04-05-202106-05-2021

Security daily (05-05-2021)

Use ACM Private CA for Amazon API Gateway Mutual TLS

Last year Amazon API Gateway announced certificate-based mutual Transport Layer Security (TLS) authentication. Mutual TLS (mTLS) authenticates the server to the client, and requests the client to send an X.509 certificate to prove its identity as well. This way, both parties are authenticated to each other. In a previous post, you can learn how to […] (AWS Security Blog)

DOD expands vulnerability disclosure program, giving hackers more approved targets

The Pentagon is letting outside hackers go after more Department of Defense targets than ever before, in an effort to find DOD’s vulnerabilities before foreign hackers do, DOD announced Wednesday. The program, “Hack the Pentagon,” is expanding the number of DOD targets that ethical hackers can go after to try to ferret out vulnerabilities, according to the announcement. The program, which launched in 2016, previously allowed cybersecurity professionals to test DOD systems when it involved public-facing websites and applications. Now interested hackers may go after all publicly-accessible DOD information systems, including publicly-accessible networks, Internet of Things devices and industrial control systems, according to DOD. “This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within DOD,” said Brett Goldstein, the director of the Defense Digital Service (DDS). The DOD Cyber Crime Center, which oversees the program, said the expansion was always […] The post DOD expands vulnerability disclosure program, giving hackers more approved targets appeared first on CyberScoop. (CyberScoop)

UN cybercrime proposal could help autocrats stifle free speech, rights group says

Human rights advocates are warning that a controversial proposal at the United Nations to counter cybercrime could validate tactics that autocratic governments around the world have used to criminalize free speech and security research. The Russian and Chinese governments back the notion of establishing a new anti-cybercrime convention, a process that diplomats at the U.N. will begin considering next week. However, the wording of the proposal, which calls for curbs on the use of technologies for “criminal purposes,” is vague to the point of potentially enabling further government repression, critics say. A report issued Wednesday by Human Rights Watch, a New York-based advocacy group, details a growing list of so-called cybercrime laws that governments have allegedly used to target dissenters, or infringe on personal privacy. A Pakistani law, for example, enables authorities to block websites used to criticize government officials. In the Philippines, police can collect computer data without a […] The post UN cybercrime proposal could help autocrats stifle free speech, rights group says appeared first on CyberScoop. (CyberScoop)

CISA used new subpoena power to contact US companies vulnerable to hacking

The Department of Homeland Security’s cybersecurity agency used a new subpoena power for the first time last week to contact at least one U.S. internet service provider with customers whose software is vulnerable to hacking. It’s an authority that DHS’s Cybersecurity and Infrastructure Security Agency has long sought, as agency officials struggled to communicate with some technology firms before flaws in their equipment became public and risked exploitation by state-linked or criminal hackers. Congress granted CISA the subpoena power in a bill that became law in January, allowing the agency to obtain a list of an internet service provider’s vulnerable customers and notify them directly rather than relying on third party communication. CISA issued two such subpoenas last week, acting agency director Brandon Wales said. A CISA spokesperson declined to say which U.S. company or companies had been subpoenaed, or whether the vulnerabilities pertained to an ongoing hacking campaign. “The […] The post CISA used new subpoena power to contact US companies vulnerable to hacking appeared first on CyberScoop. (CyberScoop)

Dell fixes exploitable holes in its own firmware update driver – patch now!

These bugs date back to 2009, and they could give crooks who are already in your network access to sysadmin superpowers. (Naked Security)

BIOS PrivEsc Bugs Affect Hundreds of Millions of Dell PCs Worldwide

PC maker Dell has issued an update to fix multiple critical privilege escalation vulnerabilities that went undetected since 2009, potentially allowing attackers to gain kernel-mode privileges and cause a denial-of-service condition. The issues, reported to Dell by researchers from SentinelOne on Dec. 1, 2020, reside in a firmware update driver named "dbutil23.sys" that comes pre-installed on (The Hacker News)

ALERT — New 21Nails Exim Bugs Expose Millions of Email Servers to Hacking

The maintainers of Exim have released patches to remediate as many as 21 security vulnerabilities in its software that could enable unauthenticated attackers to achieve complete remote code execution and gain root privileges. Collectively named '21Nails,' the flaws include 11 vulnerabilities that require local access to the server and 10 other weaknesses that could be exploited remotely. The (The Hacker News)

New Crypto-Stealer ‘Panda’ Spread via Discord

PandaStealer is delivered in rigged Excel files masquerading as business quotes, bent on stealing victims' cryptocurrency and other info. (Threatpost)

Anti-Spam WordPress Plugin Could Expose Website User Data

'Spam protection, AntiSpam, FireWall by CleanTalk' is installed on more than 100,000 sites -- and could offer up sensitive info to attackers that aren't even logged in. (Threatpost)

Raft of Exim Security Holes Allow Linux Mail Server Takeovers

Remote code execution, privilege escalation to root and lateral movement through a victim's environment are all on offer for the unpatched or unaware. (Threatpost)

Peloton’s Leaky API Spilled Riders’ Private Data

On top of the privacy spill, Peloton is also recalling all treadmills after the equipment was linked to 70 injuries and the death of one child. (Threatpost)

Feds Shut Down Fake COVID-19 Vaccine Phishing Website

‘Freevaccinecovax.org’ claimed to be that of a biotech company but instead was stealing info from visitors to use for nefarious purposes. (Threatpost)

04-05-202106-05-2021

/security-daily/ 06-05-2021 23:44:24