{"id":46452,"date":"2024-09-10T22:42:18","date_gmt":"2024-09-11T02:42:18","guid":{"rendered":"https:\/\/www.technewsday.com\/?p=46452"},"modified":"2024-09-10T22:43:10","modified_gmt":"2024-09-11T02:43:10","slug":"will-crowdstrike-dodge-the-bullet-cyber-security-today-wednesday-september-11-2024","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/will-crowdstrike-dodge-the-bullet-cyber-security-today-wednesday-september-11-2024\/","title":{"rendered":"Will Crowdstrike &#8220;dodge the bullet?&#8221;  Cyber Security Today, Wednesday, September 11, 2024"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Microsoft Office 2024 to Disable ActiveX Controls by Default, Major Data Breach Affects 1.7 Million Credit Card Owners, Is CrowdStrike going to Dodge the Bullet, Ford&#8217;s Patent Application Raises Privacy Concerns in Connected Vehicles<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Welcome to Cyber Security Today. I\u2019m your host Jim Love.<\/span><iframe title=\"Embed Player\" src=\"https:\/\/play.libsyn.com\/embed\/episode\/id\/33000582\/height\/192\/theme\/modern\/size\/large\/thumbnail\/yes\/custom-color\/2f3336\/time-start\/00:00:00\/playlist-height\/200\/direction\/backward\/font-color\/FFFFFF\" height=\"192\" width=\"100%\" scrolling=\"no\" allowfullscreen=\"\" webkitallowfullscreen=\"true\" mozallowfullscreen=\"true\" oallowfullscreen=\"true\" msallowfullscreen=\"true\" style=\"border: none;\"><\/iframe><br \/>\n<span style=\"font-weight: 400;\">Microsoft is set to make a significant security change in Office 2024, disabling ActiveX controls by default. This move aims to enhance security but may impact some users&#8217; workflows.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Starting October 2024, ActiveX controls will be disabled by default in Word, Excel, PowerPoint, and Visio desktop apps<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The change will affect both Office 2024 and Microsoft 365 apps (by April 2025).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Users will no longer be able to create or interact with ActiveX objects in Office documents.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Existing ActiveX objects will appear as static images.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For IT professionals, this change represents a critical step in reducing attack surfaces. ActiveX has been a target for malicious actors, with recent examples including zero-day exploits by North Korean hackers and the deployment of TrickBot malware.<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">While enhancing security, this change may require adjustments for organizations relying on ActiveX. IT teams should assess their current use of ActiveX and plan for alternatives or implement the provided methods to re-enable ActiveX if absolutely necessary.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This move aligns with Microsoft&#8217;s ongoing efforts to improve Office security, following similar measures like disabling VBA macros and Excel 4.0 macros by default.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Sources include:<\/span><a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-office-2024-to-disable-activex-controls-by-default\/\"> <span style=\"font-weight: 400;\">BleepingComputer<\/span><\/a><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A significant data breach at payment gateway provider Slim CD has exposed the personal and financial information of nearly 1.7 million individuals. This incident highlights the ongoing challenges in securing payment processing systems.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Hackers had access to Slim CD&#8217;s network for almost a year, from August 2023 to June 2024 although Slim CD says credit card data was only accessed for two days in June 2024.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Compromised information includes names, addresses, card numbers, and expiration dates, but not CVV numbers.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Slim CD provides payment services to various industries, including retail and hospitality.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">While the absence of CVV numbers limits the risk of immediate fraudulent transactions, the exposed data still poses a significant threat. Credit card fraud and identity theft remain real possibilities for those affected.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For IT professionals, especially those in the financial sector, this breach underscores the critical need for robust, continuous network monitoring and rapid incident response. The year-long access period before detection is particularly concerning.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Slim CD claims to have strengthened its security measures, but notably, hasn&#8217;t offered free identity theft protection to affected individuals. That, to say the least, is unusual<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">While every service can potentially be hacked, it\u2019s particularly troubling when that service is a payment gateway. We assume that PCI compliance ensures the security of our online credit card transactions. Hopefully this company is an outlier and can be pressured to up their game on cyber security. But if the same weaknesses exist throughout the industry, it could have <\/span><span style=\"font-weight: 400;\">negative impacts on merchants and financial institutions.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Sources include:<\/span><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/payment-gateway-data-breach-affects-17-million-credit-card-owners\/\"> <span style=\"font-weight: 400;\">Bleeping Computer<\/span><\/a><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Cybersecurity giant CrowdStrike continues to grapple with the fallout from July&#8217;s worldwide IT disruption, offering insights into the challenges companies face after major security incidents.\u00a0 While CrowdStrike certainly faced huge criticism for its error, it has received at least passing grades and some praise for how it has handled the incident. It\u2019s been up front about acknowledging the mistake and it\u2019s CEO has even appeared in public to accept an award for the \u201cMost Epic Fail\u201d at Defcon.<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">So, will they dodge the bullet on this one?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">On the plus side, CrowdStrike&#8217;s CFO reports no customer lawsuits filed yet, but legal threats loom.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The company has seen some financial impact, including a cut to its full-year forecast but we have not heard of significant customer defections, other than Delta Airlines\u2019 threatened lawsuit.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There is still a long road ahead of them in terms of public exposure. A CrowdStrike VP is set to testify before the US House Homeland Security Committee.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">But ultimately, we can all learn a lot from this.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For IT and security professionals, this situation underscores the far-reaching consequences of even a single misconfiguration. It highlights the need for rigorous testing and fail-safe mechanisms, especially for widely deployed security solutions.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">CrowdStrike&#8217;s approach of focusing on business discussions rather than legal ones offers a lesson in crisis management. However, the persistence of this issue months after the incident demonstrates how long-lasting the impact of major outages can be on a company&#8217;s reputation and bottom line.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Sources include: The Register<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We\u2019ve covered stories recently about the potential for devices to listen in our conversations and use that for marketing purposes. We\u2019ve also covered stories about data being gathered from devices in our cars and sold to outside parties.<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It appears that Ford Motor Company wants to go for the trifecta on this. Ford has filed a patent application for technology that could<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Listen to in-car conversations to serve targeted ads.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Analyze vehicle location, speed, and predicted routes for ad customization.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Maximize &#8220;ad-based monetization&#8221; opportunities<\/span><\/p>\n<p><span style=\"font-weight: 400;\">And Ford defends the application as a normal part of building intellectual property.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Naturally this raises significant concerns about data protection and privacy. The patent application doesn&#8217;t detail how the collected data would be secured, and leaves questions about potential vulnerabilities and data misuse.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This move by Ford follows other controversial patent applications, including one for technology to report speeding vehicles to law enforcement.<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">While social media has been criticized for the way it gathers and uses our data, this patent is another step towards the auto industry gathering and leveraging customer data often without the knowledge or informed consent from people who think they are simply purchasing a car.<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Sources include:<\/span><a href=\"https:\/\/therecord.media\/ford-patent-application-in-vehicle-listening-advertising\"> <span style=\"font-weight: 400;\">The Record<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">That\u2019s our show. You can find the show notes with links at technewsday.com or .ca \u2013 take your pick.<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I\u2019m your host, Jim Love, thanks for listening.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Office 2024 to Disable ActiveX Controls by Default, Major Data Breach Affects 1.7 Million Credit Card Owners, Is CrowdStrike going to Dodge the Bullet, Ford&#8217;s Patent Application Raises Privacy Concerns in Connected Vehicles Welcome to Cyber Security Today. I\u2019m your host Jim Love. Microsoft is set to make a significant security change in Office [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":46454,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"video","meta":{"_acf_changed":false,"footnotes":""},"categories":[360],"tags":[741],"class_list":["post-46452","post","type-post","status-publish","format-video","has-post-thumbnail","hentry","category-podcasts","tag-podcasts-cyber-security-today","post_format-post-format-video"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/46452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=46452"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/46452\/revisions"}],"predecessor-version":[{"id":46455,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/46452\/revisions\/46455"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media\/46454"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=46452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=46452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=46452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}