Weekend Update

A quick Saturday digest of cybersecurity news articles from other sources.


Ukraine Invasion Threatens US Cybersecurity

Hacking groups throughout the world are increasing their activities as a result of the Russian invasion of Ukraine on February 24, 2022. Some of these groups are supporting a particular side, while others simply want to take advantage of the resulting chaos.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning concerning the growing threat of advanced persistent threat (APT) actors resulting from the invasion. While world superpowers have fought each other by proxy in the past, the current conflict in Ukraine may be the first cyber proxy war.  More…


Why Apple hasn’t revealed their rumored AR/VR headset

Tamara Scott predicts that Apple won’t release their augmented reality product this year because they’re waiting for it to be perfect—or at least paradigm changing.  [about Augmented Reality (AR) Virtual Reality (VR), and the Metaverse]


The NSA Says that There are No Known Flaws in NIST’s Quantum-Resistant Algorithms

Bruce Schneier [2022.05.16] Rob Joyce, the director of cybersecurity at the NSA, said so in an interview:

The NSA already has classified quantum-resistant algorithms of its own that it developed over many years, said Joyce. But it didn’t enter any of its own in the contest. The agency’s mathematicians, however, worked with NIST to support the process, trying to crack the algorithms in order to test their merit.

“Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance,” Joyce said. “We’ve worked against all of them to make sure they are solid.”


Attacks on Managed Service Providers Expected to Increase

Bruce Schneier  [2022.05.17] CISA, NSA, FBI, and similar organizations in the other Five Eyes countries are warning that attacks on MSPs — as a vector to their customers — are likely to increase. No details about what this prediction is based on. Makes sense, though. The SolarWinds attack was incredibly successful for the Russian SVR, and a blueprint for future attacks.

News articles.


Websites that Collect Your Data as You Type

Bruce Schneier  [2022.05.19] A surprising number of websites include JavaScript keyloggers that collect everything you type as you type it, not just when you submit a form.   Research paper.


Bluetooth Flaw Allows Remote Unlocking of Digital Locks

Bruce Schneier  [2022.05.20] Locks that use Bluetooth Low Energy to authenticate keys are vulnerable to remote unlocking. The research focused on Teslas, but the exploit is generalizable. Another news article.


Half of IT leaders say passwords too weak for security purposes

Most IT leaders are worried about passwords being stolen at their organization, according to a survey from Ping Identity.  [Bob says, Only half?  What’s wrong with the other half?]  Article discusses passwordless authentication.


M1 Chip Vulnerability

Bruce Schneier

This is a new vulnerability against Apple’s M1 chip. Researchers say that it is unpatchable.

Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory, however, have created a novel hardware attack, which combines memory corruption and speculative execution attacks to sidestep the security feature. The attack shows that pointer authentication can be defeated without leaving a trace, and as it utilizes a hardware mechanism, no software patch can fix it.  More…


Privacy and Your Cell Phone

Here is a good resource for anyone concerned with cellphone privacy issues.


SolarWinds Security Announcement

The December 2020 SUNBURST cyberattack on the SolarWinds® software build environment shows sophisticated attacks are becoming more common, and what was once industry-standard is no longer sufficient. As a result, we created our Secure by Design principles with a focus on people, infrastructure, and software development.

Starting in 2021, we rolled out incremental changes to elevate the strength and integrity of our build environment. As a result, we’ve created a new standard for the secure software development life cycle.

Download our whitepaper to learn about the SolarWinds next-generation build system, how it meets the four tenets of Secure by Design principles, and how this affects software development in 2022 and beyond.


Attacking the Performance of Machine Learning Systems

Bruce Schneier

Interesting research: “Sponge Examples: Energy-Latency Attacks on Neural Networks“:


Cybersecurity expert reveals how $13,000 of fuel was stolen from Virginia gas station

VIRGINIA BEACH, Va. — Virginia Beach Police are investigating an incident where people reportedly hacked into a gas station pump and stole more than $13,600 worth of gas. Two men have been charged in connection with the crime.

Police said it happened at the CITGO gas station on 1405 North Great Neck Road in Virginia Beach.

Officers said the individuals used a remote device to hack the pump and steal over 400 gallons of fuel in the span of a few hours. The devices allowed them to bypass the computer and not register the sale.  More…


Mullvad VPN – Here’s a company that is serious about customer privacy!

At Mullvad VPN we strive to know as little as possible about our users. We are constantly looking for ways to reduce the amount of data we store while still providing a usable service. Nowhere is the tension between privacy and usability more apparent than in the area of payments.  More…


2022 Dark Web prices for cybercriminals services

Almost every cybercriminal service is on sale on the Dark Web’s marketplaces and forums. Learn more about these service’s prices in 2022 and how to protect from being exposed on the Dark Web.


 

 

0

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
  Related Posts

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.