Welcome to this edition of ‘This Week in Cybersecurity’ where we explore a common subject that affects us all: cybersecurity and privacy in the digital age.
Join us as we present curated brief summaries of what unfolded in the cybersecurity world this week. Explore the most recent trends, including a new deep learning attack that can decipher laptop keystrokes, and insights into a Microsoft Visual Studio Code flaw and Intel’s Downfall bug. This compilation aims to keep you updated and well-informed on the latest trends, so sit back, relax and enjoy this week’s roundup.
Indian lawmakers recently approved data protection legislation that seeks to better regulate big tech firms and penalise companies for data breaches. The legislation aims at limiting cross-border transfer of data and setting up a data protection authority to ensure compliance from tech companies. However, it has faced criticism from opposition lawmakers, digital experts and rights activists, who say it could allow the government to access user and personal data without consent, potentially undermining people’s privacy rights and the landmark Right to Information. This is the government’s third attempt to pass such legislation, and it comes 6 years after privacy was recognised as a fundamental right.
Date: Aug 11, 2023
Tag: Data Protection, Data Privacy
A Google researcher discovered a security flaw, tracked as CVE-2022-40982 and known as Downfall, that affects Intel processors and enables malicious actors to steal encryption keys, passwords and private data. The bug exploits a “gather” instruction, which leaks the content of the internal vector register file during speculative execution, allowing the theft of sensitive data, including data safeguarded by Software Guard eXtensions (SGX). The bug affects Intel processors spanning from the 6th-generation Skylake series to the 11th-generation Tiger Lake chips. Intel has released a microcode update to address the issue but warned that this could result in a performance reduction of up to 50% for workloads reliant on the Gather instruction.
Date: Aug 10, 2023
Tag: Vulnerability, Cyber Risk/Cyber Threats
Google has moved Chrome’s security updates from a bi-weekly to a weekly schedule to address the growing patch issue, reducing the time threat actors have to exploit n-day and zero-day flaws. The change aims to reduce exploitation opportunities and deliver security fixes more often. While the open-source nature of Chromium provides transparency in its development, it also leaves room for advanced threat actors to exploit vulnerabilities before a fix reaches users. These weekly updates will minimise n-day exploitation opportunities and give users a more consistent security maintenance schedule.
Date: Aug 9, 2023
Tag: New Releases, Vulnerability
The UK’s Electoral Commission suffered a “complex cyber-attack” exposing the details of millions of British voters. The attack was identified in October 2022 after suspicious activity was detected on its systems, but the attackers had had access to the servers since August 2021. The breach exposed “reference copies” of the electoral registers, including personal data of UK voters from 2014 to 2022, except those who registered anonymously. Concerns were raised regarding the breach’s duration and the delay in public notification, but the Commission gave assurances that this does not impact elections. Security measures have been put in place to address the issue, but the perpetrator of the breach is still unknown.
Date: Aug 8, 2023
Tag: Hack, Cyber Crime
Microsoft’s Visual Studio Code (VS Code) code editor has a security flaw that allows malicious extensions to steal authentication tokens stored in Windows, Linux and macOS credential managers. These tokens are essential for third-party services such as Git and GitHub, and exploiting this flaw could lead to unauthorised system access and data breaches. The Cycode researchers who discovered the flaw stated that the problem is due to a lack of isolation of authentication tokens in VS Code’s Secret Storage, which provides access to the stored tokens. The researchers have reported the flaw to Microsoft along with a proof-of-concept (PoC), but Microsoft has yet to fix the issue.
Date: Aug 8, 2023
Researchers have developed a “deep learning-based acoustic side-channel attack” that can classify keystrokes recorded via a nearby phone with 95% accuracy. The new study shows that 93% accuracy was achieved when the model was trained on keystrokes recorded using Zoom. Side-channel attacks undermine system security by monitoring the system’s physical effects during the processing of sensitive data. This attack exploits keyboard acoustic emanations, which are often underestimated as a security threat. Such attacks have damaging consequences for user privacy and security, as malicious actors can steal passwords and confidential data. As a countermeasure, it is recommended to change typing style, use randomised passwords, and use fake keystrokes to deter such attacks.
Date: Aug 7, 2023
Source: The Hacker News
Tag: Cyber Risk/Cyber Threats, Tech
Well, that concludes this ‘This Week in Cybersecurity’ roundup. We hope you enjoyed reading these news articles. Our main purpose is to keep everyone well-informed and updated about the latest cybersecurity and data privacy news.
Feel free to share any news articles that you come across in the ‘In the News’ category of the Passbolt community forum.
We handpick the most interesting article or articles of the week to be featured in our monthly video edition of “This Month in Cybersecurity”.
Cast your vote below for the article(s) you’d like to see featured in the video:
- India’s Data Protection Legislation
- Intel’s Downfall bug
- Weekly Chrome security updates
- UK voters’ data exposed
- Microsoft Visual Studio Code flaw
- New deep learning attack