CyberWire Daily - A Patch Tuesday overload.
Episode Date: September 11, 2024

Patch Tuesday rundown. Microsoft integrates post-quantum cryptography (PQC) algorithms into its SymCrypt cryptographic library. The FTC finalizes rules to combat fake reviews and testimonials. A payment card thief pleads guilty. On our latest CertByte segment, N2K’s Chris Hare and George Monsalvatge share questions and study tips from the Microsoft Azure Fundamentals (AZ-900) Practice Test. Hard Drive Heaven: How Iconic Music Sessions Are Disappearing.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CertByte Segment
Welcome to CertByte! This bi-weekly segment is hosted by Chris Hare, a content developer and project management specialist at N2K. In each segment, Chris is joined by an N2K Content Developer to help illustrate the learning. This week, Chris is joined by resident Microsoft SME George Monsalvatge to break down a question from N2K’s Microsoft Azure Fundamentals (AZ-900) Practice Test. Have a question that you’d like to see covered? Email us at certbyte@n2k.com. If you're studying for a certification exam, check out N2K’s full exam prep library of certification practice tests, practice labs, and training courses by visiting our website at n2k.com/certify.
Reference: What is public cloud? (RedHat)
Please note: The questions and answers provided here, and on our site, are not actual current or prior questions and answers from these certification publishers or providers.

Remembering 9/11
In today’s episode, we pause to honor and remember the lives lost on September 11, 2001. We pay tribute to the courageous first responders, the resilient survivors, and the families whose lives were forever altered by that tragic day. Amidst the profound loss, the spirit of unity and compassion shone brightly, reminding us of our shared humanity.
Additionally, you can check out our special segment featuring personal remembrances from N2K CyberWire’s very own Rick Howard, who was in the Pentagon on that fateful day. His reflections provide a heartfelt perspective on the events and are well worth your time. Tune in to hear his poignant insights.

Special Edition Podcast
In today’s special edition of Solution Spotlight, we welcome Mary Haigh, Global CISO of BAE Systems, as she sits down with N2K’s Simone Petrella. Together, they discuss moving beyond the technical aspects of cybersecurity to build and lead a high-performing security team.

Selected Reading
Microsoft Fixes Four Actively Exploited Zero-Days (Infosecurity Magazine)
Adobe releases September 2024 patches for flaws in multiple products, including critical (Beyond Machines)
Chrome 128 Update Resolves High-Severity Vulnerabilities (SecurityWeek)
ICS Patch Tuesday: Advisories Published by Siemens, Schneider, ABB, CISA (SecurityWeek)
Ivanti fixes maximum severity RCE bug in Endpoint Management software (Bleeping Computer)
Microsoft Adds Support for Post-Quantum Algorithms in SymCrypt Library (SecurityWeek)
Federal Trade Commission Announces Final Rule Banning Fake Reviews and Testimonials (Federal Trade Commission)
Hacker pleads guilty after arriving on plane from Ukraine with a laptop crammed full of stolen credit card details (Bitdefender)
Inside Iron Mountain: It’s Time to Talk About Hard Drives (Mixonline)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach top security leaders. Explore our network sponsorship opportunities and build your brand where industry leaders get their daily news.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
We've got our Patch Tuesday rundown.
Microsoft integrates post-quantum cryptography algorithms
into its SymCrypt cryptographic library.
The FTC finalizes rules to combat fake reviews and testimonials.
A payment card thief pleads guilty.
On our latest CertByte segment,
N2K's Chris Hare and George Monsalvatge share questions and study tips
from the Microsoft Azure Fundamentals practice test.
And hard drive heaven,
how iconic music sessions are disappearing.
It's Wednesday, September 11th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Today, we pause to remember the lives lost on September 11th, 2001.
We honor the courage of the first responders, the resilience of the survivors, and the strength of the families forever changed by that tragic day.
In the face of unimaginable loss, the spirit of unity and compassion shone brightly,
reminding us of our shared humanity.
As we reflect, may we continue to seek peace, understanding, and hope for a better future.
We will never forget.
My CyberWire colleague and friend Rick Howard was working in the Pentagon on that fateful day,
and we'll be running a special edition of his personal remembrances in your CyberWire feed.
It is worth your time, and I hope you'll check it out.
Moving on.
Yesterday was Patch Tuesday,
and Microsoft patched four actively exploited zero-day vulnerabilities,
creating additional work for system administrators.
The most severe is a remote code execution flaw in Windows Update, scoring 9.8 on the CVSS scale,
caused by a rollback of a previous fix due to a servicing stack defect.
A privilege escalation bug in Windows Installer poses a serious threat by granting attackers full system control.
A Windows Mark of the Web bypass could facilitate ransomware attacks,
and a Microsoft Publisher security bypass enables exploitation of embedded macros in documents.
Adobe has released security updates across multiple products to address critical, important, and moderate vulnerabilities,
potentially leading to arbitrary code execution, memory leaks, and denial of
service attacks.
Affected applications include Photoshop, ColdFusion, Acrobat, Illustrator, Premiere Pro, After
Effects, Audition, and Media Encoder, with versions on both Windows and macOS impacted.
Key vulnerabilities include a critical RCE in Photoshop and a critical flaw in
ColdFusion. Adobe urges users to apply the updates promptly to mitigate risks of exploitation.
Google released a Chrome 128 update addressing five vulnerabilities, four of which were high
severity memory safety issues reported by external researchers.
These include a heap buffer overflow in Skia,
use-after-free flaws in MediaRouter and Autofill,
and a type confusion bug in the V8 JavaScript engine.
Google awarded $26,000 in bug bounties and is rolling out the update for Windows, macOS, and Linux.
Users are advised to update their browsers promptly.
Ivanti has patched a critical vulnerability in its endpoint management software,
which could allow unauthenticated attackers to remotely execute code on the core server. The flaw, caused by deserialization of untrusted data, is addressed
in EPM 2024 hot patches and EPM 2022 Service Update 6. Ivanti stated that no known exploitations of
the vulnerability have occurred so far. The company also fixed nearly two dozen other high-severity
vulnerabilities in its EPM, Workspace Control, and Cloud Service Appliance products.
Turning to industrial control systems, the September 2024 Patch Tuesday includes security
advisories from Siemens, Schneider Electric, ABB, and CISA. Siemens issued 17 advisories,
including a critical authentication bypass in Industrial Edge Management and unauthenticated remote code execution flaws in SIMATIC and SCALANCE products.
Schneider Electric addressed a high-severity privilege escalation in Vijeo Designer and a
medium-severity cross-site scripting flaw. ABB published an advisory for two
medium-severity DDoS issues in Relion relays. CISA highlighted critical flaws in Viessmann systems and
high-severity vulnerabilities in SpiderControl, Rockwell Automation, and BPL Medical Technologies products.
Elsewhere, in preparation for the quantum computing era,
Microsoft has integrated post-quantum cryptography (PQC) algorithms into its
SymCrypt cryptographic library. Quantum computers threaten to break current encryption methods,
but PQC algorithms are designed to resist such attacks. These algorithms,
based on complex mathematical problems, have trade-offs like larger key sizes and longer
computation times, requiring careful optimization. Microsoft's Quantum Safe program aims to ensure
quantum readiness, and recent updates to SymCrypt include support for ML-KEM and XMSS algorithms.
Microsoft emphasizes that PQC is an evolving field and not a definitive solution,
but integrating these algorithms marks a crucial step toward a quantum-safe future,
enhancing security in products like Azure, Windows, and Microsoft 365.
The Federal Trade Commission has introduced a new rule to combat fake reviews and testimonials
targeting deceptive practices in the marketplace.
The rule prohibits the creation, sale, or dissemination of fake reviews
including AI-generated or false testimonials.
It also bans businesses from paying for reviews with specific positive or negative sentiments and ensures that insider reviews must disclose material connections to the company.
The rule also addresses review suppression, misrepresentation of review sites,
and misuse of fake social media metrics. Violators may face
civil penalties. The rule, effective 60 days after publication, strengthens the FTC's enforcement
capabilities, which were previously hindered by a Supreme Court decision.
Vitaly Antonenko,
a 32-year-old from New York City, pleaded guilty to hacking and stealing
hundreds of thousands of payment card details, selling the data on the dark net.
Antonenko used SQL injection attacks to breach vulnerable systems, targeting organizations
such as a hospitality business and a non-profit research institution.
He and his associates laundered the proceeds
through cryptocurrency and traditional bank transactions. Antonenko was arrested in 2019
at JFK Airport carrying computer equipment with stolen data. Investigators linked him to Bitcoin
wallets involved in transactions totaling $94 million. Following his arrest, Antonenko's
defense team requested a psychiatric evaluation after he claimed to be working for the CIA.
He faces up to 25 years in prison, hefty fines, asset seizures, and restitution,
with sentencing scheduled for December 10th of this year.
Coming up after the break on our latest CertByte segment,
questions and study tips from the Microsoft Azure Fundamentals practice test. Stay with us.
Chris Hare is a content developer and project management specialist here at N2K.
And on our bi-weekly CertByte segment, she shares practice questions from our suite of
industry-leading content and a study tip to help you achieve the professional certifications you
need to fast-track your career growth.
Hi, everyone. It's Chris. I'm a content
developer and project management specialist here at N2K
Networks. I'm also your host for this week's edition of CertByte, where I share a practice
question from our suite of industry-leading content and a study tip to help you achieve
the professional certifications you need to fast-track your career growth. Today's question
targets the Microsoft AZ-900 exam.
I've got our resident Microsoft SME here, George. He's going to help us out today.
Hey, George. How are you?
I'm good. Thanks for having me.
Absolutely. So today is going to be a little different. We're going to turn the tables,
and George is going to be asking me this week's question. But first, George, before you ask me the question, can you please share a
10-second study bit for this test, and what do you have for us?
Well, for this particular test,
AZ-900 is a fundamental test, and I would always tell someone who's taking this exam to go through
the flash questions. Flash card questions basically hit on concepts,
and there are a lot of flash questions, and especially this is a fundamental exam,
and you want to make sure that you go through and understand all the concepts. That will help
you with practice test questions, but make sure you go through the flash questions.
That's a great tip. All right, I'm nervous, but I'm ready for my question, George, whenever you are.
Okay, you'll do fine.
You'll do fine.
Okay, so here's the question.
Thank you.
Thank you for the vote of confidence.
All right.
Which of the following are characteristics of a public cloud?
And there are three correct answers out of this, so listen carefully.
Okay.
A, is it virtually unlimited storage?
B, resource pooling?
C, provider manages the network and virtualization software?
D, only one tenant is supported?
And E, the services are always free?
So got to pick three out of those.
Wow.
I have to pick three?
Can you please repeat my choices again?
Sure.
Virtually unlimited storage.
Resource pooling.
Provider manages the network and virtualization software.
Only one tenant is supported.
And the last one is services are always free.
So in this case, I have three correct answers, I'm going to use the process of elimination.
And I'm pretty certain that foundationally a public cloud is built on the principle of having multiple tenants supported.
So I'm going to rule that one out first.
The other one that is not ringing true is that services are always free.
And since it's got an absolute in there, that always makes me suspect in an exam and usually false.
So do you find that to be the case in these types of exams, George?
Absolutely.
So anytime there's an absolute, you got to look at it cross-eyed.
And you're correct.
Ain't nothing in this world free, so services are not free.
All right. So then my answer is A, B, and C. My answer is virtually unlimited storage,
resource pooling, and the provider manages the network and virtualization software.
And you are correct. And you were worried about this. I knew you'd get it.
Yes. Thank you. All right, excellent. And thank you
for walking us through that because those types of questions, I'm sure, are pretty typical for
the AZ-900. You're going to have three choices that are going to be correct out of five that
you're going to have to guess. You will have what we call multiple answer, multiple choice,
where there'll be multiple choices that you have to pick from.
So it can be a little daunting, but if you certainly go through and understand the concepts, then you can certainly master them and make a question easy.
And the process of elimination, would that work for Microsoft type of questions that I just used here?
It always works.
Great. That's a great tip. Another great tip. Bonus tip for everybody out there.
So thank you so much, George.
Are there any other Microsoft exam updates coming out soon that you'd like to promote here?
Well, Microsoft's always updating their exams, but we have recently put out our Power BI practice exams for the PL-900,
which is the foundation Power BI exam, and the PL-300 exam.
Great.
Thank you so much.
Appreciate your time today.
Thanks for having me.
Anytime.
And thank you for joining me for this week's CertByte.
If you're actively studying for this certification and have any questions about study tips or even future certification questions you'd
like to see, please feel free to email me at certbyte at n2k.com. That's C-E-R-T-B-Y-T-E
at n number 2k.com. If you'd like to learn more about N2K's practice tests, visit our website at n2k.com forward slash certify.
For sources and citations for this question, please check out our show notes.
Happy certifying, everyone.
That's N2K's Chris Hare and George Monsalvatge.
If you want to learn more about the Microsoft Azure Fundamentals practice test,
check out the link in our show notes.
And finally,
our old-time rock and roll desk pointed us to a story from Mix Online,
a publication focused on the music production industry
that serves as a good reminder for cyber folks tasked
with managing backups and long-term storage. Iron Mountain Media and Archive Services
discovered that about 20% of hard drives archived from the 1990s are now unreadable,
raising concerns about the preservation of historic music sessions. Robert Koszela, global director of studio growth,
notes that many iconic recordings from the early 1990s are at risk of being lost.
The problem emerged when record labels revisited vaults for remixing and repurposing,
only to find deteriorating tapes and obsolete formats.
Hard drives, like magnetic tapes,
are proving to be vulnerable despite following best practices for storage.
Legacy formats, unsupported connections, and physical damage complicate recovery efforts.
Iron Mountain offers specialized services to retrieve data from these drives, but stresses that action is needed now, as assets may
be irretrievable in the future. Koszela highlights the challenges of identifying the correct version
of a track due to poor metadata or incomplete digital workflows. He warns that without proactive
efforts, many assets could be permanently lost, especially for smaller entities with limited
preservation budgets. It's a good reminder that just because it's stored doesn't mean it's secure.
Whether it's music archives or historical data, neglect leads to decay.
And that's the CyberWire. A quick program note.
We've released a full version of our Solution Spotlight conversation of Dr. Mary Haigh, CISO of BAE Systems, and N2K's Simone Petrella speaking about building a cybersecurity team.
There's a link in our show notes.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the
daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement
agencies. N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your team smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.