Security daily (14-07-2020)

New IRAP reports for Australian customers are now available in AWS Artifact

Following our Information Security Registered Assessors Program (IRAP) assessment in December 2019, we are excited to announce that we have additional new IRAP documents now available in AWS Artifact as a result of the recent IRAP assessment at the PROTECTED level that was finished in June 2020. This includes an IRAP compliance report for 33 […] (AWS Security Blog)

The case for a National Cyber Director

Although the aftershocks of COVID-19 will last for years, one result is already clear — shifting more activity online has increased our society’s digital dependence even faster than expected. The federal government’s cybersecurity capabilities need to keep pace. Although some Federal agencies, particularly the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS), have made significant improvements over the last few years, at least three factors impede government-wide progress. First, cybersecurity’s cross-cutting nature does not fit with the U.S. government’s bureaucratic structure. Second, agencies are not incentivized to sustain the degree of coordination required for effective cybersecurity. Third, a lack of central leadership hinders effective incident response. No single policy action will solve these problems, but creating a National Cyber Director along the lines of what the Cyberspace Solarium Commission recommends would be a good start. Bureaucracies prefer issues that fit neatly into one organization’s mission. […] (CyberScoop)

After Assange indictment, DDoSecrets publishes old WikiLeaks chats, strategy sessions

Every anti-secrecy group operates in the long shadow of WikiLeaks. But that doesn’t mean WikiLeaks is off limits. Distributed Denial of Secrets, a semi-anonymous group of transparency activists, on Tuesday released the AssangeLeaks. It’s a collection of files that DDoSecrets says is meant to “illustrate how WikiLeaks operates behind closed doors” at a time when WikiLeaks founder Julian Assange is facing criminal charges in the U.S. in connection with a series of disclosures that contained information stolen from the U.S. military and other sources. DDoSecrets on June 19 published an unrelated database called #BlueLeaks, a collection of files including police training materials, police safety guidelines, covert data collection techniques and protest containment strategies. Upon that release, scholars who have followed the past generation of information activism, in which groups like Anonymous and WikiLeaks publish hacked information, suggested that DDoSecrets had emerged as a leading group of digital demonstrators. The AssangeLeaks cover […] (CyberScoop)

Microsoft issues patch for wormable Windows DNS Server flaw

Microsoft is issuing a patch for a severe and wormable Windows Domain Name System Server vulnerability that could allow attackers to execute arbitrary code against targets and gain control of targets’ entire IT infrastructure. The vulnerability, which was uncovered by a researcher at Check Point, would allow hackers to intercept and interfere with users’ emails and network traffic, tamper with services, and steal users’ credentials, by exploiting Windows’ Domain Name System (DNS) Server; DNS is essentially the protocol that translates between website names and their corresponding IP addresses. The vulnerability can be triggered by a malicious DNS response, which could lead to a heap-based buffer overflow, according to Check Point. The vulnerability, which Check Point has dubbed SigRed, is widespread as it affects all Windows Server versions, according to Microsoft. It’s the third serious vulnerability Microsoft has addressed just this month, following the emergency disclosure and patching of two critical vulnerabilities affecting Windows […] (CyberScoop)

In about-face, UK bans Huawei from 5G networks

The United Kingdom on Tuesday said it was banning Huawei equipment from the country’s high-speed 5G networks in a dramatic reversal and a blow to the Chinese technology giant. Starting in January 2021, U.K. telecommunications operators will be barred from buying Huawei 5G technology, and all Huawei equipment will be removed from 5G networks by the end of 2027, said Digital, Culture, Media and Sport Secretary Oliver Dowden. Citing both security concerns with Huawei and supply-chain restrictions from recent U.S. sanctions on the Chinese company, Dowden told British lawmakers that in the coming years, Britain “will have implemented in law an irreversible path for the complete removal of Huawei equipment from our 5G networks.” The decision is a victory for the Trump administration, which has for years pressured U.S. allies to abandon Huawei, one of the world’s top suppliers of 5G equipment. U.S. officials charge that the Chinese government could […] (CyberScoop)

US cyber officials urge patching of bug affecting up to 40K SAP customers

A critical vulnerability in applications made by software giant SAP could affect up to 40,000 SAP customers, offering a pathway for hackers to remotely steal or alter data, researchers warned Tuesday. At least 2,500 SAP systems with the vulnerability were exposed to the internet, making life easier for anyone who would want to exploit the bug, said researchers from Boston-based security company Onapsis. Exploiting the vulnerability could give a hacker administrative access to SAP software housing business and financial data, they said. The scope of the affected organizations and the importance of the SAP software to businesses prompted the Department of Homeland Security’s cybersecurity arm to issue an alert late Monday urging organizations to address the issue. “Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency strongly recommends organizations immediately apply patches,” CISA told affected organizations. […] (CyberScoop)

Chinese banks require clients to use tax programs laced with backdoors, report says

When a Chinese bank asked a new client to use a specific kind of tax software as a condition of doing business, the company didn’t know that the tax technology came with a backdoor that would give hackers a new way in, according to research from Trustwave. The Chinese bank had told the U.K.-based defense contractor that the Chinese government required firms to use that specific software tool to pay local taxes. However, findings published Tuesday by the security vendor Trustwave spotlight how the tax software’s developer has relied on a number of subcontractors to build software flaws into other software tools for years. The programs are required to be used through the Chinese government’s Chinese Golden Tax Project, a tax system launched in the 1990s meant to streamline tax administration, according to Trustwave. The security company did not identify the Chinese bank nor the U.K.-based defense contractor. The revelation that Beijing mandates […] (CyberScoop)

Taking steps to break down systemic racism in cybersecurity

Racism, like cybersecurity, is a national security issue. Systemic racism prevents diverse perspectives from informing policy and security. As a result, it hampers our ability to understand and combat misinformation and to address our society’s vulnerabilities so as to prevent our adversaries from exploiting them. Systemic racism also blinds us from seeing and leveraging the diverse experiences before us, undermining our ability to understand how all communities use technology and to ensure different voices are welcomed, heard, and protected in our national security institutions. We all have a role to play in the security of our nation, and there are so many institutional, systemic, and overt racial biases that make this problem so complex. So how do we start to dismantle them? We must start by acknowledging that these problems exist in our industry and begin taking tangible steps to educate ourselves on the impact of slavery and systemic racism […] (CyberScoop)

RATicate malware gang goes commercial

O, what tangled code we weave, when first we practise to deceive! (Naked Security)

EFF's New Database Reveals What Tech Local Police Are Using To Spy On You

(News ≈ Packet Storm)

Critical SAP Bug Allows Full Enterprise System Takeover

(News ≈ Packet Storm)

Malware In China Mandated Software More Extensive Than Thought

(News ≈ Packet Storm)

Infosec Burnout Is A Thing

(News ≈ Packet Storm)

Details For 142 Million MGM Hotel Guests For Sale On Dark Web

(News ≈ Packet Storm)

Web Professional Security Survey 2020

According to recent statistics, the web design industry in the United States is now worth more than $40 billion each year. It’s why our annual survey of agencies and web pros is so eagerly anticipated — and we hope you’ll participate in the Sucuri Web Professional Security Survey 2020. If you provide services like website development or online marketing, your insights will be invaluable. You can help shape a better experience for your peers and yourself, as these unique challenges become the subject of meaningful discussions around the world. (Sucuri Blog)

Adobe Issues July 2020 Critical Security Patches for Multiple Software

Adobe today released software updates to patch a total of 13 new security vulnerabilities affecting 5 of its widely used applications.

Out of these 13 vulnerabilities, four have been rated critical, and nine are important in severity.

The affected products that received security patches today include:

Adobe Creative Cloud Desktop Application, Adobe Media Encoder, Adobe Genuine Service, Adobe […] (The Hacker News)

New Highly-Critical SAP Bug Could Let Attackers Take Over Corporate Servers

SAP has patched a critical vulnerability impacting the LM Configuration Wizard component in NetWeaver Application Server (AS) Java platform, allowing an unauthenticated attacker to take control of SAP applications.

The bug, dubbed RECON and tracked as CVE-2020-6287, is rated with a maximum CVSS score of 10 out of 10, potentially affecting over 40,000 SAP customers, according to cybersecurity (The Hacker News)

Microsoft Tackles 123 Fixes for July Patch Tuesday

Eighteen critical bugs, impacting Windows Server, Office and Outlook, were fixed as part of the patch roundup. (Threatpost)

Critical DNS Bug Opens Windows Servers to Infrastructure Hijacking

Microsoft gives the ‘wormable’ flaw a security rating of 10 – the most severe warning possible. (Threatpost)

Adobe Discloses Critical Code-Execution Bugs in July Update

The software giant released patches for four critical vulnerabilities and five different platforms. (Threatpost)

DMARC Adoption Spikes, Higher Ed Remains Behind

As colleges and universities prepare for the fall semester, email protections against surging threats like BEC and phishing are lagging. (Threatpost)

Most Companies Are Ignoring Your Most Vulnerable Endpoint…and It’s Not the Laptop

Cybercriminals know that mobile devices are less secure, so it’s no surprise that last year Verizon found that 4 in 10 companies were breached through a mobile device. (Threatpost)

Leaked Details of 142 Million MGM Hotel Guests Found for Sale on Dark Web

Last summer’s data leak at the hotel chain appears to be far more expansive than previously thought -- or the credentials could come from a hack of DataViper. (Threatpost)

Critical SAP Bug Allows Full Enterprise System Takeover

Exploitation of the bug can allow an attacker to lift sensitive information, delete files, execute code, carry out sabotage and more. (Threatpost)


/security-daily/ 15-07-2020 23:44:23