security funding
Throwing money at the problem does not fix cybersecurity issues. If it did, the companies who spend the most on cybersecurity would not have breaches, except they do.
- 6. New open source scanning tool is built for ethical hackers
- 7. The basics of security code review – Help Net Security
- 8. Wind River’s enhancements deliver cybersecurity and anti-tamper protection – Help Net Security
“Security must be taken seriously – the only way to do that is to be proactive. With billions of new devices constantly connecting locations around the world, the attack surface is staggering. It will be important for solution builders, both hardware and software, to be thoughtful stewards and strong advocates for cybersecurity in order to deliver trustworthy compute infrastructure.” - I read this as "our customers told us security is important to them now, so now security is important to us." Also, not necessarily a bad thing...
- 9. Scans for Vulnerable Exchange Servers Started 5 Minutes After Disclosure of Flaws
- 10. Watering Hole Attack Was Used to Target Florida Water Utilities
"An investigation undertaken in the aftermath of the Oldsmar water plant hack earlier this year has revealed that an infrastructure contractor in the U.S. state of Florida hosted malicious code on its website in what's known as a watering hole attack. "This malicious code seemingly targeted water utilities, particularly in Florida, and more importantly, was visited by a browser from the city of Oldsmar on the same day of the poisoning event,"" - The irony of poisoning the watering hole to poison the watering hole is not lost...
- 11. Israel Says Its Fighter Jets Bombed Buildings Used by Hamas Cyber Unit
- 12. Lessons Learned From High-Profile Exploits
- 13. Exploit released for wormable Windows HTTP vulnerability
- 14. PeterM on Twitter
When availability ranks way higher than confidentiality.
- 15. Ransomware’s Dangerous New Trick Is Double-Encrypting Your Data
Just don't use XOR. However, attackers will double encrypt, maybe not all, but some of your data, so you have to pay twice.
- 16. Our cybersecurity ‘industry best practices’ keep allowing breaches
""Industry best practices," for instance, dictate that network administrators should be boxed in administratively. They should not be able to see what is happening on workstations, servers or storage resources." - Actually, we do not dictate this at all.
"Implement a "one strike and you are out" hiring policy for information security employees. When they fail, do not let it happen twice." - This is just wrong on so many levels, such as how do you measure failure? And so we all have to be perfect because no one makes mistakes, in any profession, right? Somehow we are different because we deal with cybersecurity?
"Also, never hire an information security employee who has ever worked for a firm that has had a security incident." - Wow, you have really hit the crack pipe hard by this point in the article. I will let you in on a not-secret: 99% of us in information security have worked at a company that has had a security incident. Maybe we should just all quit? Maybe we should just all turn to the darkside and take over the galaxy? Just how is this a solution?
"Embrace "holistic" approaches to information security." - You took a huge bong rip before you wrote that, then said it out loud when you typed it, and it sounded really good huh?
And then you try to cover your ass: "The author, Professor Gwinn, states that his column included “what is likely to have been the worst wording I have ever used in my life” in the 19th and 20th paragraphs, which suggested that he favored the “willy-nilly firing of a whole staff of people after a security incident. My intent was to hold leadership accountable." He now states that businesses and industries should “implement a ‘one strike and you are out’ hiring policy for information security leadership whose job it was to secure systems and networks after a major, expensive breach. Rotate leadership and do not let it happen twice. Also, weed out and avoid hiring that former information security leader.”"
Guess what? You are still wrong, on basically all points. Also, we will be looking at all of your future publications and I hope you have better suggestions in the future, because this article...sucks.
- 17. Samba arbitrary file access vulnerability attack
- 18. Why Is There a Lack of Women in Cyber?
This was a great article and did not get into finger-pointing, blaming people, or other such nonsense. For example, the media has continued the notion that the hacker/cybersecurity persona is a male, typically wearing a hoodie, alone, using a computer in the dark: "In general, Cybersecurity in the media typically has a very masculine look. As you can see in the above screenshot, eight of the nine images have the same blue/black color scheme. While this may seem trivial, it’s something that can subconsciously impact perception. Much of these images align with what’s referred to as masculine colors." This is also a great point: "Second, many of the images in my search showed lines of code, which can lead people to come to the conclusion that coding experience is a requirement for a cybersecurity career, which isn’t true." - Again the media is reinforcing the notion that not only should you be male, alone, in the dark, but you also better be super technical and able to write code. All just not true!
- 19. “Those aren’t my kids!” – Eufy camera owners report video mixups
- 20. Expert released PoC exploit code for Windows CVE-2021-31166 bug
- 21. Google makes a big security change, but other companies must follow
- 22. Dumping Plaintext RDP credentials from svchost.exe – n00py Blog
- 23. FIN7 Backdoor Masquerades as Ethical Hacking Tool
- 24. Darkside ransomware gang says it lost control of its servers & money a day after Biden threat
- 25. Publishing exploits early doesn’t encourage patching or help defense, data shows
I am challenging this one; I don't believe this is what the data shows: "The report found that network defenders were almost exactly as likely to mitigate a problem when an exploit had been released before the patch. If an exploit was released first, a median of 46.3% of systems were patched in the first three months, a cumulative 57.5% after six months and 67.8% after 12 months. Patches were actually more common when the first exploit was released after the patch, although only marginally so, and remediation followed the same curve (49.1% at three months, 59.3% at six and 70.6% at 12 months)." - There is a HUGE difference between an exploit being released, and an exploit being used in the wild, and this data did not represent that aspect. There is also a huge difference between a PoC and the overall effectiveness of an exploit. Was the exploit a DoS or restricted to RCE? Also, what if an exploit does not have a patch? Or, what if the patch is REALLY hard to apply and roll out, vs. other vulnerabilities that are easier to remediate? Also, what if I didn't apply a patch but I turned off the service, created a firewall rule or implemented some other compensating control? What if I do that more often when an exploit is released than I do patch a system? What if an exploit being released actually helps me with compensating controls rather than applying a patch? What if exploits are released for software that is not popular or I just don't have in my environment, therefore I don't have to patch?
- 26. I Mailed an AirTag and Tracked Its Progress; Here’s What Happened – The Mac Security Blog
- 27. AirTag Used to Successfully Track a Mailed Package Across the UK
- 28. Send My: Arbitrary data transmission via Apple’s Find My network
- 29. CVE-2021-1079 – NVIDIA GeForce Experience Command Execution – VoidSec