Beyond the Hack /January 2025

Hey folks,

After a year where cyber threats grew more complex and regulatory pressures kept mounting, it's clear that cybersecurity needs to be more accessible – not just for enterprises but for everyone serious about staying secure.

That's why, in 2025, Blaze is simplifying how you engage with security testing. This quarter, we'll be launching an e-commerce platform where you'll be able to purchase pentests with just a few clicks, making it easier to meet standards like SOC2 and ISO 27001.

We're also launching a Pentest as a Service (PTaaS) platform this year to give you even more flexibility and visibility in your security testing process.

Speaking of regulations, the EU DORA will start applying on 17 January 2025. If you're in the financial sector, now is the time to make sure your security testing program is up to speed.

Let's make 2025 a year where strong security becomes simpler for everyone.

Cheers, Julio Fort

Proposed HIPAA Amendments Will Close Healthcare Security Gaps

HHS published a notice of proposed rulemaking in the Federal Register on 6 January 2025 that would significantly amend the HIPAA Security Rule to strengthen protections for electronic protected health information (ePHI). Key proposed changes include mandatory multi-factor authentication, encryption of ePHI at rest and in transit, annual penetration tests, vulnerability scans at least every six months, and network segmentation. Public comments are accepted for 60 days from publication; once the rule is finalized, regulated entities would be expected to comply within 180 days of its effective date.


Cyber Resilience Act | Shaping Europe's digital future

The Cyber Resilience Act (CRA) entered into force on 10 December 2024. Most obligations apply from 11 December 2027, while the reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, from 11 September 2026. The act requires manufacturers, importers and distributors of products with digital elements to ensure cybersecurity throughout the product lifecycle: products must carry CE marking to show conformity, critical and important product classes are subject to third-party conformity assessment, and manufacturers must provide security updates for the product's support period. Products already covered by sector-specific rules, such as medical devices, aviation and cars, are exempt.


UN General Assembly approves cybercrime treaty despite industry backlash

The UN General Assembly adopted the Convention against Cybercrime in December 2024 to enhance international cooperation against cybercrime. It opens for signature in 2025 and enters into force once 40 states have ratified it. While it addresses issues such as online fraud and child sexual exploitation, it faces criticism for enabling authoritarian misuse, weakening privacy protections, and potentially exposing security researchers to prosecution. Tech firms and activists warn it could hinder good-faith security research and create complex cross-border data-sharing requests.


AT&T and Verizon say networks are secure after being breached by China-linked Salt Typhoon hackers

Verizon and AT&T confirmed they secured their networks after breaches by the China-linked Salt Typhoon cyberespionage group, which targeted U.S. telecoms to spy on high-profile government customers. Salt Typhoon reportedly compromised nine telecom providers, with one breach involving admin access to over 100,000 routers.


Are you curious about what grabbed the most attention in the world of penetration testing this year? These were our most-read articles of 2024 – packed with practical insights and expert guidance to help you stay secure:

Pricing insights – How much does penetration testing cost?

What Are SOC 2 Penetration Testing Requirements In 2025?

ISO 27001 Penetration Testing - The Complete Guide

Stealing NTLM Hashes Via Webapp Vulnerabilities - Blaze Labs

Mobile Application Penetration Testing - Everything About It

EU DORA - Navigating The Digital Operational Resilience Act


Check out these articles and more on our blog for expert insights you can act on.

ShmooCon 2025

Washington, D.C., USA

10-12 January

BSides Dublin

Dublin, Ireland

16 January

Cybersec Asia 2025

Bangkok, Thailand

22-23 January


Cyber culture: Best talks of The 38th Chaos Communication Congress (38C3).

Wir wissen wo dein Auto steht - Volksdaten von Volkswagen (We know where your car is - Volkswagen data) by Flüpke and Michael Kreil.

ACE up the sleeve: Hacking into Apple's new USB-C Controller by Thomas Roth, aka stacksmashing.

Hacking the RP2350 by Aedan Cullen.

We've not been trained for this: life after the Newag DRM disclosure by Michał Kowalczyk, q3k, and Jakub Stępniewicz.

BlinkenCity: Radio-Controlling Street Lamps and Power Plants by Fabian Bräunlein and Luca Melette.

MacOS Location Privacy Red Pill: A Rabbit Hole Resulting in 24 CVEs by Adam M.

From Pegasus to Predator - The Evolution of Commercial Spyware on iOS by Matthias Frielingsdorf.

Dialing into the Past: RCE via the Fax Machine – Because Why Not? by Rick de Jager.

All the talks are available on the official channel of the CCC: https://www.youtube.com/@mediacccde


Being aware of threats is not enough – take action!

Discover special offers, explore our services and find the right penetration testing solution for your organization's cybersecurity needs.
