Patch Tuesday rundown. Microsoft integrates post-quantum cryptography (PQC) algorithms into its SymCrypt cryptographic library. The FTC finalizes rules to combat fake reviews and testimonials. A payment card thief pleads guilty. On our latest CertByte segment, N2K’s Chris Hare and George Monsalvatge share questions and study tips from the Microsoft Azure Fundamentals (AZ-900) Practice Test. Hard Drive Heaven: How Iconic Music Sessions Are Disappearing.
CertByte Segment
Welcome to CertByte, a bi-weekly segment hosted by Chris Hare, a content developer and project management specialist at N2K.
In each segment, Chris is joined by an N2K Content Developer to help illustrate the learning. This week, Chris is joined by resident Microsoft SME George Monsalvatge to break down a question from N2K’s Microsoft Azure Fundamentals (AZ-900) Practice Test.
Have a question that you’d like to see covered? Email us at certbyte@n2k.com. If you're studying for a certification exam, check out N2K’s full exam prep library of certification practice tests, practice labs, and training courses by visiting our website at n2k.com/certify.
Reference:
What is public cloud? (Red Hat)
Please note: The questions and answers provided here, and on our site, are not actual current or prior questions and answers from these certification publishers or providers.
Remembering 9/11
In today’s episode, we pause to honor and remember the lives lost on September 11, 2001. We pay tribute to the courageous first responders, the resilient survivors, and the families whose lives were forever altered by that tragic day. Amidst the profound loss, the spirit of unity and compassion shone brightly, reminding us of our shared humanity.
Additionally, you can check out our special segment featuring personal remembrances from N2K CyberWire’s very own Rick Howard, who was in the Pentagon on that fateful day. His reflections provide a heartfelt perspective on the events and are well worth your time. Tune in to hear his poignant insights.
Special Edition Podcast
In today’s special edition of Solution Spotlight, we welcome Mary Haigh, Global CISO of BAE Systems, as she sits down with N2K’s Simone Petrella. Together, they discuss moving beyond the technical aspects of cybersecurity to build and lead a high-performing security team.
Selected Reading
Microsoft Fixes Four Actively Exploited Zero-Days (Infosecurity Magazine)
Adobe releases September 2024 patches for flaws in multiple products, including critical (Beyond Machines)
Chrome 128 Update Resolves High-Severity Vulnerabilities (SecurityWeek)
ICS Patch Tuesday: Advisories Published by Siemens, Schneider, ABB, CISA (SecurityWeek)
Ivanti fixes maximum severity RCE bug in Endpoint Management software (Bleeping Computer)
Microsoft Adds Support for Post-Quantum Algorithms in SymCrypt Library (SecurityWeek)
Federal Trade Commission Announces Final Rule Banning Fake Reviews and Testimonials (Federal Trade Commission)
Hacker pleads guilty after arriving on plane from Ukraine with a laptop crammed full of stolen credit card details (Bitdefender)
Inside Iron Mountain: It’s Time to Talk About Hard Drives (Mixonline)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
You're listening to the CyberWire network, powered by N2K.
Defense contractors face immense pressure to comply with CMMC 2.0 security standards, needing a secure, user-friendly file sharing solution. Kiteworks, a FedRAMP Moderate Authorized solution, supports nearly 90% of CMMC 2.0 Level 3 requirements, reducing compliance effort and cost. Kiteworks leverages a zero-trust framework for swift compliance and offers a secure platform for defense data protection needs with advanced security features and ease of use. Its intuitive UI, mobile apps and centralized policy management simplify administration. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks universal secure file sharing platform made for defense contractors. Visit kiteworks.com to get started.
We've got our Patch Tuesday rundown. Microsoft integrates post-quantum cryptography algorithms into its SymCrypt cryptographic library. The FTC finalizes rules to combat fake reviews and testimonials. A payment card thief pleads guilty. On our latest CertByte segment, N2K's Chris Hare and George Monsalvatge share questions and study tips from the Microsoft Azure Fundamentals Practice Test. And Hard Drive Heaven.
It's Wednesday, September 11th, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing.
Today we pause to remember the lives lost on September 11th, 2001. We honor the courage of the first responders, the resilience of the survivors and the strength of the families forever changed by that tragic day. In the face of unimaginable loss, the spirit of unity and compassion shone brightly, reminding us of our shared humanity. As we reflect, may we continue to seek peace, understanding and hope for a better future. We will never forget. My CyberWire colleague and friend Rick Howard was working in the Pentagon on that fateful day and will be running a special edition of his personal remembrances in your CyberWire feed.
It is worth your time and I hope you'll check it out.
Moving on, yesterday was Patch Tuesday and Microsoft patched four actively exploited zero-day vulnerabilities, creating additional work for system administrators. The most severe is a remote code execution flaw in Windows Update, scoring 9.8 on the CVSS scale, caused by a rollback of a previous fix due to a servicing stack defect. A privilege escalation bug in Windows Installer poses a serious threat by granting attackers full system control. A Windows Mark of the Web bypass could facilitate ransomware attacks and a Microsoft Publisher security bypass enables exploitation of embedded macros in documents.
Adobe has released security updates across multiple products to address critical, important and moderate vulnerabilities, potentially leading to arbitrary code execution, memory leaks and denial of service attacks. Affected applications include Photoshop, ColdFusion, Acrobat, Illustrator, Premiere Pro, After Effects, Audition and Media Encoder, with versions on both Windows and macOS impacted. Key vulnerabilities include a critical RCE in Photoshop and a critical flaw in ColdFusion. Adobe urges users to apply the updates promptly to mitigate risks of exploitation.
Google released a Chrome 128 update addressing five vulnerabilities, four of which were high severity memory safety issues reported by external researchers. These include a heap buffer overflow in Skia, use-after-free flaws in Media Router and Autofill and a type confusion bug in the V8 JavaScript engine. Google awarded $26,000 in bug bounties and is rolling out the update for Windows, macOS and Linux. Others are advised to update their browsers promptly.
Ivanti has patched a critical vulnerability in its Endpoint Management software, which could allow unauthenticated attackers to remotely execute code on the core server. The flaw, caused by deserialization of untrusted data, is addressed in EPM 2024 hot patches and EPM 2022 service update 6.
Ivanti stated that no known exploitations of the vulnerability have occurred so far. The company also fixed nearly two dozen other high severity vulnerabilities in its EPM, Workspace Control and Cloud Service Appliance products.
Turning to industrial control systems, the September 2024 Patch Tuesday includes security advisories from Siemens, Schneider Electric, ABB and CISA. Siemens issued 17 advisories, including a critical authentication bypass in Industrial Edge Management and unauthenticated remote code execution flaws in SIMATIC and SCALANCE products. Schneider Electric addressed a high severity privilege escalation in Vijeo Designer and a medium severity cross-site scripting flaw. ABB published an advisory for two medium severity DDoS issues in Relion relays. CISA highlighted critical flaws in Viessmann systems and high severity vulnerabilities in SpiderControl, Rockwell Automation and BPL Medical Technologies products.
Elsewhere, in preparation for the quantum computing era, Microsoft has integrated post-quantum cryptography (PQC) algorithms into its SymCrypt cryptographic library. Quantum computers threaten to break current encryption methods, but PQC algorithms are designed to resist such attacks. These algorithms, based on complex mathematical problems, have trade-offs like larger key sizes and longer computation times, requiring careful optimization. Microsoft's Quantum Safe Program aims to ensure quantum readiness and recent updates to SymCrypt include support for ML-KEM and XMSS algorithms. Microsoft emphasizes that PQC is an evolving field and not a definitive solution, but integrating these algorithms marks a crucial step toward a quantum-safe future, enhancing security in products like Azure, Windows and Microsoft 365.
The Federal Trade Commission has introduced a new rule to combat fake reviews and testimonials, targeting deceptive practices in the marketplace.
The rule prohibits the creation, sale or dissemination of fake reviews, including AI-generated or false testimonials. It also bans businesses from paying for reviews with specific positive or negative sentiments and ensures that insider reviews must disclose material connections to the company. The rule also addresses review suppression, misrepresentation of review sites and misuse of fake social media metrics. Violators may face civil penalties. The rule, effective 60 days after publication, strengthens the FTC's enforcement capabilities, which were previously hindered by a Supreme Court decision.
Vitaly Antonenko, a 32-year-old from New York City, pleaded guilty to hacking and stealing hundreds of thousands of payment card details, selling the data on the dark net. Antonenko used SQL injection attacks to breach vulnerable systems, targeting organizations such as a hospitality business and a non-profit research institution. He and his associates laundered the proceeds through cryptocurrency and traditional bank transactions. Antonenko was arrested in 2019 at JFK Airport, carrying computer equipment with stolen data. Investigators linked him to Bitcoin wallets involved in transactions totaling $94 million. Following his arrest, Antonenko's defense team requested a psychiatric evaluation after he claimed to be working for the CIA. He faces up to 25 years in prison, hefty fines, asset seizures and restitution, with sentencing scheduled for December 10th of this year.
Coming up after the break on our latest CertByte segment, questions and study tips from the Microsoft Azure Fundamentals Practice Test. Stay with us.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports, so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k.
When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A.com/cyber for $1,000 off Vanta.
Chris Hare is a content developer and project management specialist here at N2K. And on our bi-weekly CertByte segment, she shares practice questions from our suite of industry leading content and a study tip to help you achieve the professional certifications you need to fast track your career growth.
Hi everyone, it's Chris. I'm a content developer and project management specialist here at N2K Networks. I'm also your host for this week's edition of CertByte, where I share a practice question from our suite of industry leading content and a study tip to help you achieve the professional certifications you need to fast track your career growth. Today's question targets the Microsoft AZ-900 exam. I've got our resident Microsoft SME here, George. He's going to help us out today. Hey George, how are you?
I'm good. Thanks for having me.
Absolutely.
So today, it's going to be a little different. We're going to turn the tables and George is going to be asking me this week's question. But first, George, before you ask me the question, can you please share a 10-second study bit for this test? And what do you have for us?
Well, for this particular test, AZ-900 is a fundamental test. And I would always tell someone who's taking this exam to go through the flash questions. Flashcard questions basically hit on concepts. And there are a lot of flash questions. And especially this is a fundamental exam. And you want to make sure that you go through and understand all the concepts that will help you with practice test questions. But make sure you go through the flash questions.
That's a great tip. All right, I'm nervous, but I'm ready for my question, George, whenever you are.
Okay, you'll do fine. You'll do fine. Okay. So here's the question.
Thank you. Thank you for the vote of confidence.
All right. Which of the following are characteristics of a public cloud? And there are three correct answers out of this. So listen carefully. Okay. A, is it virtually unlimited storage? B, resource pooling? C, provider manages the network and virtualization software? D, only one tenant is supported. And E, the services are always free. So got to pick three of those.
Wow. I have to pick three. Can you please repeat my choices again?
Sure. Virtually unlimited storage, resource pooling, provider manages the network and virtualization software. Only one tenant is supported. And the last one is services are always free.
So in this case, we have three correct answers. I'm going to use the process of elimination. And I'm pretty certain that foundationally, a public cloud is built on the principle of having multiple tenants supported. So I'm going to rule that one out first. The other one that is not ringing true is that services are always free.
And since it's got an absolute in there, that always makes me suspect in an exam and usually false. So do you find that to be the case in these types of exams, George?
Absolutely. So anytime there's an absolute, you got to look at it. You got to look at it cross-eyed and you're correct. Ain't nothing in this world free. So services are not free.
All right. So then my answer is A, B and C. My answer is virtually unlimited storage, resource pooling and the provider manages the network and virtualization software.
And you are correct. And you were worried about this. I know you did it.
Yes. Thank you. Whoo. All right. Excellent. So and thank you for walking us through that because those types of questions, I'm sure, are pretty typical for the AZ-900. You're going to have three choices that are going to be correct out of five that you're going to have to guess.
You will have, you will have what we call multiple answer, multiple choice, where there'll be multiple, multiple choices that you have to pick from. So it can be a little daunting. But if you certainly go through and understand the concepts, then you can certainly master them and make a question easy.
And process of elimination, that also, would that work for Microsoft type?
It always works. It always works.
Great. That's a great tip. Another great tip. Bonus tip for everybody out there. So thank you so much, George. Are there any other Microsoft exam updates coming out soon that you'd like to promote here?
Well, Microsoft's always updating their exams, but we have recently put out our Power BI practice exams for the PL-900, which is the foundation Power BI exam, and the PL-300 exam.
Great. Thank you so much. Appreciate your time today.
Thanks for having me.
Anytime. And thank you for joining me for this week's CertByte.
If you're actively studying for this certification and have any questions about study tips or even future certification questions you'd like to see, please feel free to email me at certbyte@n2k.com. That's C-E-R-T-B-Y-T-E at N, number 2, K.com. If you'd like to learn more about N2K's practice tests, visit our website at n2k.com/certify. For sources and citations for this question, please check out our show notes. Happy certifying, everyone.
That's N2K's Chris Hare and George Monsalvatge. If you want to learn more about the Microsoft Azure Fundamentals practice test, check out the link in our show notes.
And finally, our old-time rock and roll desk pointed us to a story from Mixonline, a publication focused on the music production industry, that serves as a good reminder for cyber folks tasked with managing backups and long-term storage. Iron Mountain Media and Archive Services discovered that about 20 percent of hard drives archived from the 1990s are now unreadable, raising concerns about the preservation of historic music sessions. Robert Koszela, Global Director of Studio Growth, notes that many iconic recordings from the early 1990s are at risk of being lost. The problem emerged when record labels revisited vaults for remixing and repurposing, only to find deteriorating tapes and obsolete formats. Hard drives, like magnetic tapes, are proving to be vulnerable despite following best practices for storage. Emergency formats, unsupported connections and physical damage complicate recovery efforts. Iron Mountain offers specialized services to retrieve data from these drives, but stresses that action is needed now as assets may be irretrievable in the future. Koszela highlights the challenges of identifying the correct version of a track due to poor metadata or incomplete digital workflows. He warns that without proactive efforts, many assets could be permanently lost, especially for smaller entities with limited preservation budgets.
It's a good reminder that just because it's stored doesn't mean it's secure. Whether it's music archives or historical data, neglect leads to decay.
And that's the CyberWire. A quick program note, we've released a full version of our Solution Spotlight conversation of Dr. Mary Haigh, CISO of BAE Systems, and N2K's Simone Petrella. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes, our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most right now to frontline practitioners.
Register early and save at mWISE.io/cyberwire. That's mWISE.io/cyberwire. [Music]