Security daily (03-06-2020)

Google updates anti-phishing tools by streamlining iOS capabilities

Google is making it easier to use physical security keys on iOS devices. The company says that Apple product owners will now be able to use Titan Security Keys, which fend off phishing and other threats, on personal and professional Google accounts. Google’s Advanced Protection Program, dedicated to protecting users at risk of targeted malicious software attacks, announced the update in a blog post Wednesday. It’s the latest move from Google to expand protection after the Advanced Protection Program unit said in January that users could utilize iPhone or Android devices as a unique security key to access their accounts. Now, by using near-field communication protocols, users should be able to sign in by tapping a security key on the back of an iPhone. “This capability… simplifies your security key experience on compatible iOS devices and allows you to use more types of security keys for your Google Account and the […] (CyberScoop)

Zoom has partially fixed two new flaws, with other security hurdles ahead

Cisco Talos researchers recently uncovered two new flaws in Zoom that could allow attackers to execute arbitrary code on users’ computers, according to research published Wednesday. Zoom has partially fixed the vulnerabilities, according to Cisco Talos. The cybersecurity company said it worked with Zoom on addressing the flaws. It’s the latest set of security bugs discovered in Zoom, a teleconferencing company whose software has come under heightened scrutiny in recent months as the coronavirus pandemic forced people around the world to telework and rely on videoconference platforms. Competitors include Cisco WebEx, Microsoft Teams, and GoToMeeting. Zoom fixed one of the issues, dubbed TALOS-2020-1056, in May. And while Zoom addressed the other flaw, dubbed TALOS-2020-1055, in a server-side update, Cisco Talos’ Jon Munshaw said in a blog he believes that a client-side update will be necessary to fully mitigate any risk. Zoom claimed in a statement shared with CyberScoop that it addressed the bugs in April. […] (CyberScoop)

Denial of service attacks against advocacy groups skyrocket

Distributed denial-of-service attacks against advocacy organizations increased by 1,120% since a Minneapolis police officer killed George Floyd by kneeling on his neck, sparking demonstrations throughout the U.S. In figures published Tuesday, the internet security firm Cloudflare said it blocked more than 135 billion malicious web requests against advocacy sites, compared to less than 30 million blocked requests against U.S. government websites, such as police and military organizations. The company did not specifically disclose which websites were affected. “As we’ve often seen in the past, real world protest and violence is usually accompanied by attacks on the internet. This past week has been no exception,” Cloudflare chief executive Matthew Prince and chief technology officer John Graham-Cumming said in a blog post. DDoS attacks occur when anonymous web users flood a site with fabricated traffic in an attempt to knock it offline, thus silencing its web presence until the site recovers. Web […] (CyberScoop)

This matters more: How cyber pros are confronting racism in their own ranks, and beyond

The police killing of George Floyd in Minneapolis last week prompted Leroy Terrelonge to do something he had never done: vividly recall all of his experiences with racism since youth. “I was surprised by how incidents that I had buried deep suddenly surged back to my memory and hurt all over again,” said Terrelonge, 34, a black cyber-risk analyst at Moody’s. “I imagined how they could have taken a wrong turn under certain circumstances and I, too, could be dead.” Terrelonge is one of millions of black Americans experiencing Floyd’s death in visceral ways. He’s also one of many cybersecurity professionals searching for the right balance between work and advancing social justice. The daily grind of reverse-engineering malware feels trivial when police are teargassing peaceful protesters, neighborhoods are in flames and opportunists unaffiliated with black social-justice causes are violently exploiting the unrest. “Information security is not often a matter of life or death, even for those […] (CyberScoop)

Smashing Security podcast #181: Anti-cybercrime ads, tricky tracing, and a 5G Bioshield

Police are hoping to stop kids becoming cybercriminals by bombarding them with Google Ads, phishers rub their hands in glee at the NHS track and trace service, and just how does a nano-layer of quantum holographic catalyzer technology make a USB stick cost hundreds of pounds? All this and much much more is discussed in the latest edition of the “Smashing Security” podcast. (Graham Cluley)

Coincheck cryptocurrency exchange targeted by hackers, customer emails exposed

Japanese cryptocurrency exchange Coincheck has announced that earlier this week hackers managed to access some emails sent to the firm by its customers, after its domain name registrar account was compromised. Read more in my article on the Hot for Security blog. (Graham Cluley)

Firefox fixes cryptographic data leakage in latest security update

How time flies - the latest four-weekly Firefox update is out. (Naked Security)

VMware flaw allows takeover of multiple private clouds

VMware’s VMware Cloud Director has a security flaw that researchers believe could be exploited to compromise multiple customer accounts using the same cloud infrastructure. (Naked Security)

Amtrak breached, some customers’ logins and PII potentially exposed

The US rail service hasn't disclosed the number of passengers affected in a 16 April breach. (Naked Security)

We won! Naked Security scoops “Legends of security” award

We're absolutely delighted - delighted and proud! - to report that we won not one but two awards at last night's European Security Blogger Awards 2020. (Naked Security)

Python 2 vs. Python 3 — Important Differences Every Hacker Should Know

Python is commonly touted as one of the best programming languages for beginners to learn, and its straightforward syntax and functionality make that hard to argue with. But a lot of tutorials still use Python 2, which is outdated now. Python 3 introduces many new features, and it's important to be aware of them going forward, as well as the key differences between Python 3 and its predecessor.

Python 2 was first released in 2000. It improved upon earlier versions of the language and introduced features common to other programming languages such as garbage collection, list comprehension, and... more (Null Byte « WonderHowTo)

Become an In-Demand IT Pro with This Cisco Training

There are countless ways in which a talented and trained programmer and tech pro can earn a lucrative living in an increasingly data-driven age — from writing and creating apps and games to working for a cybersecurity firm or even the federal government.

But you can also opt for a stable and high-paying career in the world of IT, where avid tech enthusiasts are being employed to perform a wide range of lucrative jobs ranging from server installation and maintenance to white-hat hacking and security implementation.

If you want to be competitive in this demanding field, you're going to need to... more (Null Byte « WonderHowTo)

Google Opens Up Advanced Protection Program To Nest Devices

(News ≈ Packet Storm)

Zoom Won't Add End-To-End Encryption For Free Calls So It Can Spy

(News ≈ Packet Storm)

US Cop Hits Australian Cameraman Live On National Television

(News ≈ Packet Storm)

Enterprise Mobile Phishing Attacks Skyrocket With Pandemic

(News ≈ Packet Storm)

Labs Notes Monthly Recap – May/2020

In 2020, we doubled up our research efforts to report on many new attacks and hacks that we see in the wild. We believe that being informed is a big part of having a good website security posture. Sucuri Labs provides website malware research updates directly from our teams on the front line. Our Labs Notes are usually shorter than blog posts and they focus on a highly technical audience. This month, our Malware Research and Incident Response teams disclosed a WordPress plugin vulnerability and wrote about a web shell packer. (Sucuri Blog)

Two Critical Flaws in Zoom Could've Let Attackers Hack Systems via Chat

If you're using Zoom—especially during this challenging time to cope with your schooling, business, or social engagement—make sure you are running the latest version of the widely popular video conferencing software on your Windows, macOS, or Linux computers.

No, it's not about the arrival of the most-awaited "real" end-to-end encryption feature, which apparently, according to the latest news, (The Hacker News)

Newly Patched SAP ASE Flaws Could Let Attackers Hack Database Servers

A new set of critical vulnerabilities uncovered in SAP's Sybase database software can grant unprivileged attackers complete control over a targeted database and even the underlying operating system in certain scenarios.

The six flaws, disclosed by cybersecurity firm Trustwave today, reside in Sybase Adaptive Server Enterprise (ASE), a relational database management software geared towards (The Hacker News)

New Skill Testing Platform For 6 Most In-Demand Cybersecurity Jobs

Building a security team is a necessity for organizations of all industries and sizes. It makes selecting the right person for the job a critical task in which testing candidates' domain knowledge is a core component of the hiring process.

A common practice is for each organization to put together a dedicated set of questions for each role.

Today, Cynet launches the Cybersecurity Skill Tests (The Hacker News)

Sophisticated Info-Stealer Targets Air-Gapped Devices via USB

The newly discovered USBCulprit malware is part of the arsenal of an APT known as Cycldek, which targets government entities. (Threatpost)

Attackers Target 1M+ WordPress Sites To Harvest Database Credentials

An attack over the weekend unsuccessfully targeted 1.3 million WordPress websites, in attempts to download their configuration files and harvest database credentials. (Threatpost)

TrickBot Adds BazarBackdoor to Malware Arsenal

The stealthy backdoor is delivered via mass-market phishing emails that are well-crafted to appear convincing. (Threatpost)


/security-daily/ 04-06-2020 23:44:21