09-02-202111-02-2021

Security daily (10-02-2021)

Mitigate data leakage through the use of AppStream 2.0 and end-to-end auditing

Customers want to use AWS services to operate on their most sensitive data, but they want to make sure that only the right people have access to that data. Even when the right people are accessing data, customers want to account for what actions those users took while accessing the data. In this post, we […] (AWS Security Blog)

Ex-government officials urge US to take action to avoid another SolarWinds-style hack

The U.S. government requires dramatic updates to its current approach toward cybersecurity if Americans want to avoid the kind of cyber-espionage campaigns that have recently rocked the national security establishment, a panel of security practitioners told Congress Wednesday.   During testimony in front of the House Homeland Security Committee, former top intelligence official Sue Gordon likened the state of data protection in the U.S. to the stock market crash of 1929, which triggered the Great Depression. The government responded to reckless behavior on Wall Street by creating oversight in the form of the U.S. Securities and Exchange Commission and requiring regular financial filings from publicly-listed companies. Recent events in cyberspace — such as an alleged Russian espionage campaign involving the federal contractor SolarWinds and a Feb. 5 hack at a Florida water treatment facility — are proof that the U.S. faces a similar moment of reckoning in 2021, Gordon said.  “We […] The post Ex-government officials urge US to take action to avoid another SolarWinds-style hack appeared first on CyberScoop. (CyberScoop)

Federal election agency adopts updated voting security standards. Not everyone is happy.

The Election Assistance Commission on Wednesday voted to adopt the first comprehensive update to its voting system security guidelines in more than 15 years, concluding a lengthy process that ended with a mixed reception from some election security experts. The security community largely greeted the update as a security upgrade to standards that most states rely upon at least partially for their own equipment testing and certification. A significant number of academics, activists and even some in Congress, though, voiced displeasure in particular for how the so-called Voluntary Voting System Guidelines 2.0 would handle wireless connections on voting systems. The update stands to shape the next generation of voting systems that election vendors produce for use around the country during a period of sinking trust in the electoral process. Regardless, the more than five-year drafting process and resulting EAC vote won’t immediately transform election security because states, equipment manufacturers and […] The post Federal election agency adopts updated voting security standards. Not everyone is happy. appeared first on CyberScoop. (CyberScoop)

Florida hack highlights security shortages in US water sector

A hack that apparently affected a Florida water facility’s chemical setting is emblematic of a water sector that’s short on money, cybersecurity personnel and often reliant on the practices of vendors, experts say. The Feb. 5 incident in Oldsmar, a Florida town of 15,000 people, involved a still-unidentified hacker infiltrating the local water treatment facility’s computer system and trying to increase the amount of sodium hydroxide to a potentially dangerous level, local authorities said. The substance is used in the water purification process but can be toxic at higher levels. No harm was done to public health — the facility had safety checks in place — but the level of access obtained by the attacker has prompted calls for tighter security in the sector. The breach is an uncomfortable reminder that water facilities struggle to invest as much money in effective security as other industrial organizations, even as they face “an […] The post Florida hack highlights security shortages in US water sector appeared first on CyberScoop. (CyberScoop)

SIM-swapping gang busted for targeting 'influencers, sports stars, musicians'

International police say 10 suspects have been arrested for fraudulently accessing the phones of celebrities to steal about $100 million cryptocurrency as well as personal data throughout 2020. The sting included eight arrests in the United Kingdom as well as one in Malta and another in Belgium, according to Europol. The U.S. Secret Service, Department of Homeland Security and FBI were all involved in the operation, the U.K.’s National Crime Agency (NCA) said Wednesday. As of Wednesday morning, it was unclear who the victims were, but the NCA said they included “well-known influencers, sports stars, musicians, and their families.” Neither Europol nor the NCA named the suspects. Victims’ phones were targeted via SIM swapping, police said. Unlike a direct hack on a person’s device, SIM swapping — also known as SIM hijacking — typically involves a little help from other humans. Scammers often take over a person’s digital profile by […] The post SIM-swapping gang busted for targeting 'influencers, sports stars, musicians' appeared first on CyberScoop. (CyberScoop)

Patch now to stop hackers blindly crashing your Windows computers

Patch early, patch often. In fact, patch now if you haven't already. Here's why. (Naked Security)

Actively Exploited Windows Kernel EoP Bug Allows Takeover

(News ≈ Packet Storm)

Attackers Exploit Critical Adobe Flaw To Target Windows Users

(News ≈ Packet Storm)

Bitcoin Consumes More Electricity Than Argentina

(News ≈ Packet Storm)

Authorities Arrest SIM Swapping Gang That Targeted Celebrities

(News ≈ Packet Storm)

SAP Commerce Critical Security Bug Allows RCE

The critical SAP cybersecurity flaw could allow for the compromise of an application used by e-commerce businesses. (Threatpost)

Hacker Sets Alleged Auction for Witcher 3 Source Code

The ransomware gang behind the hack of CD Projekt Red may be asking for $1 million opening bids for the company's valuable data. (Threatpost)

Hybrid, Older Users Most-Targeted by Gmail Attackers

Researchers at Google and Stanford analyzed a 1.2 billion malicious emails to find out what makes users likely to get attacked. 2FA wasn't a big factor. (Threatpost)

Intel Squashes High-Severity Graphics Driver Flaws

Intel is warning on security bugs across its graphics drivers, server boards, compute modules and modems. (Threatpost)

The time for Insider Risk Management is now: Code42 2021 Data Exposure Report Reveals a Perfect Storm

The Code42 2021 Data Exposure Report highlights the need to adopt a new approach to data security and invest in modern Insider Risk technology. (Threatpost)

09-02-202111-02-2021

/security-daily/ 11-02-2021 23:44:23