Cybersecurity 🔐 And Much More Newsletter 📪 Vol. 2 Num. 23

Greetings, friends.

Welcome to my newsletter, if you are not yet subscribed, please do. It might include books, articles, tech, tips, and of course exciting stuff about cybersecurity.

Enjoy!

What’s Happening

🚨 CISA Adds 12 New Vulnerabilities to The Must Patch List

The US Cybersecurity and Infrastructure Security Agency’s Catalog of Known Exploited Vulnerabilities can not only help organizations fix high-risk vulnerabilities in their systems, but also help them create or improve vulnerability management processes. This week, 12 vulnerabilities have been added to the list and including Google Chrome, Oracle WebLogic, Fortinet FortiOS, NETGEAR, D-Link Devices, and more.

🏴‍☠️ New 🇺🇸 U.S Sanctions on Iran 🇮🇷

The US Treasury Department on Friday announced sanctions against Iran’s Ministry of Intelligence and Security (MOIS) and its Intelligence Minister Esmaeil Khatib for their involvement in cyber activities against the country and its allies. This time, it was related to the accusations related to the recent attacks from mid-July 2022 targeting the Albanian government.

🌉 Cisco Releases Multiple Security Patches

Cisco addressed 03 out of the 04 most recent vulnerabilities in its products. These vulnerabilities impacted various products like SD-WAN vManage, Catalyst 8000V, ASAv, and FTDv. The one that does not have workarounds or patches was the Cisco Small Business vulnerability related to IPSec Server Authentication.

💉 Multiple 👾 Vulnerabilities in Baxter’s Infusion ⛽️ Pumps

Rapid7 discovered four (04) vulnerabilities on Baxter’s internet-connected infusion pumps that allow attackers to access sensitive information or even change the systems’ configuration.

Why are these pumps connected to the internet? well, it seems absurd, but it allows The pumps allow the hospitals to deliver medication and nutrients to the patients. However, Baxter claims that only wireless-enabled devices are exposed to these vulnerabilities.

👾 WordPress BackupBuddy Plugin Zero Day being Exploited

WordPress security firm Wordfence has revealed that a zero-day vulnerability in a WordPress plugin called BackupBuddy is actively exploited.

This vulnerability allows an unauthenticated user to download arbitrary files from affected websites that may contain sensitive information.

BackupBuddy allows users to back up their entire WordPress installation from the dashboard, including theme files, pages, posts, widgets, user and media files, etc.

👀 2 Billion TikTok Users’ Information Exposed

The hacking group BlueHornet tweeted that TikTok stored their backend source code on Alibaba Cloud and didn’t secure it properly. This was confirmed by multiple security research firms like Security Discovery were publicly exposed code repositories containing user data.

Security Bites

👋 Tips — 🔐 Security — Do you need an anti-virus on your phone?

Phones are more targeted than any other systems because of the way we use them, and the large user base. Android phones on the other hand are more targeted than iPhones due to the same reasons Windows is a more juicy target than MacOS, the number of Android users is way higher than iOS users due to the affordability and variety of options that Android phones makers offer.

You don’t need to sell a kidney to buy an Android phone, but you will need to be more prudent because of the higher number of malicious applications found on the Play store. But what AV should you use? All the major AV vendors offer mobile versions, they also offer free versions with manual scans and basic protection. But you should definitely invest in a commercial version and get the full functionalities.

The AV will not only scan all the newly installed applications but do periodic scans, offering secure browsing and more privacy. However, having an antivirus is not enough to make your mobile device safe, you will need to follow some other best practices, such as:

• Keep your OS and Applications up to date.
• Only install well-known and trusted applications from the official application stores.
• Only install the applications you need.
• Review the applications’ permissions and only grant them the privileges needed while the applications are in use.
• Turn off the features you don’t need.
• Disable application tracking.
• Remove location tagging from your camera settings.
• Use a password manager and enable Multi-factor authentication on all your accounts.

📝 Note — 🔐 Security — What are the tools used for DevSecOps?

While I don’t like acronyms, especially the ones that are used to call out concepts and practices that existed for decades and are tied to the foundations of information security. Before diving into DevSecOps, let’s define DevOps and SDLC briefly.

The software development life cycle (SDLC) is a structured process aimed at producing high-quality, low-cost software in the shortest possible production time. It defines and outlines a detailed plan with phases or stages, each with its own processes and deliverables, and this reduces project risks and costs.

DevOps (a combination of “development” and “operations”) on the other hand is a combination of practices and tools designed to improve an organization’s ability to deliver applications and services faster than traditional software development processes. In this model, development, and operations teams collaborate throughout the lifecycle of software applications, from development and testing to deployment and operations.

DevSecOps is a common practice in application security introducing security early in the software development lifecycle (SDLC). It also expands collaboration between development and operations teams, integrating security teams into the software delivery cycle. The most challenging aspect of DevSecOps is changing the culture.

To achieve the goals of DevSecOps and integrate security into the SDLC process successfully, reduce friction and increase the adoption of automated processes, implementing the tools below is highly recommended:

• Static Application Security testing -SAST: Scans code for errors, and design issues to identify potential vulnerabilities.
• Dynamic Application Security Testing — DAST: Automatically testing applications by imitating threat actors’ scenarios.
• Interactive Application Security testing — IAST: Runs in the background during the application testing to analyze the runtime behavior.
• Software Composition Analysis — SCA: Scans the applications’ source code and binaries to identify vulnerabilities in third-party and open-source components.

My Favorites

📚 🤔 Books I’m Currently Reading 🤞🏻

Title: The Expectation Effect: How Your Mindset Can Change Your World

Author: David Robson

Overview: You may be familiar with the placebo effect and how sugar tablets accelerate recovery. But did you know that phony cardiac operations frequently provide results comparable to stent placement? Or are cardiac arrest deaths four times more likely to occur in persons who believe they have a higher risk of developing cardiovascular disease? The expectation effect, which modifies what really occurs based on what we believe will happen, is so potent and deadly important.

Science journalist David Robson combines neuroscience with storytelling to immerse readers in the many areas of life that permeate expected effects. We saw how people who believed stress was good became more creative when stressed. We see that linking aging to wisdom can add more than seven years to your life People say seeing is believing, but Robson has proven time and time again that the opposite is true: believing is seeing.

The waiting effect is not woo-woo. You can’t find a way to make a lot of money or get rid of a cancer diagnosis But just because magical thinking is absurd doesn’t mean rational magic doesn’t exist Drawing on accepted psychology and objective physiology, Robson provides us with the practical knowledge we need to improve our health, productivity, intelligence, and well-being. Any reader who wants to take his destiny into his own hands has only to get this book.

📚 🤩 Books I Recommend Reading 🕹

Title: All Work No Play: A Surprising Guide to Feeling More Mindful, Grateful, and Cheerful

Author: Dale Sidebottom

Overview: All Work No Play: A Surprising Guide to Feeling More Aware, Grateful, and Joyful is a practical and helpful guide to finding joy and happiness in your daily life. This book shares strategies for play-based mindfulness, empathy, and gratitude exercises that will help readers rediscover their inner child; promote good mental health; establish and maintain more meaningful connections with others, and help combat loneliness and ingrained toxic behaviors and thoughts.

You’re going to learn:

• Recognize and be self-aware of thoughts that prevent you from developing healthy relationships and attitudes.
• Put an end to burnout and fatigue by prioritizing mental health on a daily basis.
• Use visualization tools and self-assessment forms to guide you through exercises that improve well-being, focus, and productivity.

All Work No Play is ideal for anyone looking to improve their ability to derive joy and happiness from their daily lives, and for businesses looking to improve the health and well-being of their employees and colleagues.

🎙 Podcast — Andrew Bustamante: CIA Spy | Lex Fridman Podcast #310 🕵🏻‍♂️

In this episode, Lex interviews Andrew Bustamante who is a former CIA covert intelligence officer. Check out his work and podcast at

🎥 Videos — Great Top Gear Video about the Hyundai 670bhp Hybrid Drift Car 🏎

South Korea is currently experiencing a golden age in the automotive industry: Hyundai and Kia are releasing boldly designed, fun-to-drive cars that should make European veterans sweat. But what does the future hold for the modern and renovated N-Sector? The N Vision 74 hydrogen fuel cell and twin-motor electric RN22e concepts offer some clues — they’re not just for show. Top Gear’s Ollie Kew traveled to Germany’s spectacular Bilster Berg circuit to try them both — to see if the idea of South Korea saving the sports car is the one we should be excited about.

Quote of the Week

“Be yourself; everyone else is already taken.” ― Oscar Wilde

If you’re interested in starting a career in Cybersecurity, watch this one, and don’t forget to subscribe to my channel and leave a comment if there are any topics you’re interested in seeing on my next videos.

Check my other stuff here.

Resources

• The Expectation Effect: How Your Mindset Can Change Your World
• All Work No Play: A Surprising Guide to Feeling More Mindful, Grateful, and Cheerful
• CISA’s Known Exploited Vulnerabilities List
• Security Discovery Tweet about the TikTok Breach
• WordPress BackupBuddy Zero Day
• Baxter SIGMA Infusion Pumps Vulnerabilities
• Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities
• Andrew Bustamante Podcast
• Lex Fridman Podcast
• FIRST DRIVE: Hyundai N Vision 74 & RN22e