Cyber Round-up

Cyber Round-up for 17th December

Welcome to the latest edition of the Ironshare Cyber Round-up where we look back at the events of that last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

The UK’s Secret Situation Centre Is Changing A Nation

Located in the Cabinet Office building a secret data centre accessing a flood of data is helping the way the UK handles anything from food shortage to national relations. The situation centre has been called SitCen and is helping to inform the UK government with better, more accurate and up to date analytics. SitCen is designed to collect data from numerous sources and produce actionable data in a crisis event. Recently SitCen has been used in the fuel shortages to understand where fuel is most needed across the country to allow for fuel tankers to be directed effectively across the country. SitCen & its data analytics capability is expected to play a big role in the UK’s cyber strategy and response, specifically in the event of significant cyber attacks.


Grindr Fined for Breaching GDPR

The gay and bi dating app Grindr has recently been under investigation by the Norwegian Data Protection Authority for its breach of the European General Data Protection Regulation. The application has been found to be selling user information to third parties without explicit permission. Users were forced to agree to the terms within the privacy policy however should have been asked specifically if they consent to their data being shared for behavioural purposes. This overstep in data sharing was met with a fine of €6.5 million. Grindr has made changes to its application however it is unclear if they wish to launch an appeal against the ruling.


Vulnerabilities & Updates

Apache Log4j Vulnerability Resources

This week has seen a huge amount of focus on product vulnerabilities, no more so than the critical Apache Log4j (aka Log Forge) flaws. This has already had a huge impact on businesses and product vendors around the globe with millions of devices thought to be vulnerable. Here you can find our round-up of the recent Apache Log4j vulnerability, including advisories, recommendations, resources and other information.

Microsoft’s December Patch Tuesday

We are already half way through December which means Microsoft’s December Patch Tuesday updates are now available. Please click here for our Patch Tuesday post, including 7 critical vulnerabilities in Microsoft Defender, Office & more.

iOS Update Stops iPhone 13 Jailbreak Exploit

The most recent update to Apple’s IOS has been released and is fixing a slew of security problems. One of the problems has been a Remote Code Execution vulnerability allowing a jailbreak exploit chain. Safari could be exploited allowing arbitrary code to run on the device with kernel permissions. Hacker group Kunlun Lab was able to jailbreak an iPhone 13 in just 15 seconds at the International Cyber Security Contest Tianfu Cup in China. Updating to the latest version is highly recommended due to the severity and ease of the exploitation.


New Vulnerabilities Affects Billions Of Wi-Fi chips

A recent vulnerability was found in System-on-Chip Wi-Fi devices prepared by Broadcom, Cypress, and Silicon Labs. The vulnerabilities were found after a series of attacks were detected using previously unknown exploit methods. The attack allowed hackers to read and alter network traffic including passwords and other private credentials. The vulnerabilities found were:

•             CVE-2020-10368: Wi-Fi unencrypted data leak

•             CVE-2020-10367: Wi-Fi code execution

•             CVE- 2019-15063: Wi-Fi denial of service

•             CVE-2020-10370: Bluetooth denial of service

•             CVE-2020-10369: Bluetooth data leak

•             CVE-2020-29531: Wi-Fi denial of service

•             CVE-2020-29533: Wi-Fi data leak

•             CVE-2020-29532: Bluetooth denial of service

•             CVE-2020-29530: Bluetooth data leak

The security teams analysing the exploit have notified chip vendors which are pushing security updates. It is advised to update your devices as they become available, in case you are affected by these serious vulnerabilities.


Chrome Hit with Another Zero-Day Exploit Patch

A high severity ‘use after free’ zero-day vulnerability in Chrome’s V8 JavaScript engine has been disclosed by a security researcher. These types of vulns allow hackers to run arbitrary code or escape the Chrome’s security sandbox. Details about the vulnerability are scarce as Google hasn’t disclosed information, only saying that the attack has been seen in the wild.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.

Google has since released a security patch to protect against the vulnerability but its expected to take a while before it is rolled out and available to all its users.


And that is it for this week’s round-up, please do not forget to tune in for new instalments every week.

Stay Safe, Secure and Healthy!

Edition #171 – 17th December 2021

Why not follow us on social media:

Ironshare – Security Simplified