Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
The UK has released the first global guidelines for the secure development of AI technology, with endorsement from agencies in 17 other countries, including the US. Developed by the UK's National Cyber Security Centre (NCSC) in collaboration with the US's Cybersecurity and Infrastructure Security Agency (CISA), these guidelines focus on four key pillars of security: secure design, secure development, secure deployment, and secure operation and maintenance.
These guidelines address the need for international cooperation and have received support from cybersecurity agencies around the world. With the rapid development of AI technology, incorporating new security measures is hugely important, and utilising the strengths of industry experts is promising for the future of AI.
By ncsc.gov.uk
This week, Google released an emergency security update to address another zero-day vulnerability found in the Chrome browser. The flaw exists in Chromes graphics engine, Skia, and has been described by Google as a high-severity integer overflow flaw. While it was confirmed that an exploit exists in the wild, not much more has been shared about this vulnerability.
This update also addresses five other high-severity vulnerabilities, including use-after-free issues and out-of-bounds memory access flaws. We advise applying the latest patch as soon as possible.
By securityweek.com
Berglund Management Group, a Virginia-based motor dealer, has revealed a data breach potentially impacting over 50,000 individuals in the United States. The compromised data is believed to include names and Social Security numbers, though Berglund assures there is no evidence of misuse.
The company, which had initially detected unauthorized activity in its network in May, completed its investigation in October. Berglund has enhanced its security measures and is providing affected individuals with free credit monitoring services.
By cybernews.com
Due to technical issues with their planning application portal, Reading Borough Council has advised site visitor to disable HTTPS within their browser. Safari users were also advised to use Google Chrome to access the website as Safari has no option to turn of HTTPS. By removing HTTPS any visitors attempting to access the portal would have their credentials exposed in plaintext, potentially allowing hackers to collect login details. The post has since been taken down and the council and "Apologies for the incorrect information that was tweeted." The planning portal is now back online providing secure connections through HTTPS.
By theregister.com
A “severe design flaw” in Google Workspace's domain-wide delegation feature could allow threat actors to elevate their privileges and obtain unauthorised access by exploiting Workspace APIs. To exploit this weakness, the attacker must have pre-existing access to an account that is capable of creating new private keys within the target Google Cloud Platform.
"Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain," stated technical report produced from cybersecurity firm Hunters.
By thehackernews.com
Dollar Tree, an American discount retail franchise, was impacted by a third-party data breach that affected 1,977,486 people. Zeroed-In Technologies suffered the security incident between 7th-8th August 2023, in which threat actors managed to steal personal information relating to Dollar Tree employees.
"While the investigation was able to determine that these systems were accessed, it was not able to confirm all of the specific files that were accessed or taken by the unauthorized actor," reads the letters sent to affected individuals.
Names, dates of birth, and Social Security numbers were all stolen in the breach while affected individuals will be enrolled on a twelve-month identity protection and credit monitoring service.
By bleepingcomputer.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #260 – 1st December 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
