In today’s CyberHub Podcast, host James Azar delivers a comprehensive rundown of pressing cybersecurity vulnerabilities and developments, with a special focus on post-quantum cryptography. Joining him as a guest is Brian Penny, co-founder and CEO of Kloch Technologies, who offers insights into NIST’s recent cryptography standards.
Jenkins Vulnerability Exploited
Jenkins, an open-source automation server, continues to be actively exploited seven months after a critical path traversal vulnerability (CVE-2024-2387) was disclosed. The flaw lets attackers read arbitrary files from the Jenkins controller's file system. Despite being reported in January, 45,000 instances remain unpatched.
Action Item:
Organizations using Jenkins should immediately review their instances for this vulnerability and apply available patches.
Additionally, they should evaluate their patch management processes to ensure faster responses to critical vulnerabilities.
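The review step above starts with knowing which controllers are still running a vulnerable release. The following added example (not code from the podcast or from the Jenkins project) triages an inventory of HTTP response headers: Jenkins controllers report their version in an X-Jenkins response header, and LTS releases use three version components (2.A.B) while weekly releases use two (2.A), so each host has to be compared against the fix version of its own release line. The hostnames, header values and the two minimum versions are constructed; the minimums are placeholders to be replaced with the fixed releases named in the Jenkins advisory.

```python
"""Triage Jenkins controllers against minimum patched versions.

Added example, not code from the podcast or from Jenkins. The inventory,
the hostnames and the minimum versions below are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# PLACEHOLDER minimums: replace with the LTS and weekly fix releases
# from the Jenkins advisory. These numbers are constructed for the demo.
LTS_MIN_PLACEHOLDER: Version = (2, 400, 1)
WEEKLY_MIN_PLACEHOLDER: Version = (2, 420)

# Constructed raw response headers, as a scanner or inventory tool would
# record them for each controller.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ci-a.example.internal": "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.400.1\r\n",
    "ci-b.example.internal": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.399.2\r\n",
    "ci-c.example.internal": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.419\r\n",
    "ci-d.example.internal": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
}


def parse_version(text: str) -> Optional[Version]:
    """'2.426.3' -> (2, 426, 3); '2.442' -> (2, 442); None if not a version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def version_from_headers(raw: str) -> Optional[Version]:
    """Pull the version out of the X-Jenkins header, case-insensitively."""
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return parse_version(value)
    return None


def is_patched(v: Version, lts_min: Version, weekly_min: Version) -> bool:
    """Compare against the minimum of the matching release line only.

    An LTS version (three components) must never be compared against the
    weekly minimum, or 2.426.x would look 'newer' than a weekly 2.442.
    """
    return v >= (lts_min if len(v) == 3 else weekly_min)


def triage(inventory: Dict[str, str], lts_min: Version,
           weekly_min: Version) -> List[Tuple[str, str, str]]:
    """Return (host, version-or-'unknown', status) for every controller."""
    results = []
    for host, raw in inventory.items():
        v = version_from_headers(raw)
        if v is None:
            # No X-Jenkins header: a proxy may strip it; needs a manual look.
            results.append((host, "unknown", "review"))
        elif is_patched(v, lts_min, weekly_min):
            results.append((host, ".".join(map(str, v)), "ok"))
        else:
            results.append((host, ".".join(map(str, v)), "UNPATCHED"))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, LTS_MIN_PLACEHOLDER, WEEKLY_MIN_PLACEHOLDER):
        print("%-25s %-10s %s" % row)
```

Hosts whose version cannot be read still land in the report as "review" rather than silently dropping out, which is the failure mode that leaves instances unpatched for months.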
GitHub Enterprise Server Flaws
GitHub has released an urgent fix for several vulnerabilities in its Enterprise Server product, the most critical being CVE-2024-6800, which could allow attackers to gain site administrator privileges by manipulating SAML SSO authentication.
Action Item:
Update all GitHub Enterprise Server versions to 3.14 or later to mitigate these vulnerabilities.
Regularly review and update SAML configurations to avoid similar issues.
Google Chrome Zero-Day Vulnerability
Google has patched a zero-day vulnerability (CVE-2024-7971) in the Chrome V8 JavaScript engine, actively exploited in the wild. This marks the ninth zero-day vulnerability for Chrome this year.
Action Item:
Users should immediately update their Chrome browsers to the latest version by navigating to the Chrome menu > Help > About Google Chrome and then restarting the browser to apply the update.
Post-Quantum Cryptography Standards
NIST recently released three new post-quantum cryptography algorithms focusing on asymmetric encryption. Brian Penny, CEO of Kloch Technologies, discussed the importance of crypto agility, emphasizing the need for systems that can easily adapt to future cryptographic requirements.
Action Item:
Security teams should begin assessing their encryption systems and key management practices to ensure they are prepared for the transition to post-quantum cryptography.
Consider the feasibility of implementing crypto agility within your infrastructure.
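Crypto agility, as discussed above, is less about any one algorithm than about how a system names and governs the algorithms it uses. The following added example (not code from the podcast or from Kloch Technologies) shows the pattern in miniature: every signed record carries an algorithm identifier, a registry maps identifiers to implementations, and a policy table says which identifiers may sign new data, which are verify-only during a migration, and which are refused. The two registered algorithms are HMAC-SHA256 and HMAC-SHA3-256 from the standard library, chosen only so the code runs offline; a post-quantum scheme such as ML-DSA would be one more registry entry. The algorithm ids, key ids, key bytes and policy values are constructed for the example.

```python
"""Crypto-agility pattern: tagged records, an algorithm registry, and a
migration policy.

Added example, not code from the podcast or from Kloch Technologies.
Algorithm ids, keys and policy values are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional, Tuple

Signer = Callable[[bytes, bytes], bytes]
Verifier = Callable[[bytes, bytes, bytes], bool]


def _hmac_pair(digest) -> Tuple[Signer, Verifier]:
    """Build sign/verify callables for one HMAC digest (stand-in primitive)."""
    def sign(key: bytes, msg: bytes) -> bytes:
        return hmac.new(key, msg, digest).digest()

    def verify(key: bytes, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(hmac.new(key, msg, digest).digest(), sig)

    return sign, verify


# Registry: algorithm id -> implementation. Adding a PQ signature scheme
# means adding an entry here; callers never name a primitive directly.
ALGORITHMS: Dict[str, Tuple[Signer, Verifier]] = {
    "hmac-sha256": _hmac_pair(hashlib.sha256),
    "hmac-sha3-256": _hmac_pair(hashlib.sha3_256),
}

# Policy: "preferred" may sign new records, "legacy" is verify-only while
# old data is re-signed, "forbidden" is rejected even on verification.
POLICY: Dict[str, str] = {
    "hmac-sha256": "legacy",
    "hmac-sha3-256": "preferred",
    "hmac-md5": "forbidden",   # constructed example of a retired id
}

# Constructed demo keys, looked up by key id so keys can rotate too.
KEYS: Dict[str, bytes] = {
    "k1": b"constructed-demo-key-1",
    "k2": b"constructed-demo-key-2",
}


def _canonical(payload: dict) -> bytes:
    """Stable encoding so signer and verifier hash the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_with_algorithm(payload: dict, key_id: str, alg: str) -> dict:
    """Sign without consulting policy; models data signed before a migration."""
    sign, _ = ALGORITHMS[alg]
    return {"alg": alg, "kid": key_id, "payload": payload,
            "sig": sign(KEYS[key_id], _canonical(payload)).hex()}


def sign_record(payload: dict, key_id: str, alg: Optional[str] = None,
                policy: Dict[str, str] = POLICY) -> dict:
    """Sign new data with the preferred algorithm (or an explicitly allowed one)."""
    if alg is None:
        alg = next(a for a, p in policy.items() if p == "preferred")
    if policy.get(alg) != "preferred":
        raise ValueError(f"{alg} is not allowed for new signatures")
    return sign_with_algorithm(payload, key_id, alg)


def verify_record(record: dict, policy: Dict[str, str] = POLICY) -> bool:
    """Fail closed on unknown, forbidden or unregistered algorithm ids."""
    alg = record.get("alg")
    if policy.get(alg) not in ("preferred", "legacy") or alg not in ALGORITHMS:
        return False
    key = KEYS.get(record.get("kid", ""))
    if key is None:
        return False
    _, verify = ALGORITHMS[alg]
    try:
        sig = bytes.fromhex(record["sig"])
    except (KeyError, ValueError):
        return False
    return verify(key, _canonical(record["payload"]), sig)


if __name__ == "__main__":
    old = sign_with_algorithm({"amount": 10}, "k1", "hmac-sha256")
    new = sign_record({"amount": 10}, "k1")
    print(new["alg"], verify_record(old), verify_record(new))
```

The migration itself is then a policy change: flip the old id from "legacy" to "forbidden" once all stored records have been re-signed, and verification of anything still carrying the old id fails without any code change.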
Microsoft Copilot Studio Vulnerability
A critical information disclosure vulnerability (CVE-2024-38206) was found in Microsoft Copilot Studio, potentially exposing sensitive internal infrastructure information. Microsoft has mitigated the issue, and no exploits have been reported.
Action Item:
Review and apply the latest patches from Microsoft. Conduct a security audit of sensitive infrastructure to identify and mitigate any residual risks.
Phishing Campaign Targets Mobile Banking Users
A new phishing tactic uses progressive web applications to mimic legitimate banking software, targeting iOS and Android users. This campaign has primarily affected users in the Czech Republic, Hungary, and Georgia.
Action Item:
Educate users on the dangers of downloading apps from unofficial sources. Implement multi-factor authentication (MFA) for mobile banking services and monitor for suspicious activities.
Unusual Identity Theft Case
A 39-year-old man from Kentucky was sentenced to 81 months in jail for faking his own death to avoid child support payments and committing identity theft. He fraudulently registered his death in the Hawaii state registry and used a false identity to open financial accounts.
Russian Scientist Arrested for Treason
Artem Korisolov, a Russian scientist, was detained on charges of treason for allegedly launching DDoS attacks and providing intelligence on Russian troop movements to Ukraine. His arrest, initially concealed, was recently publicized by Russian authorities.
Conclusion
The podcast concludes with James encouraging listeners to stay updated on the latest cybersecurity news and developments by subscribing to the CyberHub Podcast and its Substack newsletter.
The episode highlights the importance of timely patch management, understanding emerging cryptographic standards, and being vigilant against both conventional and unconventional cybersecurity threats.
Next Steps:
Subscribe to CyberHub Podcast and its Substack for ongoing updates.
Implement the recommended action items to bolster your organization’s security posture.
Stay informed about the latest cybersecurity trends and vulnerabilities.
Stay Cyber Safe!
👀 SHOW Supporters:
Today’s episode is supported by our friends at Nudge Security, who offer a free 14-day trial to all CyberHub Podcast community members at https://www.nudgesecurity.com/cyberhub
✅ Story Links:
https://www.securityweek.com/critical-authentication-flaw-haunts-github-enterprise-server/
https://www.securityweek.com/why-linkedin-developed-its-own-ai-powered-security-platform/
https://www.securityweek.com/microsoft-copilot-studio-vulnerability-led-to-information-disclosure/
https://therecord.media/moscow-detains-scientist-ddos-ukraine
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1
✅ Important Links to Follow:
👉Substack:
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
✅ For Business Inquiries: info@cyberhubpodcast.com
=============================
✅ About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.