Newsletter

open source and cybersecurity news

August 31, 2023

In this Episode:

Marcel Brown:August 31st, 1897. Thomas Edison receives a patent for the Kinetographic Camera, also called the Kinetograph. Edison and his assistant, W. K. L. Dickson, were credited with inventing the Kinetograph in the early 1890s, and it is often considered to be the first real motion picture camera.

Edwin Kwan: Japan’s Computer Emergency Response Team, JPCERT, recently shared a newly-detected attack that bypasses detection by embedding malicious Word files in PDFs.

Katy Craig: Have you ever said, “I’ll Venmo you,” and think nothing of it? Well, it’s time to think again. Venmo isn’t just for easy payments. It’s a data goldmine. It’s like leaving breadcrumbs that form a trail of your life: where you go, who you see, and when you see ’em.

Ian Garrett: Have you ever wondered what challenges security teams face due to budgetary and staffing constraints? Today is the last part of a three-part series where we explore the 10 common tasks that often bog down cybersecurity professionals and discuss strategies employed by security leaders to overcome these hurdles.

Olimpiu Pop: NIST, the US National Institute of Standards and Technology, published the public draft of version 2.0 of their Cybersecurity Framework. It expanded from protecting just critical infrastructures like hospitals and power plants, to providing cybersecurity guidance for all organizations, regardless of type or size.

 

The Stories Behind the Cybersecurity Headlines

 

Edwin Kwan
Malicious Word Documents Hiding As PDFs

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

If it looks like a PDF file and passes traditional PDF scanning, then you might think that the file is a PDF file when, in fact, it could be a malicious Word document disguised as a PDF file.

This is Edwin Kwan from Sydney, Australia.

Japan’s Computer Emergency Response Team, JPCERT, recently shared a newly-detected attack that bypasses detection by embedding malicious Word files in PDFs.

The malicious polyglot file is recognized by most scanning engines as being a PDF, but Office applications will open it as a Word document. The sample file JPCERT provided is a PDF document that contains a Word document that has an embedded Visual Basic Script macro, VBS, that would download and install a malicious file. This will happen if the file is opened as a Word document in Microsoft Office.

While such polyglot files might evade detection by scanning tools, they do not bypass Microsoft’s security settings, such as those that disable auto-execution of macros in Microsoft Office.

For the defenders wanting to detect such files in their organization, JPCERT has shared a Yara rule, which checks if a file starts with a PDF signature, followed by patterns indicative of a Word or Excel document.

Resources
– Bleeping Computer: https://www.bleepingcomputer.com/news/security/maldoc-in-pdfs-hiding-malicious-word-docs-in-pdf-files/
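The detection idea described above (a file that starts with the PDF signature but also carries Word or Excel container patterns) as an added Python example; this is not JPCERT's YARA rule and the sample bytes are constructed here, not real malware. The OLE2 signature, the ZIP local-file header layout, and the VBA part names vbaProject.bin and _VBA_PROJECT are standard format facts; the heuristic thresholds are this example's own assumptions.

```python
import re

PDF_MAGIC = b"%PDF"
# OLE2 compound-file signature used by legacy .doc / .xls containers
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# ZIP local-file header (4-byte signature + 26 bytes of fixed fields) whose
# entry name starts with an OOXML Word or Excel part path
OOXML_PART = re.compile(rb"PK\x03\x04.{26}(?:word/|xl/)", re.DOTALL)
# VBA container names: ASCII inside OOXML zips, UTF-16LE in OLE2 directories
_MACRO_NAMES = ("vbaProject.bin", "_VBA_PROJECT")
MACRO_MARKERS = tuple(n.encode() for n in _MACRO_NAMES) + tuple(
    n.encode("utf-16-le") for n in _MACRO_NAMES)


def classify(data: bytes) -> dict:
    """Report which indicators the bytes carry; 'polyglot' is the verdict."""
    is_pdf = data.startswith(PDF_MAGIC)
    has_ole = OLE_MAGIC in data
    has_ooxml = OOXML_PART.search(data) is not None
    return {
        "pdf_header": is_pdf,
        "ole_container": has_ole,
        "ooxml_parts": has_ooxml,
        "macro_markers": any(m in data for m in MACRO_MARKERS),
        # a PDF signature plus an Office container is the polyglot pattern
        "polyglot": is_pdf and (has_ole or has_ooxml),
    }


def scan_file(path: str) -> dict:
    """Classify a file on disk (read fully; samples of this kind are small)."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed samples, not real malware: a plain PDF, a PDF header with an
# OLE2 container and a VBA stream name appended, and a PDF header with an
# OOXML zip entry for word/vbaProject.bin.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
OLE_POLYGLOT = CLEAN_PDF + OLE_MAGIC + b"\x00" * 16 + "_VBA_PROJECT".encode("utf-16-le")
OOXML_POLYGLOT = CLEAN_PDF + b"PK\x03\x04" + b"\x00" * 26 + b"word/vbaProject.bin"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PDF), ("ole", OLE_POLYGLOT), ("ooxml", OOXML_POLYGLOT)):
        print(name, classify(blob))
```

A match is a triage signal, not proof of malice: confirm by opening the file in a sandbox or extracting the embedded Office object with an OLE/OOXML parser before acting on it.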

 

Katy Craig
Is it time to nuke your Venmo account?

Katy Craig, Contributing Journalist, It's 5:05 Podcast

Have you ever said, “I’ll Venmo you,” and think nothing of it? Well, it’s time to think again. Venmo isn’t just for easy payments. It’s a data goldmine. The New York Times spilled the beans: the app’s got a social angle that might have you oversharing more than just your love for avocado toast.

This is Katy Craig in San Diego, California.

Sure, Venmo canned its global feed two years ago. That was the thing that let just about anyone peek into your financial comings and goings. But here’s the kicker: visit someone’s profile, and you can still see their payment history. Not a big deal? Think again.

Security buffs like Gennie Gebhart from the Electronic Frontier Foundation are raising eyebrows. It’s not just that you’re broadcasting your pizza nights. It’s like leaving breadcrumbs that form a trail of your life: where you go, who you see, and when you see ’em.

The stakes are high. Some digital sleuths have used Venmo histories to dig up dirt on bigwigs like Supreme Court Justice Clarence Thomas, and even President Joe Biden.

The pro tip? Check those privacy settings, folks, or if you’re really skittish, do like the President and nuke that account.

This is Katy Craig. Stay safe out there.

Resources
– New York Times: https://www.nytimes.com/2023/08/09/technology/personaltech/venmo-privacy-oversharing.html
– Buzzfeed News: https://www.buzzfeednews.com/article/ryanmac/we-found-joe-bidens-secret-venmo

 

Ian Garrett
Part Three: 10 Tasks Slowing Down Security Professionals

Ian Garrett, Contributing Journalist, It's 5:05 Podcast

Have you ever wondered what challenges security teams face due to budgetary and staffing constraints? Today is the last part of a three-part series where we explore the 10 common tasks that often bog down cybersecurity professionals and discuss strategies employed by security leaders to overcome these hurdles.

Hey folks. This is Ian Garrett in Arlington, Virginia.

In part two, we covered that vendor research, requests for information, and mandatory training are three more tasks that demand time from Chief Information Security Officers. Let’s dive into the final four tasks.

Task seven: Risk Assessments and Evaluations. Quantifying and evaluating security programs is time consuming, but crucial to showing the value of various controls. Leaders can focus on streamlining risk assessments and security evaluations by eliminating unnecessary steps and automating controls to significantly boost efficiency. Similar to the issue surrounding requests for information, having an automated way to pull the data you need for assessments will save time.

Task eight: Communication Overload. Managing excessive emails and reports consumes resources. Some ways to solve this issue are to implement a comprehensive Security Information and Event Management system, otherwise known as a SIEM, refine email content, and stay on top of prioritizing messages.

Task nine: Communication Requirements. Similarly, balancing communication demands is a common challenge. To help, reduce the number of reports produced and focus on anticipating the kind of information that you’ll be asked for. Often inefficiency in communication occurs when the requesting party doesn’t quite understand what they’re being presented. Clarity is key, especially when it comes to complicated topics like security.

Task 10: Reviewing Suspicious Emails. The review of potential phishing emails could be labor-intensive. It’s no surprise that this is a vital area to leverage automation tools for the process and evaluation of potential phishing attacks.

These tools will allow security teams to better allocate their time and resources.

Resources
– CSO Online: https://www.csoonline.com/article/649822/tasks-that-bog-down-security-teams-and-what-to-do-about-them.html

 

Olimpiu Pop
Response to Surging Healthcare Cyberattacks

Olimpiu Pop, Contributing Journalist, It's 5:05 Podcast

NIST, the US National Institute of Standards and Technology, published the public draft of version 2.0 of their Cybersecurity Framework. This is a replacement for the current decade-old standard. In the software world, a version bump translates into significant new features and breaking changes. What new does CSF 2.0 bring?

The changes in the framework recognize the growing threat cybersecurity has become for everybody. Hence, it expanded from protecting just critical infrastructures like hospitals and power plants, to providing cybersecurity guidance for all organizations, regardless of type or size. A notable addition is the “Govern” function, which supplements the existing pillars Identify, Protect, Detect, Respond, and Recover.

“Govern” aims to bolster organizational understanding of cybersecurity governance, encompassing strategy, policies and processes. To win the modern cyber battles, organizations need to respond holistically, as a single body. This new function has a chance of supporting that. Moreover, the enhanced guidance on implementing the CSF, particularly in profile creation, emphasizes its applicability.

A unique feature of this framework is its collaborative development. It’s shaped by its very users, cybersecurity professionals. While NIST is US-based, global input has been significant. Workshops saw participation from over a hundred countries, and a great deal of feedback was received during public consultations.

On the internet, the wide world is a digital village, where you can help anybody. Also, you can be attacked by anybody.

The full episode is on 505updates.com.

Olimpiu Pop reported from Transylvania, Romania.

Resources
– NIST: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.ipd.pdf/

 

Marcel Brown
This Day, August 29, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown bringing you some technology history for August 31st.

August 31st, 1897. Thomas Edison receives a patent for the Kinetographic Camera, also called the Kinetograph. Edison and his assistant, W. K. L. Dickson, were credited with inventing the Kinetograph in the early 1890s, and it is often considered to be the first real motion picture camera.

August 31st, 2004. Aldus, the company that created PageMaker, considered the world’s first desktop publishing application, merges with Adobe, the company that created PostScript, which was the page description language powering many early laser printers. The combination of PageMaker running on Apple’s Macintosh, and printing to Apple’s PostScript-powered LaserWriter, sparked the desktop publishing revolution in the 1980s.

That’s your technology history for today. For more, tune in tomorrow and visit my website thisdayintechhistory.com.

Resources
http://thisdayintechhistory.com/08/31
