January 4, 2024

Hello all,

Wow, 2025! It seems surreal that we are now a quarter of a century into the new millennium. But here we are. I vividly remember the Y2K hysteria of two and a half decades ago. And lest you think it was mere hype, that’s not the case; it was a very real and potentially crippling and even dangerous software issue. The reason the year 2000 came in with great fanfare and 1999 went out with no world-ending crash was because the computer industry recognized the situation for what it was, put out heroic effort, and fixed the problem.

In a similar vein, based on the stunning advances that we’ve seen in artificial intelligence recently, I’m hopeful that this may be the year where we finally see an end to many of the defects, bugs, and vulnerability issues that plague our industry. Yes, human behavior will always play a factor in breaches and threat actor activity, but if we can eliminate the software defects that are being continually found and exploited, cyber criminals and terrorists will have a significantly more difficult time. Of course, that presupposes that we update, upgrade, and replace vulnerable, out-of-date, and obsolete end-of-life items in a timely fashion. But, until that day comes, we do still have lots to report on, so let’s get to it.

As usual, my commentary is followed by a plethora of links to other items that are worth skimming to see if they interest you or pertain to your particular environment or that of those you support.

Headline NEWS:

  • Net Neutrality has been ping-ponging back and forth for a few decades now, ever since the Clinton administration. The Sixth Circuit Court of Appeals recently ruled that the Federal Communications Commission (FCC) has no legal right to regulate internet traffic since it is not a utility. Proponents are vowing that the fight isn’t over, and are setting their sights on Congressional legislation, where this should have been from the start, not with an unelected federal agency.
  • LDAPNightmare has suddenly rocketed to a substantial concern for most organizations that have Windows servers. In December, Microsoft patched a zero-click defect in Windows Lightweight Directory Access Protocol (LDAP). This nasty bug can crash Domain Controllers and enable Remote Code Execution (RCE). Proof of Concept (PoC) exploits are now available in the wild, meaning that evil people now have all they need to exploit this vulnerability. Patch quickly!
  • Microsoft Teams Device Mandatory Updates coming in February. Android-based Microsoft Teams devices, such as room controllers, conference devices, etc. must receive a mandatory “session flows” firmware update. And starting in June, device firmware must be no older than five months for it to be allowed to function. Updates should be available from your organization’s Teams admin center.
  • Tenable Nessus has some major egg on their face after pushing out a faulty update to their Nessus Agent on December 31, 2024. The defective version causes the agent to go offline. Reminiscent of the CrowdStrike fiasco, the fix is to manually uninstall and then either install a corrected version, or downgrade to the prior unaffected version. Depending on the number of devices, Tenable has given admins quite a bit of work for the first week of the new year.

In Ransomware, Malware, and Vulnerabilities News:

  • 2024 retrospectives and 2025 predictions are offered up by a large number of links in this section. We have badly handled breaches like 23andMe, Change Healthcare, and Snowflake. The most common types of cyberattacks could easily be a reprint from last year with Phishing, Ransomware, DoS, and Man-in-the-Middle leading the pack. And recommendations for 2025 are urging vigilance in Network Edge, Cloud Environments, and Social Engineering.
  • China continues to garner headlines, being implicated by US authorities for telecom hacking, exploiting vulnerabilities, and deeply embedding themselves into critical infrastructure. For their part, the Middle Kingdom denies that they are at fault, that the claims are “groundless” and that they have “always opposed all forms of hacker attacks…”

In Other News Events of Note and Interest:

  • Passkeys are supposed to be the cat’s meow as it relates to online accounts – putting an end to vulnerabilities associated with passwords. Several articles have appeared recently that cast some doubt about the new darling of the security industry. They rightly state that until there is a ubiquitous and homogeneous method of registering and using passkeys, adoption will be spotty at best and will cause significant issues and confusion at the least.

Musings:

As mentioned in my opening commentary, human behavior will always be the weak link in security. You can implement all of the foolproof schemes that you can conceive to keep your folks safe, but as the joke goes, the world will invent a better fool. That’s not to imply we shouldn’t keep trying, but instead it is a reminder that not only are we the wranglers of technology, but we must also be educators and counselors. Because ultimately, we are the final layer of security.

Visc. Jan Broucinek

Keep the shields up and may your 2025 be awesome!

Viscount Jan Broucinek
Red Dot Security News
