IT Security Newsletter - 10/7/2021
US gov't will slap contractors with civil lawsuits for hiding breaches
In a groundbreaking initiative announced by the Department of Justice this week, federal contractors will be sued if they fail to report a cyber attack or data breach. The newly introduced "Civil Cyber-Fraud Initiative" will leverage the existing False Claims Act to pursue contractors and grant recipients involved in what the DoJ calls "cybersecurity fraud." READ MORE...
Hackers use stealthy ShellClient malware on aerospace, telco firms
Threat researchers investigating malware used to target companies in the aerospace and telecommunications sectors discovered a new threat actor that has been running cyber espionage campaigns since at least 2018. Dubbed ShellClient, the malware is a previously undocumented remote access trojan (RAT) built with a focus on stealth and intended for "highly targeted cyber espionage operations." READ MORE...
Unpatched Dahua cams vulnerable to unauthenticated remote access
Unpatched Dahua cameras are prone to two authentication bypass vulnerabilities, and a proof of concept exploit that came out today makes the case for upgrading pressing. The authentication bypass flaws are tracked as CVE-2021-33044 and CVE-2021-33045, and both are remotely exploitable during the login process by sending specially crafted data packets to the target device. For more details on how that works, you may check out the proof of concept (PoC) that was part of today's full disclosure. READ MORE...
Medtronic Recalls Medical Devices Due to Security Risks That Can Lead to Injury, Death
Medical device maker Medtronic is recalling remote controllers used with some of its insulin pumps due to cybersecurity risks that could lead to injury and even death. The recall is related to a series of vulnerabilities discovered by a team of cybersecurity researchers in 2018. In June 2019, the U.S. FDA and Medtronic informed the public of a recall of MiniMed 508 and Paradigm series insulin pumps due to vulnerabilities that could allow an attacker to remotely hack the devices. READ MORE...
Canopy Parental Control App Wide Open to Unpatched XSS Bugs
Canopy, a parental control app that offers a range of features meant to protect kids online via content inspection, is vulnerable to a variety of cross-site scripting (XSS) attacks, according to researchers. The attacks could range from a sneaky kid disabling the monitoring to a much more serious third-party attack delivering malware to parental users. READ MORE...
America Urged to Prepare for Shift to Post-Quantum Cryptography
The Department of Homeland Security (DHS) has teamed up with the Department of Commerce's National Institute of Standards and Technology (NIST) to release a roadmap on the best way for organizations to navigate the transition to post-quantum cryptography. The guide provides relevant stakeholders with achievable steps they can take to reduce the risks related to the advancement of quantum computing technology. READ MORE...
- ...in 1931, South African archbishop and Nobel Prize-winning anti-apartheid activist Desmond Tutu is born in Klerksdorp, Western Transvaal.
- ...in 1951, singer-songwriter John Mellencamp ("Jack & Diane", "Pink Houses") is born in Seymour, IN.
- ...in 1955, cellist and Presidential Medal of Freedom recipient Yo-Yo Ma is born in Paris, France.
- ...in 1959, the Soviet probe Luna 3 transmits the first-ever photographs of the far side of the Moon.