Cybersecurity Consulting
December 05, 2023
8 minute read
In an industry like cybersecurity, new developments are happening every month that affect the market as a whole. Not only that, but oftentimes, the developments in cybersecurity have broader implications.
It’s important for business leaders, decision-makers, and even staff members to stay abreast of the latest cybersecurity news stories as they can affect daily operations, compliance requirements, and necessary security updates.
November’s cybersecurity news recap from DOT Security covers the new research on Bluetooth vulnerabilities coming out of Eurecom, the SiegedSec cyberattack on the Idaho National Laboratory, and how IT leaders have been responding in the wake of a breach.
To address your cybersecurity needs, consider consulting with an expert from DOT Security to get started on a comprehensive cybersecurity strategy that fits your business needs.
Eurecom is one of the top research institutions in France for data sciences engineering. One of their researchers, Daniele Antonioli, recently discovered a series of new cyberattacks against Bluetooth technologies known as BLUFFS.
In total, Antonioli identified six BLUFFS attacks, which are effective against Bluetooth versions 4.2 through 5.4, released in December of 2014 and February of 2023, respectively.
These attacks are of particular note because they do not depend on a specific hardware or software implementation; instead, they exploit fundamental weaknesses in the Bluetooth architecture itself.
With that in mind, the report from Eurecom also offers suggestions on how organizations and individuals can protect themselves from intrusive Bluetooth attacks like device impersonation and man-in-the-middle attacks which can compromise both past and future connections.
Eurecom suggests the following to protect against BLUFFS:
Introduce a new "Key Derivation Function" (KDF) for Legacy Secure Connections (LSC) that involves mutual nonce exchange and verification, adding minimal overhead.
Devices should use a shared pairing key for the mutual authentication of key diversifiers, ensuring the legitimacy of session participants.
Enforce Secure Connections (SC) mode where possible.
Maintain a cache of session key diversifiers to prevent reuse.
Read the full published paper on BLUFFS from Eurecom here.
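To make the first, second, and fourth suggestions concrete, the following Python sketch is an added illustration, not code from the Eurecom paper and not the Bluetooth specification's actual key-derivation function. It models a session-key derivation that mixes the shared pairing key with nonces contributed by both peers, has each peer authenticate the session parameters with a pairing-key-based tag, and keeps a cache of key diversifiers so a previously used one is rejected. The peer names, message layout, and the HMAC-SHA256 construction are assumptions chosen for the example.

```python
import hmac
import hashlib
import secrets


# Assumption: a simplified model of the countermeasures, NOT the Bluetooth
# specification's KDF. HMAC-SHA256 stands in for the real primitive.
def kdf(pairing_key: bytes, diversifier: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Derive a session key from the shared pairing key, the key diversifier,
    and BOTH peers' nonces. Because each side contributes fresh randomness,
    a single peer (or someone impersonating it) cannot force a predictable key."""
    msg = b"session-key" + diversifier + nonce_i + nonce_r
    return hmac.new(pairing_key, msg, hashlib.sha256).digest()


def confirm_tag(pairing_key: bytes, diversifier: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Authentication tag over the diversifier and both nonces, keyed with the
    pairing key, so only a holder of the pairing key can vouch for them."""
    msg = b"confirm" + diversifier + nonce_i + nonce_r
    return hmac.new(pairing_key, msg, hashlib.sha256).digest()


class Peer:
    def __init__(self, name: str, pairing_key: bytes):
        self.name = name
        self.pairing_key = pairing_key          # long-term key from pairing (constructed)
        self.used_diversifiers: set[bytes] = set()  # cache of diversifiers already consumed

    def begin(self, diversifier: bytes) -> bytes:
        """Refuse a diversifier this peer has already used, then emit a fresh nonce."""
        if diversifier in self.used_diversifiers:
            raise ValueError(f"{self.name}: diversifier reuse rejected")
        return secrets.token_bytes(16)

    def tag(self, diversifier: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
        return confirm_tag(self.pairing_key, diversifier, nonce_i, nonce_r)

    def complete(self, diversifier: bytes, nonce_i: bytes, nonce_r: bytes, peer_tag: bytes) -> bytes:
        """Verify the peer's tag, record the diversifier, and derive the session key."""
        expected = confirm_tag(self.pairing_key, diversifier, nonce_i, nonce_r)
        if not hmac.compare_digest(expected, peer_tag):
            raise ValueError(f"{self.name}: peer failed to authenticate session parameters")
        self.used_diversifiers.add(diversifier)
        return kdf(self.pairing_key, diversifier, nonce_i, nonce_r)


def establish_session(init: Peer, resp: Peer, diversifier: bytes, tamper: bool = False) -> bytes:
    """Run the mutual-nonce exchange and return the session key both peers derived.
    With tamper=True the responder's tag is replaced by garbage, modelling a party
    that does not hold the pairing key. Raises ValueError when a check fails."""
    nonce_i = init.begin(diversifier)
    nonce_r = resp.begin(diversifier)
    tag_i = init.tag(diversifier, nonce_i, nonce_r)
    tag_r = resp.tag(diversifier, nonce_i, nonce_r)
    if tamper:
        tag_r = bytes(len(tag_r))
    key_i = init.complete(diversifier, nonce_i, nonce_r, tag_r)
    key_r = resp.complete(diversifier, nonce_i, nonce_r, tag_i)
    assert key_i == key_r, "both peers must derive the same session key"
    return key_i


def demo() -> dict:
    """Exercise the three checks and report which ones behaved as intended."""
    pairing_key = secrets.token_bytes(16)  # constructed shared pairing key
    laptop, headset = Peer("laptop", pairing_key), Peer("headset", pairing_key)
    results = {}
    first = establish_session(laptop, headset, b"\x00\x01")
    results["fresh_session_ok"] = len(first) == 32
    try:                                         # same diversifier again: cache must refuse
        establish_session(laptop, headset, b"\x00\x01")
        results["reuse_rejected"] = False
    except ValueError:
        results["reuse_rejected"] = True
    try:                                         # bad tag: unauthenticated parameters refused
        establish_session(laptop, headset, b"\x00\x02", tamper=True)
        results["unauthenticated_rejected"] = False
    except ValueError:
        results["unauthenticated_rejected"] = True
    second = establish_session(laptop, headset, b"\x00\x03")
    results["keys_differ"] = first != second    # fresh nonces give a fresh key
    return results


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see all four checks pass. The point of the model is that the session key depends on randomness from both sides and on a diversifier that is never accepted twice, so neither an impersonated peer nor a replayed diversifier can steer two sessions onto the same key.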
If you thought that comedians were the only ones with a sense of humor, you have yet to meet the hacker group SiegedSec, though their brand of humor is certainly an acquired taste. SiegedSec is a group of self-proclaimed “gay furry” hackers who pick targets based on black hat principles, hacktivism, and sometimes just their own entertainment.
Recently, the group infiltrated the Idaho National Laboratory (INL), which is one of the largest nuclear research facilities in the United States. After posting sensitive information to their Telegram channel, verified by both the INL and East Idaho News, the group posted their ransom demand. However, this ransom wasn’t monetary.
SiegedSec stated that they would only take down the information if the Idaho National Laboratory began research into real-life cat-girls.
Since this absurd statement, the group has admitted that this is a joke demand. The group has been quoted saying,
“Our motivation for hacking is purely personal. We hack because we can, and because it's funny to see our exploits in the news.”
They then explained further,
“Often, we go after organizations for hacktivist reasons because we see what they are doing in the news and decide that they deserve to be punished.”
While they have admitted that their cat-girl research ransom is a joke and that they understand the difference between nuclear engineers and bio-engineers, it seems the real motivation behind this hack is still in the shadows.
In a new report from AppDirect, 45% of IT managers have reported a data security breach in the past year, which is less than ideal. On the bright side, however, 92% of respondents believe they have since taken the appropriate corrective action and have made the proper investments into their cybersecurity posture.
Even more encouraging is that 88% of respondents report that they are fully compliant with industry standards.
The increased emphasis on cybersecurity preparedness across industries shows a growing dedication to keeping organizations safe with cybersecurity and a better understanding of the full implications of a successful cyberattack.
Keeping up with compliance regulations is going to be critical in the coming years as more industries adopt security regulations and data privacy standards.
In a new report from the world’s leading telecommunications platform, Truecaller, Mississippi is identified as the state with the most spam and scam calls per month per capita with an annual estimate of 31,538,494 spam calls against a population of just over 3.025 million. Meanwhile, South Carolina and Oklahoma come in second and third at 52,468,248 against a population of 5.95 million and 39,338,243 against 4.05 million respectively.
These numbers show the sheer volume of spam that exists through just one channel in just one state.
Incredibly, the Truecaller report estimates that,
“Throughout 2023, Americans wasted approximately 195 million hours answering these incoming [spam] calls.”
We covered the Okta data breaches in the October cybersecurity news recap as well, but there have been a few noteworthy developments that warrant an update.
Namely, while the identity and access management firm initially stated that the breach only affected about 1% of their client base, or 134 out of 18,400 clients, in November they reported that the threat actor had actually downloaded information about every Okta customer support system user.
"The threat actor downloaded the names and email addresses of all Okta customer support system users," the company said in a statement shared with The Hacker News.
In the wake of the expanded data breach, Okta has pushed new security updates to their systems, alerted affected parties, offered security suggestions, and even enlisted the help of a digital forensics firm to contain the damage as much as possible.
While no data is currently being misused, as far as Okta knows, this is sure to be an ongoing story for the next few months at least, so be sure to check back for updates.
With new research coming out of Eurecom, the wacky ransom demand against the Idaho National Laboratory, and the additional scope of the Okta data breach, November marked yet another busy month full of cybersecurity news.
With such a rapidly evolving industry, it’s vital for organizational leadership to keep their thumb on the pulse of the biggest headlines and stories that are shaping the future of security solutions.
When it comes to something as technical as cybersecurity, it’s good to rely on the experts. DOT Security can help you get started on building a comprehensive cybersecurity strategy today.