AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 01/27/2022

Threats Are (Still) on the Rise: 2022 Ponemon Report

Insider threats are a major risk for organizations of all sizes, and ignoring them is expensive. Insider threat incidents now cost businesses upwards of $15 million annually, on average. Careless insiders are not the only cause: more organizations report that credential theft is a growing concern in 2022. To compound matters, the average time to contain an insider incident has risen to 85 days, up from 77 days just two years ago. As the cybersecurity landscape becomes more complex, staying current on insider threat trends lets you build a proactive strategy that reduces both the likelihood of these incidents and their cost and impact when they do occur. The following highlights from the 2022 Cost of Insider Threats Global Report from Ponemon Institute can help you better understand and manage insider threats.


iOS 15.3 patches 10 major security flaws affecting Safari, root privileges, and more

Along with Apple’s software updates today for iPhone, iPad, Mac, Apple Watch, and more, a variety of security issues have been fixed. iOS 15.3 specifically patches 10 notable security bugs, ranging from the Safari web browsing leak to a flaw that can give malicious apps root privileges. We already knew the web browsing and Google account ID leak was being patched, since the fix arrived with the RC versions of iOS 15.3 and macOS 12.2. However, Apple has now detailed the full list of security patches, with documentation published for iOS 15.3, watchOS 8.4, and more. macOS 12.2 may include the same fixes, but Apple hasn’t published the security notes for that release just yet.


Google Illegally Used Dark Patterns to Trick Users Into Handing Over Location Data, State AGs Say

On Monday, attorneys general from Washington D.C., Texas, and at least two other states refocused their sights on Google, claiming the company repeatedly pressures its users to forfeit their location data through dark pattern tactics and other deceptive practices. Altogether, these practices may amount to violations of D.C.’s Consumer Protection Procedures Act and Texas’ Deceptive Trade Practices Consumer Protection Act, the lawsuits allege. Washington State and Indiana are expected to file similar suits later today, according to D.C. attorney general Karl A. Racine. Though Google does give users some options in their settings to limit the types of data they share, the suits argue these are insufficient and leave many uncertain just how much they are giving up to Google.


Umbrella company cyber attacks prompt fresh calls for sector regulation to protect contractors

The government is facing renewed calls to pick up the pace on pushing through statutory regulation for payroll processing firms, in the wake of a series of cyber attacks against umbrella companies that left thousands of workers across the UK struggling to pay their bills. Umbrella companies process the payroll for large numbers of contractors that provide their services via an employment agency to end-clients in the private or public sector. This creates a labour supply chain through which a sum of money will pass from the end-client to the agency, and then on to the umbrella company and – finally – the contractor.


Mentoring and Role Models Key to Improving Female Representation in Cybersecurity

The importance of mentoring and role models in helping women develop careers in cybersecurity was emphasized during the HackerOne Women in Cybersecurity Press Roundtable. The panel, which comprised a range of leading female figures in the cybersecurity industry, discussed practical ways of improving gender diversity in the industry. Marjorie Janiewicz, chief revenue officer at HackerOne, began by setting out a bleak picture regarding cyber’s gender imbalance. “It’s no secret that the cyber skills gap is rapidly growing, and women continue to be a minority in technical and cyber roles. We especially notice that underrepresentation in leadership roles,” she outlined. The panelists then highlighted personal experiences that inspired them to successful careers in cyber. Keren Elazari, a cybersecurity analyst, researcher, author and speaker, described initially feeling “lonely” operating in the industry as an anonymous white hat hacker. However, when attending her first hacker conference, Y2hacK, she became inspired mixing and interacting with like-minded people.


Accepting card payments on iPhone without extra hardware may soon be possible

Apple is working on a service that will enable iPhones to accept payments, thus turning them into payment terminals (via Bloomberg). The new feature would most likely utilize the iPhone’s NFC chip and enable small business owners to accept payments directly with their iPhones. According to Bloomberg’s sources, Apple has been working on this feature since around 2020, when it bought a Canadian startup company called Mobeewave. Mobeewave was developing technology that would allow smartphones to take payments with the tap of a credit card. There is currently no official information on whether the new payment acceptance feature will be part of Apple Pay, or whether Apple plans to launch the service independently or in collaboration with an existing payment network.
