Teamsters doesn’t pay ransom. Should you? It’s not rocket science - TechBeacon

But 2019 was a long time ago: It’s emerged that the International Brotherhood of Teamsters was attacked by ransomware scrotes in 2019. Despite advice from the FBI, the union didn’t pay a penny in ransom—and certainly not the $2.5 million asking price.

So your best bet is to shore up your #security. In this week’s #SecurityBlogwatch, we do our duty as we see fit.

At @TechBeaconCom: https://t.co/gRgHi1biaa

— @Richi 😷 Jennings (@RiCHi) June 17, 2021

Microsoft’s Legal Head: U.S. must Stop Secret Gag Orders - Security Boulevard

President Speaks Unto President: BradSmith, Microsoft president and CLO, says law enforcement’s bad habit has to be broken: Secretly subpoenaing data from cloud providers—blocking them from telling customers—is undemocratic, and hurts international relationships, he argues.

I’ve got a solution for the problem, but I’m not allowed to tell you.

In today’s #SBBlogwatch, we keep schtum. At @SecurityBlvd: https://t.co/PpZ1DBG72x

— @Richi 😷 Jennings (@RiCHi) June 16, 2021

Who, Us? Linux Root Bug Quietly Added 7 Years Ago - Security Boulevard

Linux Lovers, Look the Other Way A nasty vulnerability in most Linux distributions is raising eyebrows among the penguinistas. A simple unchecked error in the polkit component can let a user get root with just a couple of commands.

But how did this happen? In today’s #SBBlogwatch, we unpick the story. At @SecurityBlvd: https://t.co/E3ZMA5EIrB

— @Richi 😷 Jennings (@RiCHi) June 14, 2021

EA’s Source: It’s in the Game (and in Hackers’ Hands) - Security Boulevard

Or, Go Outside for a Walk Electronic Arts got hacked and its source code stolen. Hackers took hundreds of gigabytes of game source code and tools—including internals of FIFA 21 and Battlefield.

So what is it? In today’s #SBBlogwatch, we push a secret button sequence to find out.

At @SecurityBlvd: https://t.co/FVPrCOjlyz

— @Richi 😷 Jennings (@RiCHi) June 11, 2021

Trojan Shield: FBI punks crims with faux app—and international help - TechBeacon

Cops did WHAT? Police forces around the world are arresting more suspects of organized crime. They’re unsealing evidence gathered over the past two to three years via a private-messaging app, Anom (styled ΛNØM or An0m).

This is madness. In this week’s #SecurityBlogwatch, this is Sparta. At @TechBeaconCom: https://t.co/TuvcsxXhTh

— @Richi 😷 Jennings (@RiCHi) June 10, 2021

Genius! Apple Bribes Woman over Naked Pic Theft - Security Boulevard

Three Times a Hypocrite: Apple is under fire for its hypocrisy in promising privacy, while also authorizing repair technicians who allegedly stole naked pictures and video from a woman’s iPhone. To make matters worse, court filings also allege they took control of her Facebook account and posted the sensitive media to her wall for all her friends to see.

And Apple tried to bury the story, by bribing the victim in a secret settlement under #NDA, according to the court filings.

How hypocritical is that? In today’s #SBBlogwatch, we count the ways. At @SecurityBlvd: https://t.co/eQ4DX9Eso9

— @Richi 😷 Jennings (@RiCHi) June 9, 2021

Is Apple’s App Store ‘Teeming’ with Scams? - Security Boulevard

Time to Drop your iPhone? Roughly 2% of the top-grossing iOS apps are, in some way, “scams.” Or so it is said: There’s been much chatter this weekend that Apple is sleeping on the job of reviewing iThing apps.

Is this simply a spat between the A and the A in #FAANG?

In today’s #SBBlogwatch, we wonder if there’s a There there. At @SecurityBlvd: https://t.co/GufRf1Oo2d

— @Richi 😷 Jennings (@RiCHi) June 7, 2021

Chrome Fake Reviews: It’s Worse than We Thought - Security Boulevard

“Nooo, I’ve been phished.” The problem of fake reviews in the Google Chrome extensions store is bigger than it seems. New analysis shows a web of malware with access to all your browsing, that can redirect you anywhere when you least expect it.

Come on, Google, get a grip.

In today’s #SBBlogwatch, we lose trust in la $GOOG. At @SecurityBlvd: https://t.co/SoCUBVMcvV

— @Richi 😷 Jennings (@RiCHi) June 4, 2021

Flashcard study apps expose nuclear secrets to all - TechBeacon

Monkey see, monkey do: US military personnel have been uploading nuclear secrets to online learning platforms, where they can be found by anyone. Free flashcard apps such as Chegg, Quizlet, and Cram have hosted the scarily detailed secret data for as long as eight years—possibly longer.

Rote learning is bad enough without suffering fallout from information leakage.

In this week’s #SecurityBlogwatch, we file our cards away securely. At @TechBeaconCom: https://t.co/G8sYXIr93U

— @Richi 😷 Jennings (@RiCHi) June 3, 2021

Dunhammer: NSA Blamed for Danish Spying on Euro Pols - Security Boulevard

“Something is Rotten in the State of Denmark” In a damning leaked report, Danish authorities reveal that the NSA spies on friendly foreign governments. This time, thanks to the help of FE, its opposite number in Denmark.

What should we tell Horatio? In today’s #SBBlogwatch, Marcellus criticizes incestuous relationships. At @SecurityBlvd: https://t.co/wMRcqfCr2A

— @Richi 😷 Jennings (@RiCHi) June 2, 2021

Grandchild of Rowhammer: ‘Half-Double’ Tactic Flips Farther Bits - Security Boulevard

I Want My ECC: Rowhammer—an attack tactic to escape sandboxes by flipping “neighboring” bits—has a new variant. And it’s been made easier by newer designs of RAM chips.

This new variant, which the team dubbed #HalfDouble, presents a “substantial challenge.” In today’s #SBBlogwatch, we double down, with no half measures. At @SecurityBlvd: https://t.co/6WJoLvrN81

— @Richi 😷 Jennings (@RiCHi) May 28, 2021

DevOps failures cast cloudy shadows over countless apps - TechBeacon

MDM of BYOD might be unfashionable, but it could CYA: Mobile apps are still awful—that’s the scary conclusion from researchers. They sampled a range of @Android apps and easily found 23 that leaked the personal data of 100 million users—and worse.

And it’s not just an #Android problem. In this week’s #SecurityBlogwatch, we go back to school.

At @TechBeaconCom: https://t.co/HtIzqDmzRn

— @Richi 😷 Jennings (@RiCHi) May 27, 2021

Ransomware Gang Frees Irish Medical Data—but Leak Threat Remains - Security Boulevard

What’s Gaeilge for ‘HIPAA’? The Health Service Executive (HSE), the body that runs Ireland’s socialized healthcare system, suffered a catastrophic malware attack last week. Ransomware scrotes wielding the Conti malware demanded $20 million to decrypt all the files.

But they’re still warning they’ll leak private health records unless they get their money.

In today’s #SBBlogwatch, we ponder ways to control this scourge. At @SecurityBlvd: https://t.co/nXfhcNr1IY

— @Richi 😷 Jennings (@RiCHi) May 24, 2021

Fake Chrome Extensions: Google Asleep at the Switch - Security Boulevard

“Yay, I’ve been phished.” Hey there. Umm … that “Microsoft Authenticator” extension you installed? The one with access to all your browsing, and that can redirect you anywhere when you least expect it? It’s actually malware, designed to phish for your passwords. (Nice blue couch, BTW.)

And @Firefox won’t save you, either. In today’s #SBBlogwatch, we burn the whole thing down. At @SecurityBlvd: https://t.co/mAmrDc5rq5

— @Richi 😷 Jennings (@RiCHi) May 20, 2021

AXA’s ransomware gambit comes back to bite - TechBeacon

Like rain on your wedding day: AXA’s Asian arm has been hit by a ransomware attack. The news comes days after AXA’s French HQ said it planned to stop writing cyber-insurance policies that pay out ransoms to hackers.

Malheureusement, the timing isn’t quite as neat as the narrative suggests. In this week’s #SecurityBlogwatch, we never let the facts get in the way of a good story. At @TechBeaconCom: https://t.co/f48imsGUjL

— @Richi 😷 Jennings (@RiCHi) May 20, 2021

DarkSide Ransomware Gang Struck Down — but by Whom? - Security Boulevard

Seduced by the DarkSide: The DarkSide group, hacker of the Colonial Pipeline, has hurriedly shut up shop. The shadowy group claims its servers and cryptocurrency balances have disappeared. People say it was the U.S. government that killed it. Which makes sense in the context of the White House’s recent pronouncements.

This sounds like a job for friar William of Ockham and his famous razor.

In today’s #SBBlogwatch, we look east. At @SecurityBlvd: https://t.co/X4aViMBW63

— @Richi 😷 Jennings (@RiCHi) May 17, 2021

AXA axes ransomware insurance. Who’s next? - TechBeacon

End of the beginning? Huge multinational insurance firm AXA Group has announced it will no longer write cyber-insurance policies that pay out extortionate #ransoms to hackers. So far, this applies only to France, but observers wonder if the strategy will spread.

As the #French say, /pour encourager les autres/. And, yes, it might well encourage other insurers to get serious about this knotty problem.

In this week’s #SecurityBlogwatch, we’re careful with that AXA, Eugene. At @TechBeaconCom: https://t.co/5xFlrCRVrl

— @Richi 😷 Jennings (@RiCHi) May 13, 2021

Rail Firm Staff Fail ‘Bonus’ Phishing Test, Chaos Ensues - Security Boulevard

COVID Pretext FAIL: “Click here to claim your bonus pay,” said email from a British train company, signed by the firm’s chief. Hundreds of @WestMidRailway employees did exactly that. Because of course they did.

What a kick in the teeth for staff who’ve been putting their health on the line since early 2020. OTOH, phishing exercises are an established part of staff #infosec … errm … training. In today’s #SBBlogwatch, we’re deeply conflicted. At @SecurityBlvd: https://t.co/0kxSnG6mU0

— @Richi 😷 Jennings (@RiCHi) May 12, 2021

Colonial Pipeline FAIL: Ransomware Gang Threatens Gas Supplies - Security Boulevard

Something-Something #DarkSide: Carrying almost half of the east coast’s road and jet fuel, the Colonial Pipeline is critical infrastructure—of that there’s no doubt. But ransomware scrotes have stolen and encrypted 100 GB of data, crippling the pipeline’s operation.

Prepare for inflated gas prices, long lines at the pumps and canceled flights.

In today’s #SBBlogwatch, we angrily buy a used Nissan Leaf. At @SecurityBlvd: https://t.co/ZddHFEf1dL

— @Richi 😷 Jennings (@RiCHi) May 10, 2021

Very Many Qualcomm Phone Chips Hiding Very Nasty Vulnerability - Security Boulevard

Time to Get a New Phone? A high-severity bug affects almost 40% of Android phones. The security hole is in Qualcomm modems—specifically in their software interface to the Android platform.

Good luck getting a patch for an old phone. In today’s #SBBlogwatch, we check the insurance for an “accidental” fall onto concrete.

At @SecurityBlvd: https://t.co/kTGWsQ0J1a

— @Richi 😷 Jennings (@RiCHi) May 7, 2021

Log this: iOS and macOS zero-day patches roll; Apple devs under fire - TechBeacon

iFAIL:Apple is patching every current OS it has. WebKit has critical zero-day vulnerabilities, exploitable to execute arbitrary code on Macintosh, iPhone, iPad, and Apple Watch.

“Doesn’t play well with others,” is the damning report card. In this week’s #SecurityBlogwatch, Apple gets a failing grade.

At @TechBeaconCom: https://t.co/A8JTrT3gKr

— @Richi 😷 Jennings (@RiCHi) May 6, 2021

Specter of Spectre is Back, in New Micro-Op Cache Vuln - Security Boulevard

Worry, Worry—Super Scary: It’s been three years, but researchers have disclosed new attacks on speculative execution in Intel and AMD chips. Just be thankful they didn’t give it a catchy name, like Spectre.

There’s a lot to worry about in #BranchPrediction. In today’s #SBBlogwatch, we think happy thoughts. At @SecurityBlvd: https://t.co/kpaL8pTMal

— @Richi 😷 Jennings (@RiCHi) May 3, 2021

With iOS 14.5, Apple shifts peeping apps fight to the OS - TechBeacon

F vs. A—what about the ANG? Pay attention: An important trend is hiding amid the fluff and froth of a fanciful “feud” twixt Tim Cook and Mark Zuckerberg. Ignore the tech soap opera—you need to get ahead of the changes, so read on.

And #iOS 14.5 is part of the reason. In this week’s #SecurityBlogwatch, we finally cut through the fish-eye lens of tear-stained eyes. [You’re fired—Ed.]

At @TechBeaconCom: https://t.co/VOiZz68lK9

— @Richi 😷 Jennings (@RiCHi) April 29, 2021

U.S. DoD has World’s Largest Honeypot: 6% of Internet Space - Security Boulevard

DoD BGP Mystery Solved: 175 million IP addresses owned by the U.S. Defense Department have “appeared” on the public internet. Formerly unroutable, these address ranges are now being advertised by a previously-unknown contractor. But it’s all aboveboard, we’re told.

But he doesn’t look very military. Perhaps he’s in the Navy? In today’s #SBBlogwatch at @SecurityBlvd, we can sail the 0x07000000/8 seas. [You’re fired—Ed.]https://t.co/87KT89G8P1

— @Richi 😷 Jennings (@RiCHi) April 26, 2021

China Silently Hacked Gov’t and Defense for a Year or More - Security Boulevard

These Things Come In Threes:After the Russian SolarWinds hack and the Chinese Exchange débâcle, here’s the third shoe to drop. And again it’s China being fingered by researchers.

Evidence shows the hackers breaking in 10 MONTHS ago, with indications that they’ve been around for some time before that.

In today’s #SBBlogwatch at @SecurityBlvd, we can see where this is going: https://t.co/amquujOF7l

— @Richi 😷 Jennings (@RiCHi) April 23, 2021

Google FLoC is a flop? Not so fast - TechBeacon

Third-party #cookies will soon go away, because people are fed up with being tracked. That’s bad news for advertisers, unless there’s something to replace them.

But #privacy wonks hate it. And so do most other #browser makers.

In this week’s #SecurityBlogwatch at @TechBeaconCom, we munch on a tasty lettuce leaf: https://t.co/kFMC648LEv

— @Richi 😷 Jennings (@RiCHi) April 22, 2021

Wait, What? Nvidia/ARM Sale on Hold—for Security Reasons - Security Boulevard

Nvidia to Stay ARMless? The United Kingdom is investigating the proposed “merger” of ARM and Nvidia. Her Majesty’s government says it’s worried that there are national security implications.

Yes, but is there really a #security question? Or is that a convenient excuse to slam on the brakes?

In today’s #SBBlogwatch at @SecurityBlvd, we avoid weak jokes about fish and chips: https://t.co/Z1z3NuApnm

— @Richi 😷 Jennings (@RiCHi) April 20, 2021

STOP: Opt out of phone numbers as authentication tokens - TechBeacon

It’s a numbers game: This week brings yet more examples of poor design. Specifically: Two apps trusting phone numbers without properly authenticating the actual user.

Watch out—these things come in threes. In this week’s #SecurityBlogwatch at @TechBeaconCom, we got the 411 (ask your parents): https://t.co/XUcOlw8rer

— @Richi 😷 Jennings (@RiCHi) April 15, 2021

YT$AW: FBI Cleans Up Exchange Servers, NSA Tips Microsoft 4 More Bugs - Security Boulevard

Feds Fix Fails Your tax dollars at work: The FBI and NSA have been helping fix the mess caused by the recent Microsoft Exchange hacking, and trying to prevent a further round of it.

“We’re from the government, and we’re here to help.” In today’s #SBBlogwatch at @SecurityBlvd, we’re careful what we wish for: https://t.co/0Oh8fWXdLe

— @Richi 😷 Jennings (@RiCHi) April 14, 2021

Son of Stuxnet? Iran Nuke Site Hacked ‘by Israel’ (Again) - Security Boulevard

Crystal Ball ain’t so Crystal Clear: Iran’s Nantaz nuclear centrifuge facility went dark yesterday. I can’t stand it—I know you planned it.

But something doesn’t add up. In today’s #SBBlogwatch at @SecurityBlvd, we can’t stand rocking when I’m in here: https://t.co/ZAX79I2d8P

— @Richi 😷 Jennings (@RiCHi) April 12, 2021

Facebook Sucks: Huge 500M-User Breach ‘Is Your Fault’ - Security Boulevard

GDPR: Coming for Mark’s Money: Last week’s revelation of a half-billion-user leak is still reverberating around the news cycle. Despite Facebook’s attempts to make it go away, new inconvenient truths keep appearing.

This is bad. I can’t watch. But I can’t *not* watch. In today’s #SBBlogwatch at @SecurityBlvd, we break out the jumbo bag of popcorn: https://t.co/k36bF45QZy

— @Richi 😷 Jennings (@RiCHi) April 8, 2021

Cryptominers flooding GitHub—and other cloudy dev services - TechBeacon

“This is why we can’t have nice things.” Owners of public GitHub projects have been noticing weird stuff recently: Random users are forking repos, then pull-requesting a change that includes an obfuscated GitHub Action.

So there isn’t much an owner can do—other than disable the #GitHubActions feature.

In this week’s #SecurityBlogwatch at @TechBeaconCom, we watch @GitHubSecurity play Whac-A-Mole: https://t.co/6LeTpyvr40

— @Richi 😷 Jennings (@RiCHi) April 8, 2021

Apple Fiddles While App Store Burns: $1M Bitcoin Scam FAIL - Security Boulevard

Tim’s Security Halo Slips: Phillipe Christodoulou got ripped off to the tune of more than a million dollars. An iPhone app stole 17.1 bitcoins from his Trezor hardware wallet.

Are you serious? Deadly. In today’s #SBBlogwatch at @SecurityBlvd, we learn valuable lessons: https://t.co/6GDEr2mOH7

— @Richi 😷 Jennings (@RiCHi) April 5, 2021

Ubiquiti Accused of Lying to Help Stock Price - Security Boulevard

UI PR FAIL: Ubiquiti disclosed a breach in January, implying it was the fault of a “third party.” But this week, an insider says the company lied: “It was catastrophically worse,” said the anonymous source.

Oh what a tangled web … was allegedly woven. In today’s #SBBlogwatch at @SecurityBlvd, we #2FA our @LastPass: https://t.co/BZ5h9v3BEZ

— @Richi 😷 Jennings (@RiCHi) April 1, 2021

PHP backdoored via Git hack: It’s no joke, so don't be a fool - TechBeacon

PHP Group will close its doors. The foolish moral of the story: How much of your infrastructure is built on badly funded open-source projects?

Like many such projects, @official_PHP runs on a shoestring, yet it’s critical infrastructure around the world. In this week’s #SecurityBlogwatch at @TechBeaconCom, we’re never gonna give you up: https://t.co/dHnmf94EJF

— @Richi 😷 Jennings (@RiCHi) April 1, 2021

SolarWinds Hack: U.S. Govt Failure is Deeply Worrying - Security Boulevard

Your Tax Dollars at Work: The U.S. government is doing a piss-poor job of protecting Americans from foreign hackers. That’s the eye-catching conclusion made by a pair of Associated Press scribblers this week.

So say secret sources within the government. In today’s #SBBlogwatch at @SecurityBlvd, we wonder what’s next: https://t.co/yhSShWodWn

— @Richi 😷 Jennings (@RiCHi) March 30, 2021

Alan Turing, WWII Cryptanalyst and Computer Pioneer, on New £50 Note - Security Boulevard

FAQ: About $69. The new 50 pound #banknote honors #AlanTuring. Breaker of Nazi #encryption, a father of computing and #AI pioneer, he’s immortalized on the latest plastic frogskin for England, Wales and Northern Ireland (Scotland issues its own fiat currency).

He was crucial to the “#Ultra” work at @BletchleyPark—widely credited as shortening the war by literally years and saving the lives of millions. In today’s #SBBlogwatch at @SecurityBlvd, we look forward to spending it: https://t.co/0DbxcjgdH7

— @Richi 😷 Jennings (@RiCHi) March 26, 2021

Dark patterns outlawed in Californian data-sale opt-outs - TechBeacon

California has added new regulations to the CCPA—the state’s Consumer Privacy Act. It now prohibits dark patterns that prevent users opting out of having their personal data sold.

But will the tweaked law work? Opinions are divided—and in #SecurityBlogwatch at @TechBeaconCom, that’s exactly how we like it: https://t.co/lvFcWhhiwQ

— @Richi 😷 Jennings (@RiCHi) March 25, 2021

Biden ‘Will Cyberattack Putin’ (Because SolarWinds) - Security Boulevard

MAD World: White House sources confirm that President Joe Biden has authorized retaliation against the Russian government for the recent hacking attributed to Russia. No word of when nor how, but it’s said to be “devastating.”

Where’s Dr. Strangelove when you need him?

In today’s #SBBlogwatch at @SecurityBlvd, we duck and cover: https://t.co/vqXY4hgatK

— @Richi 😷 Jennings (@RiCHi) March 23, 2021

Dirt Cheap DDoS for Hire, via D/TLS Amplification - Security Boulevard

Dirty Deeds: DDoS D/TLS — A new way of sending powerful denial of service traffic emerged this week. Malefactors are now misusing servers that talk Datagram Transport Layer Security (D/TLS).

This possibly includes Sony @PlayStation, whose @LittleBigPlanet service has been AWOL for a week. In today’s #SBBlogwatch at @SecurityBlvd, we ask the question: https://t.co/Ae2q2Eur6m

— @Richi 😷 Jennings (@RiCHi) March 19, 2021

Another reason to stop SMS 2FA—think about this - TechBeacon

NNID abuse in NANP: SMS as a second factor in 2FA/MFA is a bad idea. Really bad. But you’ve heard me say so many, many, many times.

If you didn’t act last time, I’m sure you will now.

In this week’s #SecurityBlogwatch at @TechBeaconCom, what’s old is new again: https://t.co/aXmNOfVApp

— @Richi 😷 Jennings (@RiCHi) March 18, 2021

Hacker Site Hacked: WeLeakInfo Leaks Info - Security Boulevard

Blowback Karma

The deed was done by logging into the original @Stripe account used to process the site payments.

In today’s #SBBlogwatch at @SecurityBlvd, we get all the Schadenfreude feels: https://t.co/PwYXTcijAf

— @Richi 😷 Jennings (@RiCHi) March 16, 2021

150,000 Verkada Cams Hacked, but it Gets Worse - Security Boulevard

After Tuesday’s horrifying news of the @VerkadaHQ data breach, now we learn that countless employees and interns routinely had full access to customers’ video feeds.😱 “Super admin” access was often abused, with no effective auditing, sources say.🧐

It’s the same old story, with the same old lessons that never get learned.🥱

In today’s #SBBlogwatch at @SecurityBlvd, we wax pedagogical: https://t.co/HJiou8MLqu

— @Richi 😷 Jennings (@RiCHi) March 12, 2021

Intel’s fully homomorphic encryption chip: Big science—bigger wait - TechBeacon

What if a public cloud could process encrypted data without knowing the #encryption key? That’s the “data-in-use encryption” problem. And it’s a hard one.

What if you could make it 10,000 times faster? @Intel thinks it can, by implementing it in dedicated hardware.

In this week’s #SecurityBlogwatch at @TechBeaconCom, we fry the fish to complement the chips: https://t.co/rlbs18LmQ6

— @Richi 😷 Jennings (@RiCHi) March 11, 2021

Huge Fallout from Microsoft Incompetence: Let’s Exchange Exchange - Security Boulevard

Nuclear Option: Drop Microsoft Email

In today’s #SBBlogwatch at @SecurityBlvd, we watch Redmond reap the whirlwind: https://t.co/xCqVSPL3mV

— @Richi 😷 Jennings (@RiCHi) March 9, 2021

Chinese Exchange Hack: At Best, Microsoft is Incompetent - Security Boulevard

At Worst, Microsoft is Manipulative

Some suspect it’s a sneaky way to encourage customers to dump on-prem Exchange and use #Office365 instead. In today’s #SBBlogwatch at @SecurityBlvd, we yell at Redmond: https://t.co/D2blDx8XeC

— @Richi 😷 Jennings (@RiCHi) March 4, 2021

Spectre returns to haunt us: Exploit hides in plain sight - TechBeacon

Specter of Spectre: scary

But all might not be as it seems. In this week’s #SecurityBlogwatch at @TechBeaconCom, we learn the lessons, regardless: https://t.co/bfSSHZeH6a

— @Richi 😷 Jennings (@RiCHi) March 4, 2021

Unknown Hacker Grabs Gab’s Data, DDoSecrets Doesn’t Leak it - Security Boulevard

The Gift that Keeps on Giving

Is this the end for Gab? In today’s #SBBlogwatch at @SecurityBlvd, we take the red-eye: https://t.co/fKxerT9aUY

— @Richi 😷 Jennings (@RiCHi) March 2, 2021

‘Dangerous’ RCE in VMware: Patch, or the Puppy Gets It

Music of the vSpheres

And while you’re at it, why are you exposing unhardened admin tools to the internet? In today’s #SBBlogwatch at @SecurityBlvd, we … *squirrel* https://t.co/VJT1Kuo04E

— @Richi 😷 Jennings (@RiCHi) February 26, 2021

China stole NSA zero day—4+ years before Shadow Brokers leak - TechBeacon

APT31 vs. S32: FIGHT!

Too much alphanumeric soup? In this week’s #SecurityBlogwatch at @TechBeaconCom, all will become clear: https://t.co/GfhJWXEDkG

— @Richi 😷 Jennings (@RiCHi) February 25, 2021

SolarWinds Hack: ‘All is Well,’ Microsoft Shrugs - Security Boulevard

“Trust Us (Except Don’t)”

This is all a bit too neat and tidy for my liking. In today’s #SBBlogwatch at @SecurityBlvd, we check under the rug: https://t.co/7CvuWztWms

— @Richi 😷 Jennings (@RiCHi) February 19, 2021

Oracle is Said to Help China Find Dissidents and Jail Minorities - Security Boulevard

When Larry Met 习

But is there a There there? In today’s #SBBlogwatch at @SecurityBlvd, we dig in: https://t.co/Krzffz4jZb

— @Richi 😷 Jennings (@RiCHi) February 18, 2021

Lesson from supply chain attacks: Beware 'dependency confusion' - TechBeacon

After Alex Birsan’s $130,000 bug-bounty haul last week, hundreds of bogus npm packages have popped up out of nowhere. They appear to have been published by copycat researchers—some of whom have less-than-pure intentions.

The moral of the story? Make sure the code you’re importing really is the code you think you’re importing.

And, of course, that means he was running his code on other people’s networks. In this week’s #SecurityBlogwatch at @TechBeaconCom, we get lost: https://t.co/r8SepQEDlY

— @Richi 😷 Jennings (@RiCHi) February 18, 2021

Internal Leak of 4,887 Users: Yandex Employee Fate Unknown - Security Boulevard

$YNDX Stays Schtum

No word on what’s happened to the scrote. In today’s #SBBlogwatch at @SecurityBlvd, we visualize them chopped up and hidden in matryoshka dolls: https://t.co/C37YigOSXu

— @Richi 😷 Jennings (@RiCHi) February 15, 2021

Hackers Sell ‘Cyberpunk 2077’ Data and Source for Millions - Security Boulevard

CDPR PR FAIL

What would Keanu do? In today’s #SBBlogwatch at @SecurityBlvd, we take the #RedPill: https://t.co/zNEcklrmnH

— @Richi 😷 Jennings (@RiCHi) February 12, 2021

There are no good app stores. Not iOS nor Android. Change my mind - TechBeacon

The moral of the story? Watch out for scam clones of your app, and for bad reviews targeting similarly named apps.

It’s all about the mighty dollar. In this week’s #SecurityBlogwatch at @TechBeaconCom, we follow the money: https://t.co/hpkpkK8EKs

— @Richi 😷 Jennings (@RiCHi) February 11, 2021

Water Supply Poisoned by Hacker in Oldsmar, Fla. - Security Boulevard

TeamViewer Vulnerability Probed

It’s another reminder of the risks of putting #SCADA/#ICS systems on the internet. In today’s #SBBlogwatch at @SecurityBlvd, we crack open a delicious Évian: https://t.co/wIAhLbkWrk

— @Richi 😷 Jennings (@RiCHi) February 9, 2021

The SolarWinds Story Keeps Getting Worse: China Too? - Security Boulevard

Time to Ring the Changes?

And to top it off, yet more serious bugs in SolarWinds’ code have been disclosed—and one of them is an absolute doozy. In today’s #SBBlogwatch at @SecurityBlvd, we don’t know whether to laugh or cry: https://t.co/bACUdgjg5I

— @Richi 😷 Jennings (@RiCHi) February 4, 2021

Stolen: perl.com and other domains—was Web.com socially engineered? - TechBeacon

“How you dune?”

Hopefully perl[.]com will be back quicker than that. In this week’s #SecurityBlogwatch at @TechBeaconCom, we sudo vi /etc/hosts: https://t.co/gN5x82YLi6

— @Richi 😷 Jennings (@RiCHi) February 4, 2021

Bad Security Bug in GnuPG: C Language Blamed (Yet Again) - Security Boulevard

Rabbits, White Rabbits

Is it the fault of the programming language, C? Or is it just bad design? In today’s #SBBlogwatch at @SecurityBlvd, we fight the good fight: https://t.co/RI4VEnzMgT

— @Richi 😷 Jennings (@RiCHi) February 1, 2021

BlastDoor: iOS 14’s Shield Over Zero-Click Attacks - Security Boulevard

Talk Nerdy to Me

Let’s dig in. In today’s #SBBlogwatch at @SecurityBlvd, we get a bit nerdy for a Friday: https://t.co/ORJeXV6aYI

— @Richi 😷 Jennings (@RiCHi) January 29, 2021

This is HUGE: Cops Nuke Emotet Crimeware C2 - Security Boulevard

Hey. Where’d Heodo Go?

Don’t “bug” me. I know: They talk funny Over There. In today’s #SBBlogwatch at @SecurityBlvd, we buzz off: https://t.co/1n3zrnDhTL

— @Richi 😷 Jennings (@RiCHi) January 28, 2021

APT team attacks white hats: Google fingers North Korea - TechBeacon

The moral of the story?
Social engineering isn’t only for normies. Whether you’re an IT puke, an agile Dev(Sec)Ops sprinter, or a 1337 haxor: Question everything.

And there are lessons for all of us. In this week’s #SecurityBlogwatch at @TechBeaconCom, let’s be careful out there: https://t.co/9ArSgksyf0

— @Richi 😷 Jennings (@RiCHi) January 28, 2021

ADT Installer Hacks Home Cams for Sexual Thrills - Security Boulevard

Deep in the Heart of Texas

But it took at least FOUR YEARS for @ADT to spot its employee’s naughtiness. In today’s #SBBlogwatch at @SecurityBlvd, let’s see if he likes his #privacy invaded (in jail): https://t.co/HZy3XaOUlx

— @Richi 😷 Jennings (@RiCHi) January 27, 2021

FBI to Investigate Parler, New Russian Host will be Revoked - Security Boulevard

Don’t Mess with Texas National Guard

Oh what a tangled web we weave. In today’s #SBBlogwatch at @SecurityBlvd, we struggle to unpick the story: https://t.co/MqqX2sE5yw

— @Richi 😷 Jennings (@RiCHi) January 22, 2021

Trump Hates Cloud, Because China Cyber? - Security Boulevard

Parting Shot at IaaS

At least, that is, unless @POTUS @JoeBiden decides to click Edit|Undo. In today’s #SBBlogwatch at @SecurityBlvd, we can smell the mission-creep a mile away: https://t.co/RwWJVNCZir

— @Richi 😷 Jennings (@RiCHi) January 21, 2021

Old macOS component defeats malware researchers for 5 years - TechBeacon

Legacy bites Apple

What can #DevOps learn from this? In this week’s #SecurityBlogwatch at @TechBeaconCom, we learn lessons (not “learnings”): https://t.co/Fn13SQeN71

— @Richi 😷 Jennings (@RiCHi) January 21, 2021

Capitol Rioters ID’ed With Help From Dating Apps - Security Boulevard

Don’t Tread On My Statue

Still, how dumb do you have to be to post evidence of your crime on social media, or admit to it in a dating app messenger convo? In today’s #SBBlogwatch at @SecurityBlvd, we swipe alt-right: https://t.co/6wP6wvarzA

— @Richi 😷 Jennings (@RiCHi) January 18, 2021

Revealed: Sophisticated ‘Watering Hole’ Attack – But By Whom? - Security Boulevard

Project Zero Keeps Schtum

There are more questions than answers. In Friday’s #SBBlogwatch at @SecurityBlvd, we fill in the blanks: https://t.co/b4yQBn9A0o

— @Richi 😷 Jennings (@RiCHi) January 18, 2021

Scraped Parler data reveals countless Capitol perps - TechBeacon

The moral of the story? Protect your object references. And throttle attempts to scrape. And strip metadata. And don’t render deleted objects.

It turns out that law enforcers are kinda happy, too. In this week’s #SecurityBlogwatch at @TechBeaconCom, we learn learnings from lemmings: https://t.co/p7JkWbIMkF

— @Richi 😷 Jennings (@RiCHi) January 14, 2021

Hackers Didn’t Only Use SolarWinds to Break In, Says CISA - Security Boulevard

CISA Is Watching

This is a story that’s not going away anytime soon. In today’s #SBBlogwatch at @SecurityBlvd, we keep an eye on the latest: https://t.co/MeXPsDohdE

— @Richi 😷 Jennings (@RiCHi) January 11, 2021

WhatsApp/Facebook Data Sharing: Pants On Fire? - Security Boulevard

Pinky Swear

But that’s exactly what it promised not to do. On several occasions. In today’s #SBBlogwatch at @SecurityBlvd, we watch Zuck’s clothes burn: https://t.co/dSMN58DiYM

— @Richi 😷 Jennings (@RiCHi) January 7, 2021

SolarWinds hack: Who’s to blame? It’s complicated. - TechBeacon

US? SWI? MSFT? PE?

But is there devilment in the detail of #PrivateEquity? In this week’s #SecurityBlogwatch at @TechBeaconCom, we read the runes: https://t.co/FHVs7x11gm #SolarWinds #APT29

— @Richi 😷 Jennings (@RiCHi) January 7, 2021

Zyxel’s Ridiculous Backdoor: Happy New Year, Now Patch Your Gear - Security Boulevard

Taiwanese Trash or Deliberate Door?

Careless or deliberate? In yesterday’s #SBBlogwatch at @SecurityBlvd, we ask the inevitable questions: https://t.co/1bD00EExs5

— @Richi 😷 Jennings (@RiCHi) January 5, 2021