Hello and welcome to TSD, your weekly blog post with top of mind security issues. TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.
Check back here every Tuesday for more TSD or sign up below to stay in the loop!
Please reach out to us directly, via security@cyral.com or on Twitter at @dant24 if you have any questions, concerns, tips or anything else!
- It’s election time so disinformation and spam campaigns are on the rise. Motherboard began reporting that people were receiving emails reportedly from a far-right group threatening voters if they didn’t vote for the president. CISA’s Chris Krebs later publicly tweeted that it was coming from Iran. The US Treasury followed up by placing sanctions on Iranian entities for their role in this other election interference campaigns, via ZDNet. Normally attribution takes much longer, but according to one official “they made a dumb mistake”, via Reuters. Meanwhile ZDNet is also reporting that two anti spam firms are seeing a new round of phishing attempting to collect personal info via fake voter registration forms.
- Did a Dutch researcher guess that the President’s Twitter password was “maga2020!”, TechCrunch is reporting on his claims. Motherboard did a little more digging and found some inconsistencies with the evidence offered. I hope that wasn’t his password and if that is your password that is definitely going to be added to brute-forcing dictionaries. Unfortunately, that password often satisfies password complexity requirements technically, but only technically. XKCD has a great explainer on both password strength and password reuse. Please use a password manager and you can have unique non guessable passwords across all of your sites.
- Nvidia released a patch for bugs that include privilege escalation and code execution via BleepingComputer. Please update ASAP. Hopefully AOC and Ilhan have updated as well.
- The Nano Adblocker extension had over 300,000 users and was recently sold and began monitoring all requests and at the very least liking Instagram accounts. If you’ve installed this extension, please remove it ASAP. The extension has already been removed from the webstore. Read more at Ars Technica.
- SC Media just published 2020 Women in IT Security and the list is impressive. So many awesome women doing amazing things!
- Wired just published a profile of Project Zero’s Maddie Stone. “Stone’s most important job isn’t just to check the mouse traps. It’s to figure out how to build a better one.”
- A new report finds that law enforcement from all 50 states across 2,000 agencies have conducted at least 50,000 extractions from mobile devices from 2015 – 2019. These extractions copy all data from a cell phone. The laws around data handling vary from state to state and range from deleting data that is irrelevant to the case to keeping all data in perpetuity whether or not the person was charged with a crime, let alone convicted. Needless to say, the calls for weaker privacy protections for cell phones and limited use of encryption cracking seem to be irrelevant given how widespread the practice is already. Read more of the analysis at Wired and then go ahead read Upturn’s full report, Mass Extraction: The Widespread Power of US Law Enforcement to Search Mobile Phones.
Owl-o-ween tricks and treats:
There’s new research out investigating the DNA of owls and how they may have evolved adaptations to nocturnal predatory lifestyle. “There’s something special in the way the DNA molecules in their eyes are packaged, giving them a powerful visual advantage in the dark.” ScienceAlert has a good article summarizing the results or dive straight into the article published in Genome Biology and Evolution.
A Shout Out:
Marco Lancini of CloudSecList aka Cloud Security Reading List has a new project called CloudSecDocs.
“CloudSecDocs is a website collecting technical notes, how-tos, and cheatsheets related to cloud-native technologies (not only security-focused), hand curated by Marco Lancini.”
Read more about the project at his blog post Introducing CloudSecDocs.com
That’s owl-o-ween for now!
