
2022.20.12.News You Should Know

Most of the information security community has fled Twitter in favor of the Mastodon instance Infosec.Exchange
Mastodon is a federated replacement for Twitter and has ballooned from 100k users to over 2.5m users since Musk’s takeover of the Twitter platform. As most vendors, businesses, consultants, and infosec personalities made the move to Mastodon, so has the public zeitgeist of up-to-date security news and disclosures. To keep tabs, you can check out the public feeds CTI and ThreatIntel (these tags do not require an account to view).

Video game maker Epic has been hit by the FTC with a $500m fine for violating the Children’s Online Privacy Protection Act (COPPA) and for utilizing “dark patterns” in its user interfaces. Dark patterns intentionally trick users into spending money or prevent the cancelling of services in order to preserve revenue streams for the company. This marks the first significant enforcement of COPPA by the FTC.

Cloudflare and GoDaddy have acknowledged INC-5492776, in which some sites will on occasion return adult and pornographic material instead of the expected site. The cause is currently unknown, the problem is not reproducible, and any company making use of Cloudflare and GoDaddy may be affected.

PayPal money request scams are on the rise as attackers utilize the note section of payment requests to scare victims into “returning” money that was supposedly deposited to their accounts in error. In reality, no money has been deposited to the victim’s account, and the phone number for “PayPal support” included in the note connects to the scammers’ call centers.

A woman employed by a legal firm has been ejected from Radio City Music Hall after being identified by facial recognition scanners. The woman, who is employed by a firm that is currently suing MSG Entertainment, was ejected after guards told her the facial recognition software had identified her in the lobby as an employee of the litigating firm.

Choose Boring Tech becomes a website
The wildly popular talk by Dan McKinley, Choose Boring Technology, is now available as a website. Known for its tagline, “How to be old, for young people,” the talk encourages developers to consider the total cost of ownership when pivoting between frameworks and technologies.

This is what we’re implicitly saying when we want to add a piece of semi-redundant technology.
We’re saying that the new tech is going to make our work so much easier in the near term that this benefit outweighs the cost of dealing with that technology indefinitely into the future.
