Timo Sablowski

Some interesting thoughts on regulation and its actual effects on security in a real world case. Both in the OP and some of the discussion below.

1

Information is beatiful visualised the most commonly used PINs - and no surprise here I guess ;) "According to the analysis, just 20 4-digit numbers account for 27% of all PINs: 1234, 0000, 7777, 2000, 2222, 9999, 5555, 1122, 8888, 2001, 1111, 1212, 1004, 4444, 6969 (nice), 3333, 6666, 1313, 4321, 1010. The diagonal line is people using repeated pairs of digits (e.g. 2727 or 8888) while the horizontal line near the bottom is people who are presumably using their (19xx) birth year as a PIN. (You can see the beginning of a 20xx line on the left side.)" https://lnkd.in/eCHmqzmq

12

Safeguard Sensitive Financial Data with Secure Managed File Transfer 👉 Read the blog: https://lnkd.in/eu-dpzwe #cybersecurity #MFT #SecureFileTransfer #datasecurity

3

During a threat-hunting exercise, Cisco Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations.  The results of the investigation have shown that the presence of the malicious code is due to the activity of a rare multi-module virus that's delivered via the .NET interop functionality to infect Word documents. The virus, named OfflRouter, has been active in Ukraine since 2015 and remains active on some Ukrainian organizations’ networks, based on over 100 original infected documents uploaded to VirusTotal from Ukraine and the documents’ upload dates. We assess that OfflRouter is the work of an inventive but relatively inexperienced developer, based on the unusual choice of the infection mechanism, the apparent lack of testing and mistakes in the code. The author’s design choices may have limited the spread of the virus to very few organizations while allowing it to remain active and undetected for a long period of time. 

46

What a great post from Dries on DORA en NIS2 differences and overlap. Answers most, if not all, of the questions I get on the subject! Must read, especially if you're active in the financial sector!

14

#Safety, #governance, safety! - Where in the system should these be positioned? - What became of #EO13636? ⚠🚨 The criticality of #cni is deadly important (it cannot be overstated) and should not be ignored due to the lack of action. It is really time for governments and CNI Operators to start activities to build CNI Resilience, reduce attack surfaces, and, worst case scenario, reduce knowing and unknowing deaths and consequences. "....the agency will review its security measures and improve cybersecurity after the investigation, which he said is being led by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency." #criticalinfrastructureprotection #securityleadership https://lnkd.in/eUMNkKuy

2

📱Hacking someone's WhatsApp account used to be worryingly easy… but fear not, that’s no longer the case!🔒 Passkeys are a more secure (and easier!) way to log into your account using Face ID/Touch ID/device passcode and they are finally available on iOS. (They’ve been on Android for a few months). #Passkeys let you bypass the traditional login method that includes passwords and two-factor authentication via SMS on your registered phone number. So being #WorldPasswordDay why not ditch the password and set up your passkey now!👇 (Only on iOS 17 or later) Settings > Account > Passkeys NB the Passkeys update roll-out is being conducted in phases and will gradually extend to all global regions and phones.

65

13 Kommentare

End-to-End Encryption vs. Protecting Children: Can We Have Both? A recent proposal by the European Union has ignited a fierce debate: should tech companies be mandated to scan private messages for child sexual abuse material (CSAM)? Protecting children is imperative, but this proposal raises grave concerns about the integrity of end-to-end encryption. Encryption is the cornerstone of our online privacy. It ensures that only the sender and recipient can access a message's contents. Undermining encryption would have profound consequences, leaving our communications vulnerable to malicious actors. How can we trust the government to safeguard our privacy when vulnerabilities exist in platforms like Signal, a widely trusted encrypted messaging service? Consider the following CVEs: Signal Desktop: CVE-2023-36665, CVE-2022-37601, CVE-2021-23440, CVE-2019-10747 Signal Server: CVE-2022-1471, CVE-2022-42889, CVE-2022-0839 libsignal: CVE-2023-42282 These vulnerabilities highlight the ongoing challenges in maintaining secure communication channels, making it even more critical to question any measures that could further weaken encryption. Advocates of the EU's plan assert that it's necessary to combat the proliferation of CSAM. However, critics argue that scanning private messages sets a dangerous precedent, paving the way for mass surveillance and infringing on our right to privacy. Moreover, such measures might prove futile, as criminals could simply migrate to more secure platforms. The critical question is whether we can protect children without compromising our privacy. This issue demands careful deliberation. We must devise solutions that tackle CSAM effectively without dismantling encryption's security advantages. Consider these questions: 1. Are there alternative methods to detect and prevent CSAM that do not involve scanning private messages? 2. Can education and awareness programs be enhanced to empower people to identify and report CSAM? 3. What role can tech companies play in creating solutions that protect children while upholding privacy? I would like you to please engage in this conversation and share your perspectives on this vital issue. Together, we can find a solution that protects our children and our privacy. #Signal #cybersecurity #privacy #encryption #childsafety #EU #technology What do you think? Can we strike a balance between protecting children and safeguarding privacy? Websites reviewed https://lnkd.in/e_CHeGfU

16

1 Kommentar

Go se our new webpage regarding OWASP® Foundation. 🎇 🚀 Here you can read our newest post about OWASP and we keep adding more 👍 😉 Se all already posted articles regarding OWASP here: https://lnkd.in/dpUv3Z5u

6

1 Kommentar

#DieHard4 https://lnkd.in/ddY83AsN 2007 -> 2024 = 17 years to prepare for it. Everyone can fall victim anytime, just remind me why we don't isolate towns' vital systems, as we isolate airport tower's radar systems? Emergency or Disaster Recovery usually means you reset damaged systems, and you give yourself a way to re-initialise them as they were, at a given time. (It's called RPO, and it's done within a given RTO). https://lnkd.in/dpCZ28rj We evidently need a #DieHard #OG. Alessandro Bottonelli not that our recent risk management discussion was that crazy of an idea, right? Seems like plan B is "try rebooting plan A twice", here. https://lnkd.in/dEf3hnv3 ...this brings back memories. 👀🙄 Is technology as we created it, and as we maintain it, still #Safe for humans? Or is it?

1

Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool. Tracked as CVE-2024-37032, the vulnerability has been codenamed Probllama. https://lnkd.in/e6y-cu79

5

⚠️Low Risk Vulnerability Alert⚠️: CVE-2024-5812 A low severity vulnerability in BIPS has been identified where an attacker with high privileges or a compromised high privilege account can overwrite Read-Only smart rules via a specially crafted API request. CVSSv3.1 Base Score: 3.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) https://lnkd.in/dR9W5CrQ

5

We found several vulnerabilities in the Open Source Content Management System Bludit, which is used to create websites and blogs. This advisory explains the vulnerabilities and proposes possible fixes and mitigations: https://lnkd.in/diUxkrXc

9

Comprehensive steps for a complete AD takeover

9