Security Queens Hello World!
June Newsletter

Yoo-hoo, big summer blowout! It's June and we have finally had some beautiful British summer sunshine.

To kick-off the news roundup, we're both thrilled to announce we had the pleasure of partaking at this month's CyNam 21.2 event "Smart Cyber: Securing the IoT and the cities of the future". Sarah and the lovely Ladies of Cheltenham Hacking Society hosted an amazing breakout session about breaking into industry, with Sophia talking on the main track about "The Future of Cars: Are We Safe?". It was a great event (as always!) and we cannot wait until the next one. You can see a recording of Sophia's talk, and a broadcast of the whole event, on our "Talks & Conferences" page. 

Sophia was also recently a panelist at a Cyber Discovery virtual event, taking part in an industry panel session and Q&A. Helping answer questions about industry life from budding cyber security students, it was an excellent chance to give back to the community and support the Cyber Discovery elite student programme.

Both Sophia and Sarah also passed their CREST Practitioner Security Analyst (CPSA) exams this month, and are looking forward to working towards becoming CREST Registered Testers (CRT) in the near future.

Moving onto industry news, a fair few things have happened this month...

A few weeks ago the White House issued an open letter addressing the increased threat of ransomware to US companies. Many business leaders and executives received the memo from the National Security Council's leading cyber official Anne Neuberger.

Revisiting the Colonial Pipeline Co. hack that happened in April earlier this year, it was recently publicised that hackers breached the pipeline by using a compromised password discovered on the dark web. Due to the nature of the discovery, it is assumed that this password was reused on another account that was compromised in a previous breach.

A huge number of high profile websites were affected in a global outage earlier in the month. Fastly, the cloud computing provider of companies such as Amazon and Twitch, admitted that the outage was due to issues with their global content delivery network. 

In one of the biggest stories this month, 8.4 billion password entries were leaked on a hacker forum. The collection of passwords, dubbed "RockYou2021", exposed 100GB of private login information for services such as PayPal, Facebook, Gmail and more.

If you are worried that you have been affected by a breach, you can check your details against the Have I Been Pwned? service.

Newly discovered "Vigilante" malware has recently targeted software piracy by rigging files that expose software pirates and attempt to prevent further unauthorised downloading in the future. These "booby-trapped" files have been planted on websites that are frequently visited by users who pirate software.

In a statement to the stock exchange, law firm Gately disclosed that it recently suffered a loss of client data in a cyber-attack. Gately reported that only a small part of its data store was affected, namely 0.2%.

In the latter part of this month Google issued a warning to all of its users following the discovery of a new zero-day exploit. Over 2 billion users were told to remain on high alert while Google issued an urgent security update to patch the vulnerability in the Chrome browser.

Ransomware strikes again in an unfortunate incident where a fertility clinic was attacked and 38,000 patient details were supposedly exposed. The Atlanta-based clinic was originally struck by a ransomware attack that encrypted some of the embryology data on its central servers. However, it was then discovered that patient details had also been extracted in the attack.

In other ransomware news, a new strain of ransomware dubbed DarkRadiation was recently discovered by researchers. DarkRadiation is written in Bash script and targets Red Hat, CentOS and Debian Linux distributions.

To finish off our news roundup, the Marvel Avengers game has recently patched a bug that was exposing streamer IP addresses. A warning was issued to users who streamed the game, as the PlayStation 5 version of the game accidentally exposed the player's IP address to viewers in the form of a "floating string of text".

And that's a wrap! We all hope you are enjoying a little bit of R&R this summer, and let's hope the sunshine stays for a little! 

As always, you can find our most recent blog posts below.

Lots of love,

The Security Queens xxx


MOBster4: Insecure Authentication
Estimated difficulty: πŸ’œπŸ’œπŸ’œπŸ’œπŸ€ We are continuing on our quest to conquer the OWASP Mobile Top 10, and if you have been following this series then congratulations, you have made it…
Who Ya Gonna Call? DirBuster!
Estimated difficulty: πŸ’œπŸ’œπŸ€πŸ€πŸ€ Need to bruteforce directory names on a web application? Or perhaps you need to find unlisted files on a web server? Who ya gonna call? DIRBUSTER! So…
It's All About Communication, Insecure Communication!
Estimated difficulty: πŸ’œπŸ’œπŸ’œπŸ€πŸ€ Welcome back to another MOBster post! It’s part three of our OWASP Mobile Top 10 series and in this post, we are covering M3: Insecure Communication! The…