Exploit Code Released for Critical Cryptographic Flaw in Windows; The U.S. National Cybersecurity Talent Discovery Program; Russian Hackers Breached Ukrainian Gas Company

The US National Security Agency (NSA) has deemed a cryptographic flaw it found in Windows 10 so critical that it took the unusual step of disclosing the flaw itself. The flaw could be exploited to spoof code signing certificates. The issue also affects Windows Server 2016 and 2019 and "applications that rely on Windows for trust functionality." The Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal agencies to patch the issue by January 29. Proof-of-concept exploit code for the vulnerability has been released.

Read more in

On Tuesday, January 14, Microsoft released fixes for 50 security issues, including a critical cryptographic vulnerability in Windows 10. While that vulnerability has grabbed headlines, users are also being urged to apply the update to fix a pair of Remote Desktop Protocol (RDP) vulnerabilities. January 14 also marks the last update Microsoft will provide for Windows 7; the operating system will no longer be supported for home users.

Read more in

The U.S. National high school cybersecurity talent discovery program (an extracurricular program) has 6,669 high school girls participating in just the first four days of the multi-week program. Texas, New Jersey and Nevada are leading the nation with Maryland and Virginia rounding out the top 5. In all those states and in 22 more, governors personally invited students to "just try it." California seems to be gaining momentum - reflecting Cisco's initiatives to encourage employees to get the word out and help high school teams. Playing the game doubles the likelihood that a young woman will be interested in pursuing computer science. And students learn far more while playing than in any other cybersecurity competition and in fact more than in most high school or college cybersecurity classes.

Read more in

According to a report from security company Area 1, Russian hackers successfully targeted systems at Ukrainian gas company Burisma through phishing attacks late last year. The attacks appear to be an effort to obtain potentially embarrassing information to be used against Joe Biden. Biden's son once served on Burisma's board of directors. Ukraine's Ministry of Internal Affairs has begun criminal proceedings in connection with the attacks, and is reportedly seeking help from the FBI.

Read more in

Adobe's monthly security release includes fixes for five critical memory corruption flaws in Illustrator CC and four flaws in Adobe Experience Manager.

Read more in

Oracle's Critical Patch Update for January 2020 includes fixes for 334 security issues across a wide spectrum of product families. Forty-three of the vulnerabilities addressed in the update are rated critical.

Read more in

A report from the Norwegian Consumer Council says that the sharing of sensitive information by Android apps is "out of control." According to analysis of 10 popular Android apps conducted by Mnemonic, the apps share sensitive user data with numerous third-parties. Mnemonic conducted its analyses between June and November 2019. In all, the 10 examined apps sent user data to a total of 135 separate third-party entities that all engage in advertising or behavioral marketing.

Read more in

Australia's P&N Bank has disclosed a breach that compromised customer data, including names, account numbers, and account balances. The incident occurred around the second week of December 2019 during a server upgrade. P&N believes that the intruders gained entry through third-party hosting provider.

Read more in

Cisco released fixes for a trio of critical flaws in its Data Center Network Manager software earlier this month. Users are urged to apply the patches as soon as possible because proof-of-concept exploit code has been released.

Read more in

Critical flaws in two WordPress plugins could be exploited to access websites' administrator accounts without a password. The affected plugins - InfiniteWP Client and WP Time Capsule, run on 300,000 and 20,000 websites, respectively. The developers of both plugins have addressed the issues in updates.

Read more in

US federal authorities have arrested a Virginia man for his alleged involvement with a neo-Nazi group that launched swatting attacks and bomb threats against hundreds of targets. John William Kirby Kelley was identified after he phoned in a bomb threat to Old Dominion University in November 2018, while he was a student there. Two other individuals involved in the attacks remain at large.

Read more in

Ryuk Ransomware is capable of using the Wake-on-LAN feature to cause devices in standby state to turn on so it can attempt to encrypt them. The Wake-on-LAN feature allows devices that have been powered down to be woken up by sending a special network packet. Administrators are advised to restrict Wake-on-LAN packet permissions. Researchers at CrowdStrike noted this capability in November 2019.

Read more in

The FBI will now notify state officials when election systems within their states have been breached in a cyber attack. Previously, the FBI notified only affected counties. (Please note that the WSJ story is behind a paywall.)

Read more in