Security News > 2022 > January

Managing the security of your third parties is crucial, but security assessments are riddled with problems, including a lack of context, scalability and relevance. In this comprehensive guide, we provide the direction you need to make your organization's third-party security program efficient and scalable.

Microsoft has released an emergency out-of-band update to address a Windows Server bug leading to Remote Desktop connection and performance issues. Affected platforms include Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2. The updates that address this issue are not available from Windows Update and will not install automatically on affected systems.

Threat actors vigorously launched exploit attempts and testing during the last weeks of December, Microsoft said on Monday, in the latest update to its landing page and guidance around the flaws in Apache's Log4j logging library. To evade detection, attackers are mixing up the request patterns: For example, Microsoft has seen exploit code written that runs a lower or upper command within the exploitation string.

Microsoft is warning of continuing attempts by nation-state adversaries and commodity attackers to take advantage of security vulnerabilities uncovered in the Log4j open-source logging framework to deploy malware on vulnerable systems. "We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks."

Google says Manifest V3 is focused on security, privacy and performance, but it could also break Chrome browser extensions used by millions of people. The EFF is right, and Google's plans for MV3 is yet another reason why the best browser for Linux, Windows and Mac isn't Google Chrome.

While this new report outlines authentication requirements for government agencies, they are also excellent guidelines for all fields and user levels. On the strength of passwords, NIST underlines that the requirements of using special characters, for example !$#%&, are obsolete since users still tend to add something that will keep the password memorable.

Gaming giant SEGA Europe recently discovered that its sensitive data was being stored in an unsecured Amazon Web Services S3 bucket during a cloud-security audit, and it's sharing the story to inspire other organizations to double-check their own systems. The laundry list of SEGA's potentially exposed data is nauseating - API keys, internal messaging systems, cloud systems, user data and more.

A supply-chain campaign infecting Sotheby's real-estate websites with data-stealing skimmers was recently observed being distributed via a cloud-video platform. "In skimmer attacks, cybercriminals inject malicious JavaScript code to hack a website and take over the functionality of the site's HTML form page to collect sensitive user information," researchers explained in a Monday posting.

The US Federal Trade Commission has warned today that it will go after any US company that fails to protect its customers' data against ongoing Log4J attacks. "The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the US government agency said.

"The Microsoft Pluton is a security processor, pioneered in Xbox and Azure Sphere, designed to store sensitive data, like encryption keys, securely within the Pluton hardware, which is integrated into the die of a device's CPU and is therefore more difficult for attackers to access, even if they have physical possession of a device," explained David Weston, Director of Enterprise and OS Security at Microsoft. In November 2020, Microsoft announced it would integrate its Pluton security processor into Intel, AMD, and Qualcomm CPUs as an on-die chip to reduce the available attack surface on Windows PCs. First introduced with the XBOX One and Azure Sphere, Pluton emulates a Trusted Platform Module to protect the boot process, encryption keys, and credentials directly on the CPU with the end goal of blocking threat actors from gaining access to such sensitive data.