Cybersecurity News – June 21, 2021

New iPhone bug can permanently break WiFi simply by connecting to a rogue hotspot

Researcher Carl Schou discovered the vulnerability when connecting to his own personal WiFi network, whose name included a percent sign (%) as every second character. On connecting, his iPhone’s WiFi was disabled, and only a full reset of its network settings restored it. Schou and other independent security researchers speculate that the flaw is caused by a parsing issue in the WiFi settings, in which iOS misinterprets the characters following each percent sign as string-format specifiers instead of treating them as part of the hotspot’s name. This kind of bug, he says, could have a severe impact in a real attack scenario in which a threat actor sets up an open rogue WiFi hotspot in a crowded area such as a hotel lobby or a station.
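The suspected bug class, illustrated from the defender's side as an added example (not code from the article, from Apple, or from the researcher): a constructed SSID with a percent sign as every second character, a check that flags names a formatting routine would misread, the safe logging pattern that passes the name as a `%s` argument rather than as the format string, and an escaping helper for cases where the name must end up in a format template. Function names and the sample SSID are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample SSID with '%' as every second character (not the
 * researcher's real network name). */
static const char SAMPLE_SSID[] = "a%b%c%d%e%";

/* True if the SSID holds a lone '%' that a formatting routine would read as
 * the start of a conversion directive; "%%" is a literal and does not count. */
bool ssid_has_format_directive(const char *ssid) {
    for (const char *p = ssid; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }  /* escaped literal percent */
        return true;  /* '%' followed by anything else, or at end of string */
    }
    return false;
}

/* The suspected defect has the shape snprintf(out, n, ssid): the untrusted
 * name *is* the format string. Passing it as a %s argument means no byte of
 * it is ever interpreted. Returns the length snprintf reports. */
int log_ssid_safe(char *out, size_t n, const char *ssid) {
    return snprintf(out, n, "%s", ssid);
}

/* When a string must become a format template anyway, double every '%' so
 * it prints literally. Returns false if out cannot hold the result. */
bool escape_percent(const char *in, char *out, size_t n) {
    size_t j = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (j + need >= n)
            return false;
        out[j++] = *in;
        if (*in == '%')
            out[j++] = '%';
    }
    out[j] = '\0';
    return true;
}

int main(void) {
    char buf[64], esc[64];
    log_ssid_safe(buf, sizeof buf, SAMPLE_SSID);
    escape_percent(SAMPLE_SSID, esc, sizeof esc);
    printf("literal: %s\nflagged: %d\nescaped: %s\n", buf,
           ssid_has_format_directive(SAMPLE_SSID), esc);
    return 0;
}
```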

(Security Affairs)

New York City Law Department hacked

A hacker who infiltrated New York City’s Law Department earlier this month was able to do so thanks to a single pilfered password. Although neither how the password was obtained nor the scope of the attack is known, the hack was enabled by the Law Department’s failure to implement multifactor authentication, more than two years after the city began requiring it, according to four people with knowledge of the legal agency’s system and the incident.

(New York Times)

SASE: 64% of businesses are adopting or plan to adopt in the next year

Global research commissioned by Versa Networks examining the adoption of Secure Access Service Edge (SASE) by businesses during the lockdown revealed that SASE adoption has skyrocketed during the pandemic. The technology, which involves the convergence of networking and security services such as CASB (cloud access security broker), FWaaS (firewall-as-a-service) and Zero Trust into a single cloud-native service model, is increasingly being used to improve the security of devices and applications used by remote users.

(Security Magazine)

Critical flaws in defibrillator management tool pose account takeover, credential risk for hospitals

Multiple remote code execution vulnerabilities found in the ZOLL Defibrillator Dashboard could allow a hacker to take control of the impacted system, according to a CISA alert. The tool provides streamlined management of defibrillators, giving administrators real-time monitoring of devices in the enterprise environment and across multiple sites. One flaw, which CISA warned has a high likelihood of exploitation, is the dashboard’s use of hard-coded cryptographic keys, which “significantly increases the possibility that encrypted data could be recovered” by an attacker.

(SCMagazine)

Thanks to our episode sponsor, Viakoo

If you discover vulnerable IoT devices on your network, stop port-blocking them. Instead, use Viakoo to remediate vulnerabilities and keep devices delivering their value as full network citizens. Visit Viakoo.com to learn more. And come visit us at Black Hat this year.

Google force installs Android COVID app

For the past few days, Android phone users in Massachusetts have reported that Google has silently installed the Massachusetts ‘MassNotify’ app on their devices without the ability to open it or find it in the Google Play Store, and without an easy way to uninstall it. MassNotify is Massachusetts’ COVID-19 contact tracing app that allows users who have opted into Android’s ‘COVID-19 Exposure Notifications’ feature to be warned when exposed to the virus. However, some Android users state that they have received the application even though they have not turned on the Android Exposure Notification settings on their device.

(Bleeping Computer)

North Korea exploits VPN flaw to hack South’s Nuclear Research Institute

The intrusion into South Korea’s state-run Korea Atomic Energy Research Institute is said to have taken place on May 14 through a vulnerability in an unnamed virtual private network (VPN) vendor’s product and involved a total of 13 IP addresses, one of which has previously been linked to a state-sponsored threat actor dubbed Kimsuky. The development follows a report from SISA Journal, which disclosed the breach and alleged that the agency was attempting to cover up the hack by denying such an incident took place. KAERI attributed the denial to a “mistake in the response of the working-level staff.”

(The Hacker News)

Chris Inglis confirmed as first national cyber director

Inglis will be tasked with making sure all the federal agencies operate from a coherent cyber policy. Introducing Inglis at his confirmation hearing last week, Maine Senator Angus King called the national cyber director and the head of the CISA “the equivalent of the Secretary of Defense and the head of the Joint Chiefs of Staff.” One key challenge for Inglis will be defining the role of his office in practice. There are a growing number of agencies with offensive and defensive interests in cyberspace.

(SCMagazine)

Carnival Cruise torpedoed by cyberattack

For the second time in a year, attackers have breached email accounts and accessed personal, financial and health information belonging to guests, employees and crew of the world’s largest cruise-ship operator. Representatives stated that the impacted information includes data routinely collected during the guest experience and travel-booking process, or through the course of employment or providing services to the company, including COVID or other safety testing, and that there is “a low likelihood of the data being misused.” This is the fourth time in the last year and a half that Carnival has admitted to breaches, two of them ransomware attacks.

(Threatpost)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.