Week in review: Windows EoP flaw still exploitable, GoDaddy breach, malicious Python packages on PyPI

Here’s an overview of some of last week’s most interesting news, articles and interviews:

After failed fix, researcher releases exploit for Windows EoP flaw (CVE-2021-41379)
A local elevation of privilege vulnerability (CVE-2021-41379) in the Windows Installer that Microsoft supposedly fixed on November 2021 Patch Tuesday is, according to its discoverer, still exploitable.

GoDaddy breach: SSL keys, sFTP, database passwords of WordPress customers exposed
GoDaddy, the popular internet domain registrar and web hosting company, has suffered a data breach that affected over a million of their Managed WordPress customers.

Malicious Python packages employ advanced detection evasion techniques
JFrog researchers have discovered 11 malicious Python packages on PyPI, the official third-party package repository for Python, which have been collectively downloaded over 41,000 times.

How to find hidden spy cameras with a smartphone
Researchers from the National University of Singapore and Yonsei University in South Korea have devised a mobile application that uses smartphones’ time-of-flight (ToF) sensor to find tiny spy cameras hidden in everyday objects.

What’s stopping consumers from acting on a data breach notice?
Only three percent of consumers implemented a credit freeze after receiving a data breach notice, 11 percent enrolled in credit/data monitoring, and only 22 percent changed all of their account passwords, a recent survey by DIG.Works on behalf of the Identity Theft Resource Center (ITRC) has shown.

How do I select an automotive IoT security solution?
To select a suitable automotive IoT security solution, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.

Businesses compromise on cybersecurity in favor of other goals
90% of IT decision makers claim their business would be willing to compromise on cybersecurity in favor of digital transformation, productivity, or other goals. Additionally, 82% have felt pressured to downplay the severity of cyber risks to their board, a Sapio Research report reveals.

An introduction to U.S. data compliance laws
Due to technological advances like the rise of cloud storage and social media, there is an increasing concern over privacy — especially when it comes to how businesses collect and use customer data. While the U.S. does not presently have an all-encompassing privacy law for the entire country, more and more states are establishing their own privacy laws, following the lead of California, which has the CPRA (superseding the CCPA).

Ethical hackers and the economics of security research
Bugcrowd released a report which provides CIOs and CISOs valuable insight on ethical hackers and the economics of security research. New findings indicate a startling shift in the threat landscape with 8 out of 10 ethical hackers recently having identified a vulnerability they had never seen before.

Top 5 cybersecurity considerations for file uploads of vaccination records
Having a web application for uploading proof of vaccination records is a double-edged sword. When implemented properly, web applications save a good deal of time verifying everyone’s health information. But vaccination cards submitted to an online portal can expose organizations and their user data to cyber risks.

10 trends likely to shape the IT industry, its workforce and its business models in 2022
Companies in the business of technology and IT professionals are optimistic that the new year will bring a return to growth and new strategic innovations, according to a report published by CompTIA.

Guarding against DCSync attacks
Gaining access to domain admin credentials is part of the endgame in many sophisticated attacks where threat actors are trying to maintain persistence. One of the ways that adversaries accomplish this is through DCSync attacks.

CISOs missing major holidays due to work demands
Two in five Chief Information Security Officers (CISOs) have missed holidays like Thanksgiving due to work demands, a Tessian report reveals. In addition, one-quarter have not taken time off work in the past 12 months.

Why cybersecurity training needs a post-pandemic overhaul
COVID-19 may have ushered in the rise of remote work (either temporarily or permanently) but not all organizations were prepared to manage a fully remote workforce and the cybersecurity challenges that come with it.

Ransomware attacks surge, but victims are recovering quickly
Cymulate announced the results of a survey, revealing that despite the increase in the number of ransomware attacks this past year, overall victims suffered limited damage in both severity and duration.

Securing open-source code supply chains may help prevent the next big cyberattack
Keeping track of open-source dependencies is a mind-boggling task. But security leaders must know where developers are getting their open-source and third-party packaged code, containers, and infrastructure as code.

Companies ditching VPNs for zero trust architectures to secure hybrid workplaces
Hybrid workplaces are the new norm, with 99% of respondents reporting their workforces will split time between the office and remote settings post-pandemic, a Teradici survey of more than 8,000 respondents across a range of industries reveals.

From fragmented encryption chaos to uniform data protection
On the surface, having encryption everywhere seems like a great idea. However, in many ways the drive to achieve ubiquitous data security has undermined itself. That’s because often the only way to approach ubiquity is by combining a variety of point systems, vendors, and technologies to cover data in a dizzying combination of various states and potential locations (on site, in the cloud, in use, at rest, and in motion).

Nearly 600,000 open cybersecurity-related jobs were listed over 12 months
New CyberSeek data reveals that there were 597,767 online job listings for cybersecurity-related positions in the 12 months from October 2020 through September 2021.

Your supply chain: How and why network security and infrastructure matter
With digital transformation, the rapid adoption of cloud computing and the IoT, and the global scale of today’s supply chains, cybercriminals have more entry points to networks and access to data than ever before. In the past year alone, cyberattacks on the supply chain have negatively impacted industries across the globe almost four times more than last year, with no slowing in sight.

Which technologies will be the most important in 2022?
IEEE released the results of a survey of global technology leaders from the U.S., U.K., China, India and Brazil. The study, which included 350 CTOs, CIOs and IT directors, covers the most important technologies in 2022, industries most impacted by technology in the year ahead, and technology trends through the next decade.

The CIS Benchmarks community consensus process
The CIS Benchmarks don’t just tell you what to configure; they provide extensive detail on each setting including a description, rationale, audit, impact, mapping to CIS Controls, etc. All of this is in a human-readable format, so you can fully understand each setting and why it’s important.

eBook: Using NIST guidelines for secure passwords
Designing and implementing a password policy that responds directly to NIST guidelines is a crucial step in locking down your company’s security. Enzoic for Active Directory achieves password security in line with NIST by enabling real-time password policy enforcement and daily password auditing with automated remediation.

New infosec products of the week: November 26, 2021
Here’s a look at the most interesting product releases from the past week, featuring releases from Avast, Boxcryptor, Code42, Hiya and Siren.