Microsoft Office 2024 to Disable ActiveX Controls by Default, Major Data Breach Affects 1.7 Million Credit Card Owners, Is CrowdStrike going to Dodge the Bullet, Ford’s Patent Application Raises Privacy Concerns in Connected Vehicles
Welcome to Cyber Security Today. I’m your host Jim Love.
Microsoft is set to make a significant security change in Office 2024, disabling ActiveX controls by default. This move aims to enhance security but may impact some users’ workflows.
Starting October 2024, ActiveX controls will be disabled by default in Word, Excel, PowerPoint, and Visio desktop apps
The change will affect both Office 2024 and Microsoft 365 apps (by April 2025).
Users will no longer be able to create or interact with ActiveX objects in Office documents.
Existing ActiveX objects will appear as static images.
For IT professionals, this change represents a critical step in reducing attack surfaces. ActiveX has been a target for malicious actors, with recent examples including zero-day exploits by North Korean hackers and the deployment of TrickBot malware.
While enhancing security, this change may require adjustments for organizations relying on ActiveX. IT teams should assess their current use of ActiveX and plan for alternatives or implement the provided methods to re-enable ActiveX if absolutely necessary.
This move aligns with Microsoft’s ongoing efforts to improve Office security, following similar measures like disabling VBA macros and Excel 4.0 macros by default.
Sources include: BleepingComputer
A significant data breach at payment gateway provider Slim CD has exposed the personal and financial information of nearly 1.7 million individuals. This incident highlights the ongoing challenges in securing payment processing systems.
Hackers had access to Slim CD’s network for almost a year, from August 2023 to June 2024 although Slim CD says credit card data was only accessed for two days in June 2024.
Compromised information includes names, addresses, card numbers, and expiration dates, but not CVV numbers.
Slim CD provides payment services to various industries, including retail and hospitality.
While the absence of CVV numbers limits the risk of immediate fraudulent transactions, the exposed data still poses a significant threat. Credit card fraud and identity theft remain real possibilities for those affected.
For IT professionals, especially those in the financial sector, this breach underscores the critical need for robust, continuous network monitoring and rapid incident response. The year-long access period before detection is particularly concerning.
Slim CD claims to have strengthened its security measures, but notably, hasn’t offered free identity theft protection to affected individuals. That, to say the least, is unusual
While every service can potentially be hacked, it’s particularly troubling when that service is a payment gateway. We assume that PCI compliance ensures the security of our online credit card transactions. Hopefully this company is an outlier and can be pressured to up their game on cyber security. But if the same weaknesses exist throughout the industry, it could have negative impacts on merchants and financial institutions.
Sources include: Bleeping Computer
Cybersecurity giant CrowdStrike continues to grapple with the fallout from July’s worldwide IT disruption, offering insights into the challenges companies face after major security incidents. While CrowdStrike certainly faced huge criticism for its error, it has received at least passing grades and some praise for how it has handled the incident. It’s been up front about acknowledging the mistake and it’s CEO has even appeared in public to accept an award for the “Most Epic Fail” at Defcon.
So, will they dodge the bullet on this one?
On the plus side, CrowdStrike’s CFO reports no customer lawsuits filed yet, but legal threats loom.
The company has seen some financial impact, including a cut to its full-year forecast but we have not heard of significant customer defections, other than Delta Airlines’ threatened lawsuit.
There is still a long road ahead of them in terms of public exposure. A CrowdStrike VP is set to testify before the US House Homeland Security Committee.
But ultimately, we can all learn a lot from this.
For IT and security professionals, this situation underscores the far-reaching consequences of even a single misconfiguration. It highlights the need for rigorous testing and fail-safe mechanisms, especially for widely deployed security solutions.
CrowdStrike’s approach of focusing on business discussions rather than legal ones offers a lesson in crisis management. However, the persistence of this issue months after the incident demonstrates how long-lasting the impact of major outages can be on a company’s reputation and bottom line.
Sources include: The Register
We’ve covered stories recently about the potential for devices to listen in our conversations and use that for marketing purposes. We’ve also covered stories about data being gathered from devices in our cars and sold to outside parties.
It appears that Ford Motor Company wants to go for the trifecta on this. Ford has filed a patent application for technology that could
Listen to in-car conversations to serve targeted ads.
Analyze vehicle location, speed, and predicted routes for ad customization.
Maximize “ad-based monetization” opportunities
And Ford defends the application as a normal part of building intellectual property.
Naturally this raises significant concerns about data protection and privacy. The patent application doesn’t detail how the collected data would be secured, and leaves questions about potential vulnerabilities and data misuse.
This move by Ford follows other controversial patent applications, including one for technology to report speeding vehicles to law enforcement.
While social media has been criticized for the way it gathers and uses our data, this patent is another step towards the auto industry gathering and leveraging customer data often without the knowledge or informed consent from people who think they are simply purchasing a car.
Sources include: The Record
That’s our show. You can find the show notes with links at technewsday.com or .ca – take your pick.
I’m your host, Jim Love, thanks for listening.
