Weekend Update

A quick Saturday digest of cybersecurity news articles from other sources.

Barracuda Networks Releases Update to Address ESG Vulnerability

06/15/2023 08:00 AM EDT

Barracuda Networks has released an update to their advisory addressing a vulnerability—CVE-2023-2868—in their Email Security Gateway Appliance (ESG). According to Barracuda, customers should replace impacted appliances immediately.

CISA urges organizations to review the Barracuda advisory and for all impacted customers to follow the mitigation steps as well as hunt for the listed indicators of compromise (IOCs) to uncover any malicious activity. For more information, see Mandiant’s advisory on Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor.

Note: Customers who used enterprise privileged credentials for management of their Barracuda appliance (such as Active Directory Domain Admin or similar) should take immediate incident investigation steps to validate the use and behavior of all credentials used on the appliance. It is of utmost importance to verify that threat actors have not compromised customer enterprise networks via this entry vector.

Worker Deletes Thousands Of Files He Created After Finding Out That The Company That Fired Him For Being ‘Incompetent’ Is Still Using His Work

Most companies make new employees well aware that anything they create during work hours is no longer their intellectual property but belongs to the organization they work for. That doesn’t take the sting out of relinquishing the rights to everything you’ve spent time on when you leave employment, as one fired employee learned the hard way.

In a Reddit post titled “I just deleted thousands of hours of work from my old job,” later shared on a TikTok account called “@reddit_replay,” a man described what happened when he realized his former employer was still using the work he created, despite telling him that he was not competent enough for the job.

EU AI draft law: Could Europe’s new AI rulebook set a global precedent?

Dubbed the AI Act, Europe’s draft regulations concerning the use of artificial intelligence are comprehensive and far-reaching. Here’s what you need to know.

[Bob says: Of course this act will set a world-wide precedent and standard, just as the GDPR has for privacy.]

Bruce Schneier Cryptogram

I have been reposting lots of Bruce’s articles for many years, and at some level it is a little like plagiarism. This month’s issue is so chock-full of security goodness that I decided simply to post the links he provided in his email.

If these links don’t work in your email client, try reading this issue of Crypto-Gram on the web.

  1. Micro-Star International Signing Key Stolen
  2. Microsoft Secure Boot Bug
  3. Security Risks of New .zip and .mov Domains
  4. Google Is Not Deleting Old YouTube Videos
  5. Credible Handwriting Machine
  6. Indiana, Iowa, and Tennessee Pass Comprehensive Privacy Laws
  7. On the Poisoning of LLMs
  8. Expeditionary Cyberspace Operations
  9. Brute-Forcing a Fingerprint Reader
  10. Chinese Hacking of US Critical Infrastructure
  11. On the Catastrophic Risk of AI
  12. Open-Source LLMs
  13. The Software-Defined Car
  14. Snowden Ten Years Later
  15. How Attorneys Are Harming Cybersecurity Incident Response
  16. Paragon Solutions Spyware: Graphite
  17. Operation Triangulation: Zero-Click iPhone Malware
  18. AI-Generated Steganography
  19. Identifying the Idaho Killer
  20. On the Need for an AI Public Option



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
