InfoSec Dot - Issue #17. 🚗 Ford's Listening Ads 🎧 | 💻 Ivanti's Security Update 🛡️ | 🕵️ $10M Russian Hacker Bounty

Hi there,

Welcome to this Thursday's quick update edition of InfoSec Dot!

Since our comprehensive Monday newsletter, the cybersecurity world has seen several urgent updates. This includes insights into Ford's new in-car advertising technology that listens to conversations, urgent security patches from Ivanti, and a hefty reward offered by the U.S. Department of State for information on Russian hackers.

On a personal note, last week was troubling as Instagram suspended both our InfoSecDot page and my linked personal (10+ years old) Facebook and Instagram accounts, without an option to appeal. Last month they had done the same but immediately reinstated after recognizing their error but now, I am facing unappealable suspension losing access to my personal accounts as well.

This situation highlights significant issues with Instagram's AI-driven moderation. I'd greatly appreciate any support from the community to secure a human review of our accounts, given the possible flags raised by our cybersecurity content and keywords that might have triggered this suspension.

Stay secure, and thank you for your continued support!

🗓️ What’s New

NSA Launches 'No Such Podcast' to Discuss Intelligence and Cybersecurity

The NSA has introduced 'No Such Podcast,' aiming to illuminate its roles in signals intelligence and cybersecurity through discussions with agency personnel. The podcast will cover a range of topics, from counterterrorism efforts to the technological strategies used in protecting national security. This initiative reflects the NSA's commitment to transparency and public engagement in its operations. Read More (2 Mins)

Critical Vulnerability in Windows Hyper-V Discovered

Microsoft has issued an advisory for a critical vulnerability in Windows Hyper-V, designated as CVE-2024-43491. This flaw permits attackers to execute arbitrary code on the host system from a guest virtual machine, representing a significant security threat. Users are strongly encouraged to implement the latest security patches to avoid potential exploits. Read More (3 Mins)

Ivanti Releases Urgent Security Updates for Endpoint Manager

Ivanti has urgently updated its Endpoint Manager software to address ten critical vulnerabilities, including a severe deserialization issue that allows remote code execution. These vulnerabilities affect versions up to 2024 and 2022 SU5, with patches available in 2024 SU1 and 2022 SU6. Ivanti urges users to upgrade immediately to protect against potential exploits, emphasizing improved security measures following recent zero-day attacks. Read More (4 Mins)

Major Flaw in WhatsApp's 'View Once' Feature

WhatsApp's 'View Once' feature, designed to offer privacy by allowing messages to be viewed only once, has a major flaw that undermines its security. Developers have found that the feature can be bypassed by manipulating the flag that controls it, effectively turning private messages into regular, shareable ones. This discovery was made by the team at Zengo while developing a web interface, revealing vulnerabilities in WhatsApp's API server's enforcement of the feature. Read More (3 Mins)

Data Breach at Avis Affects 300,000 Customers

Avis Car Rental has reported a data breach affecting approximately 300,000 customers. The breach, which occurred in August 2024, involved unauthorized access to one of its business applications. Personal information including names, addresses, birth dates, driver’s licenses, and financial details were compromised. Avis is providing affected customers with one year of free credit monitoring services to help mitigate potential fraud and identity theft risks. Read More (2 Mins)

$10 Million Reward for Information on Russian Hacker Group 'Cadet Blizzard'

The U.S. Department of State is offering a $10 million reward for information leading to the identification or location of the Russian hacking group known as Cadet Blizzard. This group, linked to Russia's GRU, has been involved in significant cyber-attacks aimed at espionage and disrupting aid to Ukraine since 2020. The announcement underscores the severity of the threats posed by these cyber actors and the ongoing geopolitical tensions. Read More (2 Mins)

Ford Develops In-Car Advertising Based on Passenger Conversations

Ford is pursuing a patent for technology that would listen to conversations inside vehicles to tailor in-car advertisements. The technology would analyze spoken words and other data like location and travel speed to display targeted ads through the vehicle’s human-machine interface. This initiative, which aims to maximize ad-based monetization, has raised concerns regarding privacy and data protection. Read More (3 Mins)

Want SOC 2 compliance without the Security Theater?

• Oneleet is the all-in-one platform for SOC 2 Compliance & Attestation.

• Get the automation software, penetration test, 3rd party audit, and vCISO services in one place!

• Focus on what matters to build real-world security & pass security reviews!

Schedule a demo for pricing!

🔗 Quick Links

• Privileged Identity Management (PIM): For Many, a False Sense of Security

• Are cybersecurity professionals OK?

• Revival Hijack: A PyPI Supply Chain Attack Technique

• Gartner Research: 4 Ways Generative AI Will Impact CISOs and Their Teams

• Complying with PCI DSS requirements by 2025

If you like this issue, I'd really appreciate it if you could forward it to your friends and colleagues! Your support helps us grow and continue providing great content.

If you have specific feedback or anything interesting you’d like to share, please let me know by replying to this email.

Regards,

Dot