Eelcome to this week in NerdNews (TWINN). Your weekly top 5 technical and security issues Nerds should pay attention to:
I would like to talk about our location data. By default, our smart phones we carry in our pockets collect an extreme amount of precise location data. In fact, we have to go out of our way to find the many ways that we leave digital trails everywhere. And this isn’t a situation of “If you have nothing to hide, you shouldn’t be worried” scenario.
Then you add our pandemic situation to this, and it has had the result of being used as an excuse to scale up citizen surveillance. Because the data already exists. There’s nothing that needs to be invented. Nothing that requires to be deployed. Only someone to ask for such data, and under the guise of anonymous data, it is easy to obtain. Now here’s what our country of Canada has done:
Ottawa’s use of our location data raises big surveillance and privacy concerns.
It should concern us all, and we must act accordingly now that we all know this.
Appalled opposition MPs called for an emergency meeting of the ethics committee of the House of Commons, fearing that the pandemic was being used as an excuse to scale up surveillance.
Zerodium looks to buy zero-days in Outlook and Thunderbird email clients.
The $200,000 – $400,000 reward for finding vulnerabilities in some of the world’s most popular email programs tells us a lot. Even staying up-to-date on those programs isn’t sufficient anymore. Doing your email in a browser is actually the safest path today.
US-based exploit broker Zerodium announced plans today to pay $200,000 and $400,000 for zero-day exploits in Mozilla Thunderbird and Microsoft Outlook, respectively, two of today’s most popular and widely used desktop email clients.
The company, which buys exploits from security researchers and sells them to government and law enforcement agencies, announced its intentions earlier today via a message posted on its official Twitter account.
This NFT on OpenSea Will Steal Your IP Address.
More about NFTs later, but here’s an interesting nefarious use of NFT makers in a marketplace.
NFTs are usually passive affairs. A consumer buys the token, and then sells or stores the NFT. The NFT doesn’t really do anything.
Some new NFTs are being used to harvest viewers’ IP addresses, though, in a demonstration of how NFT marketplaces like OpenSea allow vendors, or attackers, to load custom code when someone simply views an NFT listing.
Hackers Using Device Registration Trick to Attack Enterprises with Lateral Phishing.
This multi-phase approach is all about taking advantage of companies’ BYOD policies that allow non-managed devices to join a network. With Zero Trust, this can be mitigated while allowing BYOD to continue.
Microsoft has disclosed details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victim’s network to further propagate spam emails and widen the infection pool.
The tech giant said the attacks manifested through accounts that were not secured using multi-factor authentication (MFA), thereby making it possible for the adversary to take advantage of the target’s bring-your-own-device (BYOD) policy and introduce their own rogue devices using the pilfered credentials.
Office of Management and Budget Releases Federal Strategy to Move the U.S. Government Towards a Zero Trust Architecture.
To us, this is obviously good news.
Today, the Office of Management and Budget (OMB) released a Federal strategy to move the U.S. Government toward a “zero trust” approach to cybersecurity. The strategy represents a key step forward in delivering on President Biden’s Executive Order on Improving the Nation’s Cybersecurity, which focuses on advancing security measures that dramatically reduce the risk of successful cyber attacks against the Federal Government’s digital infrastructure.
Did you know?
There’s a neutral video about NFTs: (ok about as neutral as you can possibly get, I would assert)