Security daily (04-08-2020)

Migrating your rules from AWS WAF Classic to the new AWS WAF

In November 2019, Amazon launched a new version of AWS Web Application Firewall (WAF) that offers a richer and easier to use set of features. In this post, we show you some of the changes and how to migrate from AWS WAF Classic to the new AWS WAF. AWS Managed Rules for AWS WAF is […] (AWS Security Blog)

Here's the NSA's advice for reducing the exposure of cellphone location data

Take it from the experts: There is no way to fully eliminate the risk that a mobile device is exposing location data to somebody trying to track it, but there are ways to limit what leaks and why. That’s the main theme from guidance issued Tuesday by the U.S. National Security Agency, which directed its advice to Department of Defense personnel and other national security programs but published the document publicly. The guidance explains the different kinds of location information that can be used to locate mobile devices and their users, provides an analysis of misconceptions about location data, and recommends way to help users protect themselves. The NSA warns, for instance, that in addition to mobile devices storing location data in their own mobile device logs, cellular networks receive real-time coordinates for cellphones every time they connect to the network. That communication with the network also can make location information vulnerable. “This means a provider can […] The post Here's the NSA's advice for reducing the exposure of cellphone location data appeared first on CyberScoop. (CyberScoop)

Twitter prepares to pay up to $250 million for using security data for advertising

Twitter acknowledged it could pay up to $250 million to the U.S. Federal Trade Commission for directing targeted advertising to users based off data submitted for security purposes. In a financial filing submitted to the Securities and Exchange Commission, Twitter estimated it would pay between $150 million and $250 million to the FTC. The penalty comes after the FTC drafted a complaint on July 28 alleging that Twitter used “phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019,” Twitter said in the SEC filing. The complaint suggests Twitter violated a 2011 FTC consent order that required the company to establish a data security program, which required them to be transparent with users about the security and privacy measures in place. In October 2019, the company said it used email addresses and phone numbers to improve targeted advertising efforts. […] The post Twitter prepares to pay up to $250 million for using security data for advertising appeared first on CyberScoop. (CyberScoop)

GandCrab ransomware hacker arrested in Belarus

Suspect is alleged to have extorted more than 1000 people, mostly in India, US, Ukraine, UK, Germany, France, Italy and Russia. (Naked Security)

Hacking iOS: How to Embed Payloads into iPhone Packages with Arcane

It's a common misconception that iPhones are impervious to cyberattacks and "more secure" than Android. And when an iPhone does get hacked, it's nearly impossible to tell that it happened.

Vulnerabilities in iOS are common, and Apple tries to tackle them with each security update it releases. To get started, consider all of the CVEs disclosed in the last year. That we know of, Apple issued over 180 patches so far in 2020, and likely a lot more that weren't reported.

How to Hack into an iPhone?

Jailbreaks released over the last decade use an extensive range of iOS exploits. Government... more (Null Byte « WonderHowTo)

Netgear Won't Patch 45 Router Models Vulnerable To Serious Flaw

(News ≈ Packet Storm)

LG And Xerox Internal Data Published By Ransomware Gang

(News ≈ Packet Storm)

Operation North Star Attackers Appear To Be Hidden Cobra

(News ≈ Packet Storm)

British Dental Association Members Targeted By Hackers

(News ≈ Packet Storm)

Sucuri Sit-Down Episode 3: Phishing Attacks with Luke Leal

Phishing attacks are one of the most popular methods for bad actors to gain access to a website environment. On this month’s podcast, analyst Luke Leal is with us to talk about these attacks. Topics covered include the motivation bad actors have for these attacks, who is a likely target, and preventative measures. Plus, host Justin Channell breaks down more website security news from July – including new backdoors, a malicious WordPress plugin, and malware hiding in images and GitHub repositories. Continue reading Sucuri Sit-Down Episode 3: Phishing Attacks with Luke Leal at Sucuri Blog. (Sucuri Blog)

US Government Warns of a New Strain of Chinese 'Taidoor' Virus

Intelligence agencies in the US have released information about a new variant of 12-year-old computer virus used by China's state-sponsored hackers targeting governments, corporations, and think tanks.

Named "Taidoor," the malware has done an 'excellent' job of compromising systems as early as 2008, with the actors deploying it on victim networks for stealthy remote access.

"[The] FBI has (The Hacker News)

NetWalker Ransomware Rakes in $29M Since March

The ransomware has surged since moving to a RaaS model. (Threatpost)


/security-daily/ 05-08-2020 23:44:22