May 2, 2022
David Redekop

TWINN Security News May 02

Welcome to this week in NerdNews (TWINN). Your weekly top 5 technical and security issues Nerds should pay attention to:

Let’s first address some repeat problems we see around services that are visible to the public internet. Think of it like leaving doors permanently unlocked. Many small businesses expose services like security cameras, phone systems, network-attached storage or even remote desktops. Even if they require authentication, the door should still be considered unlocked. Such exposure is still a common initial attack vector, and it seems to be a hard lesson to learn. What keeps happening is that newly discovered bugs once again make Remote Code Execution possible, like these for example:

Critical Vulnerabilities Leave Some Network-Attached Storage Devices Open to Attack. The truth is, we may never stop seeing zero days, but what we can do is limit our exposure. First, at every site for which you carry responsibility, check for publicly exposed services: test all ports, and if anything is found, close it up.
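One place to start that check is from inside each host, before testing from the outside: list what is listening and flag anything not confined to loopback. The script below is an added example, not from this post or any vendor; it parses the output of Linux `ss -tln` (the sample here is constructed, not captured from a real host) and reports listeners bound to all interfaces or to a specific non-loopback address, with a hint for the well-known ports of the service types mentioned above.

```python
"""Flag listening sockets that are not confined to loopback.

Added example: audit `ss -tln` output (Linux) for services that are reachable
from outside the host. The sample input below is constructed for this example.
"""
import ipaddress

# Constructed sample of `ss -tln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22            0.0.0.0:*
LISTEN  0       128      127.0.0.1:5432        0.0.0.0:*
LISTEN  0       128      [::]:3389             [::]:*
LISTEN  0       511      192.0.2.10:5060       0.0.0.0:*
LISTEN  0       128      [::1]:631             [::]:*
"""

# IANA well-known ports for the kinds of services the post mentions.
SERVICE_HINTS = {
    22: "ssh",
    445: "smb (NAS file sharing)",
    554: "rtsp (camera streams)",
    3389: "rdp (remote desktop)",
    5060: "sip (phone system)",
}


def parse_local_address(field):
    """Split an ss 'Local Address:Port' field into (ip_address, port).

    Handles both '0.0.0.0:22' and bracketed IPv6 such as '[::]:3389'.
    """
    host, _, port = field.rpartition(":")
    host = host.strip("[]")
    # Some ss versions print '*' for the wildcard; treat it as IPv4 any.
    if host in ("", "*"):
        host = "0.0.0.0"
    return ipaddress.ip_address(host), int(port)


def classify(ip):
    """Describe how far a bind address reaches, from the host's point of view."""
    if ip.is_loopback:
        return "local-only"
    if ip.is_unspecified:
        return "all-interfaces"
    return "specific-interface"


def find_exposed_listeners(ss_output):
    """Return the LISTEN sockets that are not bound to loopback.

    Each finding carries the address, port, reachability class and a service
    hint. Everything returned here should be firewalled or closed unless there
    is a documented reason for it to be reachable.
    """
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        ip, port = parse_local_address(cols[3])
        reach = classify(ip)
        if reach == "local-only":
            continue
        findings.append({
            "address": str(ip),
            "port": port,
            "reachability": reach,
            "service": SERVICE_HINTS.get(port, "unknown"),
        })
    return findings


if __name__ == "__main__":
    for f in find_exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['address']}:{f['port']:<6} {f['reachability']:<19} {f['service']}")
```

A non-loopback bind is an inventory item, not proof of internet exposure: NAT and upstream firewalls may still block it. Use the list to decide what to verify from outside your perimeter, and treat every entry you cannot justify as a door to close.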

Russia Began Setting Stage for Cyberattacks Against Ukraine a Year Ago. A week cannot go by without mentioning Russia and Ukraine, and what’s interesting is how much planning went into the offensive but no noticeable planning for a defense. We are seeing more cyber attacks on Russia than in all of internet history.

How the French fiber optic cable attacks accentuate critical infrastructure vulnerabilities. This is an important reminder to us all that physical operational security deserves the same scrutiny as online operational security.

European Wind-Energy Sector Hit in Wave of Hacks. An important lesson here is that the strength of the security chain is only as strong as the weakest link. Criminals need to find only one weak link. Defenders have to find all of them.

Mexico’s top court strikes down controversial cellphone registry with biometric data. Ending this post with good news that I hope will continue. Years ago Cory Doctorow wrote an article titled Personal data is as hot as nuclear waste. It’s worth celebrating when such warnings are taken seriously by lawmakers.

Did you know?

security.txt is now an RFC which is a solid step in the right direction.
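security.txt lives at `/.well-known/security.txt` and RFC 9116 only requires two fields, Contact (at least one, as a URI) and Expires (exactly once, as an RFC 3339 timestamp that has not passed), yet those are exactly the rules that deployed files most often break. The validator below is an added example, not from this post or the RFC authors; both sample files are constructed, and the clock is passed in so the result is reproducible.

```python
"""Check a security.txt file against the RFC 9116 field rules.

Added example (not from the post). Covers the rules that trip up most
deployments: at least one Contact given as a URI, exactly one Expires that is
valid RFC 3339 and not already past, and at most one Preferred-Languages.
Both sample files below are constructed.
"""
from datetime import datetime, timezone

# Constructed: a well-formed file as served at /.well-known/security.txt
GOOD_SECURITY_TXT = """\
# Where to report security issues (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2023-06-01T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""

# Constructed: common mistakes, several in one file.
BAD_SECURITY_TXT = """\
Contact: security@example.com
Expires: 2021-01-01T00:00:00Z
Expires: 2024-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: fr
"""


def parse_fields(text):
    """Return (name, value) pairs; field names are case-insensitive per the RFC."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line
        fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_rfc3339(value):
    """Parse a timestamp such as 2023-06-01T00:00:00.000Z into aware UTC."""
    # datetime.fromisoformat only accepts a trailing 'Z' from Python 3.11 on.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def validate_security_txt(text, now):
    """Return a list of problems; an empty list means the file passed these checks."""
    fields = parse_fields(text)
    problems = []
    contacts = [v for n, v in fields if n == "contact"]
    expires = [v for n, v in fields if n == "expires"]
    langs = [v for n, v in fields if n == "preferred-languages"]

    if not contacts:
        problems.append("missing Contact (at least one is required)")
    for c in contacts:
        # Contact values must be URIs; a bare address lacks the mailto: scheme.
        if ":" not in c:
            problems.append(f"Contact is not a URI: {c}")

    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once (found {len(expires)})")
    for e in expires:
        try:
            if parse_rfc3339(e) <= now:
                problems.append(f"Expires is in the past: {e}")
        except ValueError:
            problems.append(f"Expires is not RFC 3339: {e}")

    if len(langs) > 1:
        problems.append(f"Preferred-Languages must appear at most once (found {len(langs)})")
    return problems


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for label, text in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, validate_security_txt(text, now) or "ok")
```

Run it against your own file with `datetime.now(timezone.utc)` as the clock. An expired file is the failure mode to watch for: researchers who find an out-of-date Expires have no way of knowing whether the Contact still reaches anyone, so schedule the refresh alongside your certificate renewals.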

For a video version of this see