Security daily (09-10-2020)

How to add authentication to a single-page web application with Amazon Cognito OAuth2 implementation

In this post, I’ll be showing you how to configure Amazon Cognito as an OpenID provider (OP) with a single-page web application. This use case describes using Amazon Cognito to integrate with an existing authorization system following the OpenID Connect (OIDC) specification. OIDC is an identity layer on top of the OAuth 2.0 protocol to […] (AWS Security Blog)

Researchers' experience with Apple offers peek at 'confusing' vulnerability award process

Five researchers who found 55 vulnerabilities in Apple’s online services and assets, some of which were critical vulnerabilities, received nearly $300,000 from the Silicon Valley giant Thursday – but it was a journey to get there. At first, the researchers were only paid a fraction of that, and the road to a larger payment — which appears to align more with typical Apple vulnerability research rewards — has been frustrating and confusing, according to one of the researchers involved. The experience offered a window into Apple’s relatively nascent bug bounty initiative, in its infancy compared to other major tech companies’ programs after only fully opening to the public last year. The vulnerabilities, which the researchers investigated over the last three months, included 11 critical and 29 high-severity flaws. One would allow attackers to compromise victims’ iCloud accounts without any user interaction. Another would allow remote code execution via authorization and authentication bypass. Apple said it does not appear that […] The post Researchers' experience with Apple offers peek at 'confusing' vulnerability award process appeared first on CyberScoop. (CyberScoop)

Twitter to limit politicians' premature claims of victory, remove calls for violence

With less than a month until Election Day in the U.S., Twitter said it would limit politicians’ ability to claim premature electoral victories, and remove calls for violence or interference in election results. Tweets claiming false victories will be flagged and users will be directed to credible information about the election, the company announced Friday. Any tweet intended to incite electoral interference, whether in the presidential or congressional races, will be removed. The policy change comes amid a contentious election in which President Donald Trump has repeatedly questioned the integrity of the vote and made unfounded claims about fraud. Twitter has been labeling Trump’s tweets about mail-in voting and directing users to factual information, but critics have called on the platform to do more. In the unrest following the killing of George Floyd, an unarmed Black man, in May, Trump tweeted, “when the looting starts, the shooting starts,” a message […] The post Twitter to limit politicians' premature claims of victory, remove calls for violence appeared first on CyberScoop. (CyberScoop)

Negligent data center shutdowns bring $60 million fine for Morgan Stanley

Investment bank Morgan Stanley is paying a $60 million fine to the U.S. government for mishandling the decommissioning of two data centers in 2016, and potentially exposing customer information. The bank reported the problem to wealth management customers this summer, saying that pieces of hardware from the facilities still had some customer data on them after they reached a recycler. In 2019, a similar situation arose during the decommissioning of network devices that stored customer data, according to the Office of the Comptroller of the Currency, the Treasury Department agency that announced the fine Thursday. The case is a reminder that potential data breaches come in many forms beyond the usual concepts of cybercriminals hacking into networks or using business email compromise to trick employees. In both cases at Morgan Stanley, the bank “failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in […] The post Negligent data center shutdowns bring $60 million fine for Morgan Stanley appeared first on CyberScoop. (CyberScoop)

S3 Ep1: Ransomware – is it really OK to pay? – Naked Security Podcast

Our podcast is back for Series 3 - here's Episode 1! (Naked Security)

Apple Pays $288,000 To White Hat Hackers

(News ≈ Packet Storm)

Facebook Removes Hundreds Of Fake Profiles Tied To Pro-Trump Group

(News ≈ Packet Storm)

Facebook Debuts Bug Bounty Loyalty Program

(News ≈ Packet Storm)

Wormable Apple iCloud Bug Allows Automatic Photo Theft

(News ≈ Packet Storm)

Chrome Changes How Its Cache Works To Improve Privacy

(News ≈ Packet Storm)

Opening the Conversation about Website Security

The responsibility of ensuring that a website is protected falls on the website owner, but the security expectation may fall on the web service provider too. As a professional, you are the trusted party and first point of contact. Much of what your clients learn about web technology and security specifically comes from you. In other words, you have the ability to impact your client’s online security posture. Continue reading Opening the Conversation about Website Security at Sucuri Blog. (Sucuri Blog)

55 New Security Flaws Reported in Apple Software and Services

A team of five security researchers analyzed several Apple online services for three months and found as many as 55 vulnerabilities, 11 of which are critical in severity. The flaws — including 29 high severity, 13 medium severity, and 2 low severity vulnerabilities — could have allowed an attacker to "fully compromise both customer and employee applications, launch a worm capable of (The Hacker News)

Fitbit Spyware Steals Personal Data via Watch Face

Immersive Labs Researcher takes advantage of lax Fitbit privacy controls to build a malicious spyware watch face. (Threatpost)

Sophisticated Android Ransomware Executes with the Home Button

The malware also has a unique machine-learning module. (Threatpost)

Facebook Debuts Bug-Bounty ‘Loyalty Program’

Facebook bounty hunters will be placed into tiers by analyzing their score, signal and number of submitted bug reports -- which will dictate new bonus percentages. (Threatpost)

Wormable Apple iCloud Bug Allows Automatic Photo Theft

Ethical hackers so far have earned nearly $300K in payouts from the Apple bug-bounty program for discovering 55 bugs, 11 of them critical, during a three-month hack. (Threatpost)
/security-daily/ 10-10-2020 23:44:24