Security daily (02-09-2021)

How US federal agencies can authenticate to AWS with multi-factor authentication

This post is part of a series about how AWS can help your US federal agency meet the requirements of the President’s Executive Order on Improving the Nation’s Cybersecurity. We recognize that government agencies have varying degrees of identity management and cloud maturity and that the requirement to implement multi-factor, risk-based authentication across an entire […] (AWS Security Blog)

Top 10 security best practices for securing data in Amazon S3

With more than 100 trillion objects in Amazon Simple Storage Service (Amazon S3) and an almost unimaginably broad set of use cases, securing data stored in Amazon S3 is important for every organization. So, we’ve curated the top 10 controls for securing your data in S3. By default, all S3 buckets are private and can […] (AWS Security Blog)

WhatsApp hit with $267 million GDPR fine for bungling user privacy disclosure

Ireland’s Data Protection Commission fined Facebook-owned messenger WhatsApp for $225 million for failing to provide users enough information about the data it shared with other Facebook companies. The fine is the largest penalty that the Irish regulator has waged since the European Union data protection law, the General Data Protection Regulation, or GDPR, went into effect in 2018. The watchdog, which kicked off its probe in 2018, ruled that Facebook failed to fully explain what “legitimate interests” the company used personal data for or how that data was processed. In addition to the fine, the ruling requires WhatsApp to take “corrective measures” in order to come into compliance with GDPR. WhatsApp plans to appeal the fine, according to a spokesperson. “WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” the […] The post WhatsApp hit with $267 million GDPR fine for bungling user privacy disclosure appeared first on CyberScoop. (CyberScoop)

Hacker, money launderer sentenced to prison for scamming tax preparers and COVID-19 relief programs

A federal judge sentenced two men to prison for a coordinated scheme to hack into tax preparation firms, steal personal information, file fraudulent unemployment claims and income tax returns and then launder the money. The fraudulent unemployment claims aimed to exploit a COVID-19 relief program that netted $280,000 in improper benefits from the state of Washington, the Justice Department announced Thursday. They also included attempts to seek $2.6 million in tax refunds. Bamidele Muraina, a Nigerian national whom DOJ said led the effort to steal identities, received five years and 10 months in prison, as well as three years of supervised release and an order to pay more than $500,000 in restitution. For leading the money laundering leg of the operation, Gabriel Kalembo received four years and two months in prison, along with two years of supervised release and an order to pay nearly $300,000. Starting at least in January […] The post Hacker, money launderer sentenced to prison for scamming tax preparers and COVID-19 relief programs appeared first on CyberScoop. (CyberScoop)

SolarWinds hackers targeted Autodesk in latest confirmed fallout from cyber-espionage campaign

The list of victims keeps growing for the suspected Russian hackers who breached a U.S. federal contractor in order to gather intelligence from throughout the federal government. Autodesk, an American software and security company, said in a recent filing to the U.S. Securities and Exchange Commission that hackers had targeted the firm with the Sunburst malicious software. Cozy Bear, a state-sponsored Russian hacking group, relied on Sunburst to carry out an attack against SolarWinds, an IT firm that spies used as a foothold into targets throughout the government and private sector. In a 10-Q filing to the SEC, Autodesk said it discovered that one of its servers had been compromised, and that it had taken steps to remediate the fallout. The California-based firm makes design software and 3D technology tools for American customers in the architecture, engineering and education sectors. It is only the latest publicly listed company to confirm […] The post SolarWinds hackers targeted Autodesk in latest confirmed fallout from cyber-espionage campaign appeared first on CyberScoop. (CyberScoop)

Pwned! The home security system that can be hacked with your email address

The alarm system that can be turned off with your email address. (Naked Security)

NPM Package With 3 Million Weekly Downloads Had A Severe Vuln

(News ≈ Packet Storm)

WhatsApp Patches Vulnerability Related To Image Filter Functionality

(News ≈ Packet Storm)

Comcast RF Attack Leveraged Remotes For Surveillance

(News ≈ Packet Storm)

WhatsApp Issued Second Largest GDPR Fine Of 225 Million Euro

(News ≈ Packet Storm)

This Lightning Cable Will Leak Everything You Type

(News ≈ Packet Storm)

Cisco Issues Patch for Critical Enterprise NFVIS Flaw — PoC Exploit Available

Cisco has patched a critical security vulnerability impacting its Enterprise Network Function Virtualization Infrastructure Software (NFVIS) that could be exploited by an attacker to take control of an affected system. Tracked as CVE-2021-34746, the weakness has been rated 9.8 out of a maximum of 10 on the Common Vulnerability Scoring System (CVSS) and could allow a remote attacker to circumvent (The Hacker News)

What is AS-REP Roasting attack, really?

Microsoft's Active Directory is said to be used by 95% of Fortune 500. As a result, it is a prime target for attackers as they look to gain access to credentials in the organization, as compromised credentials provide one of the easiest ways for hackers to access your data. A key authentication technology that underpins Microsoft Active Directory is Kerberos. Unfortunately, hackers use many (The Hacker News)

New BrakTooth Flaws Leave Millions of Bluetooth-enabled Devices Vulnerable

A set of new security vulnerabilities has been disclosed in commercial Bluetooth stacks that could enable an adversary to execute arbitrary code and, worse, crash the devices via denial-of-service (DoS) attacks.  Collectively dubbed "BrakTooth" (referring to the Norwegian word "Brak" which translates to "crash"), the 16 security weaknesses span across 13 Bluetooth chipsets from 11 vendors such (The Hacker News)

WhatsApp Photo Filter Bug Could Have Exposed Your Data to Remote Attackers

A now-patched high-severity security vulnerability in WhatApp's image filter feature could have been abused to send a malicious image over the messaging app to read sensitive information from the app's memory. Tracked as CVE-2020-1910 (CVSS score: 7.8), the flaw concerns an out-of-bounds read/write and stems from applying specific image filters to a rogue image and sending the altered image to (The Hacker News)

Is Traffic Mirroring for NDR Worth the Trouble? We Argue It Isn't

Network Detection & Response (NDR) is an emerging technology developed to close the blind security spots left by conventional security solutions, which hackers exploited to gain a foothold in target networks. Nowadays, enterprises are using a plethora of security solutions to protect their network from cyber threats. The most prominent ones are Firewalls, IPS/IDS, SIEM, EDR, and XDR (which (The Hacker News)

Chinese Authorities Arrest Hackers Behind Mozi IoT Botnet Attacks

The operators of the Mozi IoT botnet have been taken into custody by Chinese law enforcement authorities, nearly two years after the malware emerged on the threat landscape in September 2019. News of the arrest, which originally happened in June, was disclosed by researchers from Netlab, the network research division of Chinese internet security company Qihoo 360, earlier this Monday, detailing (The Hacker News)

Cybercriminals Abusing Internet-Sharing Services to Monetize Malware Campaigns

Threat actors are capitalizing on the growing popularity of proxyware platforms like Honeygain and Nanowire to monetize their own malware campaigns, once again illustrating how attackers are quick to repurpose and weaponize legitimate platforms to their advantage. "Malware is currently leveraging these platforms to monetize the internet bandwidth of victims, similar to how malicious (The Hacker News)

Linphone SIP Stack Bug Could Let Attackers Remotely Crash Client Devices

Cybersecurity researchers on Tuesday disclosed details about a zero-click security vulnerability in the Linphone Session Initiation Protocol (SIP) stack that could be remotely exploited without any action from a victim to crash the SIP client and cause a denial-of-service (DoS) condition. Tracked as CVE-2021-33056 (CVSS score: 7.5), the issue concerns a NULL pointer dereference vulnerability in (The Hacker News)

QNAP Working on Patches for OpenSSL Flaws Affecting its NAS Devices

Network-attached storage (NAS) appliance maker QNAP said it's currently investigating two recently patched security flaws in OpenSSL to determine their potential impact, adding it will release security updates should its products turn out to be vulnerable. Tracked as CVE-2021-3711 (CVSS score: 7.5) and CVE-2021-3712 (CVSS score: 4.4), the weaknesses concern a high-severity buffer overflow in SM2 (The Hacker News)

Attackers Can Remotely Disable Fortress Wi-Fi Home Security Alarms

New vulnerabilities have been discovered in Fortress S03 Wi-Fi Home Security System that could be potentially abused by a malicious party to gain unauthorized access with an aim to alter system behavior, including disarming the devices without the victim's knowledge. The two unpatched issues, tracked under the identifiers CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7), (The Hacker News)

NFT Collector Tricked into Buying Fake Banksy 

An attacker breached the site of famed street artist Banksy to host a fraudulent NFT auction but then gave back the money. (Threatpost)

SpyFone & CEO Banned From Stalkerware Biz

The FTC's first spyware ban nixes a company whose "slipshod" security practices led to exposure of thousands of victims' illegally collected personal data. (Threatpost)

Bluetooth Bugs Open Billions of Devices to DoS, Code Execution

The BrakTooth set of security vulnerabilities impacts at least 11 vendors' chipsets. (Threatpost)

Google Play Sign-Ins Allow Covert Location-Tracking

A design flaw involving Google Timeline could allow someone to track another device without installing a stalkerware app. (Threatpost)

Cisco Patches Critical Authentication Bug With Public Exploit

There's proof-of-concept code out for the near-maximum critical – rated at 9.8 – authentication bypass bug, but Cisco hasn't seen any malicious exploit yet. (Threatpost)

7 Ways to Defend Mobile Apps, APIs from Cyberattacks

David Stewart, CEO, Approov, discusses the top mobile attack routes the bad guys use and the best defenses organizations can deploy against them. (Threatpost)

WhatsApp Photo Filter Bug Allows Sensitive Info to Be Lifted

Users should be careful whose pics they view and should, of course, update their apps. (Threatpost)


/security-daily/ 03-09-2021 23:44:23