Security daily (05-08-2020)

Top voting vendor ES&S publishes vulnerability disclosure policy

Election Systems & Software, the biggest vendor of U.S. voting equipment, on Wednesday announced a policy to work more closely with security researchers to find software bugs in the company’s IT networks and websites. “Hackers are going to hack, researchers are going to research, whether or not there’s a policy in place,” Chris Wlaschin, ES&S’s vice president of systems security, told CyberScoop. “We think it’s important to have that safe harbor language out there to set expectations.” The policy allows researchers to probe ES&S’s corporate systems and public-facing websites, but not the election systems in place at jurisdictions around the country, which are subject to different testing regimes. The ES&S policy gives the company 90 days to fix vulnerabilities before researchers can report on them publicly — a standard timeline in the research community. For ES&S, the policy marks another step in collaborating with a white-hat hacking community with which it […] (CyberScoop)

Researchers found another way to hack Android cellphones via Bluetooth

Attackers looking to steal sensitive information like contacts, call history, and SMS verification codes from Android devices only need to target Bluetooth protocols, according to new DBAPPSecurity research presented at the 2020 Black Hat conference Wednesday. These exploits, one of which takes advantage of a zero-day vulnerability, could also allow hackers to send fake text messages if manipulated properly, researchers found. It works by allowing attackers to disguise themselves as a trusted application, requesting permissions that allow one Bluetooth-enabled device to share data with another device, such as a headset or car’s “infotainment” system. For the attack to run successfully, Bluetooth must be enabled on the target device and victims must approve the attackers’ request for privileges. In the end, this action gives attackers access to data on the victim’s device, according to the California-based company. The other attack allows researchers to take advantage of an authentication bypass vulnerability, dubbed “BlueRepli.” Would-be attackers […] (CyberScoop)

The long-lasting consequences of Coalfire's Iowa pentest fiasco

The two security pros who were arrested for doing their job are still angry. Gary DeMercurio and Justin Wynn, who work as penetration testers for Colorado-based security firm Coalfire Labs, were charged with burglary in September 2019 after they broke into an Iowa courthouse. Unlike in a typical break-in, though, Iowa state officials had hired DeMercurio and Wynn to test the courthouse’s defenses, then alert the authorities about any vulnerabilities that actual thieves might try to exploit. While prosecutors eventually dropped the charges against the two pen-testers, the case made national headlines and highlighted the risks that security professionals take as part of their employment. Now, DeMercurio and Wynn are breaking their silence with a presentation at Black Hat, the virtual cybersecurity conference, where they plan to detail their experience and may delve into how performative security tactics, like arresting people without grounds, don’t actually solve anything. “The citizens of Iowa […] (CyberScoop)

Protect Your Privacy with This 2-Part Security Bundle

Although it's always been important to safeguard your data and private information in the digital age, privacy has recently taken on an entirely new meaning.

With more and more people working from home and using unsecured networks as a result of the coronavirus outbreak, hackers and even government agencies are taking advantage of unencrypted phones and laptops to access everything from your browsing history to your banking information.

The Premium Mobile Privacy Lifetime Subscription Bundle has everything you need to ensure that your most sensitive information and data is secure at all... (Null Byte « WonderHowTo)

FBI Issues Warning Over Windows 7 End Of Life

(News ≈ Packet Storm)

295 Chrome Extensions Caught Hijacking Searches

(News ≈ Packet Storm)

Misconfigured Servers Contributed To More Than 200 Cloud Breaches

(News ≈ Packet Storm)

Levandowski Gets 18 Months For Google IP Theft

(News ≈ Packet Storm)

PHP Backdoor Obfuscated One Liner

In the past, I have explained how small one-line PHP backdoors use obfuscation and strings of code in HTTP requests to pass attackers’ commands to the backdoor. Today, I’ll highlight another similar injection example and describe some of the malicious behavior we’ve seen recently on compromised websites. Obfuscated PHP Backdoor: Discovered by our Remediation team, this PHP backdoor variant hides its use of create_function by requiring the attacker to supply that function name in their request. (Sucuri Blog)

Researcher Demonstrates 4 New Variants of HTTP Request Smuggling Attack

New research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers.

Amit Klein, VP of Security Research at SafeBreach who presented the findings today at the Black Hat security conference, said that the attacks highlight how web servers and HTTP proxy servers are still susceptible to HTTP (The Hacker News)

Case Study: How Incident Response Companies Choose IR Tools

Many companies today have developed a Cybersecurity Incident Response (IR) plan. It's a sound security practice to prepare a comprehensive IR plan to help the organization react to a sudden security incident in an orderly, rational manner. Otherwise, the organization will develop a plan while frantically responding to the incident, a recipe ripe for mistakes.

Heavyweight boxer Mike Tyson once (The Hacker News)

Apple Touch ID Flaw Could Have Let Attackers Hijack iCloud Accounts

Apple earlier this year fixed a security vulnerability in iOS and macOS that could have potentially allowed an attacker to gain unauthorized access to a user's iCloud account.

Uncovered in February by Thijs Alkemade, a security specialist at IT security firm Computest, the flaw resided in Apple's implementation of TouchID (or FaceID) biometric feature that authenticated users to log in to (The Hacker News)

Black Hat 2020: Linux Spyware Stack Ties Together 5 Chinese APTs

The groups, all tied to the Winnti supply-chain specialist gang, were seen using the same Linux rootkit and backdoor combo. (Threatpost)

Black Hat 2020: In a Turnaround, Voting Machine Vendor Embraces Ethical Hackers

Voting machine technology seller Election Systems & Software (ES&S) offered an olive branch to security researchers with new safe harbor terms and vulnerability disclosure policies at Black Hat USA 2020. (Threatpost)

Twitter Fixes High-Severity Flaw Affecting Android Users

A vulnerability in Twitter for Android could have allowed attackers to access private direct messages (DMs) and other data. (Threatpost)


/security-daily/ 06-08-2020 23:44:23