Transcript
Sean Kelly (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Thursday, April 17, 2025. I'm Sean Kelly.
MITRE gets last-minute bailout from CISA. Yesterday, the day that MITRE's contract was set to expire, MITRE Vice President Yosry Barsoum confirmed that CISA has provided funding to avoid a break in service for both the Common Vulnerabilities and Exposures and the Common Weakness Enumeration programs. CISA issued a statement saying the CVE program is invaluable to the cyber community and a priority of CISA. The extension of MITRE's contract is set for 11 months.
Krebs exits SentinelOne after security clearance pulled. Following up on a story we brought to you on Friday, Chris Krebs has resigned as SentinelOne's Chief Intelligence and Public Policy Officer, effective immediately. This follows a presidential order that revoked Krebs' security clearance and ordered a review of CISA's conduct under his leadership. In a farewell note to SentinelOne staff, Krebs said, quote, I want to be clear. This is my decision and mine alone. This is my fight, not the company's. This will require my complete focus and energy. It's a fight for democracy, for freedom of speech and for rule of law. I'm prepared to give it everything I've got, end quote.
Apple fixes two zero-days exploited in targeted iPhone attacks. On Wednesday, Apple released emergency fixes for two zero-day vulnerabilities that were used in an extremely sophisticated attack on the iPhones of specific targets. The two vulnerabilities are in CoreAudio and RPAC, with both bugs impacting iOS, macOS, tvOS, iPadOS and visionOS. The CoreAudio flaw can be exploited with a maliciously crafted media file to execute remote code on the device. Meanwhile, the RPAC bug allows attackers with read or write access to bypass pointer authentication, an iOS security feature that helps protect against memory vulnerabilities. Apple has yet to share further details related to how the flaws were exploited.
CISA warns of potential data breaches caused by a legacy Oracle cloud leak. In another follow-up to a story we covered last week, federal officials at CISA on Wednesday warned of the potential fallout of a data breach impacting Oracle. The incident surfaced when an alleged hacker boasted on social media that they were selling Oracle's stolen data on cybercriminal forums. The claims were substantiated by CloudSEK, CybelAngel and several other cybersecurity firms. Last week, Oracle admitted that credential data was stolen from two obsolete servers, but not from its Oracle Cloud Infrastructure, or OCI. CISA said, quote, the compromise of credential material, including usernames, emails, passwords, authentication tokens and encryption keys, can pose significant risk to enterprise environments, end quote. The agency urged organizations to reset passwords for affected services, review source code for potential issues, monitor authentication logs and report any incidents to authorities.
And now we'd like to thank our episode sponsor, Vanta. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. More than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and also help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at Vanta.com/headlines. That's V-A-N-T-A dot com slash headlines.
Nvidia flaw gets a second patch amidst reporting confusion. Back in September, Nvidia released a patch for a high-severity time-of-check, time-of-use vulnerability. However, after closer inspection, researchers from Trend Micro and Wiz separately discovered a secondary flaw that the patch did not mitigate. In a blog post last week, Trend Micro said the incomplete fix leaves systems exposed to a secondary denial-of-service bug affecting Nvidia Container Toolkit or Docker in AI, cloud or containerized environments. Interestingly, Wiz released its own report on the secondary bug back on February 11th. About a week later, Nvidia released an advisory and a patch for the secondary issue. This leaves overtaxed defenders and other industry experts to wonder why it took Trend Micro until last week to issue its report.
Microsoft to strengthen email sender requirements. Microsoft recently announced that effective May 5, it will enforce new security requirements for domains sending over 5,000 daily emails to outlook.com, hotmail.com and live.com. These requirements include Sender Policy Framework, or SPF, checks to ensure sending domains' DNS records accurately list authorized IP addresses; DomainKeys Identified Mail, or DKIM, validation to confirm message integrity and authenticity; and Domain-based Message Authentication, Reporting and Conformance policies, or DMARC, which action messages that fail authentication. Microsoft's initiatives align with similar measures introduced by Google and Yahoo in 2024.
Google blocked over 5 billion harmful ads in 2024. On Wednesday, Google reported that it suspended over 39.2 million advertiser accounts last year. Google leveraged AI-powered tools to identify and block the majority of the accounts before they could serve harmful ads to users. In all, the tech giant blocked 5.1 billion malicious ads and restricted 9.1 billion ads across 1.3 billion pages last year. The top six ad policy violations included ad network abuse, trademark misuse, personalized ads, legal requirements, financial services, and misrepresentation.
92% of mobile apps found using poor encryption practices. New research from Zimperium's zLabs examined over 17,000 Android and iOS mobile apps from the official app stores and being used by the firm's own customers' employees. Of these, 83 Android apps were found to use unprotected or misconfigured cloud storage. In some cases, file indexes are world-viewable, and in others the content can be accessed without credentials. The researchers also found that 92% of the apps it tested use weak or flawed cryptographic methods. The researchers concluded that organizations should take measures to identify and resolve misconfigured cloud storage settings, detect and rotate exposed credentials and API keys, avoid the use of outdated insecure algorithms, and monitor third-party SDKs for known vulnerabilities.
And that does it for today's cybersecurity headlines. But with respect to those trying to break into the field of cybersecurity, are we creating far too many unnecessary requirements and missing a massive opportunity to truly help our security programs? That's what we'll be discussing in our latest episode of Defense in Depth. Look for "What Can Someone with No Experience Do in Cybersecurity?" wherever you get your podcasts. Thank you for listening to the podcast that brings you more of the top cyber news stories and more cowbell. I'm Sean Kelly. Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
