Cybersecurity 🔐 And Much More Newsletter 📪 Vol. 2 Num. 25
Greetings, friends.
Welcome to my last newsletter for 2022. If you are not yet subscribed, please do; it includes books, articles, tech, tips, and cool stuff about cybersecurity.
Enjoy!
What’s Happening
🤖 CISA’s Latest ICS Advisory
On December 22, 2022, CISA released four Industrial Control Systems (ICS) advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits affecting ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations:
- ICSA-22-356-01 Priva TopControl Suite
- ICSA-22-356-02 Rockwell Automation Studio 5000 Logix Emulate
- ICSA-22-356-03 Mitsubishi Electric MELSEC iQ-R, iQ-L Series, and MELIPC Series
- ICSA-22-356-04 Omron CX-Programmer
🐍 New Python PyPA Vulnerability Received by NVD
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier (CVE-2022-40898) allows remote attackers to cause a denial of service via attacker-controlled input to the wheel CLI. Few details are public yet, but it is worth keeping an eye on, and worth checking which wheel version your build environments and lockfiles pin.
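The practical first step is to find out whether any environment pins an affected wheel release. The script below is an added example, not code from the advisory or from the wheel project. It scans a `pip freeze` style listing (the sample listing is constructed for the example) and flags wheel versions at or below 0.37.1, the only bound the advisory text gives; it does not assume which later release carries the fix, so anything above 0.37.1 is simply reported as outside the stated range. Project names are normalized per PEP 503 so that `Wheel` matches but `wheel_stub` does not.

```python
"""Flag pinned PyPA 'wheel' versions that fall in the range the advisory names.

Added example, not from the advisory or the wheel project. Assumes a
pip-freeze style listing ("name==version" lines) and uses only the bound
stated by the advisory: 0.37.1 and earlier are affected.
"""
import re

# Constructed sample input in `pip freeze` format; not a real environment.
SAMPLE_FREEZE = """\
certifi==2022.12.7
Wheel==0.37.1
setuptools==65.5.0
wheel_stub==0.38.4
# comment lines and blanks are ignored

wheel==0.38.4
"""

# Inclusive upper bound of the affected range, as stated by the advisory text.
AFFECTED_MAX = (0, 37, 1)

# Matches "name==1.2.3"; anything that is not a simple exact pin is skipped.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def normalize_name(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple:
    """Turn '0.37.1' into (0, 37, 1) so versions compare numerically, not as text.

    Only the release segment is handled and short versions are padded with
    zeros so that '0.37' equals '0.37.0'. Pre/post/dev suffixes would need a
    full PEP 440 parser (e.g. packaging.version); that dependency is left out.
    """
    parts = [int(p) for p in version.strip(".").split(".") if p]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is within the advisory's stated range (<= 0.37.1)."""
    return version_key(version) <= AFFECTED_MAX


def find_vulnerable_wheel(freeze_text: str) -> list[str]:
    """Return every pinned 'wheel' version in the listing that is affected."""
    hits = []
    for line in freeze_text.splitlines():
        m = _PIN_RE.match(line)
        if not m:
            continue
        name, version = m.groups()
        if normalize_name(name) == "wheel" and is_affected(version):
            hits.append(version)
    return hits


if __name__ == "__main__":
    for v in find_vulnerable_wheel(SAMPLE_FREEZE):
        print(f"wheel=={v} is within the affected range (<= 0.37.1)")
```

To run it against a real environment, replace `SAMPLE_FREEZE` with the output of `pip freeze`, or feed it the contents of a `requirements.txt` lockfile; lines that are not exact `==` pins are ignored, so review those by hand.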
👾 Apple Patches iPhone Zero-Day
Apple said that the WebKit bug was found and reported by security researchers at Google's Threat Analysis Group, which investigates spyware, hacking, and cyberattacks originating from nation-states.
WebKit bugs are typically exploited when a victim visits a malicious domain in their browser (or through an in-app browser). Attackers regularly look for WebKit weaknesses that give them a foothold in the device's operating system and access to the user's private data, and a WebKit bug is often "chained" with other security flaws to get past a device's many layers of protection.
😱 Samba Releases Security Updates
The Samba Team has released security updates for multiple versions of Samba to address several vulnerabilities. Some of these could allow an attacker to take control of an affected system.
CISA encourages users and administrators to review the Samba security announcements (linked under Resources below) and apply any updates that are needed.
😱 Anker’s Eufy deleted these 10 privacy promises
It has been two weeks since The Verge reported that Anker's Eufy lied about the security of its security cameras, and they have been pressing the company for answers ever since. The company has not answered a single one of their questions; in fact, The Verge has not received a reply since December 1st.
Worse than that, the 10 things that were written on Eufy’s privacy commitment page as of December 8th, 2022, are no longer there today:
- “To start, we’re taking every step imaginable to ensure your data remains private, with you.”
- “[Y]our recorded footage will be kept private. Stored locally. With military-grade encryption. And transmitted to you, and only you.”
- “Here at eufy, we’re not just all talk and no action.”
- “With secure local storage, your private data never leave the safety of your home, and is accessible by you alone.”
- “All recorded footage is encrypted on-device and sent straight to your phone — and only you have the key to decrypt and watch the footage. Data during transmission is encrypted.”
- “There is no online link available to any video.”
- “You need to use Eufy software and your account to decrypt the clips for viewing. No one else can access or read this data.”
- “For Your Eyes Only”
- “Peeking Prohibited”
- “Everything In-House”
👀 Google is bringing client-side encryption to Gmail
Google has released client-side encryption for Gmail in beta. Eligible Workspace organizations can apply to test features that encrypt sensitive message content and attachments on the client, before they reach Google's servers. In a blog post on Friday, the company told Workspace administrators about the beta, for which they can sign up until January 20. Once the feature is enabled and the workspace is configured, users of the web version of Gmail get an extra option: clicking the padlock lets them choose whether to add client-side encryption to a message. The trade-off is that features such as signatures, emojis, and Smart Compose may be unavailable in encrypted messages. Google says the Android and iOS Gmail apps will get client-side encryption soon.
👀 Apple’s New Encryption Could Have a Larger Impact
By adding end-to-end encryption (Advanced Data Protection) as an option for more categories of iCloud data, Apple is giving its users a stronger defense against cybercriminals and against law enforcement requests for that data. What you save in iCloud can then really only be read by you, but that comes with its own problems.
The FBI told the Washington Post that this extra security measure makes them "deeply concerned," while privacy advocates such as the Electronic Frontier Foundation are pleased. With the latest iOS update, users who turn it on take on more responsibility: Apple can no longer recover the data for them, so they must set up a recovery contact or recovery key to avoid being locked out of their account if they forget their password.
Fingers crossed 🤞, maybe the next step for Apple will be some more privacy features.
Security Bites
🐥 DuckDuckGo now blocks Google sign-in pop-ups on all sites
DuckDuckGo's apps and browser extensions now block Google Sign-in pop-ups, which it considers both a nuisance and a privacy concern. DuckDuckGo offers a privacy-focused search engine, email, mobile apps, and data-protecting browser extensions. A macOS-only standalone web browser is in beta.
The company stated that its Chrome, Firefox, Brave, and Microsoft Edge extensions, along with its mobile apps, will now actively block Google sign-in prompts.
While Google says that "Data from Sign In With Google is not utilized for marketing or other non-security purposes," DuckDuckGo says its testing shows that Google still gathers data through the prompts.
👋 Tips — 🔐 Security — Top 5 Attack Surface Risks of 2022
Just as more windows and doors in a house increase the risk of burglary, every entry point into your network, applications, or data is part of your attack surface. With the growing adoption of cloud, companies are exposed to the internet more than ever, and this has drastically increased their attack surface. For the same reason, new security tools keep appearing: some show you the vulnerabilities on your internet-facing assets, others help you mitigate risk and manage your attack surface and security posture.
Regardless of the size of the company or how skilled its engineers are, most attacks trace back to these risks, which represent the largest attack surfaces for most companies:
- Misconfigurations
- Asset Management, and Asset Visibility
- Not Following the Best Practices
- Vulnerabilities
- Insiders and users in general
The solution is simple but not easy to follow in real life because of company culture, priorities, resources, and knowledge. But one thing we can all agree on: follow best practices, start with the basics, maintain visibility into your assets, and train your teams to keep up with new threats and technologies.
My Favorites
📡 🔐 SpaceX Unveils an Encrypted Starlink Service for Governments
After several years of offering satellite internet to the public under the Starlink brand, SpaceX has moved to meet the government's specific requirements and announced Starshield, a service built on the same technology as Starlink but with additional encryption and functionality for national security purposes.
According to SpaceX, Starshield will provide federal clients with communications, hosted payloads, and Earth observation.
The existing Starlink service already supports end-to-end encryption of user data, but the national security version will provide "extra high-assurance cryptographic capabilities" for the secure processing and distribution of classified data. Starshield can also host "satellites with sensing payloads," which we read as "spy satellites." SpaceX says it will even develop custom payloads for federal clients.
📚 🤔 Book 1 to Reflect Well On 2022
Title: The Courage Habit
Author: Kate Swoboda
Overview: In The Courage Habit, certified life coach Kate Swoboda offers a unique program based in cognitive behavioral therapy (CBT) and acceptance and commitment therapy (ACT) to help you act courageously in spite of fear. By identifying your fear triggers, releasing yourself from your past experiences, and acting on what you truly value, you can make courage a daily habit.
Using a practical four-part program, you’ll learn to understand the emotions that arise when fears are triggered and to pause and evaluate your emotional state before you act. You’ll discover how to listen without attachment to the self-defeating messages of your inner critic, understand the critic’s function, and implement respectful boundaries so that your inner voice no longer controls your behavior. You’ll reframe self-limiting life narratives that can — without conscious awareness — dictate your day-to-day decisions. And finally, you’ll nurture more authentic connections with family, friends, and community in order to find support and reinforce the life changes you’re making.
📚 🤔 Book 2 to Reflect Well On 2022
Title: Courage Is Calling: Fortune Favors the Brave
Author: Ryan Holiday
Overview: In Courage Is Calling, Ryan Holiday breaks courage down into its parts: fear (whose expression is cowardice), courage (whose expression is bravery), and heroism. Holiday tells engaging stories about leaders past and present, such as Charles de Gaulle, Florence Nightingale, and Dr. Martin Luther King Jr., to show how to overcome your fears and show courage every day.
📚 🤔 Book 3 to Reflect Well On 2022
Title: What Got You Here Won’t Get You There
Author: Marshall Goldsmith
Overview:
What’s holding you back? Your hard work is paying off. You are doing well in your field. But there is something standing between you and the next level of achievement. Perhaps one small flaw–a behavior you barely even recognize–is the only thing that’s keeping you from where you want to be.
Who can help? Marshall Goldsmith is an expert at helping global leaders overcome their sometimes unconscious annoying habits and attain a higher level of success. His one-on-one coaching comes with a six-figure price tag. But, in this book, you get Marshall’s great advice without the hefty fee!
What is the solution? The Harvard Business Review asked Goldsmith, “What is the most common problem faced by the executives that you coach?” Inside, he answers this question by discussing not only the key beliefs of successful leaders but also the behaviors that hold them back. He addresses the fundamental problems that often come with success–and offers ways to attack these problems. Goldsmith outlines twenty habits commonly found in the corporate environment and provides a systematic approach to helping you achieve a positive change in behavior.
📚 🤩 Book 1 To Start 2023 Strong
Title: Atomic Habits
Author: James Clear
Overview: Clear is known for being able to break down complicated ideas into simple steps that can be used in everyday life and at work. Here, he uses the most proven ideas from biology, psychology, and neuroscience to make an easy-to-understand guide to making good habits inevitable and bad habits impossible. Along the way, true stories from Olympic gold medalists, award-winning artists, business leaders, life-saving doctors, and star comedians who have used the science of small habits to master their craft and rise to the top of their field will inspire and entertain readers.
📚 🤩 Book 2 To Start 2023 Strong
Title: The 7 Habits of Highly Effective Families
Author: Stephen R. Covey
Overview: Stephen R. Covey's first major book since The 7 Habits of Highly Effective People is a practical and philosophical guide to solving the problems that all families and strong communities face, no matter how big or small. The 7 Habits of Highly Effective Families shows how and why to hold family meetings, why it is important to keep promises, how to balance individual and family needs, and how to move from dependence to interdependence. It does this by telling engaging stories about ordinary people and giving practical suggestions for changing everyday behavior. The 7 Habits of Highly Effective Families is a great guide for any family.
📚 🤩 Book 3 To Start 2023 Strong
Title: The Power of Habit
Author: Charles Duhigg
Overview: In The Power of Habit, the award-winning business reporter Charles Duhigg takes us to the exciting, cutting-edge scientific discoveries that explain why habits exist and how they can be changed. Duhigg takes a lot of information and turns it into interesting stories that take us from the boardrooms of Procter & Gamble to the sidelines of the NFL to the front lines of the civil rights movement. This gives us a whole new view of how people work and what they can do. The main point of The Power of Habit is that understanding how habits work is the key to working out regularly, losing weight, being more productive, and being successful. Duhigg shows us that we can change our businesses, our communities, and our lives by using this new science.
🎙 Podcast — Darknet Diaries Episode #130.
Title: Jason’s Pentest
Author: Jack Rhysider
Overview: In this episode, Jack Rhysider talks to Jason Haddix, a well-known penetration tester who has made a name for himself by finding flaws in some of the biggest companies in the world. In this episode, Jason tells funny and interesting stories about breaking into buildings and computers. He also talks about when he found a significant security flaw in a popular mobile banking app.
🎥 Videos — Best Cars of 2022
In this video, the folks on the Savagegeese YouTube channel talk about the best cars, trucks, and SUVs they drove in 2022, and the worst ones. Even though many cars and brands were left out, they explain what set the vehicles they liked apart. It is a fitting end to a wild year with a lot of big changes in automotive technology.
🏎 Cars — Charge ’67
There’s the cockapoo, springador, puggle, and labsky, as well as the morkie, chiweenie, and whoodle. The idea behind these “designer dogs” is that you get a kind of genetic Goldilocks breed with the best traits of both parents. For example, a retriever with a poodle’s fluffy coat.
Based on this car, it seems that way: This is the Charge ’67, and no, it’s not an old car with a V8 engine that’s been fixed up. It’s a brand-new EV that was made to be an electric car from the ground up.
The ’67 was made in the UK and has genes from two very different gene pools: It looks like the classic 1967 Ford Mustang Fastback that Steve McQueen drove in his cult classic cop movie Bullitt, but inside it has the hardware and software of EV start-up Arrival, which wants to change the world of commercial vehicles with its electric buses and delivery vans.
Quote of the Week
“Never attribute to malice what can be adequately explained by stupidity.” ― Hanlon’s Razor
PLEASE SUBSCRIBE TO MY YOUTUBE CHANNEL 🥹
If you’re interested in starting a career in cybersecurity, watch this one, and don’t forget to subscribe to my channel and leave a comment if there are any topics you’re interested in seeing in my next video.
Check out my other stuff here.
Resources
- SpaceX reveals ‘Starshield’ (LINK)
- Darknet Diaries Ep.130 (LINK)
- Anker’s Eufy Privacy Policy (LINK)
- Apple’s upgraded encryption (LINK)
- Best Cars of 2022 (LINK)
- Client Side Encryption for Gmail (LINK)
- Review: Charge ’67 (LINK)
- Apple Security Updates (LINK)
- Samba Security Updates (LINK)
- CISA ICS Advisories (LINK)
- CVE-2022-40898 Detail (LINK)