US Government Launches Campaign to Boost Cybersecurity Apprenticeships


The Cybersecurity Apprenticeship Sprint campaign aims to help tackle the cyber skills gap


Critical Vulnerabilities in GPS Trackers


This is a dangerous vulnerability:

An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.

BitSight discovered what it said were six “severe” vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.

The security firm said it first contacted Micodus in September to notify company officials of the vulnerabilities. BitSight and CISA finally went public with the findings on Tuesday after trying for months to privately engage with the manufacturer. As of the time of writing, all of the vulnerabilities remain unpatched and unmitigated.

These are computers and computer vulnerabilities, but because the computers are attached to cars, the vulnerabilities become potentially life-threatening. CISA writes:

These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.

I wouldn’t have buried “vehicle control” in the middle of that sentence.


NSO Group’s Pegasus crashes as Apple initiates Dignity and Justice Fund


Much has been written about NSO Group’s collision with government reality when the Israeli firm found itself on the wrong side of a business decision to sell its technologies to entities that used them to target human rights activists, political leaders, journalists, and a bevy of U.S. persons. The collision came in the form of the U.S. government blacklisting the company, effectively drying up a large share of its clients to the point where bankruptcy was seen on the horizon.

White House nixes L3Harris interest in NSO

Then, according to a recent New York Times exposé, U.S. defense contractor/supplier L3Harris allegedly attempted a Phoenix-like save, seeking to raise the charred NSO from the ashes with the sub rosa assistance of the U.S. intelligence community. Apparently, L3Harris had its eye on the “zero-click” exploit provided by NSO’s Pegasus for resale or exploitation by the U.S. For those not well versed in the government supply and contract world, L3Harris has expertise in the exploitation of cellphones.



Security risks with using Free Step Tracking apps


This blog was written by an independent guest blogger.

The Move to Earn (M2E) industry is growing:

Move to Earn, or free step tracking, apps aim to improve users’ health while offering a novel way to earn money. Most free step tracking apps are now tied to the blockchain industry under the “Move to Earn” label, and hundreds of M2E apps are in development. The idea is simple: you sign up in the app (using your email and full name), turn on location tracking, and you’re good to go jogging, running, or walking. Users receive coins for the effort, which they can sell on the open crypto market for fiat money. Note that to earn anything you must always have internet access and location services turned on; otherwise you gain nothing.

This may not seem like a big deal to people who are unaware of the security and privacy risks attached to such apps. After all, these are not the first apps to ask for location access; many fitness trackers also require location information to be available online.

Are step tracking apps safe?

Step tracking apps can pose serious security and privacy threats to the millions of people using M2E apps. When you run, the tracker monitors your location the entire time. Most of these apps are also never tested for security and privacy issues, and they have no responsible disclosure programs through which security researchers can report problems. We have often seen the developers of these apps ignore reports from security researchers about the risks attached to them.

Data can be shared or sold to third parties

Almost no one reads the lengthy privacy policies of these services. Meanwhile, advertisers and insurance companies are very interested in your daily step count (which reveals aspects of your health) and your location. The US health privacy law, HIPAA, does not cover these step tracking and fitness tracker apps, so M2E companies can share the data with anyone they want.

Tough choice – trade-offs?

M2E apps have helped many families around the world earn a livelihood when there were no jobs because of the pandemic. During the pandemic, many companies laid off employees, leaving people with limited ways to make a living.

So, it’s a tough choice for many. Personally, I would never sign up for these apps as most of them are unsecured.

Poll results:

Kate Brew, editor of the AT&T Cybersecurity blog, recently conducted a poll on Twitter on whether people would use a step tracking app. Here are the final results:

Would you add a free app to your smart phone that allows you to track your number of steps per day for health reasons? Or advise friends and family to do so?

— Kate Brew (@securitybrew) June 30, 2022


Tips for users to protect their privacy and security:

1. Read the privacy policy in full, paying attention to the critical points, before you hit the sign-up button.
2. Check whether the app supports 2FA.
3. Check where your data is stored. You can ask the developers about this.
4. Protect your anonymity with a VPN.
5. Turn off location tracking when the app is not in use.
6. Avoid using public and unsecured Wi-Fi networks.


Cybersecurity is a constant fire drill—that’s not just bad, it’s dangerous


As part of my job as an industry analyst, I do lots of quantitative research with security professionals. One question we often pose to security professionals is around their biggest challenges. The research results often include issues like coping with alert storms, addressing the dangerous threat landscape, managing a multitude of point tools, scaling manual processes, and staffing shortages, along with one other challenge that comes up on nearly every survey, often with the highest percentage of responses: security professionals report that they are challenged because the cybersecurity team at their organization spends most of its time addressing high-priority/emergency issues and not enough time on strategy and process improvement.

