Security Leftovers
Fraudsters use 'fake emergency data requests' to steal info • The Register [Ed: El Reg adopted Microsoft lobbying term, "Big Tech"]
Both Apple and Meta handed over users' addresses, phone numbers, and IP addresses in mid-2021 after being duped by these emergency requests, according to Bloomberg.
EDRs, as the name suggests, are used by law enforcement agencies to obtain information from phone companies and technology service providers about particular customers, without needing a warrant or subpoena. But they are only to be used in very serious, life-or-death situations.
As infosec journalist Brian Krebs first reported, some miscreants are using stolen police email accounts to send fake EDR requests to companies to obtain netizens' info. There's really no quick way for the service provider to know if the EDR request is legitimate, and once they receive an EDR they are under the gun to turn over the requested customer info.
Google Claims Microsoft Makes Governments Less Secure [Ed: Decades-long Microsoft propagandist Paul Thurrott covering up for Microsoft back doors and other inherent security issues]
In its most insane attack yet against Microsoft, Google this week claimed that using Microsoft technologies made governments less secure. But it has no data to back up that claim at all.
Modem-wiping malware caused Viasat satellite broadband outage in Europe
Viasat did not provide technical indicators-of-compromise nor a full incident response report, the researchers noted. Instead, the satellite biz said malicious commands disrupted modems in Ukraine and other European countries. The SentinelOne duo questioned how legitimate commands could cause this level of modem chaos. "Scalable disruption is more plausibly achieved by pushing an update, script, or executable," the researchers said.
They suggest the ukrop executable, which they dubbed AcidRain, could do the trick.
[...]
So, by destructive commands, Viasat meant: modems were commanded by their compromised support servers to run destructive malware.
Apple emits macOS, iOS, iPadOS patches for 'exploited' security bugs
Apple has released updates for its mobile and desktop operating systems to patch security holes that may well have been exploited in the wild.
On Thursday, the iPhone giant issued macOS Monterey 12.3.1; iOS 15.4.1 and iPadOS 15.4.1; tvOS 15.4.1; and watchOS 8.5.1 to address vulnerabilities in its software.
CISA Ask Federal Agencies To Patch 66 New Flaws Exploited By Attackers - IT World Canada
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has uncovered 66 new vulnerabilities that are exploited by attackers.
Free security training from the Open Source Security Foundation [Ed: What if OpenSSF does not pursue real security?]
The Open Source Security Foundation (OpenSSF) has partnered with Linux Foundation Training & Certification to release a free online training course, Developing Secure Software. The two organisations say the training course will help elevate these security issues and improve access to cybersecurity training for everyone from developers to operations teams to end-users.
Fixing Spring4Shell Starts With Software Supply Chain Management [Ed: More Linux Foundation puff pieces/ads]
The Linux Foundation’s SBOM contributions provided all of us a head start to begin addressing issues with software supply chain management. With widespread adoption, SBOM equips software projects and users to assess and address Spring4Shell as well as any other as-yet-unknown vulnerabilities and prepare us for what is undoubtedly a season of high-impact infrastructure software vulnerabilities.
Cyber Wyoming Tracking Local Phishing Attacks
Clicking on links in emails from well-known brands can be dangerous because of brand abuse.
