Cybersecurity And Much More Newsletter — Week 12 (2022)
Welcome to my weekly newsletter; if you are not yet subscribed, please do. It might include books, articles, tech, tips, and of course interesting stuff about cybersecurity.
🚨 CISA adds 66 New Vulnerabilities to its Catalog
CISA has added 66 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise.
🚨 FBI and FinCEN Release Advisory on AvosLocker Ransomware
The Federal Bureau of Investigation (FBI) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) have released a joint Cybersecurity Advisory identifying indicators of compromise associated with AvosLocker ransomware. AvosLocker is a ransomware-as-a-service affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors.
📰 Okta confirms 2.5% of customers were impacted by the hack in January
Okta, a major provider of access management systems, says that 2.5%, or approximately 375 customers, were impacted by a cyberattack claimed by the Lapsus$ data extortion group.
The company announced its conclusion today, saying that there are no corrective actions that its customers should take.
🏎 Honda Bug Lets Hacker Unlock and Start your Car via Replay Attack
The vehicles impacted by this bug primarily include the 2016–2020 Honda Civic (LX, EX, EX-L, Touring, Si, Type R) cars.
In a GitHub repository, security researcher Blake Berry showed that it was also possible to manipulate the captured commands and re-transmit them to achieve a different outcome altogether.
For example, in one of his tests, Berry recorded the "lock" command sent by the key fob, which consisted of the following bits:
[653–656, 667–668, 677–680, 683–684, 823–826, 837–838, 847–850, 853–854]
Berry then "flipped" and re-sent these bits to the vehicle, which in turn unlocked it. A receiver that accepts a static bit pattern with no freshness check cannot tell a recorded frame from a genuine button press, which is why both straight replay and bit-flipping work against it.
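To make the difference concrete, here is an added example (not Berry's code, and not a model of Honda's actual radio protocol) that simulates two toy key-fob receivers. The fixed-code receiver accepts any frame whose bits match a known command, so a captured "lock" frame can be replayed or bit-flipped into "unlock". The rolling-code receiver binds each frame to a fresh counter with an HMAC, so a replayed frame and a tampered frame are both rejected. The command encodings, the shared key, and the counter window are assumptions chosen for the demo.

```python
import hashlib
import hmac

# Constructed example: two toy key-fob receivers. They do not model Honda's
# radio protocol; they only show why a fixed-code receiver accepts a replayed
# (or bit-flipped) frame while a rolling-code receiver rejects it.

# Hypothetical 8-bit fixed-code commands that differ only in the lowest bit.
LOCK_FRAME = 0b10101100
UNLOCK_FRAME = 0b10101101

FOB_KEY = b"example-shared-secret"  # hypothetical secret shared by fob and car


def flip_bits(frame, positions):
    """Return frame with the given bit positions inverted (attacker tampering)."""
    for pos in positions:
        frame ^= 1 << pos
    return frame


def fixed_code_receiver(frame):
    """Accepts any frame equal to a known command; no freshness check at all."""
    if frame == LOCK_FRAME:
        return "locked"
    if frame == UNLOCK_FRAME:
        return "unlocked"
    return "ignored"


class RollingCodeFob:
    """Each press emits (counter, command, tag) with a fresh counter value."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def press(self, command):
        self.counter += 1
        msg = self.counter.to_bytes(4, "big") + command.encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        return (self.counter, command, tag)


class RollingCodeReceiver:
    """Accepts a frame only if its tag verifies and its counter is new."""

    WINDOW = 16  # tolerate a few presses made out of range of the car

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def receive(self, frame):
        counter, command, tag = frame
        msg = counter.to_bytes(4, "big") + command.encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        if not self.last_counter < counter <= self.last_counter + self.WINDOW:
            return "rejected: replayed or stale counter"
        self.last_counter = counter
        return {"lock": "locked", "unlock": "unlocked"}.get(command, "ignored")


def demo():
    """Capture a 'lock' from each fob type, then replay and tamper with it."""
    results = {}

    captured = LOCK_FRAME  # attacker records the fixed-code lock frame
    results["fixed_replay"] = fixed_code_receiver(captured)
    results["fixed_flipped"] = fixed_code_receiver(flip_bits(captured, [0]))

    fob = RollingCodeFob(FOB_KEY)
    car = RollingCodeReceiver(FOB_KEY)
    frame = fob.press("lock")  # attacker records this frame too
    results["rolling_first"] = car.receive(frame)
    results["rolling_replay"] = car.receive(frame)
    counter, _, tag = frame
    results["rolling_tampered"] = car.receive((counter + 1, "unlock", tag))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

Running it shows the fixed-code receiver reporting "locked" for the replay and "unlocked" for the single-bit flip, while the rolling-code receiver accepts the first frame and rejects the replay (stale counter) and the tampered frame (bad tag).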
📱 URL Rendering Trick Enables (WhatsApp, Signal, and iMessage) phishing
A rendering technique affecting Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, allowed threat actors to create legitimate-looking phishing messages for the past three years.
The vulnerabilities are rendering bugs: the apps' interfaces incorrectly display URLs that contain injected RTLO (right-to-left override) Unicode control characters, so the link a user sees is not the link they are actually sent to, leaving them open to URI spoofing.
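The following added example (not code from the disclosure or from any of the affected apps) shows the mechanism and the check a client should apply. A constructed URL has the host attacker.example, but its path starts with U+202E followed by "bank.example.com" spelled backwards, so a naive renderer displays the reversed text and the user sees a trusted-looking name. The `rendered_as` helper is a deliberate simplification of the Unicode Bidirectional Algorithm, enough to show the effect; `find_bidi_controls` and `linkify_safely` are the practical check: refuse to linkify or preview anything containing bidi control characters. All URLs are constructed for the demo.

```python
import unicodedata

# Unicode bidirectional control characters. Any of these inside a URL or
# link text can make the rendered string differ from the logical string.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f"                    # LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
)

# Constructed example: the host is attacker.example, but the path is a
# right-to-left override followed by "bank.example.com" spelled backwards.
SPOOFED_URL = "https://attacker.example/\u202emoc.elpmaxe.knab"
BENIGN_URL = "https://bank.example.com/login"


def find_bidi_controls(text):
    """Return (index, unicode name) for each bidi control character in text."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def strip_bidi_controls(text):
    """Remove bidi controls so the displayed string matches the logical string."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def rendered_as(text):
    """Approximate what a naive renderer shows: text after U+202E is reversed
    until a U+202C (pop directional formatting) or the end of the string.
    This is a simplification of the Unicode Bidirectional Algorithm."""
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\u202e":
            end = text.find("\u202c", i + 1)
            if end == -1:
                end = len(text)
            out.append(text[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible; drop them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def linkify_safely(text):
    """Policy a messaging client could apply before rendering a link:
    refuse to linkify anything that contains bidi control characters.
    Returns (link_or_None, list_of_offending_characters)."""
    hits = find_bidi_controls(text)
    if hits:
        return None, hits
    return text, []


def demo():
    return {
        "logical": strip_bidi_controls(SPOOFED_URL),
        "displayed": rendered_as(SPOOFED_URL),
        "controls": find_bidi_controls(SPOOFED_URL),
        "benign_ok": linkify_safely(BENIGN_URL)[0] == BENIGN_URL,
        "spoof_blocked": linkify_safely(SPOOFED_URL)[0] is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

For the spoofed URL the logical string ends in "moc.elpmaxe.knab" while the displayed string ends in "bank.example.com"; the detector reports one RIGHT-TO-LEFT OVERRIDE at index 25 and `linkify_safely` returns `None` for it, while the benign URL passes untouched.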
The vulnerabilities have been assigned the following CVEs and affect the following versions of the IM apps:
CVE-2020-20093 — Facebook Messenger 227.0 or prior for iOS and 228.1.0.10.116 or prior on Android
CVE-2020-20094 — Instagram 106.0 or prior for iOS and 107.0.0.11.120 or prior on Android
CVE-2020-20095 — iMessage 14.3 or older for iOS
CVE-2020-20096 — WhatsApp 2.19.80 or prior for iOS and 2.19.222 or prior on Android
Signal doesn’t have a corresponding CVE ID because the particular attack method was disclosed to them just recently.
Sick.Codes' advice to users of all IM apps is the following:
“Turn off link previews in everything, especially mail apps and anything related to notifications. Don’t visit weird websites with popups. Don’t click random prize giveaways. You already have a phone, so use your bookmarks and make sure to keep it up to date. Given the amount of zero-days flying around, especially those disclosed recently for iOS, it would be perilous to trust URLs in IMs.”
👾 Emergency Google Chrome Update fixes zero-day used in multiple attacks
While type confusion flaws generally end in a browser crash, because exploitation reads or writes memory outside the bounds of the object it was given, attackers can also use them to execute arbitrary code.
👾 Lapsus$ suspects arrested for Microsoft, Nvidia, Okta hacks
London police announced that seven individuals connected to the gang were arrested, and a minor from Oxford is believed to be one of the leaders behind the attacks on Nvidia, Samsung, Microsoft, and Okta. This 17-year-old is reported to have accumulated 300 BTC (about $13M) from his hacking activities.
🏴☠️ Hackers are stealing from Hackers using Fake Malware on Forums
Researchers from ASEC discovered ClipBanker being distributed disguised as a malware creation tool; once installed, it monitors the clipboard of the infected system for cryptocurrency wallet addresses.
🔐 Open-source database protection with field-level encryption and intrusion detection
Cossack Labs updated its flagship open-source product Acra database security suite to version 0.90.0 and made many of its core security features previously available only for enterprise customers free in Acra Community Edition.
Acra's features enable application-level encryption in modern cloud applications, saving development costs and allowing a tighter grip on the sensitive-data lifecycle.
🔬 Nano-antennas gather the power of light
Combining the light-enhancing qualities of plasmonic materials with the charge-handling abilities of polymer semiconductors creates nanometer-scale antennas that might one day provide a new way to power certain chemical reactions. When the researchers shone light on the nanoparticles, about 50% of the energy gathered in the plasmons was transferred to the polymer.
📝 Note — 🔐 Security — Encryption, Masking, Tokenization, are they the same?
Encryption combines a mathematical algorithm with secret information (the encryption key) to transform data into unreadable ciphertext. The original information can be retrieved by anyone holding the decryption key.
Tokenization is the process of turning a meaningful piece of data into a random string of characters called a token, which has no exploitable value if breached. The original data is retrieved by looking the token up in the token vault that maps it back to the original value; without access to the vault, the token is useless.
Masking or anonymization replaces the original information with null or fabricated data. It is irreversible, which is why it is sometimes described as permanent tokenization.
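The three techniques differ in how, and whether, the original value comes back. The added example below (illustrative code written for this note, not any product's implementation) applies each to a sample card number: encryption round-trips with the key and fails closed when the key is wrong, tokenization round-trips only through the vault, and masking never round-trips. The keystream built from SHA-256 stands in for a real cipher purely so the block runs on the standard library; in production use AES-GCM from a vetted library. The key, token format, and sample card number are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed example. The cipher below is a toy (SHA-256 keystream + HMAC)
# so the block runs without third-party packages; it is not a production
# construction. Use AES-GCM from a vetted library for real data.


def _keystream(key, nonce, length):
    """Derive `length` pseudorandom bytes from key, nonce and a block counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encryption: reversible by anyone who holds the key. Output is
    nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(12)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Verify the tag before decrypting; a wrong key or tampered blob raises."""
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def tamper_detected(key, blob):
    """True if decrypt() refuses the blob under this key."""
    try:
        decrypt(key, blob)
    except ValueError:
        return True
    return False


class TokenVault:
    """Tokenization: a random token maps to the original value only inside
    the vault. The token itself carries no information about the value."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        if value in self._by_value:  # same value always gets the same token
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)  # hypothetical token format
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        return self._by_token[token]


def mask_card(pan):
    """Masking: irreversible. Keeps only the last four digits for display."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def demo():
    key = secrets.token_bytes(32)
    pan = "4111 1111 1111 1111"  # constructed sample card number
    blob = encrypt(key, pan.encode())
    vault = TokenVault()
    token = vault.tokenize(pan)
    return {
        "encrypt_roundtrip": decrypt(key, blob).decode() == pan,
        "wrong_key_rejected": tamper_detected(secrets.token_bytes(32), blob),
        "token_reversible": vault.detokenize(token) == pan,
        "token_reveals_nothing": token.startswith("tok_") and "4111" not in token,
        "masked": mask_card(pan),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The `wrong_key_rejected` entry is the caveat worth remembering for encryption: the tag check must run before decryption so a wrong key or a modified blob fails closed rather than returning garbage. For tokenization, everything hinges on protecting the vault, since whoever can query it can reverse every token.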
📝 Note — 📡 Telco/IoT Security — Anatomy of Telco Networks
Mobile telco networks are generally separated into four logical parts:
- Radio Access Network: connects end-user devices, like smartphones, to other parts of the network through radio links.
- Core Network: central element of the network that provides services to customers who are connected by the access network.
- Transport Network: transports user data on a variable geographic scale.
- Interconnect Network: enables users from one network to communicate with users of another network.
📚 🤔 Books I’m Currently Reading
Title: The Inner Game of Tennis
Author: W. Timothy Gallwey
With more than 800,000 copies sold since it was first published thirty years ago, this phenomenally successful guide has become a touchstone for hundreds of thousands of people. Not just for tennis players, or even just for athletes in general, this handbook works for anybody who wants to improve his or her performance in any activity, from playing music to getting ahead at work. W. Timothy Gallwey, a leading innovator in sports psychology, reveals how to:
- focus your mind to overcome nervousness, self-doubt, and distractions
- find the state of “relaxed concentration” that allows you to play at your best
- build skills by smart practice, then put it all together in match play
Whether you’re a beginner or a pro, Gallwey’s engaging voice, clear examples, and illuminating anecdotes will give you the tools you need to succeed.
📚 🤩 Books I Recommend Reading
Title: Rest: Why you get more done when you work less
Author: Alex Soojung-Kim Pang
For most of us, overwork is the new norm, and we never truly take the time to rest and recharge. But as Silicon Valley consultant Alex Soojung-Kim Pang explains in this groundbreaking book, rest needs to be taken seriously and to be done properly, because when you rest better you work better. Drawing on emerging neuroscience, Rest is packed full of practical and easy tips for incorporating rest into our everyday:
- Stopping work on a task when you know exactly what the next step is will make it easier to get started the next day
- Take a long walk when you’re stuck on a task; it will help stimulate new ideas and creativity
- Have deliberate rest periods — scheduled into your diary — and use this time on trying a new activity
When you rest better you’ll find that it won’t just be your work which improves — you’ll have more time for hobbies, stronger relationships and you’ll sleep better, too.
🎙 Podcast — What’s behind Buy Now, Pay Later Scams?
Jim Ducharme, COO of Outseer, joins Dave to discuss buy now, pay later scams. Joe and Dave share some listener follow-up; Joe has an interesting story about an Unchained Capital partner and how they were hit with a social engineering attack; and Dave's story is on the FIDO Alliance. Our catch of the day comes from listener Matt, who shares how he "won" 20.5 million and why he wasn't falling for it.
🎥 Videos — To Have To Continuously Train your Mind
It doesn’t matter how much we work on our mindset, it’s easy for our brain to get us off track and push us away from what we are aiming to do. That’s why resetting our mindset and working on it every day is the key to staying in the mindset that enables us to reach our full potential. Otherwise, your brain will keep acting against you and get you stuck in negative self-talk.
Quote of the Week
“Everything can be taken from a man but one thing: the last of the human freedoms — to choose one’s attitude in any given set of circumstances, to choose one’s own way.” — Viktor E. Frankl