Cybersecurity And Much More Newsletter — Week 10 (2022)
Welcome to my weekly newsletter; if you are not yet subscribed, please do. It might include books, articles, tech, tips, and of course interesting stuff about cybersecurity.
🚨 SEC wants public companies to report breaches within four days
The US Securities and Exchange Commission (SEC) has proposed rule amendments to require publicly traded companies to report data breaches and other cybersecurity incidents within four days after they’re determined as being a material incident (one that shareholders would likely consider important).
🚨 Linux “Dirty Pipe” vulnerability gives unprivileged users root access
A vulnerability in the Linux kernel, nicknamed “Dirty Pipe”, allows an unprivileged user to overwrite data in read-only files. This can lead to privilege escalation as a result of unprivileged processes being able to inject code into root processes.
If you’re not sure what that means but you think it sounds bad — you are correct!
The vulnerability was found and explained in detail by Max Kellermann of CM4all. The affected Linux kernel versions are 5.8 and above. The fixed versions are 5.16.11, 5.15.25, and 5.10.102.
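As an added example (not code from the newsletter or from the Dirty Pipe write-up), here is a small Python check that classifies a kernel release string against the fixed versions quoted above. It assumes upstream kernel numbering and that mainline releases after 5.16 carry the fix; distribution kernels that backport the fix without bumping the version string will be reported as vulnerable and must be checked against the distro's own changelog.

```python
import platform
import re

# Fixed stable releases named in the advisory; earlier patch levels on these series are vulnerable.
FIXED_IN = {(5, 16): 11, (5, 15): 25, (5, 10): 102}
FIRST_AFFECTED = (5, 8)


def parse_kernel_version(release: str):
    """Extract (major, minor, patch) from a `uname -r` style string such as
    '5.15.25-generic' or '5.10.0-13-amd64'. Distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_status(release: str) -> str:
    """Return 'not affected', 'patched' or 'vulnerable' based purely on the
    upstream version number. Backported distro fixes are NOT detected here."""
    major, minor, patch = parse_kernel_version(release)
    series = (major, minor)
    if series < FIRST_AFFECTED:
        return "not affected"          # bug introduced in 5.8
    fixed_patch = FIXED_IN.get(series)
    if fixed_patch is not None:
        return "patched" if patch >= fixed_patch else "vulnerable"
    # Assumption: mainline releases after 5.16 already contain the fix.
    if series > (5, 16):
        return "patched"
    # 5.8-5.9 and 5.11-5.14 have no fixed release listed in the advisory.
    return "vulnerable"


def check_running_kernel() -> str:
    """Classify the kernel this script is running on (Linux only)."""
    return dirty_pipe_status(platform.release())


if __name__ == "__main__":
    print(f"{platform.release()}: {check_running_kernel()}")
```

Run it on a fleet's `uname -r` inventory to triage which hosts still need a kernel upgrade, then confirm the "vulnerable" hits against vendor advisories before acting.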
🚨 APT41 Spies Broke Into 6 US State Networks via a Livestock App
The China-affiliated state-sponsored threat actor used Log4j and zero-day bugs in the USAHerds animal-tracking software to hack into multiple government networks.
USAHerds — an app used by farmers to speed their response to diseases and other threats to their livestock — has itself become an infection vector, used to pry open at least six U.S. state networks by one of China’s most prolific state-sponsored espionage groups.
In a report published by Mandiant on Tuesday, researchers described a prolonged incursion conducted by APT41. They detected the activity in May 2021 and tracked it through last month, February 2022, observing the spy group pry open vulnerable, internet-facing web apps that were often written in ASP.NET.
APT41 — aka Winnti, Barium, Wicked Panda, or Wicked Spider — is an advanced persistent threat (APT) actor known for nation state-backed cyber espionage, supply-chain hits, and profit-driven cybercrime.
📰 WhatsApp introduces Code Verify extension to add extra security to web app
Instant messaging application WhatsApp has rolled out a new extension for adding extra security to its web app. As per GSM Arena, the extension is called Code Verify and its sole purpose is to ensure the web version of WhatsApp is secure enough and the end-to-end encryption has not been compromised. They also said that the web app is naturally less resilient against attacks. So Code Verify ensures the same level of security as a native app on Windows, iOS, or Android.
📰 FBI Issues a Lookout for SIM Swapping Attacks
The FBI stated that cybercriminals are leveraging SIM swapping attacks to steal millions from U.S. citizens. The agency recently disclosed an increase in SIM swapping attacks used to compromise victims’ virtual currency accounts and steal money. From January 2018 to December 2020, the FBI Internet Crime Complaint Center (IC3) received 320 complaints related to SIM swapping incidents with adjusted losses of approximately $12 million. In 2021, IC3 received 1,611 SIM swapping complaints with adjusted losses of more than $68 million.
📰 REvil ransomware member extradited to the U.S. to stand trial for Kaseya attack
The U.S. Department of Justice announced that alleged REvil ransomware affiliate, Yaroslav Vasinskyi, was extradited to the United States last week to stand trial for the Kaseya cyberattack.
Vasinskyi, a 22-year-old Ukrainian national, was arrested in November 2021 while entering Poland for his cybercrime activities as a REvil member.
Vasinskyi is believed to be a REvil ransomware affiliate tasked to breach corporate networks worldwide, steal unencrypted data, and then encrypt all of the devices on the network.
You can also check my video about the Kaseya Hack.
📰 EuroUSEC 2022 is coming soon…
The European Symposium on Usable Security (EuroUSEC) serves as a European forum for research and discussion in the area of human factors in security and privacy. EuroUSEC solicits previously unpublished work offering novel research contributions or clearly articulated research visions in any aspect of human-centered security and privacy. The aim of EuroUSEC is to bring together an interdisciplinary group of researchers and practitioners in human-computer interaction, security, and privacy. Participants are researchers, practitioners, and students from domains including computer science, engineering, psychology, the social sciences, and economics.
👾 Zero-Click Flaws in Widely Used UPS Devices Threaten Critical Infrastructure
Researchers at Armis Research Labs discovered the flaws, which they’ve dubbed TLStorm, in APC Smart-UPS devices, which number about 20 million in deployment worldwide. APC is a subsidiary of Schneider Electric, one of the leading vendors of UPS devices. UPS devices provide emergency backup power for mission-critical assets that require high availability.
The risk for widespread disruption and damage in both the cyber and physical worlds is high if the vulnerabilities are exploited, researchers said in a report published online on Tuesday — and could have an impact on a global scale.
👾 Microsoft fixes critical Azure bug that exposed customer data
Microsoft has addressed a vulnerability in the Azure Automation service that could have allowed attackers to take complete control over other Azure customers’ data.
Microsoft Azure Automation Service provides process automation, configuration management, and update management features, with each scheduled job running inside isolated sandboxes for each Azure customer.
The vulnerability, dubbed AutoWarp by Orca Security’s Cloud Security Researcher Yanir Tsarimi, who discovered it, made it possible for an attacker to steal other Azure customers’ Managed Identities authentication tokens from an internal server that manages the sandboxes of other users.
👾 Samsung confirms hackers stole Galaxy devices' source code
Samsung Electronics confirmed on Monday that its network was breached and the hackers stole confidential information, including source code present in Galaxy smartphones.
As first reported by BleepingComputer, the data extortion group Lapsus$ leaked at the end of last week close to 190GB of archives claiming to have been stolen from Samsung Electronics.
In a note posted earlier today, the extortion gang teased about releasing Samsung data with a snapshot of C/C++ directives in Samsung software.
🔐 How to Enable End-to-End Encryption on Facebook Messenger
Meta’s Messenger app is one of the popular instant messaging apps available. Messenger is feature-rich, but end-to-end encryption has been missing on the platform for far too long. However, Messenger now includes an end-to-end encryption feature. The only caveat is this feature is not enabled by default.
This article will show you the two ways you can use to enable end-to-end encryption on Messenger.
📝 Physicists steer chemical reactions by magnetic fields and quantum interference
Physicists in the MIT-Harvard Center for Ultracold Atoms (CUA) have developed a new approach to controlling the outcome of chemical reactions. This is traditionally done using temperature and chemical catalysts, or more recently with external fields (electric or magnetic fields, or laser beams).
MIT CUA physicists have now added a new twist to this: They have used minute changes in a magnetic field to make subtle changes to the quantum mechanical wavefunction of the colliding particles during the chemical reaction. They show how this technique can steer reactions to a different outcome: enhancing or suppressing reactions.
This was only possible by working at ultralow temperatures at a millionth of a degree above absolute zero, where collisions and chemical reactions occur in single quantum states. Their research was published in Science on March 4.
📝 Note — 🔐 Encryption — CGI or Computational Ghost Imaging?
Ghost imaging is an optical technique in which the information of an object is encoded in the correlation of the intensity fluctuations of light. The computational version of this fascinating phenomenon emulates, offline, the optical propagation through the reference arm, enabling 3D visualization of a complex object whose transmitted light is measured by a bucket detector.
Computational ghost imaging can be used to encrypt and transmit object information to a remote party. It correlates the outputs from two photodetectors: a high spatial-resolution (scanning pinhole or charge-coupled-device camera) detector that measures a field that has not interacted with the object to be imaged and a bucket (single-pixel) detector that collects a field that has interacted with the object.
📝 Note — 📡 Telco/IoT Security — What do you know about 3GPP?
3GPP unites seven telecommunications standard development organizations and provides their members with a stable environment to produce the reports and specifications that define 3GPP technologies.
The project covers:
- Cellular telecommunications
- Network technologies, including radio access, the core transport network, and service capabilities
- Codecs, security, and quality of service
- Wi-Fi networks
📚 🤔 Books I’m Currently Reading
Title: Braving the Wilderness: The Quest for True Belonging and the Courage to Stand Alone
Author: Brené Brown
Overview: “True belonging doesn’t require us to change who we are. It requires us to be who we are.” Social scientist Brené Brown, PhD, MSW, has sparked a global conversation about the experiences that bring meaning to our lives — experiences of courage, vulnerability, love, belonging, shame, and empathy. In Braving the Wilderness, Brown redefines what it means to truly belong in an age of increased polarization. With her trademark mix of research, storytelling, and honesty, Brown will again change the cultural conversation while mapping a clear path to true belonging.
📚 🤩 Books I Recommend Reading
Title: Indistractable: How to Control Your Attention and Choose Your Life
Author: Nir Eyal
Overview: You sit down at your desk to work on an important project, but a notification on your phone interrupts your morning. Later, as you’re about to get back to work, a colleague taps you on the shoulder to chat. At home, screens get in the way of quality time with your family. Another day goes by, and once again, your most important personal and professional goals are put on hold.
What would be possible if you followed through on your best intentions? What could you accomplish if you could stay focused and overcome distractions? What if you had the power to become “indistractable?”
Inside, Eyal overturns conventional wisdom and reveals:
- Why distraction at work is a symptom of dysfunctional company culture — and how to fix it
- What really drives human behavior and why “time management is pain management”
- Why your relationships (and your sex life) depend on you becoming indistractable
- How to raise indistractable children in an increasingly distracting world
Empowering and optimistic, Indistractable provides practical, novel techniques to control your time and attention, helping you live the life you really want.
🎙 Podcast — Fake Doctors, Real Friends.
If you’ve been meaning to rewatch Scrubs, this podcast gives you an extra reason. Zach Braff and Donald Faison, who play the best-bud duo of JD and Turk on the show, host Fake Doctors, Real Friends. Each episode of the podcast goes over an episode of the show — in chronological order, thankfully. Perfect if you wistfully remember the 2001–10 medical comedy.
🎥 Videos — Shoah (1985)
The past is never past; in bringing the Holocaust to life in his towering nine-and-a-half-hour masterpiece, director Claude Lanzmann would stick solely to the present. Shoah is composed of the reflections of Polish survivors, bystanders, and, most uneasily, the perpetrators. The memories become living flesh, and an essential part of documentary filmmaking finds its apotheosis: the act of testifying. Our top choice was an obvious one.
Quote of the Week
“I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain.”
Frank Herbert, Dune