Cyber Security Today, December 12, 2022 – Toronto hacking contest ends with 63 zero-day bugs, and more

Welcome to Cyber Security Today. Today is Monday, December 12, 2022. I’m Howard Solomon, contributing cybersecurity reporter for ITWorldCanada.com.

Just under one million US dollars in prizes was awarded to security researchers at the end of the four-day Pwn2Own hacking contest in Toronto. In this edition of the event, sponsored by Trend Micro, participants demonstrated 63 unique zero-day exploits by breaking into home and small business routers and printers. The biggest share of the money went to a team from Devcore Security Consulting of Taiwan, which won US$142,500 and was named the event’s Master of Pwn. The total amount awarded to all participants was $989,750. The biggest payout of the series was at the 2021 event in Vancouver, where participants took home US$1.2 million. The next competition will take place in Miami in February.

A week after suffering a ransomware attack, Rackspace Technology faces a legal attack. A California law firm is proposing a class action lawsuit against the hosting provider over the incident. The lawsuit still needs to be certified by a state court. On Friday, Rackspace said it was still investigating the cause of the attack. It says the attack was contained within its hosted Microsoft Exchange service. Rackspace is also helping its customers recover their data. It did not specify how much data, if any, was encrypted or copied by the hackers.

Experts have had a few days to evaluate the security and privacy announcements Apple made last week. Apple is expanding the range of data users can protect with end-to-end encryption in iCloud. Currently, health information, passwords, and payment card data can be protected in this way. Soon, photos, notes and iCloud backups will also be able to benefit from this additional protection. In a comment, SANS Institute editorial board member William Murray noted that this is device-to-device encryption, not true end-to-end encryption. Another SANS commentator predicts that it won’t be long before US intelligence agencies and police forces protest that Apple’s latest move will hamper investigations.

Texas and Maryland have joined South Dakota, South Carolina and Nebraska in banning state employees from using the Chinese-owned TikTok app on government-issued computing devices. This comes after the FBI branded the video-sharing app a national security concern for the United States. Earlier this year, TikTok’s chief operating officer told the US Senate that the company complies with US laws and has strict rules about what data employees can access.

Air-gapped computers are isolated from the internet for the best computer security. However, an Israeli academic researcher claims that if such a computer is compromised in the right way, a hacker can transmit supposedly protected data from it to a smartphone very nearby. How? Over the electromagnetic signals emitted by the PC’s power supply. An attacker would first have to physically install malware on the computer. But that has been done before, by someone in 2008 on a classified US military computer. So it’s not an impossible mission. Government, banking, and research organizations that rely on air-gapped computers should continue to limit access to the areas holding these machines, and be wary of anyone hanging around them.

Software supply chain security is one of the most critical risks for any organization, according to Google. That’s why it has released a new research report detailing how developers should make open source software more secure. One recommendation is to use a framework called Supply-chain Levels for Software Artifacts, or SLSA. It includes a checklist of controls and practices to prevent code tampering.

Australian police have now disclosed the arrest of four Chinese nationals accused of participating in a $100 million investment scam. Most of the victims were people in the United States. It is alleged that the operation found victims on job sites and dating apps, where, after gaining people’s trust, the scammers created opportunities to invest in things like cryptocurrency. The US Secret Service informed the Australians of the link to their country. Two men were arrested in October. The other two were arrested last month just before trying to board planes for Hong Kong. Police allege the gang behind the scam used the four defendants to register Australian companies and open bank accounts so the money could be laundered.

To finish, a month ago I told listeners it was the time of year when scammers try to trick employees in a variety of ways, including with email gift card scams. The scammer poses as a corporate executive and asks a member of staff to buy gift cards – with their own money – to reward employees for a job well done during the year. The scam asks the victim to send the so-called executive the numbers on the back of the cards. Then the scammer can cash them out. A new report from Trustwave warns employees that scammers are increasingly attempting this type of scam by SMS. Again, the sender pretends to be a business executive who finds an excuse for not being able to buy the cards himself. Sometimes the request starts with an email and then the scammer asks the recipient to switch to text. So be aware of text and email messages like this.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.