Hello world - and welcome to your August update!
We hope you're all healthy and safely enjoying the summer as best as you can. July was an unbelievable month, particularly in the security world, so here's a round-up of some recent events.
Firstly, on a positive note, the three of us have rounded off the academic year really well, with Sarah and Sophia both achieving strong first class honours in their bachelor's degrees, and Morgan scoring a distinction in the first year of her master's. We're really proud of each other and looking forward to new challenges over the next few months. Well done to everybody finishing up their studies during this tense time - it's been tough but you've done the best you could, and we hope you're proud of yourselves and your achievements.
A few big-hitting critical vulnerabilities dropped this month. Check Point discovered a wormable remote code execution (RCE) Microsoft DNS vulnerability with a CVSS score of 10.0 which affected all versions of Windows Server. F5 announced an unauthenticated RCE vulnerability affecting the configuration utility of BIG-IP, also with a CVSS score of 10.0. There were also a bunch of Cisco vulnerabilities, several Citrix vulnerabilities, and last week a high-rated vulnerability dubbed BootHole was released, which allows attackers to bypass secure boot and establish pre-OS persistence.
Other unmissable news includes the Twitter hack, for which a 17-, 19-, and 22-year-old have now been arrested; Coinbase says it prevented over 1000 related transactions. Cloudflare experienced a widespread but short service outage after they accidentally DoSed their Atlanta router during a network change, which impacted third parties leveraging their content delivery network (CDN).
There are significant and growing concerns around the privacy of TikTok users, as the US considers banning the social media app, and Microsoft continues discussions to explore acquiring TikTok in the US. On another geopolitical/cybersecurity-related note, the UK has announced that all Huawei 5G equipment must be removed from mobile networks by 2027, following sanctions imposed by the US on the Chinese technology company.
The UK government has admitted the current COVID-19 track and trace scheme is in breach of GDPR, since a data privacy impact assessment (DPIA) wasn't completed at inception, and has agreed to reduce its data retention to 8 years, down from 20, following the threat of legal action. Garmin were hit by a WastedLocker ransomware attack by Evil Corp, and probably paid a $10 million ransom after a day or two to get hold of a decryption key so they could restore operations.
A massive sting operation by joint European police forces against criminals using encrypted messaging app EncroChat has resulted in hundreds of arrests and the recovery of millions of pounds, several tonnes of drugs, dozens of firearms, and even the discovery of a Dutch torture chamber. (Eeek.)
On a lighter note, the BSides London ticket challenge deadline has been extended until the 27th September since the conference has been postponed until the 24th of October. Sarah virtually attended HOPE con 2020 last week - the talks have been archived here. The experienced conference goers among you will know that Defcon has gone virtual for 2020 and will be running on Discord - you can check out their website for details on Defcon safe mode, swag, and more.
Speaking of Discord, we recently started a server for women and non-binary people in technology and security to collaborate, support each other and share resources. If you'd like to be part of this, drop us a DM on one of our socials, and we'll invite you.
We also finally got around to starting our Securiteenies series - which are blogs aimed mostly at teenagers and older kids to explain fundamentals - and we have a few fun posts in the pipeline so keep your eyes peeled!
As usual, in case you missed any of our recent blogs, you can check them out below.
Lots of love,
Security Queens xxx