Hello and welcome to TSD, your regular blog post with top of mind security issues! TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.
Check back here every Tuesday for more TSD or sign up below to stay in the loop!
Hi Cyraloons and welcome to another week of TSD, your regular email / blog post with top of mind security issues, a few security tips for both work and home and at least 1 fun thing related to owls.
Please reach out to us directly, via security@cyral.com or on twitter at @dant24 if you have any questions, concerns, tips or anything else!
- Microsoft Patch Tuesday arrived last week after our publication with fixes for 113 total bugs, including 19 critical and 3 zero-days. One of the reasons for the plethora of bugs is that Microsoft hired SandboxEscaper, a former serial publisher of zero-days. More info at KrebsOnSecurity
- Linksys forced a password reset of all of their Smart Wi-Fi accounts due to an observed DNS hack that we first mentioned in TSD-03. Linksys said the attacks were due to credential stuffing, an attack where stolen credentials are reused on another website. Credential stuffing continues to be incredibly prevalent and is another reminder that you should never reuse passwords across different websites. More info at The Register
- Microsoft took down a botnet whose command and control center it traced to an Internet-connected LED light console! If you have any Internet-connected devices, please make sure that they can be secured before you buy them and take the necessary precautions when you install them. You can find the full details at BleepingComputer
- If you’re a security professional or at least interested in security and have some free cycles to donate, join the COVID-19 Cyber Threat Coalition slack. Learn more about what they and others are doing to fight criminal activity online at KrebsOnSecurity
- The spring issue of 2600 is out now, but it’s not hitting the stands like normal. Not only that, the issues have already been printed but were stopped from distribution, leaving 2600 stuck with the bill and possible penalties. The current issue that was already in bookstores also cannot be sold via drive-up. According to 2600, “this might be an insurmountable battle for us.” I’ve personally been reading 2600 for a long time; it fueled my interest in security when there weren’t many resources. I was always so excited to find the print issue when my parents brought me to one of the bookstores that actually carried it. If you’ve been a fan and don’t have an up-to-date subscription, get the latest issue mailed or digitally, or opt for one of the subscription packages, and read their full announcement at 2600 Spring Issue Update.
- One last thing for all the parents and really everyone out there, Elmo’s dad Louie has a special message for you. You are doing an amazing job!
Owl fun and facts:
In contrast to the Burrowing Owl of TSD-05, the Great Horned Owl is the quintessential storybook owl. This “tiger of the sky” can even take down raptors such as Ospreys and Peregrine Falcons, alongside small rodents and even scorpions.
This image is of a Great Horned Owl rescued from a chimney by Lindsay Wildlife Experience in Walnut Creek, California. The Lindsay Wildlife Experience was the US’s first wildlife hospital having been founded in 1955 and is currently running a donation campaign to ensure that they can continue their mission.
A Shout Out:
OWASP Zed Attack Proxy (ZAP) is an open source project that “can help you automatically find security vulnerabilities in your web applications.” ZAP was originally just a standalone proxy, but it has since added features that allow you to integrate it into your automation pipeline. Automating with ZAP is now easier than ever with the recently announced ZAP GitHub Action. Check out the new ZAP website today to get started.
That’s owl for now!