
2023.01.10.News You Should Know

House omnibus spending bill brings three interesting cybersecurity measures.

  • Section 7030 will require cybersecurity to be a key consideration in the adoption of technology, and specifically 5G technologies, for members of the Digital Connectivity and Cybersecurity Partnership.
  • The “No TikTok on Government Devices Act” bans the use of the Chinese-owned ByteDance company’s TikTok social media platform on government-owned devices, with power being given to the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to dictate how application management is performed.
  • Section 3305 will require the FDA to ensure cybersecurity requirements are placed on medical devices. This is a change in posture from the FDA’s previous encouragement to follow cybersecurity best practices. Lawfare gives a breakdown of Section 3305.

Chair of the Senate Select Committee on Intelligence, and former techie, Sen. Mark Warner (D-VA) gave an interview via TechCrunch at the 2023 Consumer Electronics Show. In the interview, Warner discusses his legislation preventing the use of Huawei technologies, TikTok on federal devices, and the FTC’s handling of acquisitions and monopolies.

Speaking of the Senate Select Committee on Intelligence, Sen. Dianne Feinstein (D-CA) has announced a bid for Congress. This comes amid mental-health concerns for the recently widowed Senator, who if elected would exit Congress at age 95.
Representative Katie Porter (D-CA) has announced a bid for Feinstein’s seat. If Feinstein is displaced, Porter would have a significant impact on the end-to-end encryption and warrantless spying legislation Feinstein has been the main champion of for the last two decades.
Feinstein has served as the enemy of privacy, security, and firearm advocates, as well as mathematicians, over the last twenty years by championing a revocation of Section 230 of the Communications Decency Act, attacking Snowden for his 2013 revelations on PRISM, co-sponsoring the proposed Protect IP Act, and defending the Patriot Act and other FISA court/warrantless spying provisions.

Microsoft ends all support for Windows 8.1 today. This is followed by the end of support by Google Chrome for the Windows 7 and 8.1 platforms as well.

Interestingly, as I was compiling this week’s round-up, I came across reports of a report from Microsoft about malware and ransomware on macOS platform devices. However, all my attempts to access the report led to dead ends on the Microsoft.com domain.
Further research led me to allegations from Patrick Wardle, head of the Objective-See Foundation, that Microsoft had essentially ripped off the Art of Mac Malware by failing to provide any credit or citations for the information contained in the report.

PyPI packages are leaking keys and loading malicious code. Bleeping Computer writer Bill Toulas identified 6 malicious packages in the Python Package Index. All are now removed, and none had over 230 downloads. Additionally, Tom Forbes reported on multiple PyPI packages with live AWS keys included. Affected packages ranged from Amazon to the Australian Government to Intel.
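An added check, written for this round-up rather than taken from Toulas’s or Forbes’s reporting, that scans an unpacked package directory for the kind of AWS credential these packages shipped with; the regex patterns, file names and sample values below are constructed:

```python
"""Scan an unpacked Python package (sdist/wheel contents) for AWS credentials.
Added example, not code from the articles above; patterns are constructed."""
from __future__ import annotations
import re
from pathlib import Path

# AWS access key IDs: 4-char prefix (AKIA long-term, ASIA temporary) + 16 [0-9A-Z].
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys: 40 base64-ish chars, here only when near an "aws ... secret" label.
SECRET_KEY_RE = re.compile(r"(?i)aws.{0,30}?secret.{0,30}?['\"]([0-9A-Za-z/+]{40})['\"]")
SKIP_SUFFIXES = {".pyc", ".so", ".png", ".jpg", ".gz", ".zip", ".whl"}

def scan_text(text: str, origin: str = "<memory>") -> list[dict]:
    """Return one finding per credential pattern matched in `text`, masking secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"file": origin, "line": lineno,
                             "kind": "aws_access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            findings.append({"file": origin, "line": lineno,
                             "kind": "aws_secret_access_key",
                             "value": secret[:4] + "..." + secret[-4:]})
    return findings

def scan_package(root: Path) -> list[dict]:
    """Walk an unpacked package tree and scan every text-like file in it."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix in SKIP_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary file, nothing to pattern-match
        findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings

if __name__ == "__main__":
    import sys, tempfile
    # Constructed sample package: a settings module carrying an example credential.
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "example_pkg"
        pkg.mkdir()
        (pkg / "settings.py").write_text(
            'AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000000EX"\n'
            'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n')
        hits = scan_package(Path(tmp))
        for f in hits:
            print(f"{f['file']}:{f['line']}: {f['kind']} {f['value']}")
        sys.exit(1 if hits else 0)  # non-zero so a CI publish step fails on a leak
```

Run it against `pip download --no-binary :all: <pkg>` output before trusting or publishing a package; a non-zero exit means a credential-shaped string was found.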

Bruce Schneier entertained Chinese researchers who published a report claiming they could defeat 2048-bit RSA encryption. Though minimal credence is being given to these claims, and the researchers admit they haven’t successfully broken any, security organizations would do well to start moving towards quantum-resistant keys. Specifically, larger ECDSA keys.
