13-09-202015-09-2020

Security daily (14-09-2020)

Integrating AWS CloudFormation security tests with AWS Security Hub and AWS CodeBuild reports

The concept of infrastructure as code, by using pipelines for continuous integration and delivery, is fundamental for the development of cloud infrastructure. Including code quality and vulnerability scans in the pipeline is essential for the security of this infrastructure as code. In one of our previous posts, How to build a CI/CD pipeline for container […] (AWS Security Blog)

Chinese intelligence-linked hackers are exploiting known flaws to target Washington, US says

Hackers connected to a Chinese intelligence agency have infiltrated U.S. government and the private sector entities in recent months by exploiting a series of common vulnerabilities, the FBI and Department of Homeland Security’s cybersecurity agency announced Monday. Attackers tied to China’s civilian intelligence and counterintelligence service, the Ministry of State Security (MSS), have been using phishing emails with malicious links to infiltrate victim organizations, according to the alert. By including malicious software in those messages, hackers are exploiting software flaws in commercial technologies and open-source tools, including services with known fixes. F5 Networks’ Big-IP Traffic Management User Interface, Citrix VPN Appliances, Pulse Secure VPN appliances, and Microsoft Exchange Server are among those affected, says the report from the FBI and DHS’ Cybersecurity and Infrastructure Security Agency (CISA). All of these are tools are open source and commercially available, making potentially high value espionage targets in the U.S. government relatively easy and low-cost for state-sponsored hackers […] The post Chinese intelligence-linked hackers are exploiting known flaws to target Washington, US says appeared first on CyberScoop. (CyberScoop)

Security researchers slam Voatz brief to the Supreme Court on anti-hacking law

A group of high-profile cybersecurity specialists doesn’t want mobile voting firm Voatz to have the last word before the Supreme Court takes up a case with major implications for computer research. The security practitioners, including computer scientists and vulnerability disclosure experts, on Monday criticized Voatz’s argument that a federal anti-hacking law should only authorize researchers with clear permission to probe computer systems for vulnerabilities. An amicus brief filed by Voatz earlier this month, the security specialists charged, “fundamentally misrepresents widely accepted practices in security research and vulnerability disclosure.” At issue is the Computer Fraud and Abuse Act (CFAA), a more than 30-year-old law that legal experts say could be abused to target good-faith researchers who break systems while trying to make them more secure. The Supreme Court is set to consider whether corporate terms of service can be considered an inviolable boundary under the CFAA when it resumes in October. Legal experts and […] The post Security researchers slam Voatz brief to the Supreme Court on anti-hacking law appeared first on CyberScoop. (CyberScoop)

Naked Security Live – “Should you worry about your wallpaper?”

Naked Security Live - here's the recorded version of our latest video. Enjoy. (Naked Security)

How to Use SUDO_KILLER to Identify & Abuse Sudo Misconfigurations

Sudo is a necessity on most Linux systems, most of which are probably being used as web servers. While the principle of least privilege is typically applied, sudo misconfigurations can easily lead to privilege escalation if not properly mediated. Which brings us to SUDO_KILLER, a tool used to identify sudo misconfigurations that can aid in privilege escalation.

The most glaring misconfiguration is running an outdated version of sudo, especially one that has known vulnerabilities. There is simply no excuse for it, and often the best course of action from a defensive point of view is just... more (Null Byte « WonderHowTo)

Zerologon Attack Lets Hackers Take Over Enterprise Networks

(News ≈ Packet Storm)

Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs

Monday's CISA advisory is a staunch reminder for federal government and private sector entities to apply patches for flaws in F5 BIG-IP devices, Citrix VPNs, Pulse Secure VPNs and Microsoft Exchange servers. (Threatpost)

Cloud Leak Exposes 320M Dating-Site Records

A misconfigured, Mailfire-owned Elasticsearch server impacted 70 dating and e-commerce sites, exposing PII and details such as romantic preferences. (Threatpost)

TikTok Fixes Flaws That Opened Android App to Compromise

The flaws are disclosed as Oracle reportedly partners with TikTok as concerns in the U.S. over spying continue. (Threatpost)

Magecart Attack Impacts More Than 10K Online Shoppers

Close to 2,000 e-commerce sites were infected over the weekend with a payment-card skimmer, maybe the result of a zero-day exploit. (Threatpost)

13-09-202015-09-2020

/security-daily/ 15-09-2020 23:44:22