Rails 7 FTW | WFH is SOP | 586M Passwords Dumped - DevOps.com

In this week’s #TheLongView:
1⃣ Ruby on @Rails 7.0 is go,
2⃣ #WorkingFromHome is still de rigueur, and
3⃣ @HaveIBeenPwned gets far, far bigger.

At @DevOpsDotCom: https://t.co/hcEzoNdi99

— @Richi 😷 Jennings (@RiCHi) December 21, 2021

Boston Cops buy Stingray Spy Stuff—Spending Secret Budget - Security Boulevard

Evil Twin Paid For by … Police all over the nation are using IMSI catchers—such as the infamous Stingray device—to surveil suspects. For example, Boston police spent over $600K in 2019 from a hidden budget (despite Stingray use being effectively illegal in Massachusetts).

Shame about that, because the @ACLU is off to court.

In today’s #SBBlogwatch, we plead the fifth (and the fourth). At @SecurityBlvd: https://t.co/3gIfaiFAw2

— @Richi 😷 Jennings (@RiCHi) December 20, 2021

NSO Zero-Click Exploit: Turing-Complete CPU in Image File - Security Boulevard

SEAR+GP0 vs. NSO: Researchers have reverse engineered NSO Group’s recent zero-click iPhone exploit—from the Pegasus spyware suite. And it’s a doozy: People are using words like, “terrifying,” “alarming,” “dangerous,” “weird,” “amazing,” “impressive,” “brilliant” and “ridiculous.”

It exploits a parser for #JBIG2—an obsolete file format. In today’s #SBBlogwatch, we wonder what other nasties lurk in unmaintained, legacy #OpenSource code.

At @SecurityBlvd: https://t.co/GojEm4oOSo

— @Richi 😷 Jennings (@RiCHi) December 17, 2021

U.S. Govt. CX EO | Mozilla Revenue | Log4j Latest - DevOps.com

In this week’s #TheLongView:
1⃣ Improving U.S. #government #CX,
2⃣ how much money @Mozilla make, and
3⃣ the latest on the #Log4j / #Log4Shell débâcle.

At @DevOpsDotCom: https://t.co/LfQimL14bL

— @Richi 😷 Jennings (@RiCHi) December 15, 2021

Apple AirTag Android App is Absolutely Awful—Tracker Detect Fail - Security Boulevard

Follow the Money: Apple is proud to announce its anti-stalking app for Android. The Tracker Detect app lets Android users scan for malicious, hidden AirTag trackers placed by stalkers, thieves and other bad people. Sounds great, right? Except …

Good grief. In today’s #SBBlogwatch, we get lost.

At @SecurityBlvd: https://t.co/YD5Ig76Q8p

— @Richi 😷 Jennings (@RiCHi) December 14, 2021

Update: Log4Shell RCE Zero-Day—Reactions and Recriminations - Security Boulevard

Java Considered Harmful: Last week’s critical bug in Log4j still reverberates ’round the racks. Disbelief quickly gave way to denial and bargaining.

Next up: Depression and acceptance. In today’s #SBBlogwatch, we wave goodbye to @Java.

At @SecurityBlvd: https://t.co/vKl9vMyGq6

— @Richi 😷 Jennings (@RiCHi) December 13, 2021

Google Nukes Ad-Blockers—Manifest V3 is Coming - Security Boulevard

Manifest Destiny: Firefox? Makers of ad-blocker and anti-tracking browser extensions are spitting blood. Google is planning to change everything, removing features in the Chrome browser APIs that these extensions rely on.

Google calls it #ManifestV3. EFF calls it a “conflict of interest.” In today’s #SBBlogwatch, we call it deeply suspicious.

At @SecurityBlvd: https://t.co/8iRJMo74kL

— @Richi 😷 Jennings (@RiCHi) December 10, 2021

AWS Outage Outrage | Rusty Linux | ARM Latest - DevOps.com

The Moral of the Story: It’s no secret that the both of us are running out of time

In this week’s #TheLongView:
1⃣ Amazon Web Services/@AWSCloud falls on its face,
2⃣ #Linux’s move to #Rust takes the next step, and
3⃣ the @FTC stabs another fatal wound in the horrible @Arm/@Nvidia deal.

At @DevOpsDotCom: https://t.co/q6qyvMhqNJ

— @Richi 😷 Jennings (@RiCHi) December 9, 2021

Microsoft Whac-A-Moles Websites of Chinese Hackers APT15 (‘NICKEL’) - Security Boulevard

Vixen Panda, Royal Dragon: Microsoft issued another of its “look how clever we are” press releases yesterday. It claims to be thwarting Chinese hackers it codenames NICKEL.

It’s not the first time we’ve seen @Microsoft try this tactic. In today’s #SBBlogwatch, we wonder if it actually does any good.

At @SecurityBlvd: https://t.co/BV5CKz4W8u

— @Richi 😷 Jennings (@RiCHi) December 7, 2021

Home Routers are Full of Security Bugs—Patch NOW - Security Boulevard

Cheap, Lazy Vendors: Researchers running automated pentests against nine consumer routers discovered a bucketful of bugs. Vendors such as TP-Link and Linksys came off worst.

So, yes, check for #patches—even if your router isn’t one of the ones tested. In today’s #SBBlogwatch, we don’t trust the auto-update feature.

At @SecurityBlvd: https://t.co/7IR8yuccRd

— @Richi 😷 Jennings (@RiCHi) December 6, 2021

$150M Stolen in ‘Imaginary Money’ Crypto/DeFi Hacks - Security Boulevard

DeFi DAO D’oh! This week saw a pair of high-profile cryptocurrency thefts, totaling over $150 million. One from MonoX and one from BadgerDAO.

Schadenfreude for those of us who know this craze for #ImaginaryMoney is hilariously dumb.

In today’s #SBBlogwatch, we break out the popcorn. At @SecurityBlvd: https://t.co/PZACAzzF3J #DeFi

— @Richi 😷 Jennings (@RiCHi) December 3, 2021

AWS re:Invent Roundup: Private 5G | Graviton3 ARM Chips | DevOps Guru++ - DevOps.com

The Moral of the Story: Misfortune tests the sincerity of friends

In this week’s #TheLongView, three things that caught my eye from Amazon Web Services’ #reInvent 2021 conference:
1⃣ #Private5G,
2⃣ #Graviton3 chips, and
3⃣ something called #DevOpsGuru for RDS (yes, really).

At @DevOpsDotCom: https://t.co/zxrm4gd0M1 @AWSCloud #DevOps #5G $AMZN

— @Richi 😷 Jennings (@RiCHi) December 2, 2021

Crypto Mining Hackers vs. Cloud Computing—Google States the Obvious - Security Boulevard

GCP CAT Fluff: Google’s new Cybersecurity Action Team (CAT) would like you to know that insecure cloud instances can be hijacked by hackers. And the #1 workload they use to steal your CPU time is cryptocurrency mining.

But let’s look closer. In today’s #SBBlogwatch, we see if there’s a “there” there.

At @SecurityBlvd: https://t.co/jLlki8EdHX

— @Richi 😷 Jennings (@RiCHi) November 29, 2021

WTH? We Wanna WFH | DoD Dual-Sources JWCC | More Nvidia ARM Woes - DevOps.com

The moral of the story: You are known by the company you keep

In this week’s #TheLongView:
1⃣ Working from home is de rigueur,
2⃣ #JEDI redux (#JWCC), and
3⃣ more about @Nvidia/@Arm.

At @DevOpsDotCom: https://t.co/wOlrfBaOnx

— @Richi 😷 Jennings (@RiCHi) November 24, 2021

Biggest Single Crypto Theft: Teen Charged with $36M SIM-Swap Heist - Security Boulevard

HPSCU+FBI+SSECTF: A Canadian has been charged with stealing C$46 million of imaginary money. Police in the city of Hamilton, near Toronto, won’t say who the alleged perp is, or even their age—aside from being a “teenager.”

Get off my lawn, you pesky kids.

In today’s #SBBlogwatch, we vicariously visit #TheElectricCity. At @SecurityBlvd: https://t.co/QiH6ejHbSB

— @Richi 😷 Jennings (@RiCHi) November 22, 2021

Nvidia/ARM Wavering | Google Outage Outrage | Backblaze IPO on Fire - DevOps.com

In this week’s #TheLongView:
1⃣@Nvidia’s faltering attempt to buy @Arm,
2⃣@Google’s load balancers go offline, and
3⃣@Backblaze’s newly-IPO’ed stock jumps 60%.

At @DevOpsDotCom: https://t.co/1q7befjy9I

— @Richi 😷 Jennings (@RiCHi) November 18, 2021

Rowhammer Redux: ‘Blacksmith’ Fuzzing—Panic Now? - Security Boulevard

Let’s Blame Intel (Again): Researchers have cast serious doubt on claims that modern DRAM is safe against Rowhammer bit-flip attacks. By fuzzing the patterns used to attack the memory, they’ve demonstrated escalation of privilege and stolen private keys.

3/3: But is this something to worry about?

In today’s #SBBlogwatch, we dig in and find out. At @SecurityBlvd: https://t.co/rAF5N038dq

— @Richi 😷 Jennings (@RiCHi) November 16, 2021

FBI Email—‘Threat Actor in Systems’—is Spam - Security Boulevard

LEEP L337 Lies: Mountains of email spam, from a legit FBI address, were sent to victims by a pseudonymous hacker. The sender, who calls himself Pompompurin, caused much consternation and grief.

There are lessons to be learned. In today’s #SBBlogwatch, we teach them.

At @SecurityBlvd: https://t.co/u1iYtjb8Zd

— @Richi 😷 Jennings (@RiCHi) November 15, 2021

Who is ‘Andrew’—the US Spy who Hacked Booking.com? - Security Boulevard

I Can Tell by Some of the Pixels: Huge hotel reservations site Booking.com was breached.com. And the perp was the NSA, or one of the U.S. intelligence agencies.

Let’s unpick the story. In today’s #SBBlogwatch, we get someone else to make our bed before we lie in it.

At @SecurityBlvd: https://t.co/aA8la0rA4A

— @Richi 😷 Jennings (@RiCHi) November 12, 2021

REvil Perps: Arrests for Some, $10M Bounties on Others - Security Boulevard

DoJ+FBI+State Get Serious: Alleged REvil ransomware hackers have been arrested, with additional suspects charged. A coordinated international effort is tightening the noose around the gang and its many affiliates.

So there’s also a #bounty. In today’s #SBBlogwatch, we wonder if the @StateDept’s latest tactic will bear fruit.

At @SecurityBlvd: https://t.co/w6ptdzUn1B

— @Richi 😷 Jennings (@RiCHi) November 9, 2021

U.S. Blocks Trade with ‘Legal’ Pegasus Spyware Firm, NSO - Security Boulevard

U.S. Beef with Data Thief: What took you so long? The U.S. Commerce Dept. has finally blocked exports to the notorious NSO Group—makers of sophisticated “zero-click” spyware, Pegasus. This is a serious blow to NSO’s grubby business model.

TIL a new phrase: #TransnationalRepression. In today’s #SBBlogwatch, we work out what it all means.

At @SecurityBlvd: https://t.co/cbQc7JDLs5

— @Richi 😷 Jennings (@RiCHi) November 4, 2021

‘Trojan Source’ Makes Scary Headlines—But it’s Not New - Security Boulevard

Stick to Horses: Trojan Source “threatens the security of all code,” screams a widely shared article. Supposedly, this previously unknown attack on compilers allows open source code to hide malicious backdoors—thwarting all attempts to review it for vulnerabilities.

But it is worth talking about. In today’s #SBBlogwatch, we do exactly that.

At @SecurityBlvd: https://t.co/JOomNoxUDX

— @Richi 😷 Jennings (@RiCHi) November 2, 2021

New Russian Hacks Revealed—but U.S. Says it’s Microsoft’s Fault - Security Boulevard

Cozy Bear with Us: Microsoft has issued another of its “look how clever we are” writeups of detecting hackers breaking into its cloud services. In its report, the Redmondites tut-tut to say its customers really need to take more care with their security.

Shots fired. In today’s #SBBlogwatch, we search for the truth.

At @SecurityBlvd: https://t.co/IhaOKdXEfW

— @Richi 😷 Jennings (@RiCHi) October 26, 2021

FTC: ISPs are Spying on You. ISPs: Deal With It. - Security Boulevard

Ghost of Privacy: Your internet service provider snoops on your browsing habits, records them and sells you—the product—to the highest bidder. So says the Federal Trade Commission (FTC) in a new report.

#Privacy is dead. In today’s #SBBlogwatch, we mourn its passing.

At @SecurityBlvd: https://t.co/H1RKjdYNhp

— @Richi 😷 Jennings (@RiCHi) October 25, 2021

Disable Time Sync NOW—Ugly GPSd Bug Brings Sunday FAILs - Security Boulevard

GPSD PTSD? On Sunday, you might find some equipment thinks it’s 2002. That’s because of a weird bug in gpsd—the code on which a bunch of Network Time Protocol servers rely.

It’s yet another case of critical #OpenSource code being maintained by a single unpaid volunteer.

In today’s #SBBlogwatch, we batten down the hatches. At @SecurityBlvd: https://t.co/J1q3hzbonQ

— @Richi 😷 Jennings (@RiCHi) October 22, 2021

Zuckerberg Accused Personally in Cambridge Analytica Next Shoe - Security Boulevard

D.C. AG Vs. $FB & M.Z.—Mark Zuckerberg has been added as a defendant to D.C.’s Cambridge Analytica privacy complaint—this time, it’s personal. The District’s Attorney General says Zuck has his fingerprints all over it.

Sweat, Zuckerdroid, sweat.

In today’s #SBBlogwatch, we visualize justice. At @SecurityBlvd: https://t.co/xwz98CA079

— @Richi 😷 Jennings (@RiCHi) October 21, 2021

Government Gunning for Cryptocurrency—Uses Ransomware as Pretext - Security Boulevard

OFAC & FinCEN SARs Vs. DeFi: The U.S. Treasury Department is telling cryptocurrency fans to stop breaking sanctions and laundering money. Washington’s warning’s worried many of a crackdown on decentralized finance (DeFi).

Won’t *somebody* think of the children? In today’s #SBBlogwatch, we point at palatable excuses for #regulation. At @SecurityBlvd: https://t.co/LYOt7RsuWX

— @Richi 😷 Jennings (@RiCHi) October 19, 2021

Missouri FAIL: Gov. Mike Parson says Viewing Web Source is ‘Hacking’ - Security Boulevard

Parson Knows: The Missouri Department of Education website was leaking teachers’ social security numbers. A local journalist, Josh Renaud, spotted the PII flaw and reported it to the department, giving them plenty of time to fix the leak.

Specifically, section 569.095. But anyone viewing the source of a *public* web page obviously has “reasonable grounds to believe that he has such authorization.”

In today’s #SBBlogwatch, we fact-check sextugenarian politicians. At @SecurityBlvd: https://t.co/MKWSOweuoh

— @Richi 😷 Jennings (@RiCHi) October 15, 2021

Apple Says iPhone Users are Stupid - Security Boulevard

Cui Bono? Apple! Apple wants lawmakers to know that sideloaded apps are dangerous. Okay, I guess that seems kinda reasonable. But, wait a minute …

And naturally, @Apple’s “evidence” is a bunch of cherrypicked research that doesn’t really prove anything of the sort.

In today’s #SBBlogwatch, we follow the money. At @SecurityBlvd: https://t.co/Z250cbrBVq

— @Richi 😷 Jennings (@RiCHi) October 14, 2021

Ex-DoD Security Chief: China is Winning—it’s ‘A Done Deal’ - Security Boulevard

Beijing Back Better: The former chief software officer for the U.S. Air Force, Nicolas Chaillan, says the U.S. is falling far behind China in cybersecurity. In a no-holds-barred interview, he unloads his frustrations, built up over three years of inept bungling at the Pentagon.

Lauren @LKnausenberger now holds the poisoned chalice.

In today’s #SBBlogwatch, we plan to fail. At @SecurityBlvd: https://t.co/cEy6k7FlBL

— @Richi 😷 Jennings (@RiCHi) October 12, 2021

Huge Twitch Breach Leaks eSports ‘Toxic Cesspool’ - Security Boulevard

Fond Memories of Justin.tv: Amazon’s game streaming service, Twitch, got hacked. 125 GB of its most private data is now outside the proverbial toothpaste tube.

Get off my lawn. In today’s #SBBlogwatch, we exit the grassed area.

At @SecurityBlvd: https://t.co/3QnYw8Rp8P

— @Richi 😷 Jennings (@RiCHi) October 7, 2021

Syniverse Hack: Billions of Users’ Data Leaks Over Five Years - Security Boulevard

GTE TSI SMS SS7 APT EDT TLA BBQ: A huge, yet invisible, chunk of phone infrastructure has been breached. Hackers broke into the massive telephony interconnection service run by Syniverse—formerly GTE TSI.

A state sponsored attack? Could be the NSA/GCHQ.

In today’s #SBBlogwatch, we cry me a river. At @SecurityBlvd: https://t.co/ZSklyDAjBy

— @Richi 😷 Jennings (@RiCHi) October 5, 2021

‘GriftHorse’ Android Trojan: 10M Victims Lose Millions per Month - Security Boulevard

Premium SMS is Still a Thing? Researchers found a huge nest of Trojan apps in the Google Play Store. Dubbed GriftHorse, the malware in these 200+ Android apps tricked victims into subscribing to premium SMS services.

GriftHorse is, of course, not to be confused with the podcast of the same name.

In today’s #SBBlogwatch, we stare into an equine oral abyss. At @SecurityBlvd: https://t.co/1GWVdJKosy

— @Richi 😷 Jennings (@RiCHi) September 30, 2021

Amazon Astro: ‘Privacy Nightmare’ in R2D2-Cute Package - Security Boulevard

Bad Robot: Astro—Amazon’s new domestic security robot—is already attracting big criticism. Aside from the questions of how well it’ll do its advertised job, people think their privacy is at risk.

And worry that Amazon Astra integrates with the neighborhood snitchfest that is the Ring doorbell.

In today’s #SBBlogwatch … errm … I, for one, welcome our new #Alexa-enabled overlords. At @SecurityBlvd: https://t.co/Ek1SqMpJug

— @Richi 😷 Jennings (@RiCHi) September 29, 2021

Extremist Epik Clients Fear Unmasking via 180GB Leak - Security Boulevard

Nice shirt, Rob: The fallout from the hack of Epik earlier this month continues to attract the wrong sort of attention. Researchers continue to allege criminality among those who thought Epik was shielding their identities.

😷@RobMonster (pictured) advises people to “delete any data that does not belong to you.”

In today’s #SBBlogwatch, we question the advice of someone with such weak #DataSecurity. At @SecurityBlvd: https://t.co/en1FJFXoco

— @Richi 😷 Jennings (@RiCHi) September 27, 2021

‘Russian’ Ransom Gang Targets Big Agri Co-op—Food Shortages Ahoy? - Security Boulevard

The Next Colonial? NEW Cooperative got hacked by BlackMatter ransomware gits. The Iowa-based agriculture cooperative is facing a $5.9 million ransom.

Will it prompt the retaliation @POTUS Biden promised?

In today’s #SBBlogwatch, we head for the hills and grow our own. At @SecurityBlvd: https://t.co/RjWk5uCsXs

— @Richi 😷 Jennings (@RiCHi) September 23, 2021

Breached Alaska Gov Systems Still Down—After 5 MONTHS - Security Boulevard

The Last Frontier? It’s been more than 20 weeks since a “sophisticated cyberattack” was detected at Alaska’s Department of Health and Social Services (DHSS). It seems likely that hackers compromised the network at least five months ago.

And systems are still down.

In today’s #SBBlogwatch, we point to the culprit. At @SecurityBlvd: https://t.co/7ohPSmajhn

— @Richi 😷 Jennings (@RiCHi) September 21, 2021

‘OMIGOD’ Azure Critical Bugfix? Do It Yourself—Because Microsoft Won’t - Security Boulevard

OMI? DIY PDQ: Using OMI on Microsoft Azure? Drop everything and patch this critical vulnerability, snappily named OMIGOD. But wait! You probably don’t know whether you’re using OMI or not.

What a mess. In today’s #SBBlogwatch, we put the “mess” into message.

At @SecurityBlvd: https://t.co/DJtkmiT7oG

— @Richi 😷 Jennings (@RiCHi) September 17, 2021

Apple Security is Garbage—Change My Mind - Security Boulevard

Federighi Eats His Words: Apple just issued an urgent patch for every single platform. With a maximum VSS score of 10.0, this zero-click, zero-day “ForcedEntry” vulnerability is a huge deal.

Patch now, obvs.

In today’s #SBBlogwatch, we remember embarrassing quotes. At @SecurityBlvd: https://t.co/em1Cfzw0Cu

— @Richi 😷 Jennings (@RiCHi) September 14, 2021

Hackers Leak Schoolkids’ Data—ID Theft of Minors Ensues - Security Boulevard

Schools: Busted—Ransomware attacks on school districts have led to identity theft and data leakage. The victims include millions of students.

The world has gone to hell in a handbasket.

In today’s #SBBlogwatch, we go off grid and run for the hills. At @SecurityBlvd: https://t.co/nYxgwvOsVA

— @Richi 😷 Jennings (@RiCHi) September 13, 2021

Think of the Children: Anti-E2EE Ads Ahoy - Security Boulevard

Priti Vacant: Another Five Eyes government is trying to stop end-to-end encryption (E2EE). This time, it’s the UK—with an actual advertising campaign to convince plebs of the technology’s dangers.

Say it with me, everyone: Banning math doesn’t stop criminals.

In today’s #SBBlogwatch, we get déjà vu all over again. At @SecurityBlvd: https://t.co/mCMXLve9WA

— @Richi 😷 Jennings (@RiCHi) September 9, 2021

Alexa, OK Google, Siri—Sued for Spying - Security Boulevard

Now Hear This: Amazon, Apple and Google will have their days in court. They’ll be defending themselves on charges of listening to your conversations—when you least expect it. It’s been rumored for years—despite denials—but perhaps we’ll finally get to the bottom of things.

What price #privacy?

In today’s #SBBlogwatch, we throw our toys into a bucket of water. At @SecurityBlvd: https://t.co/2H7YcUHvAG

— @Richi 😷 Jennings (@RiCHi) September 7, 2021

Secret Govt. Spy Powers Coming Here—via Australia - Security Boulevard

Next Up: The Other Four Eyes—The Australian government has given itself an enormous surveillance tool. It’s hurriedly passed a law giving police the power to spy on suspects online, modify their data and take over their accounts.

Jane Fonda knows. So do Angela Merkel and Kim Dotcom.

In today’s #SBBlogwatch, we think of the children. At @SecurityBlvd: https://t.co/LkzViC3Zip

— @Richi 😷 Jennings (@RiCHi) September 2, 2021

Windows 11 Security Scare—MS Nixes Fixes on Older PCs - Security Boulevard

MSFT MBEC+HVCI FAIL: Windows 11 won’t auto-update on slightly old PCs. It appears this includes security updates—although Microsoft PR is doing its usual trick of ghosting reporters who ask.

Stand by for #Redmond to walk this one back in an embarrassing climbdown.

In today’s #SBBlogwatch, we hope against hope. At @SecurityBlvd: https://t.co/nM1S4fXw26 $MSFT

— @Richi 😷 Jennings (@RiCHi) August 31, 2021

Your ISP is Selling your Data—Despite Swearing Not To - Security Boulevard

And VPNs Won’t Help: “Netflow Data”—information recording which internet resources you’re talking to—is big business. It’s being traded by brokers, with zero transparency.

It depends on the meaning of the word “is.” In today’s #SBBlogwatch, we ponder semantic chicanery.

At @SecurityBlvd: https://t.co/ZiMdadzQUB

— @Richi 😷 Jennings (@RiCHi) August 26, 2021

This Mouse Gives you Admin on a Windows PC - Security Boulevard

Not This One, That One: Razer gaming mice come with a buggy installer. It starts automatically when you plug in one of Razer’s devices.

😱 Déjà vu? It’s like #PrintNightmare all over again.

In today’s #SBBlogwatch, we point the fingers of blame. At @SecurityBlvd: https://t.co/qWDdlVflaW

— @Richi 😷 Jennings (@RiCHi) August 23, 2021

Great Firewall Ready to Unleash ‘Gigantic’ DDoS—so are Other Middleboxes - Security Boulevard

‘Infinite’ Amplification Ahoy: Researchers have disclosed a nasty new way for bad people to mess up the internet for the rest of us. They’ve found a fantastically powerful reflective-amplification attack technique that could easily be used for distributed denial of service (DDoS).

Nation-states would have to fix their firewalls, which ain’t gonna happen. In today’s #SBBlogwatch, this is why we can’t have nice things.

At @SecurityBlvd: https://t.co/7BdlnUcF64

— @Richi 😷 Jennings (@RiCHi) August 19, 2021

T-Mobile Leaks PII of ‘Every User’ in HUGE 100M+ Breach - Security Boulevard

Yet Another Leak: T-Mobile US has lost control of its account database, hackers say. More than 100 million records are for sale—which is basically $TMUS’s entire user base.

The data disclosed looks to be enough to steal any user’s identity.

In today’s #SBBlogwatch, we hide under the covers and weep #magenta tears.

At @SecurityBlvd: https://t.co/srycKSRGTQ

— @Richi 😷 Jennings (@RiCHi) August 16, 2021

Crypto Hacker Returns Most of Funny Money Stolen from Poly - Security Boulevard

DeFi Deflagration Debate: The hacker who stole $600 million of imaginary money from Poly Network has started to give it back. At the time of publication, about 56% is back in the hands of the decentralized finance (DeFi) platform.

Whoever it is, it’s yet another illustration of #cryptocurrency’s brittleness.

In today’s #SBBlogwatch, we drive over in our Fiat. At @SecurityBlvd: https://t.co/q3BQltWDRY

— @Richi 😷 Jennings (@RiCHi) August 12, 2021

COVID Anti-Vaxxers Make $$$ from Crowdfunding - Security Boulevard

This Guy Raised Half a Million: People who spread garbage anti-vaccine myths on the internet—why do they do it? Turns out, for some of them, it’s actually a business. People like Morgan Kahmann (pictured).

It would be funny—if the outcomes weren’t so serious.

In today’s #SBBlogwatch, we get really, really angry.

At @SecurityBlvd: https://t.co/qyfO3H4YeT

— @Richi 😷 Jennings (@RiCHi) August 9, 2021

SHOCKER: Senate Says Security Sucks—Still - Security Boulevard

Failing at the Basics: A U.S. Senate committee graded cybersecurity as ‘poor’ in seven big agency departments. The litany of failures listed in its report are astounding.

A billion taxpayer dollars spent on improving things, but not a lot to show for it.

Incompetence, laziness and political infighting are noted by insiders in today’s #SBBlogwatch.

At @SecurityBlvd: https://t.co/P0lPwBhc5W

— @Richi 😷 Jennings (@RiCHi) August 5, 2021

Italian Vaccine Sites Shut Down by Ransomware Thugs - Security Boulevard

For the Lazio Lulz? Some Italian healthcare websites and their backroom systems have been wiped off the internet by malware. In the region of Lazio, the vaccination program has been dealt a severe blow by ransomware scrotes.

#Italy is struggling under its third wave of #COVID19 infections—so this is extremely poor timing.

In today’s #SBBlogwatch, we rise up with righteous indignation. At @SecurityBlvd: https://t.co/3oa2JPbCFN

— @Richi 😷 Jennings (@RiCHi) August 3, 2021

Estonian Hacker Steals 300,000 Government ID Photos - Security Boulevard

EE ID PII AWOL Redux: Estonia’s electronic ID system was hacked last week. Again. The eastern European country is well-known for its advanced cryptographic identity card system, but it seems there are flaws in the access management design.

Yeah, we’ve heard that before. About 10 days ago, in fact.

In today’s #SBBlogwatch, oleme mures privaatsuse pärast. At @SecurityBlvd: https://t.co/mUF7JJB39Z

— @Richi 😷 Jennings (@RiCHi) July 30, 2021

Anti-Vax Lies Spread on YouTube—Paid for ‘by Russian PR Company’ - Security Boulevard

Lambs to the Slaughter: Disinformation is rife on social media: No news here. But shadowy interests are paying so-called “influencers” to spread it.

The motivation is unclear. But in today’s #SBBlogwatch, we’re clear it’s despicable.

At @SecurityBlvd: https://t.co/dBISGRviaZ

— @Richi 😷 Jennings (@RiCHi) July 26, 2021

Apple’s Insecure iPhone Lets NSO Hack Journalists (Again) - Security Boulevard

Zero-click, Zero-day: Yet another zero-day bug in iOS has allowed notorious spyware vendor NSO Group to break into the iPhones of journalists and activists. Again, it’s an unpatched zero-click vulnerability in the Messages app.

As usual, #NSO denies everything.

In today’s #SBBlogwatch, we roll our eyes. At @SecurityBlvd: https://t.co/Of5H7jUadB

— @Richi 😷 Jennings (@RiCHi) July 20, 2021

Stalkers: ‘Ugly Truth’ of Facebook Staff Abusing Private Data - Security Boulevard

The Eye of Zuckon: A new book exposes yet another Facebook failure for the social media firm to apologize for. Engineers have been abusing their free access to all users’ data—including data that’s been “deleted.”

>

But nothing’s going to change. Zuck’s PR droid gave a vapid statement making this fact completely clear.#DeleteFacebook. In today’s #SBBlogwatch, we wonder what it will take. At @SecurityBlvd: https://t.co/XGmTKS0iSL @HarperCollins @HarperInsider

— @Richi 😷 Jennings (@RiCHi) July 16, 2021

Apple Safari Leaks Cookies, so ‘Russia-Backed’ Hackers Attack Targets - Security Boulevard

iOS WebKit FAIL: Apple’s under fire yet again for an iOS security bug. And yet again it’s a vulnerability in WebKit—the open source code behind the Safari browser.

They’re said to be backed by the #Russian government. In today’s #SBBlogwatch, мы боимся г-на #Путина.

At @SecurityBlvd: https://t.co/m1IPNe4RKF

— @Richi 😷 Jennings (@RiCHi) July 15, 2021

Finally! Ring Doorbells get End-to-End Encryption, but There’s a Big Catch - Security Boulevard

I’m Sorry, Dave; I’m Afraid I Can’t Do That: Amazon’s Ring unit is moving ahead with plans to allow end-to-end encryption (E2EE). U.S. customers can turn it on now, with the feature rolling out to other countries any second now.

Is it a #DarkPattern? If it walks and swims and quacks like one, then it probably is.

In today’s #SBBlogwatch, we’ve got a bad feeling about #Ring. At @SecurityBlvd: https://t.co/U0wPPiAZgU

— @Richi 😷 Jennings (@RiCHi) July 14, 2021

China ‘Eugenics’ Claim as BGI Hoards Prenatal Test DNA Data - Security Boulevard

NIFTY NIPT not Nice: Chinese genetics company BGI is accused of misusing fetal DNA harvested from prenatal testing around the world, in violation of privacy rights. For its part, BGI claims its secret collaborations “improve population health outcomes around the world.”

While our historic use of #eugenics makes for uncomfortable memories, it’s no reason to turn a blind eye to #China’s alleged actions. In today’s #SB logwatch, we shine a light.

At @SecurityBlvd: https://t.co/711VwAaLrC

— @Richi 😷 Jennings (@RiCHi) July 8, 2021

REvil Makes Monkeys out of Kaseya Customers - Security Boulevard

Wise: No REvil Over the long weekend, a huge ransomware attack emerged. Kaseya, the IT management software supplier, seems to have been the common component used by the criminals to do their dirty deeds.

Things look bad for the #REvil ransomware gang. In today’s #SBBlogwatch, we have little sympathy.

At @SecurityBlvd: https://t.co/8pW26U4nrA

— @Richi 😷 Jennings (@RiCHi) July 6, 2021

One Medical: Sorry-not-Sorry for Leaking your Personal Info - Security Boulevard

ONEM HIPAA FAIL: Primary care med-tech firm One Medical made an intern-level error this week. It sent email to countless customers with hundreds of other customer email addresses visible in the To: field.

@OneMedical also said “We apologize if,” which is never a good look.

In today’s #SBBlogwatch, we’re unapologetically scathing. At @SecurityBlvd: https://t.co/FAtmzUSoup $ONEM

— @Richi 😷 Jennings (@RiCHi) July 2, 2021

LinkedIn Leaks 93% of Users’ Data—Refuses Blame for Breach - Security Boulevard

MSFT PR FAIL: LinkedIn is fighting a crescendo of criticism over a huge data breach, which is being sold by criminals. The firm’s PR people claim it’s not, in fact, a breach—nothing to see here, move along.

Instead, countless users get to suffer yet more #spam, #phishing, #IDtheft, #stalking, #doxxing and other nasties. LinkedIn doesn’t care.

In today’s #SBBlogwatch, we’ve had it with this sociopathic company. At @SecurityBlvd: https://t.co/rDmKesNiMt $MSFT

— @Richi 😷 Jennings (@RiCHi) July 1, 2021

SafeDollar Stablecoin not Safe nor Stable: Hack Sends Value to ZERO - Security Boulevard

Hack or Rug-Pull? SafeDollar, a crypto token that’s pegged to the U.S. dollar, crashed this week. The team behind the Polygon-based stablecoin claim it had been hacked.

That caused the #cryptocurrency’s price to drop to $0, while the hacker got away with $250,000.

A naïve bug, or a malicious insider? In today’s #SBBlogwatch, we prefer Bens.

At @SecurityBlvd: https://t.co/RQzUH0VIHG

— @Richi 😷 Jennings (@RiCHi) June 29, 2021

Did your WD My Book NAS get Wiped? Put a Brave Face on It - Security Boulevard

My Book? Not Any More: A 2019 vulnerability is being exploited to remotely wipe countless Western Digital devices. The WD My Book Live NAS product is coming under attack from Eastern European malefactors.

But that’s no help to people who’ve lost their data. It’s like saying, “Shut the stable door,” after the horse has bolted. In today’s #SBBlogwatch, we force a simile. [You’re fired—Ed.]

At @SecurityBlvd: https://t.co/HqkZadRHzc

— @Richi 😷 Jennings (@RiCHi) June 28, 2021

Rust in Linux: Google pays ISRG to pay Miguel Ojeda - TechBeacon

Rustacean invasion: Google is funding the Internet Security Research Group (ISRG) to sponsor the Rust for Linux organization. Money will be funneled from la GOOG’s bottomless coffers to pay Miguel Ojeda as a full-time developer.

Get off my lawn, with your trendy flavor of the month. In this week’s #SecurityBlogwatch, we look to see if we should believe the hype.

At @TechBeaconCom: https://t.co/zLaBbKe72u

— @Richi 😷 Jennings (@RiCHi) June 25, 2021

In Memoriam: John McAfee, 1945–2021. R.I.P. - Security Boulevard

He Will Be Missed: John David McAfee took his own life yesterday, said his lawyer. A Spanish prison witnessed his final breath on this earth.

The internet has been remembering #McAfee—mostly fondly. In today’s #SBBlogwatch, we share the love.

At @SecurityBlvd: https://t.co/P1gufIOL1i

— @Richi 😷 Jennings (@RiCHi) June 24, 2021

Ransomware and the Tax Code’s Perverse Incentive - Security Boulevard

Greedy Pigs: Ransomware payments are deductible, say tax experts. That’s the shocking finding from a recent investigation.

There’s no accounting for taste. In today’s #SBBlogwatch, can we smell bacon?

At @SecurityBlvd: https://t.co/iIopXElMnU

— @Richi 😷 Jennings (@RiCHi) June 22, 2021

Cops Cop Cl0p Ransomware Gang (or Maybe Not?) - Security Boulevard

Just the Monkeys, not the Organ Grinders? The National Police of Ukraine is crowing about arresting alleged ransomware scrotes from the Clop gang (styled as Cl0p). With the help of Interpol and law-enforcement from South Korea and the U.S., the Ukrainian cops raided 21 addresses and seized the big three: cash, cars and computers.

Still, it’s a start. In today’s #SBBlogwatch, we turn the key (ask your parents). At @SecurityBlvd: https://t.co/JmKKSwtiQb

— @Richi 😷 Jennings (@RiCHi) June 18, 2021

Teamsters doesn’t pay ransom. Should you? It’s not rocket science - TechBeacon

But 2019 was a long time ago: It’s emerged that the International Brotherhood of Teamsters was attacked by ransomware scrotes in 2019. Despite advice from the FBI, the union didn’t pay a penny in ransom—and certainly not the $2.5 million asking price.

So your best bet is to shore up your #security. In this week’s #SecurityBlogwatch, we do our duty as we see fit.

At @TechBeaconCom: https://t.co/gRgHi1biaa

— @Richi 😷 Jennings (@RiCHi) June 17, 2021

Microsoft’s Legal Head: U.S. must Stop Secret Gag Orders - Security Boulevard

President Speaks Unto President: BradSmith, Microsoft president and CLO, says law enforcement’s bad habit has to be broken: Secretly subpoenaing data from cloud providers—blocking them from telling customers—is undemocratic, and hurts international relationships, he argues.

I’ve got a solution for the problem, but I’m not allowed to tell you.

In today’s #SBBlogwatch, we keep schtum. At @SecurityBlvd: https://t.co/PpZ1DBG72x

— @Richi 😷 Jennings (@RiCHi) June 16, 2021

Who, Us? Linux Root Bug Quietly Added 7 Years Ago - Security Boulevard

Linux Lovers, Look the Other Way A nasty vulnerability in most Linux distributions is raising eyebrows among the penguinistas. A simple unchecked error in the polkit component can let a user get root with just a couple of commands.

But how did this happen? In today’s #SBBlogwatch, we unpick the story. At @SecurityBlvd: https://t.co/E3ZMA5EIrB

— @Richi 😷 Jennings (@RiCHi) June 14, 2021

EA’s Source: It’s in the Game (and in Hackers’ Hands) - Security Boulevard

Or, Go Outside for a Walk Electronic Arts got hacked and its source code stolen. Hackers took hundreds of gigabytes of game source code and tools—including internals of FIFA 21 and Battlefield.

So what is it? In today’s #SBBlogwatch, we push a secret button sequence to find out.

At @SecurityBlvd: https://t.co/FVPrCOjlyz

— @Richi 😷 Jennings (@RiCHi) June 11, 2021

Trojan Shield: FBI punks crims with faux app—and international help - TechBeacon

Cops did WHAT? Police forces around the world are arresting more suspects of organized crime. They’re unsealing evidence gathered over the past two to three years via a private-messaging app, Anom (styled ΛNØM or An0m).

This is madness. In this week’s #SecurityBlogwatch, this is Sparta. At @TechBeaconCom: https://t.co/TuvcsxXhTh

— @Richi 😷 Jennings (@RiCHi) June 10, 2021

Genius! Apple Bribes Woman over Naked Pic Theft - Security Boulevard

Three Times a Hypocrite: Apple is under fire for its hypocrisy in promising privacy, while also authorizing repair technicians who allegedly stole naked pictures and video from a woman’s iPhone. To make matters worse, court filings also allege they took control of her Facebook account and posted the sensitive media to her wall for all her friends to see.

And Apple tried to bury the story, by bribing the victim in a secret settlement under #NDA, according to the court filings.

How hypocritical is that? In today’s #SBBlogwatch, we count the ways. At @SecurityBlvd: https://t.co/eQ4DX9Eso9

— @Richi 😷 Jennings (@RiCHi) June 9, 2021

Is Apple’s App Store ‘Teeming’ with Scams? - Security Boulevard

Time to Drop your iPhone? Roughly 2% of the top-grossing iOS apps are, in some way, “scams.” Or so it is said: There’s been much chatter this weekend that Apple is sleeping on the job of reviewing iThing apps.

Is this simply a spat between the A and the A in #FAANG?

In today’s #SBBlogwatch, we wonder if there’s a There there. At @SecurityBlvd: https://t.co/GufRf1Oo2d

— @Richi 😷 Jennings (@RiCHi) June 7, 2021

Chrome Fake Reviews: It’s Worse than We Thought - Security Boulevard

“Nooo, I’ve been phished.” The problem of fake reviews in the Google Chrome extensions store is bigger than it seems. New analysis shows a web of malware with access to all your browsing, that can redirect you anywhere when you least expect it.

Come on, Google, get a grip.

In today’s #SBBlogwatch, we lose trust in la $GOOG. At @SecurityBlvd: https://t.co/SoCUBVMcvV

— @Richi 😷 Jennings (@RiCHi) June 4, 2021

Flashcard study apps expose nuclear secrets to all - TechBeacon

Monkey see, monkey do: US military personnel have been uploading nuclear secrets to online learning platforms, where they can be found by anyone. Free flashcard apps such as Chegg, Quizlet, and Cram have hosted the scarily detailed secret data for as long as eight years—possibly longer.

Rote learning is bad enough without suffering fallout from information leakage.

In this week’s #SecurityBlogwatch, we file our cards away securely. At @TechBeaconCom: https://t.co/G8sYXIr93U

— @Richi 😷 Jennings (@RiCHi) June 3, 2021

Dunhammer: NSA Blamed for Danish Spying on Euro Pols - Security Boulevard

“Something is Rotten in the State of Denmark” In a damning leaked report, Danish authorities reveal that the NSA spies on friendly foreign governments. This time, thanks to the help of FE, its opposite number in Denmark.

What should we tell Horatio? In today’s #SBBlogwatch, Marcellus criticizes incestuous relationships. At @SecurityBlvd: https://t.co/wMRcqfCr2A

— @Richi 😷 Jennings (@RiCHi) June 2, 2021

Grandchild of Rowhammer: ‘Half-Double’ Tactic Flips Farther Bits - Security Boulevard

I Want My ECC: Rowhammer—an attack tactic to escape sandboxes by flipping “neighboring” bits—has a new variant. And it’s been made easier by newer designs of RAM chips.

This new variant, which the team dubbed #HalfDouble, presents a “substantial challenge.” In today’s #SBBlogwatch, we double down, with no half measures. At @SecurityBlvd: https://t.co/6WJoLvrN81

— @Richi 😷 Jennings (@RiCHi) May 28, 2021

DevOps failures cast cloudy shadows over countless apps - TechBeacon

MDM of BYOD might be unfashionable, but it could CYA: Mobile apps are still awful—that’s the scary conclusion from researchers. They sampled a range of @Android apps and easily found 23 that leaked the personal data of 100 million users—and worse.

And it’s not just an #Android problem. In this week’s #SecurityBlogwatch, we go back to school.

At @TechBeaconCom: https://t.co/HtIzqDmzRn

— @Richi 😷 Jennings (@RiCHi) May 27, 2021

Ransomware Gang Frees Irish Medical Data—but Leak Threat Remains - Security Boulevard

What’s Gaeilge for ‘HIPAA’? The Health Service Executive (HSE), the body that runs Ireland’s socialized healthcare system, suffered a catastrophic malware attack last week. Ransomware scrotes wielding the Conti malware demanded $20 million to decrypt all the files.

But they’re still warning they’ll leak private health records unless they get their money.

In today’s #SBBlogwatch, we ponder ways to control this scourge. At @SecurityBlvd: https://t.co/nXfhcNr1IY

— @Richi 😷 Jennings (@RiCHi) May 24, 2021

Fake Chrome Extensions: Google Asleep at the Switch - Security Boulevard

“Yay, I’ve been phished.” Hey there. Umm … that “Microsoft Authenticator” extension you installed? The one with access to all your browsing, and that can redirect you anywhere when you least expect it? It’s actually malware, designed to phish for your passwords. (Nice blue couch, BTW.)

And @Firefox won’t save you, either. In today’s #SBBlogwatch, we burn the whole thing down. At @SecurityBlvd: https://t.co/mAmrDc5rq5

— @Richi 😷 Jennings (@RiCHi) May 20, 2021

AXA’s ransomware gambit comes back to bite - TechBeacon

Like rain on your wedding day: AXA’s Asian arm has been hit by a ransomware attack. The news comes days after AXA’s French HQ said it planned to stop writing cyber-insurance policies that pay out ransoms to hackers.

Malheureusement, the timing isn’t quite as neat as the narrative suggests. In this week’s #SecurityBlogwatch, we never let the facts get in the way of a good story. At @TechBeaconCom: https://t.co/f48imsGUjL

— @Richi 😷 Jennings (@RiCHi) May 20, 2021

DarkSide Ransomware Gang Struck Down — but by Whom? - Security Boulevard

Seduced by the DarkSide: The DarkSide group, hacker of the Colonial Pipeline, has hurriedly shut up shop. The shadowy group claims its servers and cryptocurrency balances have disappeared. People say it was the U.S. government that killed it. Which makes sense in the context of the White House’s recent pronouncements.

This sounds like a job for friar William of Ockham and his famous razor.

In today’s #SBBlogwatch, we look east. At @SecurityBlvd: https://t.co/X4aViMBW63

— @Richi 😷 Jennings (@RiCHi) May 17, 2021

AXA axes ransomware insurance. Who’s next? - TechBeacon

End of the beginning? Huge multinational insurance firm AXA Group has announced it will no longer write cyber-insurance policies that pay out extortionate #ransoms to hackers. So far, this applies only to France, but observers wonder if the strategy will spread.

As the #French say, /pour encourager les autres/. And, yes, it might well encourage other insurers to get serious about this knotty problem.

In this week’s #SecurityBlogwatch, we’re careful with that AXA, Eugene. At @TechBeaconCom: https://t.co/5xFlrCRVrl

— @Richi 😷 Jennings (@RiCHi) May 13, 2021

Rail Firm Staff Fail ‘Bonus’ Phishing Test, Chaos Ensues - Security Boulevard

COVID Pretext FAIL: “Click here to claim your bonus pay,” said email from a British train company, signed by the firm’s chief. Hundreds of @WestMidRailway employees did exactly that. Because of course they did.

What a kick in the teeth for staff who’ve been putting their health on the line since early 2020. OTOH, phishing exercises are an established part of staff #infosec … errm … training. In today’s #SBBlogwatch, we’re deeply conflicted. At @SecurityBlvd: https://t.co/0kxSnG6mU0

— @Richi 😷 Jennings (@RiCHi) May 12, 2021

Colonial Pipeline FAIL: Ransomware Gang Threatens Gas Supplies - Security Boulevard

Something-Something #DarkSide: Carrying almost half of the east coast’s road and jet fuel, the Colonial Pipeline is critical infrastructure—of that there’s no doubt. But ransomware scrotes have stolen and encrypted 100 GB of data, crippling the pipeline’s operation.

Prepare for inflated gas prices, long lines at the pumps and canceled flights.

In today’s #SBBlogwatch, we angrily buy a used Nissan Leaf. At @SecurityBlvd: https://t.co/ZddHFEf1dL

— @Richi 😷 Jennings (@RiCHi) May 10, 2021

Very Many Qualcomm Phone Chips Hiding Very Nasty Vulnerability - Security Boulevard

Time to Get a New Phone? A high-severity bug affects almost 40% of Android phones. The security hole is in Qualcomm modems—specifically in their software interface to the Android platform.

Good luck getting a patch for an old phone. In today’s #SBBlogwatch, we check the insurance for an “accidental” fall onto concrete.

At @SecurityBlvd: https://t.co/kTGWsQ0J1a

— @Richi 😷 Jennings (@RiCHi) May 7, 2021

Log this: iOS and macOS zero-day patches roll; Apple devs under fire - TechBeacon

iFAIL:Apple is patching every current OS it has. WebKit has critical zero-day vulnerabilities, exploitable to execute arbitrary code on Macintosh, iPhone, iPad, and Apple Watch.

“Doesn’t play well with others,” is the damning report card. In this week’s #SecurityBlogwatch, Apple gets a failing grade.

At @TechBeaconCom: https://t.co/A8JTrT3gKr

— @Richi 😷 Jennings (@RiCHi) May 6, 2021

Specter of Spectre is Back, in New Micro-Op Cache Vuln - Security Boulevard

Worry, Worry—Super Scary: It’s been three years, but researchers have disclosed new attacks on speculative execution in Intel and AMD chips. Just be thankful they didn’t give it a catchy name, like Spectre.

There’s a lot to worry about in #BranchPrediction. In today’s #SBBlogwatch, we think happy thoughts. At @SecurityBlvd: https://t.co/kpaL8pTMal

— @Richi 😷 Jennings (@RiCHi) May 3, 2021

With iOS 14.5, Apple shifts peeping apps fight to the OS - TechBeacon

F vs. A—what about the ANG? Pay attention: An important trend is hiding amid the fluff and froth of a fanciful “feud” twixt Tim Cook and Mark Zuckerberg. Ignore the tech soap opera—you need to get ahead of the changes, so read on.

And #iOS 14.5 is part of the reason. In this week’s #SecurityBlogwatch, we finally cut through the fish-eye lens of tear-stained eyes. [You’re fired—Ed.]

At @TechBeaconCom: https://t.co/VOiZz68lK9

— @Richi 😷 Jennings (@RiCHi) April 29, 2021

U.S. DoD has World’s Largest Honeypot: 6% of Internet Space - Security Boulevard

DoD BGP Mystery Solved: 175 million IP addresses owned by the U.S. Defense Department have “appeared” on the public internet. Formerly unroutable, these address ranges are now being advertised by a previously-unknown contractor. But it’s all aboveboard, we’re told.

But he doesn’t look very military. Perhaps he’s in the Navy? In today’s #SBBlogwatch at @SecurityBlvd, we can sail the 0x07000000/8 seas. [You’re fired—Ed.]https://t.co/87KT89G8P1

— @Richi 😷 Jennings (@RiCHi) April 26, 2021

China Silently Hacked Gov’t and Defense for a Year or More - Security Boulevard

These Things Come In Threes:After the Russian SolarWinds hack and the Chinese Exchange débâcle, here’s the third shoe to drop. And again it’s China being fingered by researchers.

Evidence shows the hackers breaking in 10 MONTHS ago, with indications that they’ve been around for some time before that.

In today’s #SBBlogwatch at @SecurityBlvd, we can see where this is going: https://t.co/amquujOF7l

— @Richi 😷 Jennings (@RiCHi) April 23, 2021

Google FLoC is a flop? Not so fast - TechBeacon

Third-party #cookies will soon go away, because people are fed up with being tracked. That’s bad news for advertisers, unless there’s something to replace them.

But #privacy wonks hate it. And so do most other #browser makers.

In this week’s #SecurityBlogwatch at @TechBeaconCom, we munch on a tasty lettuce leaf: https://t.co/kFMC648LEv

— @Richi 😷 Jennings (@RiCHi) April 22, 2021

Wait, What? Nvidia/ARM Sale on Hold—for Security Reasons - Security Boulevard

Nvidia to Stay ARMless? The United Kingdom is investigating the proposed “merger” of ARM and Nvidia. Her Majesty’s government says it’s worried that there are national security implications.

Yes, but is there really a #security question? Or is that a convenient excuse to slam on the brakes?

In today’s #SBBlogwatch at @SecurityBlvd, we avoid weak jokes about fish and chips: https://t.co/Z1z3NuApnm

— @Richi 😷 Jennings (@RiCHi) April 20, 2021

STOP: Opt out of phone numbers as authentication tokens - TechBeacon

It’s a numbers game: This week brings yet more examples of poor design. Specifically: Two apps trusting phone numbers without properly authenticating the actual user.

Watch out—these things come in threes. In this week’s #SecurityBlogwatch at @TechBeaconCom, we got the 411 (ask your parents): https://t.co/XUcOlw8rer

— @Richi 😷 Jennings (@RiCHi) April 15, 2021

YT$AW: FBI Cleans Up Exchange Servers, NSA Tips Microsoft 4 More Bugs - Security Boulevard

Feds Fix Fails Your tax dollars at work: The FBI and NSA have been helping fix the mess caused by the recent Microsoft Exchange hacking, and trying to prevent a further round of it.

“We’re from the government, and we’re here to help.” In today’s #SBBlogwatch at @SecurityBlvd, we’re careful what we wish for: https://t.co/0Oh8fWXdLe

— @Richi 😷 Jennings (@RiCHi) April 14, 2021

Son of Stuxnet? Iran Nuke Site Hacked ‘by Israel’ (Again) - Security Boulevard

Crystal Ball ain’t so Crystal Clear: Iran’s Nantaz nuclear centrifuge facility went dark yesterday. I can’t stand it—I know you planned it.

But something doesn’t add up. In today’s #SBBlogwatch at @SecurityBlvd, we can’t stand rocking when I’m in here: https://t.co/ZAX79I2d8P

— @Richi 😷 Jennings (@RiCHi) April 12, 2021

Facebook Sucks: Huge 500M-User Breach ‘Is Your Fault’ - Security Boulevard

GDPR: Coming for Mark’s Money: Last week’s revelation of a half-billion-user leak is still reverberating around the news cycle. Despite Facebook’s attempts to make it go away, new inconvenient truths keep appearing.

This is bad. I can’t watch. But I can’t *not* watch. In today’s #SBBlogwatch at @SecurityBlvd, we break out the jumbo bag of popcorn: https://t.co/k36bF45QZy

— @Richi 😷 Jennings (@RiCHi) April 8, 2021

Cryptominers flooding GitHub—and other cloudy dev services - TechBeacon

“This is why we can’t have nice things.” Owners of public GitHub projects have been noticing weird stuff recently: Random users are forking repos, then pull-requesting a change that includes an obfuscated GitHub Action.

So there isn’t much an owner can do—other than disable the #GitHubActions feature.

In this week’s #SecurityBlogwatch at @TechBeaconCom, we watch @GitHubSecurity play Whac-A-Mole: https://t.co/6LeTpyvr40

— @Richi 😷 Jennings (@RiCHi) April 8, 2021

Apple Fiddles While App Store Burns: $1M Bitcoin Scam FAIL - Security Boulevard

Tim’s Security Halo Slips: Phillipe Christodoulou got ripped off to the tune of more than a million dollars. An iPhone app stole 17.1 bitcoins from his Trezor hardware wallet.

Are you serious? Deadly. In today’s #SBBlogwatch at @SecurityBlvd, we learn valuable lessons: https://t.co/6GDEr2mOH7

— @Richi 😷 Jennings (@RiCHi) April 5, 2021

Ubiquiti Accused of Lying to Help Stock Price - Security Boulevard

UI PR FAIL: Ubiquiti disclosed a breach in January, implying it was the fault of a “third party.” But this week, an insider says the company lied: “It was catastrophically worse,” said the anonymous source.

Oh what a tangled web … was allegedly woven. In today’s #SBBlogwatch at @SecurityBlvd, we #2FA our @LastPass: https://t.co/BZ5h9v3BEZ

— @Richi 😷 Jennings (@RiCHi) April 1, 2021