Feedback & Followups
- 🇺🇸 The recently disclosed massive hack of western telecommunications firms that led the US FBI & CISA to issue advice to switch to E2EE VoIP and messaging apps like Signal over SMS & phone calls has been confirmed to be just a little bit bigger — the official tally of compromised US telcos has gone from 8 to 9 — www.bleepingcomputer.com/…
- Related: Two of the now nine breached US telcos, AT&T & Verizon, have reported that the attackers have been successfully evicted from their networks — www.bleepingcomputer.com/…
- 🇺🇸 Meta scored an important legal victory against the NSO Group over their infamous Pegasus spyware’s hacking of WhatsApp — a US federal judge in CA has issued a pre-trial ruling that the Israeli company did hack Meta’s servers, so the only issue left for the trial to decide is the damages. The ruling was scathing against the NSO Group, calling them out for failing to comply with discovery orders — www.bleepingcomputer.com/…
- 🇺🇸 The US Federal Trade Commission (FTC) has wrapped up its investigation of the massive 344M-user data breach at Starwood Hotels (a subsidiary of Marriott) in 2016: the company has been ordered to implement a comprehensive information security program and to submit to supervision for 20 years — www.bleepingcomputer.com/…
Deep Dive(s)
⚠ Action Alerts
- A timely reminder of why you can’t run un-patched or un-patchable routers: Malware botnets exploit outdated D-Link routers in recent attacks — www.bleepingcomputer.com/…
Worthy Warnings
- Cybersecurity researchers are warning of a novel take on the concept of click-jacking, which they’ve dubbed DoubleClickjacking — www.bleepingcomputer.com/…
- Traditional click-jacking was a big problem about a decade ago, when attackers noticed they could abuse transparent iframes to trick users into clicking on buttons they could not see, and hence inadvertently grant permissions to the attackers, but browsers and websites developed strong defences against this technique, denting the technique’s effectiveness
- Security researchers have observed a new variant of this attack that evades all current protections by abusing the sub-second timing delay between the two halves of a human double-click, letting them sneak the malicious button under the mouse pointer in time for the second half of the double click, and then hiding it again before a human can see or do anything
- It’s inevitable browsers and websites will develop defences against this new variant too, but that’s going to take time
- In the meantime, don’t allow any website to social-engineer a click gesture on the web. This is not normal, so you can assume all such requests are illegitimate!
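As an added illustration of the defensive side of the story above (this is my own example, not code from the article or from the researchers who disclosed DoubleClickjacking), the snippet below models one mitigation pattern for sensitive buttons: only honour a click once the page has been visible for a settle period and has seen genuine pointer movement, and reject a click that arrives as the second half of a double-click. It also shows the anti-framing headers that stop classic iframe click-jacking, with a note on why they do not cover the new window-based variant. The function names, timing thresholds, and the scenario timestamps are all assumptions of this example; the logic is pure JavaScript with no DOM so it runs under Node, and the comments describe how it would be wired to browser events.

```javascript
// Added example (not from the article): an "arm on real interaction" guard
// for sensitive controls (OAuth consent, payment, account changes).
// Assumed defaults; tune to the OS double-click interval in practice.
const DEFAULTS = {
  settleMs: 500,      // page must have been visible/focused at least this long
  doubleClickMs: 500, // clicks closer together than this are a double-click
};

function createClickGuard(options = {}) {
  const cfg = { ...DEFAULTS, ...options };
  let visibleAt = null;   // when the document became visible or focused
  let lastMoveAt = null;  // last genuine pointer movement after that
  let lastClickAt = null; // last click this page saw

  return {
    // Wire to load, 'visibilitychange' (when visible) and window 'focus'.
    onVisible(now) {
      visibleAt = now;
      lastMoveAt = null;  // movement seen before we were visible does not count
      lastClickAt = null;
    },
    // Wire to 'pointermove'; only forward events with event.isTrusted === true.
    onPointerMove(now) {
      if (visibleAt !== null && now >= visibleAt) lastMoveAt = now;
    },
    // Call from the click handler of a sensitive button before acting on it.
    // Returns { accept, reason } so the page can also log rejected clicks.
    evaluateClick(now) {
      const prevClick = lastClickAt;
      lastClickAt = now;
      if (visibleAt === null) return deny('page-not-visible');
      if (now - visibleAt < cfg.settleMs) return deny('page-just-appeared');
      if (lastMoveAt === null) return deny('no-pointer-movement');
      if (prevClick !== null && now - prevClick < cfg.doubleClickMs) {
        return deny('inside-double-click-window');
      }
      return { accept: true, reason: 'ok' };
    },
  };
}

function deny(reason) {
  return { accept: false, reason };
}

// Response headers that stop classic click-jacking by refusing to be framed.
// They do not help against a variant that swaps a whole top-level window
// under the cursor, which is why the client-side guard above still matters.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Constructed scenario (timestamps in ms, chosen for this example):
//  1. page appears at t=0, no mouse movement, click lands 200 ms later
//     (the second half of a double-click that began somewhere else);
//  2. page re-appears at t=1000, user moves the mouse at t=1700, clicks at t=2400.
function demoScenarios() {
  const guard = createClickGuard();
  guard.onVisible(0);
  const swapped = guard.evaluateClick(200);   // rejected: page-just-appeared
  guard.onVisible(1000);
  guard.onPointerMove(1700);
  const legit = guard.evaluateClick(2400);    // accepted
  return { swapped, legit };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoScenarios());
  console.log(antiFramingHeaders());
}
```

In a real page the guard would be created once, fed `Date.now()` (or `event.timeStamp`) from the listeners named in the comments, and consulted from the click handler of each sensitive control, keeping the control visually disabled until `onPointerMove` has fired. The headers belong on every authenticated response, not only on the page with the button.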
Notable News
- Details have emerged of a broad phishing campaign targeted at Chrome browser plugin developers that succeeded in injecting malware into at least 35 extensions, most notably those from security firm Cyberhaven — www.bleepingcomputer.com/…
- This story emphasises the fact that attackers are heavily focusing on browser plugins these days, seeing them as one of the weakest links in our current cybersecurity chain.
- Attackers are specifically targeting the developers of popular legitimate plugins, so just avoiding new and rarely used plugins is not going to provide any defence.
- The advice to enterprises is to move from a block-listing to an allow-listing approach for plugins, which is a lot of extra work, so I doubt that’s going to happen in all but the most security-aware organisations
- For home users, the only vaguely useful advice is to run only plugins that give you genuine value, so you are getting something real in return for the security tradeoff each plugin represents.
- Expect this to get worse before it gets better — 2025 is likely to be the year where browser plugin compromises really start making the news in all the wrong ways
- 🇮🇹 Italy fines OpenAI €15M for ChatGPT GDPR violations, but more importantly, forces the company to launch a national ad campaign informing users of how to exercise their GDPR rights with respect to ChatGPT — thehackernews.com/…
- 🇺🇸 2024 was noteworthy for the number of US health organisations that suffered massive data breaches as cybercriminals turned their attention to what has proved to be a woefully under-prepared sector. This has now triggered the Department of Health & Human Services (HHS) to update the HIPAA cybersecurity rules to raise the baseline requirements for all healthcare organisations — www.bleepingcomputer.com/…
- Apple will pay $95 million to people who were spied on by Siri – The Verge www.theverge.com/…
Excellent Explainers
- Related: An excellent overview of how the state of AI has evolved in 2024: Things we learned about LLMs in 2024 — simonwillison.net/…
- Not strictly a cybersecurity topic, but relevant none-the-less, because attackers are already using LLMs to craft better phishing and social engineering attacks, and that trend is only going to grow in 2025!
Interesting Insights
- A nice overview of the biggest cybersecurity stories of 2024 — www.bleepingcomputer.com/…
- From Bob Goodrich & Norbert Frassa in our Slack: Passkey technology is elegant, but it’s most definitely not usable security — Ars Technica
Palate Cleansers
- Allison asked on Mastodon, why isn’t open source hyphenated when used in the phrase “open source license”? Calum aka @[email protected] responded with the official answer from opensource.org
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ⚠ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |