Transcript
A (0:04)
The European Union has a problem attracting and retaining cyber talent. The CEO of Coupang resigns following the company's security breach. Microsoft expands its bug bounty program to cover third-party code, and Chrome and Gogs patch zero-days. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 10th of December, and this podcast episode is brought to you by Mastercard, committed to building a more secure, connected digital ecosystem.

In today's top story, organisations across the EU are struggling to attract and retain cybersecurity talent. According to a survey by the EU's cybersecurity agency, many candidates lack the necessary skills. Employers also don't have proper training programs. Cyber experts who leave cite excessive workloads, burnout and the lack of competitive salaries and bonuses. Overall, European organisations' average cybersecurity spend was roughly 9% of their IT budgets.

In other news, the US will soon require all foreign travellers to provide five years' worth of social media history. Foreigners will be required to list email addresses, phone numbers and social media accounts used in the last five years. The new requirement will apply to citizens of all countries, including those on the visa waiver program, including Japan, the EU and Australia.

The UK government has imposed sanctions on two Chinese security firms. Sanctions were levied against i-Soon and Integrity Tech. Both are contractors that have provided hacking services to Chinese intelligence agencies. Integrity Tech has been linked to a Chinese cyber-espionage group known as Flax Typhoon. Both companies have also been sanctioned by the US.

The CEO of South Korean e-commerce giant Coupang has resigned following a recent security breach. Park Dae-jun resigned on Wednesday after authorities raided the company's headquarters. The police sought evidence related to a recent hack that exposed the personal data of two-thirds of the country's population. Coupang is the third major South Korean company breached this year. The CEOs of SK Telecom and Korea Telecom also resigned following their breaches. Meantime, South Korean authorities have also further identified the Coupang hacker as a 43-year-old Chinese national who worked in the company's security team. He worked at Coupang between 20 and 2024 and has since left the country.

Ukraine has hacked and wiped the servers of Russian logistics company L Transplus. The cyber attack was conducted by Ukraine's military intelligence agency and the hacktivist group BO Team. The two claim they wiped more than 165 terabytes of data from 700 systems.

Pet care company Petco has shut down part of its website that supported its veterinary arm, Vetco. TechCrunch reported that it had identified a flaw in the website that exposed customer data without authentication. This included customer names, addresses, phone numbers and pet medical details.

The UK's privacy watchdog has fined password manager LastPass 1.2 million pounds over the company's 2022 security breach. The incident exposed the personal data of 1.6 million customers in the UK. The ICO says LastPass failed to implement robust security measures. In August 2022, a hacker gained access to a LastPass employee's personal laptop and jumped from there into the company's network.

The US has indicted a Ukrainian woman for participating in cyber attacks against critical infrastructure. Victoria Eduardovna Dubranova was allegedly part of two pro-Kremlin hacktivist groups named NoName057 and the Cyber Army of Russia Reborn. The US Justice Department says the groups tampered with water systems and caused an ammonia leak at a US meat processing factory. Dubranova pleaded not guilty in a US court this week.

Dutch prosecutors are seeking an eight-month prison sentence for a man who launched DDoS attacks against the country's 112 emergency number. The suspect was identified as a 47-year-old man from the city of Delft. He allegedly executed the attack using multi-SIM devices that belong to a company that rents telephone numbers. The man tried to frame the owners of the company, with whom he had a business conflict.

The US Department of Justice has indicted an Accenture product manager with fraud for lying about compliance in government contracts. Danielle Hilmer allegedly said the company's cloud platform was FedRAMP compliant. She also allegedly obstructed federal auditors during 2020 and 2021, trying to hide the platform's deficiencies. She faces more than 30 years in prison if found guilty.

A Malaysian man was sentenced by a Singaporean court to five years and six months in prison for training cybercriminals to use malware. Qiu Haibeng was charged with recording 20 videos that taught members of a cybercrime group how to deploy and use the SpyMax Android remote access trojan. Qiu was recruited by the group while incarcerated in a South Korean prison.

Ukrainian authorities have arrested a 22-year-old man for hacking and selling social media accounts. He also managed a bot farm with more than 5,000 accounts. He faces up to 15 years in prison.

The Paxful cryptocurrency exchange has pleaded guilty to laundering crypto assets and helping to evade sanctions. The platform has agreed to pay a $4 million fine in the US to settle the charges. Paxful failed to maintain a Know Your Customer system and other anti-money-laundering measures. According to the US Justice Department, the platform was used to launder funds from online fraud, romance scams, extortion schemes and prostitution.

Google has released a security update to patch an actively exploited Chrome zero-day. The company has not provided a CVE number or any other details. It's the eighth Chrome zero-day patched this year.

Meantime, threat actors are exploiting a zero-day in the Gogs open source Git server. The zero-day is a bypass of a previous remote code execution attack. According to Wiz, more than 700 Gogs servers have already been compromised. The Gogs project has yet to release a patch.

.NET applications are vulnerable to a new flaw known as sopone. The issue was discovered by Watchtower Labs and can lead to remote code execution. Vulnerable applications include the Umbraco CMS, Barracuda's Service Center, the Ivanti Endpoint Manager and more. Microsoft elected not to patch .NET itself, instead leaving it to individual applications to fix.

The Notepad code editor has rolled out a patch to fix its update system. The project released the patch after users reported installed updates containing malware. The patch enforces file signatures and certificate validation to prevent users from being redirected to malicious update servers.

The Traefik reverse proxy shipped with a key security control backwards for the last five months. The setting that enabled TLS verification actually disabled it. The issue was found by Aisle Security and corrected this month.

Microsoft has expanded its public bug bounty program for its online services. The company will now pay bounties for vulnerabilities that impact its systems, even if the root cause is in third-party code.

Researchers have discovered a new variation of the ClickFix attack. The new technique tricks users into copy-pasting text that contains OAuth secrets into an attacker-controlled webpage. Push Security spotted the technique being used to target Microsoft business accounts. The technique is a variation of an attack used by Russian state-sponsored hackers earlier this year. Those relied on tricking victims into sending OAuth data in an email reply to the hackers.

The CA/Browser Forum will sunset 11 domain validation methods used to issue TLS certificates. This includes methods that rely on email and phone verification, as well as IP and reverse address lookups. The verification methods will be phased out by March 2028.

Google is rolling out a new feature for Android users that will let them share live video with emergency services. The feature is being rolled out in the US and some regions of Mexico and Germany. It'll be available for all devices running Android 8 or later. Android 8 was released in 2017.

And finally, Microsoft is adding a new PowerShell security feature to warn users when they're about to execute web content. The new feature is rolling out with PowerShell version 5.1. The warning will alert users when executing the Invoke-WebRequest command without additional security parameters.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Mastercard. Find them at mastercard.com. Thanks for your company.
