Security daily (06-07-2020)

How to use G Suite as an external identity provider for AWS SSO

Do you want to control access to your Amazon Web Services (AWS) accounts with G Suite? In this post, we show you how to set up G Suite as an external identity provider in AWS Single Sign-On (SSO). We also show you how to configure permissions for your users, and how they can access different […] (AWS Security Blog)

Cyber Command backs 'urgent' patch for F5 security vulnerability

One of the largest providers of enterprise networking equipment in the world, F5 Networks, has issued a security fix for a major vulnerability that, if exploited, could result in a “complete system compromise.” F5’s BIG-IP is among the most popular networking gear in use today in government systems, internet service providers and cloud computing data centers. If security administrators fail to patch the new vulnerability, though, attackers could wreak havoc on their networks, according to information security specialists. Mikhail Klyuchnikov, the senior web application security researcher at Positive Technologies who uncovered the flaw, estimates that there are approximately 8,000 vulnerable devices exposed to the internet. The remote code execution vulnerability, designated CVE-2020-5902, affects the BIG-IP product’s Traffic Management User Interface (TMUI), which can enable load balancers, firewalls, rate limiters and web traffic shaping systems. Attackers who exploit the weakness can execute arbitrary system commands, create files, delete files or disable services, according to F5. The vulnerability […] The post Cyber Command backs 'urgent' patch for F5 security vulnerability appeared first on CyberScoop. (CyberScoop)

Ex-Yahoo employee avoids jail, despite hacking 6000 accounts, and stealing nude photos and videos

A former employee of Yahoo has been sentenced and ordered to pay a fine after exploiting his privileged access to hack into the personal accounts of thousands of Yahoo users, in his hunt for naked photographs and videos of young women. Read more in my article on the Hot for Security blog. (Graham Cluley)

Appearing on the Hacker Valley Studio podcast

Early last month Ron Eddings and Chris Cochran were kind enough to invite me back on their podcast, “Hacker Valley Studio” – and now the episode has been published! Take a listen. (Graham Cluley)

Boston bans government use of facial recognition

To help end systemic racism, we'll stay away from an error-prone technology that's been shown to have racial bias, the city council said. (Naked Security)

Monday review – the hot 11 stories of the week

Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time. (Naked Security)

Learn Java, C#, Python, Redux & More with This $40 Bundle

If you're a frequent Null Byte reader, chances are you're already up to speed with at least one or two programming languages or development platforms. But in a world that's becoming increasingly reliant on high-powered apps and responsive websites, knowing the fundamentals of just a few go-to programming languages isn't going to cut it if you want to be competitive and successful.

The Software Developer Certification Bundle can help round out your programming and development knowledge by introducing you to some of the industry's most relied-upon and in-demand coding languages and tools, and... more (Null Byte « WonderHowTo)

Purple Fox EK Adds Microsoft Exploits To Arsenal

(News ≈ Packet Storm)

Tech Companies Suspend Processing Hong Kong Data Requests

(News ≈ Packet Storm)

US Secret Service Reports An Increase In Hacked MSPs

(News ≈ Packet Storm)

Yahoo Engineer Hacks 6k Accounts for Porn, But Gets No Jail Time

(News ≈ Packet Storm)

Vulnerabilities Digest: June 2020

Highlights for June 2020

Cross site scripting is still the most common vulnerability in WordPress Plugins. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization. Massive local file inclusion (LFI) attempts have been discovered attempting to harvest WordPress and Magento credentials. Attackers continue to target old plugins with known vulnerabilities in an ongoing malware campaign targeting WordPress websites.

Continue reading Vulnerabilities Digest: June 2020 at Sucuri Blog. (Sucuri Blog)

Cato MDR: Managed Threat Detection and Response Made Easy

Lately, we can't help noticing an endless cycle where the more enterprises invest in threat prevention, the more hackers adapt and continue to penetrate enterprises.

To make things worse, detecting these penetrations still takes too long with an average dwell time that exceeds 100 (!) days.

To keep the enterprise protected, IT needs to figure out a way to break this endless cycle without (The Hacker News)

Android Users Hit with ‘Undeletable’ Adware

Researchers say that 14.8 percent of Android users who were targeted with mobile malware or adware last year were left with undeletable files. (Threatpost)

Admins Urged to Patch Critical F5 Flaw Under Active Attack

Security experts and the U.S. Cyber Command are urging admins to update a critical flaw in F5 Networks, which is under active attack. (Threatpost)

Lazarus Group Adds Magecart to the Mix

North Korea-based APT is targeting online payments made by American and European shoppers. (Threatpost)

Purple Fox EK Adds Microsoft Exploits to Arsenal

Two exploits for Microsoft vulnerabilities have been added to the Purple Fox EK, showing ongoing development. (Threatpost)


/security-daily/ 07-07-2020 23:44:21