AppsMas: 9 Memorable Moments of 2022
Thu, 12/08/2022 – 22:38
The attack was followed by a series of failed attempts to hack India’s top medical research organization, the Indian Council of Medical Research. This raised further concerns about the vulnerability of India’s health system to attacks at a time when the government is pushing hospitals to digitize their records. More than 173,000 hospitals have registered with a federal program to digitize health records since its launch in September 2021. The program assigns patients numbers that are linked to medical information stored by hospitals on their own servers or in cloud-based storage. Experts fear that hospitals may not have the expertise to ensure digital security.
On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22. In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.
“The need to reduce cyber risk has never been greater, and SafeBreach has demonstrated excellence in this regard. The TAG Cyber analysts have selected SafeBreach as a 2022 Distinguished Vendor, and such award is based on merit. Enterprise teams using SafeBreach’s platform will experience world-class risk reduction. Nothing is more important in enterprise security today.” – TAG Cyber
While privacy groups and apps applaud Apple for the expansion of end-to-end encryption in iCloud, governments have reacted differently. In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it’s “deeply concerned with the threat end-to-end and user-only-access encryption pose.” Speaking generally about end-to-end encryption like Apple’s Advanced Data Protection feature, the bureau said that it makes it harder for the agency to do its work and that it requests “lawful access by design”: “This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime, and terrorism,” the bureau said in an emailed statement. “In this age of cybersecurity and demands for ‘security by design,’ the FBI and law enforcement partners need ‘lawful access by design.’”
FIDO2 has become a prominent touchstone in security conversations, primarily those around Zero Trust authentication. The significant increase in authentication attacks over the last several years, despite many of the breached companies having multi-factor authentication (MFA) in place, makes clear that traditional, non-FIDO MFA methods have failed. The Office of Management and Budget (OMB) endorses FIDO, and the Cyber and Infrastructure Security Agency (CISA) describes it as the “gold standard” of phishing-resistant MFA.
Welcome back to Chain Reaction.
It’s still a pretty busy time in the wild, wild world of crypto. But it felt somewhat more tame than the whirlwind the industry has experienced in the past few weeks, and for that, I thank the crypto gods (for now.)
Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.
Zscaler’s ThreatLabz researchers recently observed the rise of a sophisticated phishing campaign spreading via fake banking sites targeting big Indian banks like HDFC, AXIS and SBI. The team will continue monitoring the emerging situation and will provide an update on any significant new developments. Previously, ThreatLabz researchers observed Indian banking customers being targeted with fake complaint forms from phishing sites spreading short message service (SMS) mobile text stealer malware. In contrast, this new campaign leverages fake card update sites to spread Android-based phishing malware aimed at collecting banking information for financial fraud.
Ubuntu Security Notice USN-5768-1
December 08, 2022
Businesses are often in the dark when it comes to applying for a cyber insurance policy. What documentation is necessary? What should they expect? What security controls are underwriters actually looking for? I spoke to John Hennessy, RVP of underwriting at Cowbell, for an insider’s perspective on the underwriting process.
A year ago, in December 2021, the Log4Shell vulnerability (CVE-2021-44228) in the Apache Log4j library caused a sensation. Although by the spring it was no longer on the front pages of IT media outlets, in November 2022 it reemerged when it was reported that cybercriminals had exploited the vulnerability to attack a US federal agency and install a cryptocurrency miner in its systems. That’s a good reason to explain what Log4Shell actually is, why it’s too early to write it off, and how to protect your infrastructure.
Written by Suzanne Smalley
Malicious hackers, hell-bent on infiltrating an organisation, have no qualms about exploiting even the most tragic events.
On the second day of the Zero Day Initiative’s Pwn2Own Toronto 2022 hacking competition, participants earned a total of more than $280,000 for smart speaker, smartphone, printer, router, and NAS exploits.
A bunch of Android OEM signing keys have been leaked or stolen, and they are actively being used to sign malware.
Getting those customers would require abandoning the company’s mechanical inertial-sensor systems in favor of a new, unproven quartz technology, miniaturizing the quartz sensors, and turning a manufacturer of tens of thousands of expensive sensors a year into a manufacturer of millions of cheaper ones.
Just to clarify, the subheading isn’t a normal quote, but a message that Janicab malware attempted to decode in its newest use of YouTube dead-drop resolvers (DDRs).