WyzGuys Tech Talk

A quick Saturday digest of cybersecurity news articles from other sources.

Barracuda Networks Releases Update to Address ESG Vulnerability

06/15/2023 08:00 AM EDT

Barracuda Networks has released an update to their advisory addressing a vulnerability—CVE-2023-2868—in their Email Security Gateway Appliance (ESG). According to Barracuda, customers should replace impacted appliances immediately.

CISA urges organizations to review the Barracuda advisory and for all impacted customers to follow the mitigation steps as well as hunt for the listed indicators of compromise (IOCs) to uncover any malicious activity. For more information, see Mandiant’s advisory on Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor.

Note: Customers who used enterprise privileged credentials for management of their Barracuda appliance (such as Active Directory Domain Admin or similar) should take immediate incident investigation steps to validate the use and behavior of all credentials used on the appliance. It is of utmost importance to verify that threat actors have not compromised customer enterprise networks via this entry vector.

Worker Deletes Thousands Of Files He Created After Finding Out That The Company That Fired Him For Being ‘Incompetent’ Is Still Using His Work

Most companies make new employees well aware that anything they create during work hours is no longer their intellectual property but belongs to the organization they work for. That doesn’t take the sting out of relinquishing the rights to everything you’ve spent time on when you leave employment as one fired employee learned the hard way.

In a Reddit post titled “I just deleted thousands of hours of work from my old job,” later shared on a TikTok account called “@reddit_replay,” a man described what happened when he realized his former employer was still using the work he created, despite telling him that he was not competent enough for the job.  More…

EU AI draft law: Could Europe’s new AI rulebook set a global precedent?

Dubbed the AI Act, Europe’s draft regulations concerning the use of artificial intelligence are comprehensive and far-reaching. Here’s what you need to know.

[Bob says: Of course this act will set a world-wide precedent and standard, just as the GDPR has for privacy.]

Bruce Schneier Cryptogram

I have been reposting lots of Bruce’s articles for many years and at some level it is a little like plagiarism.  This month’s issue is so chock full of security goodness that I decided simply to post the links he provided in his email.

If these links don’t work in your email client, try reading this issue of Crypto-Gram on the web.

1. Micro-Star International Signing Key Stolen
2. Microsoft Secure Boot Bug
3. Security Risks of New .zip and .mov Domains
4. Google Is Not Deleting Old YouTube Videos
5. Credible Handwriting Machine
6. Indiana, Iowa, and Tennessee Pass Comprehensive Privacy Laws
7. On the Poisoning of LLMs
8. Expeditionary Cyberspace Operations
9. Brute-Forcing a Fingerprint Reader
10. Chinese Hacking of US Critical Infrastructure
11. On the Catastrophic Risk of AI
12. Open-Source LLMs
13. The Software-Defined Car
14. Snowden Ten Years Later
15. How Attorneys Are Harming Cybersecurity Incident Response
16. Paragon Solutions Spyware: Graphite
17. Operation Triangulation: Zero-Click iPhone Malware
18. AI-Generated Steganography
19. Identifying the Idaho Killer
20. On the Need for an AI Public Option