This Week's Notable Security News - Issue #169

These are my notes for the podcast recording.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

The Federal Communications Commission (FCC) fined the four largest US mobile carriers a total of $196M for sharing customer location data without consent.

(4/29) FCC Fines Largest Wireless Carriers for Sharing Location Data | Federal Communications Commission

Today, the Federal Communications Commission fined the nation’s largest wireless carriers for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure. Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively. AT&T is fined more than $57 million, and Verizon is fined almost $47 million.


The PSTI Act, which requires security measures for IoT products, came into force in the UK

(4/29) New laws to protect consumers from cyber criminals come into force in the UK - GOV.UK

From today, regulations enforcing consumer protections against hacking and cyber-attacks will take effect, mandating that internet-connected smart devices meet minimum-security standards by law.


Unauthorized external access to Dropbox Sign

(5/1) A recent security incident involving Dropbox Sign - Dropbox Sign

On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed Dropbox Sign customer information. We believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products. We’re in the process of reaching out to all users impacted by this incident who need to take action, with step-by-step instructions on how to further protect their data. Our security team also reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens. Please read on for additional details and an FAQ.


Attacks and threats

Sophos published "The State of Ransomware 2024"

(4/30) The State of Ransomware 2024 – Sophos News


CISA, the FBI, and others jointly issued an advisory on attack activity by pro-Russia hacktivists against control systems and other OT environments

(5/1) Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity | CISA


Verizon published the "2024 Data Breach Investigations Report"

(5/1) 2024 Data Breach Investigations Report: Vulnerability exploitation boom threatens cybersecurity | News Release | Verizon


Mandiant reported on attack activity by the Iranian threat group APT42

(5/2) Uncharmed: Untangling Iran's APT42 Operations | Google Cloud Blog

APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO).


Vulnerabilities

CISA added 1+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(4/30) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(5/1) CISA Adds One Known Exploited Vulnerability to Catalog | CISA


Bitsight published a report on how organizations are responding to the KEV catalog

(5/1) Bitsight Reveals More than 60 Percent of Known Exploited Vulnerabilities Remain Unmitigated Past Deadlines in First-of-its-Kind Analysis of CISA’s KEV Catalog | Bitsight

The report, titled "A Global View of the CISA KEV Catalog: Prevalence and Remediation," analyzes data from 1.4 million organizations globally – the only such study to encompass Internet-wide scans – and highlights the deep challenges that global organizations face in remediating critical, exploited vulnerabilities in a timely manner: Over a third of organizations analyzed had at least one known vulnerability in 2023, with nearly a quarter of those facing five or more, and 60% of vulnerabilities remained unaddressed past CISA's deadlines.


Other

ODNI published its "Annual Statistical Transparency Report"

(4/30) ODNI Releases 11th Annual Intelligence Community Transparency Report

The Office of the Director of National Intelligence (ODNI) today released the Annual Statistical Transparency Report (ASTR) Regarding the Intelligence Community’s (IC) Use of National Security Surveillance Authorities for Calendar Year 2023. The report, published every year since 2014, provides the public with statistics and context regarding the government’s use of Foreign Intelligence Surveillance Act authorities, National Security Letters, and other national security authorities.


JNSA published its security timeline

(5/1) JNSA Security Timeline (JNSAセキュリティ年表)


Google reported on passkey usage: in the two years since 2022, passkeys have been used more than 1 billion times across more than 400 million Google Accounts.

(5/2) Google shares update on passkeys and new ways to protect accounts

Passwords are often at the core of today’s major cybersecurity issues, which is why we’ve continued to create new authentication technology over the years. In 2022, for World Password Day, we launched passkeys. Today, we’re proud to announce that they have since been used to authenticate users more than 1 billion times across over 400 million Google Accounts.


Microsoft added passkey support for consumer accounts

(5/2) New passkey support for Microsoft consumer accounts | Microsoft Security Blog

Ten years ago, Microsoft envisioned a bold future: a world free of passwords. Every year, we celebrate World Password Day by updating you on our progress toward eliminating passwords for good. Today, we’re announcing passkey support for Microsoft consumer accounts, the next step toward our vision of simple, safe access for everyone.