Welcome to the fifth edition of the Secjuice Squeeze, where we present a selection of last weeks interesting infosec articles curated for your reading enjoyment in case you missed them! This week's volume was created by Manmeet Singh Bhatia, Miguel Calles, and Chad Calease.
Microsoft releases patch updates for recent Windows zero-day
In the course of the investigation, Kaspersky revealed it discovered another zero-day exploit, this time in Windows, which worked in conjunction with the chrome vulnerability. Marked as CVE-2019-1458, this zero-day allowed to gain escalated privilege on the infected machine. Kaspersky technology explained, "During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox."
Microsoft, in its December security updates, 2019, patches a total of 36 vulnerabilities and advises its users about the zero-day vulnerability. The latest developments as perceived by Kaspersky can be read on their latest blog post.
Merry Christmas from EMOTET Trojan Virus
It is a festive time of year and malicious actors are taking advantage. Before you open an email inviting you to a holiday party, stop and be cautious. You might get an email containing an attachments giving you details to a holiday party. The email is written calmy and suggestive toward downloading the attachment. If you open the attachment, it installs a trojan virus that starts sending emails to others and potentially installs a ransomware virus too.
K-12 Cybersecurity Act of 2019
Senators introduced a new act to address cybersecurity in the K-12 school systems. They recognized the "K–12 educational institutions across the United States are facing cyber attacks." The education institutions store and maintain personally identifiable information, medical records, family records, and scholastics records (e.g., grades). This is valuable information to hackers. The act proposes the Department of Homeland Security to become more involved.
There's a media frenzy about Ring cameras getting broken into. It's not a "hacking apocalypse" so much as it's people using weak passwords, like 12345.
Third Party Risk Providers
The Pentagon is developing a cybersecurity maturity model with five levels of compliance that correspond to the sensitivity of data being protected. Their vendors and contractors will have to step-up their own practices if they want to stay in the game.
Not Your Grampa's Break-In Tactics
Bluetooth scanners are the new hotness for thieves. They use them to identify valuable devices like laptops, phones, and tablets inside vehicles, making their target-selection more on-point. No more breaking into a nice car just because they "think" there might be something worth stealing inside.