- Smart Intel Briefing
- Posts
- The Cybersecurity Crucible - Forging Hard Targets - 22 Sep 2023 | KD Sec & Tech Secure
The Cybersecurity Crucible - Forging Hard Targets - 22 Sep 2023 | KD Sec & Tech Secure
Unveiling the Latest in Cybersecurity: Vulnerabilities, Tech News, and Scams to Watch Out For
Introduction
Welcome to the Cybersecurity Crucible, Hard Targets!
Thank you for being a part of our Cybersecurity Crucible community. Your subscription not only enhances your digital safety but also supports our mission at KD Sec & Tech.
In each semi-weekly issue, released every Monday and Friday, we bring you a unique blend of critical cybersecurity updates and custom artwork. This makes your cybersecurity journey not just informative but also visually engaging.
Why should you subscribe and share? Because in the digital world, knowledge is our strongest armor. The more people we can educate, the fewer Soft Targets there are for cybercriminals to exploit.
Cybersecurity Pop Quiz
Test Your Cybersecurity Knowledge With Our Quick Quiz: Are You a True Hard Target?
Question 1: What does the term "Phishing" refer to?
a) Fishing in a digital ocean
b) Sending fraudulent emails to obtain sensitive information
c) Hacking into a bank's database
d) Creating a fake social media profile
Question 2: Which of the following is NOT a method of Multi-Factor Authentication?
a) Something you know (Password)
b) Something you have (Mobile Phone)
c) Something you are (Fingerprint)
d) Something you eat (Apple)
Question 3: What is the primary purpose of a Firewall?
a) To keep your house warm
b) To block unauthorized access to a network
c) To speed up your internet connection
d) To store data securely
Answers:
b) Sending fraudulent emails to obtain sensitive information
d) Something you eat (Apple)
b) To block unauthorized access to a network
Cybersecurity News and Emerging Technology
Microsoft's Surface Event: What to Expect from the AI-Powered Hardware
Source: The Verge
Summary:
Microsoft is set to unveil new Surface hardware at an event on September 22, 2023. The focus will be on AI-powered features, and rumors suggest updates to the Surface Laptop Studio and the Surface Go.
What’s the importance of this article?
This article is crucial for anyone interested in Microsoft's Surface line of products, especially those who are looking to upgrade or purchase new devices. The AI-powered features could be a game-changer in how we interact with our devices.
How could this affect me?
If you're in the market for a new laptop or tablet, this event could influence your decision. The new AI-powered features could offer functionalities that you may find beneficial for your daily tasks.
YouTube to Use AI Tools to Monitor Content
Source: CNN
Summary:
YouTube is planning to deploy AI tools to better monitor and manage content on its platform. The move aims to improve the accuracy and efficiency of content moderation.
What’s the importance of this article?
This article is important for anyone who uses YouTube, either as a content creator or a viewer. Improved content moderation could lead to a safer and more enjoyable user experience.
How could this affect me?
As a user, you may notice a decrease in harmful or misleading content, making your YouTube experience safer and more reliable.
Apple's New iPhone 15 and 15 Pro: What to Expect
Source: BBC
Summary:
Apple is expected to release the iPhone 15 and 15 Pro in the coming weeks. The new models will feature improved battery life, enhanced camera capabilities, and more.
What’s the importance of this article?
If you're an Apple user or considering switching to an iPhone, this article provides valuable insights into what to expect from the upcoming models.
How could this affect me?
The new features could significantly improve your smartphone experience, from photography to battery life, making it worth considering an upgrade.
Amazon’s Next Prime Day Sales Event Is in October. Here’s What to Know
Source: WIRED
Summary:
Amazon is gearing up for another Prime Day event called "Prime Big Deal Days" on October 10 and 11. The event will feature discounts on Amazon's own products like Kindles and Echo speakers, as well as other brands like Lego, iRobot, Sony, and Apple.
What’s the importance of this article?
This article is important for anyone looking to score deals on tech products, especially as the holiday season approaches. Amazon's Prime Day events are known for offering significant discounts.
How could this affect me?
If you're planning to make any tech purchases, this event could be the perfect time to do so. You could save a considerable amount on products that you've been eyeing.
Cybersecurity Tip of the Issue
Be Cautious of Public Wi-Fi Networks
Summary:
Public Wi-Fi networks are convenient but often lack strong security measures, making them a prime target for hackers. Using a public Wi-Fi network can expose your device and data to various security risks.
Why is this important?
Using an insecure Wi-Fi network can lead to unauthorized access to your device, data theft, and even financial loss. It's crucial to be aware of the risks and take appropriate measures to protect yourself.
How to Implement:
Avoid connecting to open or public Wi-Fi networks for sensitive tasks like online banking.
Use a Virtual Private Network (VPN) to encrypt your internet connection.
Turn off Wi-Fi when not in use to prevent your device from automatically connecting to open networks.
Always keep your device's software up-to-date to benefit from the latest security patches.
Platform-Specific Vulnerabilities and Pertinent News
iOS
Yikes: Apple Patches 3 New Zero-Day Exploits for iOS, MacOS
Source: PCMag
Summary:
Apple has released emergency patches for iOS 16 and the newly launched iOS 17, as well as for other Apple platforms like iPadOS, Safari, watchOS, and macOS Ventura and Monterey. The patches address three critical vulnerabilities discovered by security researchers Bill Marczak from Citizen Lab and Maddie Stone from Google's Threat Analysis Group.
Exploitation:
CVE-2023-41993: Affects Webkit, the browser engine for Safari. It can be manipulated to execute rogue code if it processes certain web content.
CVE-2023-41992: Affects iOS's kernel. Exploiting this can elevate an attacker's privileges over the OS.
CVE-2023-41991: Allows a malicious app to bypass signature validation.
Mitigation:
To update an iPhone, go to Settings > General > Software Update. For Mac users, go to the Apple icon > System Settings > Software Update.
Apple iOS 17: What It Offers and How to Get It
Source: CBS News
Summary:
Apple's iOS 17 update brings a range of new features to iPhones, including StandBy mode, live voicemail transcribing, and enhanced security features. The update is available for iPhone XR and later models.
What’s the importance of this article?
The article highlights the new features in iOS 17, which can significantly improve user experience and security. It's especially important for those using older iPhone models as they can enjoy some of the new features without having to purchase the latest iPhone.
How could this affect me?
If you own an iPhone XR or a later model, updating to iOS 17 will provide you with new functionalities and security features. However, be cautious as new updates may come with bugs that can cause issues like battery drain and app crashes.
Android
Google Takes a Snarky Shot at Apple Over RCS
Source: Engadget
Summary:
Google has released an ad called "iPager" to criticize Apple's use of SMS for messaging between iOS and Android devices. The ad highlights the limitations and vulnerabilities of using SMS, such as lack of end-to-end encryption when texting across operating systems. Google advocates for the adoption of RCS (Rich Communications Service), which has been globally accepted and offers better security features.
What’s the importance of this article?
The article sheds light on the ongoing battle between Google and Apple over messaging standards. It emphasizes the security and privacy concerns related to using SMS for cross-platform messaging.
How could this affect me?
If you are an Android user who frequently communicates with iOS users, this article highlights the security risks you might be exposed to. It also suggests that until Apple adopts RCS, these security issues will persist.
Android's September Security Update Fixes Actively Exploited Zero-Day and More
Source: ZDNet
Summary:
Google's latest security update for Android addresses a high-severity zero-day vulnerability, CVE-2023-35674, that is under targeted exploitation. The vulnerability allows for privilege escalation without user interaction. The update also includes patches for three critical vulnerabilities related to Remote Code Execution (RCE).
Exploitation:
The zero-day vulnerability allows bad actors to escalate privileges on the device without requiring any user interaction. The critical RCE vulnerabilities make it possible for threat actors to execute malicious code remotely.
Mitigation:
Users are advised to update their Android devices as soon as the September security patch becomes available. The update addresses all the listed vulnerabilities and enhances the overall security of the device.
Samsung
3 Samsung Galaxy S24 Ultra Rumors That'll Make You Skip the iPhone 15 Pro Max
Source: Mashable
Summary:
The article discusses three major rumors about the upcoming Samsung Galaxy S24 Ultra that could make it a strong competitor against Apple's iPhone 15 Pro Max. The rumors focus on design and display, camera innovations, and power and performance enhancements.
What’s the importance of this article?
The article provides insights into what potential buyers can expect from Samsung's next flagship phone. It highlights how Samsung is planning to compete with Apple's latest offering, especially in terms of design, camera capabilities, and performance.
How could this affect me?
If you are in the market for a new smartphone and are considering between Apple and Samsung, this article gives you a glimpse into what Samsung's next flagship might offer. It could influence your purchasing decision, especially if you are looking for specific features like a brighter display or more powerful camera.
CVE-2022-22265: Improper Check or Handling of Exceptional Conditions in NPU Driver
Source: NVD
Summary:
The vulnerability is an improper check or handling of exceptional conditions in the NPU driver prior to SMR Jan-2022 Release 1. It allows for arbitrary memory write and code execution.
Exploitation:
The vulnerability can be exploited to write arbitrary memory and execute code, although the specifics of how it can be exploited are not detailed in the NVD listing.
Mitigation:
The advisory suggests applying mitigations per vendor instructions or discontinuing the use of the product if mitigations are unavailable. The CVE is also listed in CISA's Known Exploited Vulnerabilities Catalog, indicating it's a known target for exploitation.
macOS
Ncurses Library Vulnerabilities Affecting Linux and macOS Systems
Source: SC Magazine
Summary:
Malicious actors could exploit various memory corruption vulnerabilities in the ncurses programming library to execute code on Linux and macOS systems. The vulnerabilities are collectively tracked as CVE-2023-29491 and include a range of issues such as denial-of-service with canceled strings, off-by-one errors, and stack information leaks.
Exploitation:
The vulnerabilities could be chained together to elevate an attacker's privileges. For example, exploiting the stack information leak could provide read primitives, while exploiting the heap overflow could offer a write primitive.
Mitigation:
Patches have already been issued for these flaws. Users are advised to update their systems to the latest versions to mitigate the risks.
macOS Sonoma Features Unavailable on Intel Macs
Source: iBoysoft
Summary:
Apple's latest macOS 14, named Sonoma, introduces several new features. However, not all of these features are available on Intel-based Macs. The limitations are mostly due to performance factors and the absence of components like Apple's Neural Engine on older processors.
What’s the importance of this article?
The article highlights the growing divide between Apple's own Silicon chips and Intel-based Macs, especially in terms of feature availability. This could be a crucial deciding factor for users looking to purchase or upgrade their Macs.
How could this affect me?
If you own an Intel-based Mac, you may miss out on several new features, including high-performance screen sharing, Siri activation with a single word, and Game Mode. This could affect your overall user experience and may influence your decision on whether to switch to an Apple Silicon-based Mac..
Windows 10
Vulnerability: ThemeBleed Exploit in Windows
Source: Malwarebytes
Summary:
The ThemeBleed vulnerability, officially known as CVE-2023-38146, is a Windows Themes Remote Code Execution (RCE) vulnerability that was patched in the September 2023 Patch Tuesday updates. The exploit is based on a race condition triggered by opening a specially crafted .theme file. Microsoft has assigned it a CVSS score of 8.8 and labeled it as "Important."
Exploitation:
The exploit can be triggered by opening a specially crafted .theme file. The vulnerability is based on a race condition and also involves issues with the verification procedure of .msstyles files and the 'mark-of-the-web' (MOTW) warning.
Mitigation:
Microsoft has released a patch that removes the functionality triggering the theme version check to avoid the race condition. However, it has not fixed the more fundamental problem in the verification procedure of .msstyles files nor added MOTW warnings to .themepack files.
Announcing Microsoft Copilot – Your Everyday AI Companion
Source: Microsoft Blog
Summary:
Microsoft has announced Copilot, an AI companion designed to assist users in their daily tasks. The AI is integrated into various Microsoft services and aims to make life easier by automating mundane tasks.
What’s the importance of this article?
The introduction of Microsoft Copilot is a significant step in the integration of AI into everyday life. It shows Microsoft's commitment to advancing AI technology and its application across various services.
How could this affect me?
If you are a user of Microsoft services, Copilot could significantly streamline your workflow and automate tasks, making your daily life more efficient.
Windows 11
Microsoft To Offer OpenAI's Dall-E 3 In Bing
Source: Barron's
Summary:
Microsoft has announced that it will integrate OpenAI's Dall-E 3 image creation tool into its Bing search engine. This move is part of Microsoft's ongoing efforts to leverage artificial intelligence to compete with Google. Dall-E 3, set to be released in October, will use ChatGPT to make it easier for users to generate images based on natural language descriptions. Microsoft has also introduced a feature in Bing that allows for more conversational responses to user queries.
What’s the importance of this article?
The integration of OpenAI's Dall-E 3 into Bing signifies Microsoft's commitment to advancing its AI capabilities and offering more interactive and intelligent services to its users. It also highlights the growing role of AI in search engines and other online platforms.
How could this affect me?
If you are a Bing user, you can expect a more interactive and personalized search experience. For businesses and developers, this could mean new opportunities for leveraging Bing's enhanced AI capabilities for various applications.
Windows 11 Security: What You Need to Know (22H2 Update)
Source: Kolide
Summary:
The article discusses the security features introduced in Windows 11 and its 22H2 update. It covers various aspects like phishing protection, virtualization-based security, and hardware requirements. The article also mentions the challenges and considerations for implementing these security features.
What’s the importance of this article?
Understanding the security features and challenges of Windows 11 is crucial for both individual users and organizations. The article provides a comprehensive overview, making it a valuable resource for IT professionals and end-users alike.
How could this affect me?
If you are planning to upgrade to Windows 11 or are already using it, this article provides insights into the security features you should be aware of. It also discusses potential challenges, helping you make informed decisions about your operating system's security.
Scams to Watch Out For
Bank Fraud Drains Local Man's Account of $60K
Source: FOX 13 Seattle
Summary:
The video from FOX 13 Seattle discusses a case where a Washington man lost nearly $60,000 due to bank fraud. Despite the bank being aware of suspicious activities, they failed to stop the transactions. The man took all the recommended steps, including contacting his bank multiple times, but the money was still withdrawn. Eventually, after escalating the issue, he was able to recover his funds.
Key Takeaways:
Always be vigilant about your bank transactions and monitor for any suspicious activities.
Simply contacting your bank may not be enough; consider taking additional steps like filing a report online.
Banks may not always act in your best interest; be proactive in following up and escalating issues.
Thank You, Hard Targets!
I can't express enough how much your support means to us. Your subscription and active engagement make all the difference in our mission to fortify digital landscapes. As Hard Targets, you're not just passive readers; you're active participants in enhancing cybersecurity awareness.
I have a small favor to ask: If you find value in our newsletter, could you please encourage a friend or family member to subscribe before our next issue? The more Hard Targets we have, the safer our digital world becomes.
Reply