This week
‘Fictitious’ Trump indictment shows why it’s important to use test data
- Reuters circulated a “fictitious” indictment of Donald Trump this week after clerks of the Fulton County Superior Court connected a trial run to test systems using real data, ahead of the grand jury returning a verdict.
- The paperwork lacked the official stamp and a ‘true’ or ‘no’ bill marking but was available to the press, who can access documents before publication. The official charges were entered the following day.
- This is an excellent example of why you should use representative test rather than live data for development or rehearsals. (UK TV news companies used to rehearse for the death of “Mrs Robinson” instead of mentioning Queen Elizabeth).
More on UK police data breaches
- Police data breaches: Cumbria Constabulary, in the North West of the UK, has also copped to publishing the names, salaries and allowances of its officers on its website. The incident, which occurred in March and resulted in data being available for 25 days, was the result of human error. It comes a week after Police Service Northern Ireland lost data on its staff (vol. 6, iss. 33), with one individual being arrested on suspicion of collection of information likely to be useful to terrorists following a search on 16th August.
Interesting stats
50-85% human accuracy when completing captcha tests, compared to 85-100% accuracy for robots completing the same tests in a new study (PDF) evaluating captchas ability to prevent automated bots, which also found that bots are faster, as well as more accurate, at solving these puzzles. (H/T Ray).
11% of data employees paste into ChatGPT is confidential, according to vendor Cyberhaven.
33% of enterprise cyber budgets have decreased in 2023, while 21% were frozen, and 33% remained unchanged, just 12% saw an increase, according to research by investor YL Ventures (PDF).
Other newsy bits / in brief
-
Seismic activity: China is accusing US intelligence of being behind a cyber-attack on the Wuhan Earthquake Monitoring Centre, which sought to access data from sensors that measured the magnitude of earthquakes and contained information concerning national security.
-
MOVEit: The Colorado Department of Health Care Policy & Financing (HCPF), which manages the Health First Colorado Medicaid programme, says the personal and health information of four million individuals was stolen during the mass-compromise of the MOVEit file transfer appliances (vol. 6, iss. 24).
-
Citrix: Around 2,000 Citrix NetScaler servers vulnerable to CVE-2023-3519 have been compromised by an attacker, according to Fox-IT and the Dutch Institute of Vulnerability Disclosure. CISA are also warning that attackers are exploiting Citrix Content Collaboration tool ShareFile vulnerable to CVE-2023-24489, which was patched in June 2023. If you’re a Citrix organisation and haven’t fixed these, you’d better dust off your incident response plan and investigate if you’re compromised.
-
Ivanti: Two critical (9.8/10) buffer overflow vulnerabilities in Ivanti’s Avalanche (formerly MobileIron) mobile device management system needs patching.
-
WinRAR has a vulnerability that can lead to command execution. Opening a malicious .rar file is sufficient to exploit the vulnerability. If you use WinRAR, I recommend updating!
-
QR codes are being used in phishing emails to circumvent security controls that inspect messages, links and attachments for malicious content.
-
Secure Time Seeding in Windows Server may cause the system clock to jump forward.
-
Hack yourself: Google made improvements to its results about you tool, and it can now notify you if your personal information appears in search results, just so long as you live in the US.
-
Quantum resilient FIDO2 keys are also a step closer after Google released an open-source hardware design.
-
Interpol says that 14 arrests and ‘hundreds’ of malicious IP addresses have been taken down following Africa Cyber Surge II, an international law enforcement operation, spanning 25 countries.
Industry news, merger & acquisitions
-
ProjectDiscovery has closed a $25 million Series A funding round for its platform to detect vulnerabilities in codebases.
-
SecureWorks has announced that it is laying off 15% of its workforce. Around 300 people are thought to be affected. The company previously reduced its workforce by 9% in February.
And finally
- Wi-Fi drones are Mike Lindell’s solution to ‘stop election fraud’. The My Pillow CEO and election conspiracy theorist “demonstrated” the ‘new’ technology this week, which appears to be a Wi-Fi sniffer velcroed to a drone. Such technology isn’t new, but Lindell says he wants to fly the drones above polling places in Louisiana to ‘prove’ that voting machines are connected to the internet. Doing so may violate Louisiana state laws on criminal trespassing and using unmanned aircraft to conduct surveillance.