Warning! Hackers are coming after your travel accounts. Here's how to protect yourself.
WACD Reading List
Gen AI financial scams are getting very good at duping work email
Cybersecurity expert says the next generation of identity theft is here: ‘Identity hijacking’ | Tacoma News Tribune
What is catfishing and what can you do if you are catfished? | CNN Business
Data Privacy Week 2024 | WaTech
Data Privacy Week - National Cybersecurity Alliance
‘Spear phishing’ scams specifically target your personal and business email accounts
Microsoft issues alert to Windows 10 users - act now or your PC is at risk | Express.co.uk
Report: Hackers Shift from Malware to Less Detectable Credential Hijacking - Route Fifty
Adversaries are relying less on malware to conduct attacks that are consequently more difficult to detect, according to an annual report released by cybersecurity firm CrowdStrike.
Outlook and Gmail fans hit by new email threat that's worrying experts | Express.co.uk
Android users: Do not click on this text message
Top 5 cybersecurity challenges in the hybrid office | 2021-06-16 | Security Magazine
The pandemic has caused a tectonic shift in how we live and work. Many companies are slowly returning to offices while an estimated 40% of the U.S. workforce continues to work remotely. A year into the pandemic and one thing is crystal clear, the future of work is hybrid. Regardless of whether employees are on-site or remote, this convenience is now a permanent cyber-risk for businesses.
Microsoft Patches Six Zero-Day Security Holes – Krebs on Security
Microsoft today released another round of security updates for Windows operating systems and supported software, including fixes for six zero-day bugs that malicious hackers already are exploiting in active attacks.
June’s Patch Tuesday addresses just 49 security holes — about half the normal number of vulnerabilities lately. But what this month lacks in volume it makes up for in urgency: Microsoft warns that bad guys are leveraging a half-dozen of those weaknesses to break into computers in targeted attacks.
Cyberattack on food supply followed years of warnings - POLITICO
Virtually no mandatory cybersecurity rules govern the millions of food and agriculture businesses that account for about a fifth of the U.S. economy. And now, the risk has become real.
A security researcher found Wi-Fi vulnerabilities that have existed since the beginning - The Verge
How to use authenticator apps like Google Authenticator to protect yourself online - Vox
Text-based 2FA, where a text with a six-digit code is sent to your phone to verify your identity, is better known and better understood because it uses technology most of us use all the time anyway. But it’s a technology that wasn’t meant to serve as an identity verifier, and it’s an increasingly insecure option as hackers continue to find ways to exploit it.
That’s why I recommend using an authenticator app, like Google Authenticator, instead. Don’t let the name intimidate you: There are a few extra steps involved, but the effort is worth it.
What is Social engineering? How Does it work? - CSN
Social Engineering is a technique that is performed by cybercriminals who indulge in exploiting human weaknesses. The act of Social Engineering involves various techniques all of which involve the manipulation of human psychology.
Phish Leads to Breach at Calif. State Controller — Krebs on Security
A phishing attack last week gave attackers access to email and files at the California State Controller’s Office (SCO), an agency responsible for handling more than $100 billion in public funds each year...“This isn’t even the full extent of the breach,” said the California state employee, who spoke on condition of anonymity.
Krebs on Security
Ne’er-do-wells leaked personal data — including phone numbers — for some 553 million Facebook users this week. Facebook says the data was collected before 2020 when it changed things to prevent such information from being scraped from profiles.
The HaveIBeenPwned project, which collects and analyzes hundreds of database dumps containing information about billions of leaked accounts, has incorporated the data into its service.
An Uprising of DDoS Attacks, a Cause of Concern for Organizations | Cyware Alerts - Hacker News
Did you think DDoS attacks were over? They are not. Actually, recent research has discovered that these attacks attained a record high during the pandemic.
Google Warns Mac, Windows Users of Chrome Zero-Day Flaw | Threatpost
Google is hurrying out a fix for a vulnerability in its Chrome browser that’s under active attack – its third zero-day flaw so far this year. If exploited, the flaw could allow remote code-execution and denial-of-service attacks on affected systems.
ZIPX files that aren't: Keep a weather eye out for disguised malware in email attachments • The Register
By using the .zipx extension to obfuscate EXE payloads, crooks might be hoping to sneak the elderly NanoCore remote-access trojan through users' email and endpoint-scanning software.
Mitigate Microsoft Exchange On-Premises Product Vulnerabilities | CISA
CISA issued ED 21-02 requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch.
Microsoft Exchange hack, explained
Cyberattacks Are Inevitable. Is Your Company Prepared?
Cyberattacks always happen when you least expect them. And when they happen, they happen quickly. Responding appropriately is not just the responsibility of your cybersecurity team; everyone in the organization has a role to play.
Microsoft Patch Tuesday Updates Fix 14 Critical Bugs | Threatpost
Microsoft has released its regularly scheduled March Patch Tuesday updates, which address 89 security vulnerabilities overall.
Included in the slew are 14 critical flaws and 75 important-severity flaws. Microsoft also included five previously disclosed vulnerabilities, which are being actively exploited in the wild.
30,000 U.S. organizations breached by cyber espionage group Hafnium | 2021-03-09 | Security Magazine
At least 30,000 organizations in the U.S. have been hacked by a Chinese cyber espionage unit, known as "Hafnium." The group is targeting and exploiting security vulnerabilities in Microsoft Exchange Server email software.
Do I Need a VPN at Home? | PCMag
Staying in is the most effective way to protect yourself during the pandemic, and that means a lot more time online at home. A VPN can help secure that critical connection.
A Private Alternative to Google Maps: DuckDuckGo Maps
DuckDuckGo isn’t just a private alternative to Google and Bing’s web search. It has a built-in online mapping solution designed with privacy in mind. If you want to leave Google, you don’t have to stick around for Google Maps.
Malformed URL Prefix Phishing Attacks Spike 6,000% | Threatpost
“The URLs are malformed, not utilizing the normal URL protocols, such as http:// or https://,” researchers said in a blog post about their findings. “Instead, they use http:/\ in their URL prefix.”