Hello readers!
In today's Inside Security, our premium content offers the PATCH WATCH feature with the latest security patches from leading vendors and the SECURITY FUNDING column with the latest news on startup funding.
Also, check out the CISO CORNER section in which I interviewed Chuck Brooks, Georgetown University professor, member of CyberTheory's Inner Circle CISO advisory board, and ambassador for the Cybersecurity Collaborative.
If you'd like to read this special content, Inside Security is offering a 14-day free trial. To sign up, click here. Plus, if you sign up now, you get to enjoy Inside Security five days a week!
Thanks for your support!
Fred
President Joe Biden's picks to head the Department of Homeland Security (DHS) and the intelligence community stressed the need to strengthen federal government cybersecurity during their confirmation hearings. Both Alejandro Mayorkas, nominee to head the DHS, and Avril Haines, nominee for director of national intelligence, cited the recent SolarWinds hack as the reason they believe cybersecurity needs to be prioritized.
More:
- Mayorkas testified before the Senate Homeland Security and Governmental Affairs Committee that he would direct the Cybersecurity and Infrastructure Security Agency to improve the "cyber hygiene" of the federal government.
- Haines told the Senate Select Intelligence Committee that she would focus on thoroughly investigating the SolarWinds hack if confirmed.
- Security firm Malwarebytes revealed on Tuesday that the SolarWinds attackers gained access to some of its systems.
- Lloyd Austin, Biden's nominee for secretary of defense, told the Senate Armed Services Committee that he supports the Pentagon's new offensive cyber strategy known as "defense forward."
- Some security experts are warning that President Biden's internet-connected Peloton exercise bike could pose a security risk in the White House.
THE HILL
PATCH WATCH:
The Apache Software Foundation patched a vulnerability affecting multiple versions of Apache Tomcat that could enable an attacker to steal sensitive data.
To receive the full list of security patches and receive this feature weekly, start your FREE 14-day trial of premium!
The open-source DNSmasq software contains seven bugs that could enable attackers to carry out Domain Name System (DNS) cache poisoning, denial-of-service, and remote code execution attacks. The JSOF researchers who found the bugs named the chained attack DNSpooq.
More from JSOF:
- DNSmasq, which is used for caching DNS responses, is installed on millions of devices, including Cisco routers, Android phones, and Ubiquiti networks.
- The vulnerabilities include three DNS cache poisoning bugs and four buffer-overflow bugs.
- The vendor fixed the vulnerabilities in DNSmasq 2.83, the latest version.
THREATPOST
Chimera, a hacking group suspected of having links to the Chinese government, has been stealing airline passenger data for years to track people of interest, warned NCC Group/Fox-IT researchers. This group targeted passenger name record (PNR) data stored in flight booking servers.
More from NCC/Fox-IT:
- Chimera used credentials stolen in previous breaches to gain access to airlines' remote services, such as webmail.
- Once inside the victims' network, the group deployed Cobalt Strike to find IP and passenger data.
- The group then uploaded the data to public cloud services like Dropbox and Google Drive.
- The researchers warned that victims might not be aware that they have been compromised and the group might still be collecting data.
ZDNET
Security bugs found in the Facebook Messenger and Google Duo chat apps could enable hackers to spy on users, according to Google Project Zero researcher Natalie Silvanovich. The flaws could enable a caller to force the callee's device to transmit audio or video without any interaction from the callee.
More from Project Zero:
- Other chat apps that had these bugs are Signal, JioChat, and Mocha.
- All of the vendors patched the bugs last year.
- Apple's Group FaceTime app suffered from similar problems, and those were patched last February.
BLEEPING COMPUTER
QUICK HITS:
- How are companies deciding on privacy management solutions in 2021? This eGuide breaks it down.*
- Rob Joyce, who is currently serving at the U.S. embassy in London, will take over the National Security Agency's cybersecurity division.
- Hackers posted 1.4 million Pixlr user records for free on a dark web forum.
- New York's Center for Alternative Sentencing and Employment Services notified clients about a data breach involving employee email accounts.
- The Russian cryptocurrency exchange Livecoin is shutting down after a cyberattack compromised its infrastructure and exchange rate system.
- Bullish on Bitcoin? Start earning daily interest on it with Nexo’s eGuide.*
* This is sponsored content.
Fred Donovan is a professional writer, editor, and content specialist with decades of experience, most recently in the areas of information technology and cybersecurity. He has written for such publications as HealthITSecurity.com, FierceITSecurity, InfoSecurity Magazine, Report on Patient Privacy, TechGenix, and NetDefense. Fred has a B.A. from Harvard University in government and an M.S. in national security from Georgetown University.
Editor
Charlotte Hayes-Clemens is an editor and writer based in Vancouver. She has dabbled in both the fiction and non-fiction world, having worked at HarperCollins Publishers and more recently as a writing coach for new and self-published authors. Proper semi-colon usage is her hill to die on.