
Mary Queen of Scots Letters Decrypted
2023-02-09 12:15

The team of computer scientist George Lasry, pianist Norbert Biermann and astrophysicist Satoshi Tomokiyo - all keen cryptographers - initially thought the batch of encoded documents related to Italy, because that was how they were filed at the Bibliothèque Nationale de France. They quickly realised the letters were in French.

NIST chooses encryption algorithms for lightweight IoT devices
2023-02-09 11:42

ASCON is the name of the group of lightweight authenticated encryption and hashing algorithms that the U.S. National Institute of Standards and Technology has chosen to secure the data generated by Internet of Things devices: implanted medical devices, keyless entry fobs, "smart home" devices, etc. Why are the ASCON encryption algorithms a good choice for IoT devices?

NewsPenguin Threat Actor Emerges with Malicious Campaign Targeting Pakistani Entities
2023-02-09 11:06

A previously unknown threat actor dubbed NewsPenguin has been linked to a phishing campaign targeting Pakistani entities by leveraging the upcoming international maritime expo as a lure. "The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23," the BlackBerry Research and Intelligence Team said.

PayPal and Twitter abused in Turkey relief donation scams
2023-02-09 11:00

Scammers are now exploiting the ongoing humanitarian crisis in Turkey and Syria: this time stealing donations by abusing legitimate platforms like PayPal and Twitter. BleepingComputer has identified multiple scams running on Twitter and abusing legitimate platforms like PayPal's fundraising pages to create convincing scam websites and collect proceeds from donors hoping to aid earthquake victims.

A Hacker's Pot of Gold: Your MSP's Data
2023-02-09 10:50

In the private sector, health insurance firm Accuro reported an illegal download and dissemination of corporate data following the Mercury IT attack. Even while new forms of authentication are being developed to make passwords obsolete, passwords remain the most common and most vulnerable method of securing data.

Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms
2023-02-09 10:38

The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason. The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver Cobalt Strike and SystemBC for post-exploitation.

OpenSSL Fixes Multiple New Security Flaws with Latest Update
2023-02-09 09:51

The OpenSSL Project has released fixes to address several security flaws, including a high-severity bug in the open source encryption toolkit that could potentially expose users to malicious attacks. The vulnerability is rooted in the way the popular cryptographic library handles X.509 certificates, and is likely to impact only those applications that have a custom implementation for retrieving a certificate revocation list over a network.

Codebreakers decipher Mary, Queen of Scots' secret letters 436 years after her execution
2023-02-09 08:30

A team of codebreakers discovered - and then cracked - more than 50 secret letters written by Mary Stuart, Queen of Scots, while she was imprisoned in England by her cousin, Queen Elizabeth I. In total, the team deciphered 57 letters penned between 1578 and 1584. The three codebreakers - George Lasry, a computer scientist and cryptographer; Norbert Biermann, a pianist and music professor; and Satoshi Tomokiyo, a physicist and patents expert - essentially stumbled upon the letters while combing the Bibliothèque nationale de France's online archives for enciphered letters.

Establishing secure habits for software development in 2023
2023-02-09 06:00

Software development teams always strive to master their trade, improve their practices, and deliver secure applications and services, especially because application security risks are mounting and expectations are higher than ever. Despite continual breaches caused by insecure code, secure coding training for development teams is still almost completely absent from computer science programs in top US colleges.

How CISOs can improve security practices to keep up with evolving technologies
2023-02-09 05:30

TikTok and Lensa AI have sparked worldwide conversations on the future of social media and consumer data privacy. In this Help Net Security video, Rick McElroy, Principal Security Strategist at VMware, offers a perspective on these trends, including tips on how consumers and organizations can bolster their security practices to keep up with evolving technologies.