An Apple a day, does not keep the hackers away.
Security weekly

Hi and welcome to another Security weekly, where we laugh, we cry and share the latest and greatest in security and tech news.
Did you know? The shortest war in history lasted for only 38 minutes. That still gives you plenty of time to read this newsletter while being stuck in the trenches.
In this week's edition:
🍏 An Apple a day, does not keep the hackers away.
⏩ LastPass gets hacked, again..
❤️🩹 A personal touch.
🔥 The quick and dirty
Reading time: 04:17
An Apple a day, does not keep the hackers away

Who had Apple in their big-tech-security-incident bingo card? You can cross that off and shout BINGO!

Fun to play with the entire family! (disclaimer: only applies if you're a family of nerds)
Apple released a security update - iOS 16.1.2 - on November 30th, fixing an exploited zero-day vulnerability. The vulnerability made it possible for malicious sites to abuse Apple's WebKit.
Apple's WebKit is a browser engine used by all browsers installed on iOS devices. So not only Safari. So don't be stubborn or lazy, update to the latest version and be safe-to-surf.
What a year it's been aye? This vulnerability marks the 10th zero-day for Apple this year. Is it me or has there been a major increase in vulnerabilities this year? That implies either:
there are more vulnerabilities
there are more vulnerabilities found (by the good guys)
I'm afraid it's a combination of both though.

LastPass gets hacked, again..

For those unaware, LastPass is a popular password management tool that allows users to store and manage their passwords in a "secure", encrypted vault. Why I used "" next to secure will become painfully obvious further below.
LastPass was hacked earlier this year, around August, when hackers were able to get away with source code and other technical information. This all through a hacked developer account.
Now, LastPass detected unusual activity in a 3rd party cloud service, which led them to investigate. Soon a statement followed.
"We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture."
There are some things to be said about this I think. Here's my two cents:
good - at least they noticed. According to a report by IBM, the average breach life cycle takes 287 days, with organizations taking 212 days to initially detect a breach and 75 days to contain it.
bad - as an IT company, ESPECIALLY in security, your reputation is all you have. There are a lot of password managers out there with the same functionality. In the end people will shop for a) price b) functionality c) reputation
good - they did the right things. Hired an external security firm to aid them in the investigation, wrote a clear statement for the press, ... I think that's especially admirable knowing this is the 2nd hack in a short period of time.
bad - is zero-knowledge really zero-knowledge? They keep hammering on their zero knowledge architecture and that customer data is safe. But this hack shows how far a hacker can go. And even if a hacker can't access your data through admin accounts, they may be able to get crucial information on your organisation and work their way from there.
I think they could/should have done more after the last hack to prevent this.

Live from LastPass office

A personal touch
I was doubting whether to write this or not. But why not, it's my blog, right? A personal blog. One I can use to send out a message. Even if it's not security related.
Last week I didn't put out a Security Weekly. I thought about doing it, but I just couldn't get one word out. A few days prior to the deadline, I got word that a good friend of mine died of suicide.
The days following, I took some time out to think, feel, but mostly spend time with my wife and son. I tried to write a couple of times, but after 2 words my thoughts spiraled elsewhere. Harsh times.
But.
In recent times I see a lot of people trying to get a message out about suicide prevention and help. And while I'm mostly not known to be the most empathetic person on this planet, I think that's really important. There's still a stigma on this topic, especially for men.
There is no shame in getting help. You're not less manly if you speak to others about how you feel. So if you ever get stuck with yourself and your thoughts, and maybe dark thoughts.. please find help.
Talk to your friends - I bet any one of them would rather have you call them at night, than losing you.
Talk to your family - while they may not always understand you, it's better to talk to those who don't fully understand than to keep it all to yourself.
Call a hotline - they're free and occupied with compassionate people. People who really want to listen.
Get professional help - no harm in consulting a psychologist
Stay safe people.

The quick and dirty
LockBit claims attack on California's Department of Finance - LockBit ransomware gang still on the rise. Should we get scared?
Play ransomware claims attack on Belgium city of Antwerp - it's all fun and games until somebody targets my hometown. *puts on ghillie suit and goggles* Go time, bitches.
World-record fusion experiment produced even more energy than expected - not really tech but awesome nonetheless. Humans are smart man, don't let anyone tell you otherwise. Worth the read.
meme of the week

Dang, that's cold.
Security like I'm five
Don't have time for hours of research? Don't have 20 years of experience in security? Me neither, but I gotchu fam.
In Security like I'm five I cover a range of security topics. I do all the hard work, and explain it to you in a practical manner. Lots of memes too. Good stuff, good stuff.
This and Security weekly conveniently delivered to your mailbox a couple of times a week, for free. Pretty sweet deal if you ask me.

So sign up for the newsletter and be enlightened! (don't set the bar too high tho)