Security daily (04-09-2020)

Introducing the AWS Best Practices for Security, Identity, & Compliance Webpage and Customer Polling Feature

The AWS Security team has made it easier for you to find information and guidance on best practices for your cloud architecture. We’re pleased to share the Best Practices for Security, Identity, & Compliance webpage of the new AWS Architecture Center. Here you’ll find top recommendations for security design principles, workshops, and educational materials, and […] (AWS Security Blog)

Ransomware hits two state-run organizations in the Middle East and North Africa

A strain of ransomware designed to disrupt computers’ booting processes hit government-run organizations in the Middle East and North Africa in July, researchers said Friday, in the latest example of data-wiping tools being aimed at key organizations in the region. The ransomware attacks used Thanos, a type of malware that surfaced earlier this year and has gained traction on underground forums, according to analysts at Palo Alto Networks. In an increasingly popular tactic among ransomware gangs, Thanos is sold “as a service” to other hackers interested in deploying it. That can make the attacks harder to trace, and allow users to develop their own custom features. The motives behind the attacks are mysterious. A hacker interested in getting paid typically doesn’t disrupt a machine to make it harder for a victim to hand over the ransom. Yet that’s exactly what the perpetrators of the July attacks attempted to do: Their […] The post Ransomware hits two state-run organizations in the Middle East and North Africa appeared first on CyberScoop. (CyberScoop)

Voatz urges Supreme Court to not protect ethical research from prosecution

If the mobile voting firm Voatz actually is interested in working with security researchers who can examine their technology, the company sure has an odd way of showing it. Massachusetts-based Voatz on Thursday filed an amicus brief to the Supreme Court, arguing that only security researchers with clear permission should be authorized to probe systems for vulnerabilities. The filing came as part of a Supreme Court case in which justices are poised to reconsider the Computer Fraud and Abuse Act, a 1986 federal law that prohibits access to computers without the owner’s consent. Researchers have said the anti-hacking law is overly vague, and could criminalize activities ranging from innocuous internet habits, like sharing passwords, to important anti-discrimination research. A group of law scholars previously asked the court to allow ethical security tests. Voatz, which advertises an internet-based voting platform in a market dominated by more established voting machine manufacturers, has […] The post Voatz urges Supreme Court to not protect ethical research from prosecution appeared first on CyberScoop. (CyberScoop)

Phishing tricks – the Top Ten Treacheries of 2020

Here's the Top Ten - or perhaps we mean The Worst Ten. How many would you fall for? (Naked Security)

Become an In-Demand Salesforce Pro with This $25 Bundle

As one of the world's largest and most powerful cloud computing platforms, Salesforce is used by countless companies to manage customer relations, deliver services, and innovate solutions to complex problems.

So it should go without saying that if you want to be truly successful and competitive in virtually any business or tech environment, you're going to need to have a thorough understanding of how this multifaceted platform functions in the real world.

The Complete Salesforce Trailhead 2020: From Zero to Hero 7-Course Bundle comes with 53 hours of expert-led content that will get you up... more (Null Byte « WonderHowTo)

Use Mitaka to Perform In-Browser OSINT to Identify Malware, Sketchy Sites, Shady Emails & More

Web browser extensions are one of the simplest ways to get started using open-source intelligence tools because they're cross-platform. So anyone using Chrome on Linux, macOS, or Windows can use them all the same. The same goes for Firefox. One desktop browser add-on, in particular, makes OSINT as easy as right-clicking to search for hashes, email addresses, and URLs.

Mitaka, created by Manabu Niseki, works in Google Chrome and Mozilla Firefox. Once installed, it lets you select and inspect certain pieces of text and indicators of compromise (IoC), running them through a variety of... more (Null Byte « WonderHowTo)

WhatsApp Discloses 6 Bugs Via Dedicated Security Site

(News ≈ Packet Storm)

Warner Music Discloses Months-Long Web Skimming Incident

(News ≈ Packet Storm)

Firefox Will Add A New Drive-By Download Protection

(News ≈ Packet Storm)

Palantir Filed To Go Public. The Firm's Unethical Technology Should Horrify Us

(News ≈ Packet Storm)

Insufficient Privilege Validation in NextScripts: Social Networks Auto-Poster

NextScripts: Social Networks Auto-Poster is a plugin that automatically publishes posts from your blog to your social media accounts such as Facebook, Twitter, Google+, Blogger, Tumblr, Flickr, LinkedIn, Instagram, Telegram, YouTube, WordPress, etc. During a routine research audit for our Sucuri Firewall, we discovered post deletion, arbitrary posting to social networks, and arbitrary plugin settings update vulnerabilities affecting over 100,000 users of the WordPress plugin. Disclosure / Response Timeline:

August 24, 2020: Initial contact attempt.

Continue reading Insufficient Privilege Validation in NextScripts: Social Networks Auto-Poster at Sucuri Blog. (Sucuri Blog)

Evilnum hackers targeting financial firms with a new Python-based RAT

An adversary known for targeting the fintech sector at least since 2018 has switched up its tactics to include a new Python-based remote access Trojan (RAT) that can steal passwords, documents, browser cookies, email credentials, and other sensitive information.

In an analysis published by Cybereason researchers yesterday, the Evilnum group has not only tweaked its infection chain but has (The Hacker News)

Social Media: Thwarting The Phishing-Data Goldmine

Cybercriminals can use social media in many ways in order to trick employees. (Threatpost)

Vulnerability Disclosure: Ethical Hackers Seek Best Practices

Cybersecurity researchers Brian Gorenc and Dustin Childs talk about the biggest vulnerability disclosure challenges in IoT and the industrial vertical. (Threatpost)

Facebook Debuts Third-Party Vulnerability Disclosure Policy

If the social-media behemoth finds a bug in another platform's code, the project has 90 days to remediate before Facebook goes public. (Threatpost)

Attackers Steal Outlook Credentials Via Overlay Screens on Legitimate Sites

A phishing campaign uses overlay screens and email 'quarantine' policies to steal targets' Microsoft Outlook credentials. (Threatpost)

WhatsApp Discloses 6 Bugs via Dedicated Security Site

The company committed to more transparency about app flaws, with an advisory page aimed at keeping the community better informed of security vulnerabilities. (Threatpost)


/security-daily/ 05-09-2020 23:44:22