Security News > 2023 > April

Most organizations put the burden on their users to mitigate the risks of password use: they require employees or customers to create longer and stronger passwords and force frequent password changes. To be clear, there is no such thing as a "secure password." Adversaries use social engineering to trick users into handing over their passwords, or deploy malware to steal them, and neither length nor rotation does anything against those two attacks.

To defend and protect our respective organizations from cyber threats, our role as CISOs begins with exercising the discipline needed to make smart decisions that accelerate progress in a rapidly changing threat environment. Where an organization is on its OT cyber journey is an important way to gauge progress.

While applications like Slack and Teams have transformed how we collaborate and communicate, cybersecurity training has not kept pace with these advancements. Most security training is still being delivered through web-based learning management systems, according to CybSafe.

As criminal groups increase in size, they adopt corporate-like behavior, but this shift brings about its own set of challenges and costs, according to Trend Micro. "The criminal underground is rapidly professionalizing - with groups beginning to mimic legitimate businesses that grow in complexity as their membership and revenue increases. However, larger cybercrime organizations can be harder to manage and have more 'office politics,' poor performers, and trust issues. This report highlights to investigators the importance of understanding the size of the criminal entities they're dealing with," said Jon Clay, VP of threat intelligence at Trend Micro.

Data Subject Requests, which are formal requests made by individuals to access, modify, or delete their personal data held by a company, increased by 72% from 2021 to 2022. These numbers will continue to increase as new data privacy laws, like those in Virginia and Colorado, come into effect and focus attention on responsible data privacy practices.

If you want to sneak malware onto people's Android devices via the official Google Play store, it may cost you about $20,000 to do so, Kaspersky suggests. Before cybercriminals can share their malicious apps from Google's official store, they'll need a Play developer account, and Kaspersky says those sell for between $60 and $200 each.

The liquidators picking over the remains of FTX have released their first formal report into Sam Bankman-Fried's imploded empire - and it somehow appears things are worse than feared. FTX lacked any real form of management or governance oversight, the report claims, stating that SBF, former FTX engineering lead Nishad Singh, and FTX cofounder and CTO Gary Wang were the only ones with any governance capabilities.

Apple rolled out patches on Good Friday (7 April 2023) to its iOS, iPadOS, and macOS operating systems and the Safari web browser to address two vulnerabilities, reported by Google's Threat Analysis Group and Amnesty International's Security Lab, that were being exploited in the wild. The updates are iOS 16.4.1, iPadOS 16.4.1, Safari 16.4.1, and macOS 13.3.1.

Simply put, there were zero days during which even the most proactive and security-conscious users among us could have patched ahead of the crooks. Just to be clear: the Safari browser uses WebKit for "processing web content" on all Apple devices. Third-party browsers such as Firefox, Edge and Chromium use their own engines on the Mac, but on iOS and iPadOS every browser is required to use WebKit, so switching browsers on an iPhone or iPad does not avoid the bug.

Apple has released emergency updates that backport the security patches released on Friday to older iPhones, iPads, and Macs, addressing the same two actively exploited zero-day flaws. The first is an out-of-bounds write in IOSurfaceAccelerator that lets an app execute arbitrary code with kernel privileges. The second is a WebKit use-after-free that lets threat actors execute arbitrary code on iPhones, Macs, or iPads after tricking their targets into loading a malicious web page; only once that code runs is the device compromised.
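The practical question for a fleet administrator is whether a given machine is on the fixed release for its macOS branch, which is a dotted-version comparison and not a string comparison (13.3 is below 13.3.1, and a Monterey box is not "behind" just because 12.6.5 sorts before 13.3.1). The script below is an added example, not code from the article or from Apple. The 13.3.1 baseline is the version the article names; the 12.6.5 (Monterey) and 11.7.6 (Big Sur) baselines are the April 10, 2023 backports from Apple's advisory and should be verified against Apple's security updates page before use. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: check whether a macOS product version is at or above the
# release that carries the April 2023 WebKit/IOSurfaceAccelerator fixes.
# Only plain dotted numeric versions (as printed by `sw_vers -productVersion`)
# are handled; build identifiers such as "(22E261)" are not.

# vercmp A B: print -1, 0 or 1 as dotted version A is below, equal to, or
# above B. Missing trailing components are treated as 0, so 13.3 == 13.3.0.
vercmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# min_fixed_for MAJOR: first release on that branch with the fixes, or empty
# if the branch is not in the table. The 12.x/11.x values are assumed from
# Apple's backport advisory; verify them before relying on this table.
min_fixed_for() {
    case "$1" in
        13) printf '%s\n' 13.3.1 ;;
        12) printf '%s\n' 12.6.5 ;;
        11) printf '%s\n' 11.7.6 ;;
        *)  printf '%s\n' "" ;;
    esac
}

# is_patched VERSION: return 0 if VERSION is at or above its branch's fixed
# release, 1 if it is below it, 2 if the branch has no entry in the table
# (an unsupported branch never received the fix, so it is not "patched").
is_patched() {
    major="${1%%.*}"
    min="$(min_fixed_for "$major")"
    [ -n "$min" ] || return 2
    r="$(vercmp "$1" "$min")"
    [ "$r" -ge 0 ] && return 0
    return 1
}

# report VERSION: human-readable verdict for one version string.
report() {
    if is_patched "$1"; then
        echo "$1: at or above the fixed release"
    elif [ $? -eq 2 ]; then
        echo "$1: no fix baseline known for this branch; treat as unpatched"
    else
        echo "$1: below the fixed release, update needed"
    fi
}

# When run on a Mac, check the local system; elsewhere, run the constructed
# sample versions so the logic can be exercised offline.
if command -v sw_vers >/dev/null 2>&1; then
    report "$(sw_vers -productVersion)"
else
    for v in 13.3.1 13.3 12.6.5 12.6.4 10.15.7; do report "$v"; done
fi
```

The same comparison logic applies to iOS and iPadOS 16.4.1 and the 15.7.x backports if you feed it the version reported by your MDM; only the table changes.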