AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 03/01/2021

78% of top security leaders say their organizations are unprepared for a cyberattack

Seventy-eight percent of senior IT and security leaders believe their organizations lack sufficient protection against cyberattacks, according to research conducted by IDG Research Services on behalf of Insight. The high level of concern expressed by these leaders resulted in 91% of organizations increasing their cybersecurity budgets in 2021 — a figure that nearly matches the 96% that boosted IT security spending in 2020. Insight’s report was based on responses from more than 200 C-level IT and IT security executives in organizations with an average of 21,300 employees across a wide range of industries. Respondents overwhelmingly said that dramatic improvements in corporate security programs were needed. They expressed the least confidence in their organization’s security roadmap (32%), security-related technology and tools (30%), and internal teams and skill sets (27%). The respondents reported the highest level of trust in the company’s data management strategy, but, even then, less than half (45%) voiced confidence in that area of security operations.


LastPass in privacy hot seat over web trackers

LastPass’ slate of web trackers is in the spotlight after a security researcher recommended switching away from the password manager based on the findings of a well-known privacy advocacy app. The analysis follows LastPass’ recently announced restrictions to its free-tier service, which will become effective in March. The Exodus Privacy app, developed by the Guardian Project to document the number of trackers and permissions other apps use, discovered seven web trackers in the Android version of LastPass. Highlighting the findings in an analysis published Thursday, German security researcher Mike Kuketz recommended users move away from the password manager in favor of one without trackers. The web trackers on LastPass include those from Google Analytics, AppsFlyer and Mixpanel. While LastPass’ password encryption normally protects your passwords from being viewed by any tracker or site, these trackers let third-party companies collect a startlingly complete record of the sites you visit.


Apple has released Big Sur 11.2.2, an urgent fix for some MBP and MBA models

Apple has just released an update to Big Sur, bringing it to version 11.2.2. This is an urgent and out-of-cycle fix which Apple says “prevents MacBook Pro (2019 or later) and MacBook Air (2020 or later) models from incurring damage when they are connected to certain third-party, non-compliant powered USB-C hubs and docks.” The update is 2.6 GB for Intel models, and 3.1 GB for M1 Macs. Yes, it really is that huge, and is intended to be installed on every Mac model running Big Sur, it seems. There are no changed version or build numbers among bundled apps, nor in the System/Library folder, indicating that this update brings essentially no significant change to Macs other than the MacBook Pro and Air models affected by the bug described by Apple.


Chrome will soon try HTTPS first when you type an incomplete URL

Google engineers have been some of the most ardent promoters of browser security features over the past few years and, together with the teams behind the Firefox and Tor browsers, have often been behind many of the changes that have shaped browsers into what they are today. From pioneering features like Site Isolation to working behind the scenes at the CA/B Forum to improve the state of the TLS certificate business, we all owe a great deal of gratitude to the Chrome team. But one of the biggest areas of interest for Chrome engineers over the past few years has been pushing and promoting the use of HTTPS, both inside their browser and among website owners. As part of these efforts, Chrome now tries to upgrade sites from HTTP to HTTPS when HTTPS is available. Chrome also warns users when they’re about to enter passwords or payment card data on unsecured HTTP pages, from where they might be sent across a network in plaintext.


Can auditing eliminate bias from algorithms?

For more than a decade, journalists and researchers have been writing about the dangers of relying on algorithms to make weighty decisions: who gets locked up, who gets a job, who gets a loan — even who has priority for COVID-19 vaccines. Rather than remove bias, one algorithm after another has codified and perpetuated it, as companies have simultaneously continued to more or less shield their algorithms from public scrutiny. The big question ever since: How do we solve this problem? Lawmakers and researchers have advocated for algorithmic audits, which would dissect and stress-test algorithms to see how they work and whether they’re performing their stated goals or producing biased outcomes. And there is a growing field of private auditing firms that purport to do just that. Increasingly, companies are turning to these firms to review their algorithms, particularly when they’ve faced criticism for biased outcomes, but it’s not clear whether such audits are actually making algorithms less biased — or if they’re simply good PR.


T-Mobile discloses data breach after SIM swapping attacks

American telecommunications provider T-Mobile has disclosed a data breach after an unknown number of customers were apparently affected by SIM swap attacks. SIM swap fraud (or SIM hijacking) allows scammers to take control of targets’ phone numbers by porting them to a SIM controlled by the fraudsters, either through social engineering or by bribing mobile operator employees. Subsequently, they receive the victims’ messages and calls, which allows them to easily bypass SMS-based multi-factor authentication (MFA), steal user credentials, and take over the victims’ online service accounts. The criminals can then log into the victims’ bank accounts to steal money, change account passwords, and even lock the victims out of their own accounts. The FBI shared guidance on how to defend against SIM swapping following an increase in the number of SIM hijacking attacks targeting cryptocurrency adopters and investors.
