How to prevent accidental admin rights in your organization

Here's how to use Bitwarden to manage all of your passwords. No more "forgot my password" clicks. No more getting hacked.

𝐓𝐡𝐢𝐧𝐤 𝐙𝐞𝐫𝐨 𝐓𝐫𝐮𝐬𝐭 𝐍𝐞𝐭𝐰𝐨𝐫𝐤 𝐜𝐥𝐢𝐞𝐧𝐭𝐬 𝐚𝐫𝐞 𝐢𝐦𝐦𝐮𝐧𝐞 𝐭𝐨 𝐍𝐚𝐜𝐡𝐨𝐕𝐏𝐍? 𝐓𝐡𝐢𝐧𝐤 𝐚𝐠𝐚𝐢𝐧. We’ve identified CVE-2025-0309, a local privilege escalation vulnerability in Netskope Windows clients prior to version R129, allowing an attacker to gain SYSTEM access. This issue was disclosed as part of our research campaign: “Zero Trust, Total Bust: Breaking into Thousands of Cloud-Based VPNs with One Bug.” Today, we’re releasing a detailed technical write-up explaining how we discovered and exploited this vulnerability: 📄 Blog: https://lnkd.in/e7ueh5TD And for those who prefer batteries included, we’ve added the exploit to NachoVPN and published an IPC client for Netskope (UpSkope) that bypasses tamper protections: 🔹 NachoVPN: https://lnkd.in/e-U84ufn 🔹 UpSkope: https://lnkd.in/ejXePdkh

I was asked to help a friend who works at a high end company a while back. They were a frog hair away from sending a bad actor a quarter-million-dollar check. The threat was a fake invoice from a typosquatted domain. Their IT provider's fix? Buy a pricey piece of hardware and "perhaps consider" buying up all the look-alike domains. This, they were told, was the only way. Oddly, no one mentioned DMARC, DKIM, or SPF. No one talked about the fundamental tools that actually stop domain impersonation...tools that are cheaper and more effective than the hardware solution. There's a critical gap between basic IT support and real security. The answer isn't just to sell more boxes. It's to empower businesses with the right knowledge and put security first. It's not that complicated.

I get it—handing out admin rights feels easier in the moment. But that “*” permission is basically a hacker’s dream come true. Start small with access, add more if needed, and turn on MFA. It’s a little extra work now that saves you a nightmare later.

Nevada is working to recover from a cyberattack that disrupted state systems on Sunday, leading to office closures on Monday and Tuesday. The incident, described as a “network issue,” affected websites and phone lines but did not impact emergency services. https://lnkd.in/ehF-HG25

You’ve been breached. Don’t panic, but don’t wait either. Here are the first 3 steps to take: 🔌 Isolate the threat – Immediately disconnect affected devices or systems to prevent it from spreading. 🔍 Assess the damage – Figure out what data was compromised and who may be impacted. 📞 Call in reinforcements – Notify your IT/security team or provider ASAP. Don’t have a team or need additional crisis support? We got you covered! Having a plan in place makes a stressful situation way more manageable. Save this post, you might need it before you expect to.

Step 1: "We need to put age verification on websites to Protect The Kids(™)" Step 2: Everyone uses VPNs. Step 3: "We need to put age verification of VPNs to Protect The Kids(™)" Step 4: Everyone switches to shady VPN providers that don't require age verification. Step 5: Nobody can actually protect any kids because half the nation's traffic is routed through shady bulletproof VPN services and investigating online crimes now takes 10x more resources. Step 6: Achievement Unlocked - you've just made everything worse because you couldn't separate your dumb moral panic from actual rational safety policy (again).

There's a lot of conversation right now about children's safety on the internet. One platform currently getting some heat is Roblox. The best way I can describe the the relationship between our kids and the internet is through a popular quote: "We don't give our children access to the internet, we give the internet access to our children" I have always believed that Cybersecurity is more than just a profession, it is something we all do in our daily lives. We are not all Gordon Ramsay, but we all can learn to cook for ourselves and others. Cybersecurity can work the same way. Most people, if not everyone, are already practicing Cybersecurity already! - Using a phone PIN or Face ID - Choosing different passwords for different accounts - Ignoring scam calls or suspicious texts - Updating your phone or apps - Using tap-to-pay instead of swiping your card You can do the same for your kids! - Teach them your every day Cybersecurity habits - Talk to them about what not to share online - Play with your kids and get familiar with their play environment - Let them teach you how they interact with the internet If you don't understand something, ask other parents! Maybe they know or maybe they know someone who does! (I don't mind being asked either, in case you are wondering) Yes some games are weird and the lingo is odd, but it is much better to know so that if you need to step in, you at least have an idea of what you are looking at and it also helps keep the conversation open.

Active Directory Tip of the Week — #1: Limit Machine Account Quota Too many orgs leave this default setting wide open. ⚠️ Tip: Set ms-DS-MachineAccountQuota to 0. Authenticated users can add up to 10 computers to the domain by default. Why it matters: Attackers abuse this to gain a foothold, enumerate the domain, and perform various attacks that can lead to lateral movement and domain privilege escalation. ✅ Check your environment today. Is this locked down?

Coming out of SHARE Cleveland, there was an important message. How secure is your z/OS system? - do you have MFA on z/OS? - how secure are your HMCs? HMCs must be secured with strict access rules. If not, a hacker can delete your entire system and DASD. - How secure are your CryptoCards? Are the three keys secure, with three different people? - do you have all your UACC set to NONE? Don’t fall into the fallacy that z/OS can’t be hacked. Zero trust should be used at all levels of your systems.