Hello and welcome to TSD, your regular blog post with top of mind security issues! TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.
Check back here every Tuesday for more TSD or sign up below to stay in the loop!
Hi Cyraloons and welcome to another week of TSD, your regular email / blog post with top of mind security issues, a few security tips for both work and home and at least 1 fun thing related to owls.
- ZecOps announced that it has found with “high confidence” iPhone zero-day exploitation in the wild “affecting the default Mail application on iOS dating as far back as Jan 2018.”. Apple responded and downplayed the attack yet announced that they will release a patch soon and ZecOps promised to release more information once the fix is available. If you have an iPhone, there is a near zero likelihood that you’ll ever have to worry about one of these zero-day exploits. These are targeted at very specific people. You should keep your phone up to date though to make sure that once it is more widely known you are not affected.
- One bug that could affect your iPhone though is a new text string of Sindhi characters that will crash your phone if you receive it. Originally, it seemed to require an Italian flag, but other users have reported that just the Sindhi characters are all that is needed. If this does happen to you, simply reboot your phone and your phone will be back to normal. More info available at 9to5Mac
- Zoom just released 5.0 with security and privacy features. Glad to see that Zoom is following through with their promise to focus on security and privacy. Make sure you have auto update on if you’re using Zoom. More info at The Verge
- Small business owners that applied for a loan from the SBA may have had their personal information exposed if others hit the back button during the application process. Those that were notified were told that there is no current evidence that the information has been used maliciously. More info at CNBC
- The Supreme Court will be hearing a case that could remake the Computer Fraud and Abuse act (CFAA). “The fight centers on whether the law should apply just to hacking or more broadly to breaking rules on a computer.” Prosecutors are given wide range on how they apply the CFAA and their is wide discrepancy, from merely breaking a website Terms of Service (TOS) all the way to actually bypassing security controls. The CFAA is 34 years old and was written in a much, much different time. More info at Washington Post
Owl fun and facts:
Newborn Great Horned Owls typically spend about 6 weeks in their nest, they start to fly after about a week of testing out nearby branches and become competent flyers at about 10 – 12 weeks old.
It’s breeding season, and you can watch a livestream of this Great Horned Owl family from the Owl Research Institute at Explore.org
A Shout Out:
Bust-a-Kube “is an intentionally-vulnerable Kubernetes cluster, intended to help people self-train on attacking and defending Kubernetes clusters”. Watch the creator of Bust-a-Kube Jay Beale talk from RSA 2020 on Kubernetes Practical Attack and Defenses to see it in action
That’s owl for now!