
Security daily (19-08-2021)

Access token security for microservice APIs on Amazon EKS

In this blog post, I demonstrate how to implement service-to-service authorization using OAuth 2.0 access tokens for microservice APIs hosted on Amazon Elastic Kubernetes Service (Amazon EKS). A common use case for OAuth 2.0 access tokens is to facilitate user authorization to a public facing application. Access tokens can also be used to identify and […] (AWS Security Blog)

New York man sentenced to 3 years for stealing students' nude photos after hacking their accounts

A federal judge sentenced a New York man to three years in federal prison for hacking the accounts of dozens of female college students to access private nude photos, the Justice Department said Thursday. Nicholas Farber, of Rochester, pleaded guilty in February to working with a co-conspirator between 2017 and 2019 to access the school emails of dozens of female SUNY Plattsburgh students. He then leveraged access to those accounts in order to access students’ Facebook, Snapchat and cloud accounts from which he stole private nude photographs and movies. Farber then traded the images online with an unnamed number of individuals. He was charged with computer fraud and aggravated identity theft for the hacking. Farber, a SUNY Plattsburgh graduate, is also ordered to pay $35,430 in restitution to the school for the costs of investigating and resetting the compromised accounts and then notifying victims. Farber’s accomplice, Michael Fish, pleaded guilty […] (CyberScoop)

Researchers nab wannabe ransomware scammer trying to convince victims to help hack their employer

Ransomware operators have taken their profession’s profitability to new heights in the last couple years by outsourcing their work with the “ransomware-as-a-service” model, in which hackers lease out their malware in exchange for shares of the resulting extortion payments. Now, a cyber firm has found a ransomware operator going one step further: asking prospective victim companies’ personnel to deploy ransomware on their behalf, then take a cut of the proceeds. Abnormal Security on Thursday said it recently blocked a batch of emails to its customers that solicited recipients to infect their employers’ networks with ransomware. Researchers set up a fake identity to communicate with the would-be ransomware/insider scheme mastermind — who went by the screen name “Pablo” — under the ruse that the persona would do Pablo’s criminal bidding. The incident, which occurred in mid-August, marks another tactical swerve in the ever-shifting world of ransomware techniques, and if Pablo’s to […] (CyberScoop)

S3 Ep46: Copyright scams, video snooping and Grand Theft Crypto [Podcast]

Latest episode - listen, laugh and learn! This week, Chester Wisniewski joins us on the show. (Naked Security)

Friendly Hackers Save Ford From Potential Data Leak

(News ≈ Packet Storm)

Postmortem On U.S. Census Hack Exposes Cybersecurity Failures

(News ≈ Packet Storm)

Fortinet Slams Rapid7 For Disclosing Vulnerability

(News ≈ Packet Storm)

GitHub Pushes Users To Enable 2FA

(News ≈ Packet Storm)

What’s Next for T-Mobile and Its Customers? – Podcast

Hopefully not a hacked-up hairball of a “no can do” message when customers rush to change their PINs. In this episode: Corporate resilience vs. the opposite. (Threatpost)

How Ready Are You for a Ransomware Attack?

Oliver Tavakoli, CTO at Vectra, lays out the different layers of ransomware defense all companies should implement. (Threatpost)

Critical Cisco Bug in Small Business Routers to Remain Unpatched

The issue affects a range of Cisco Wireless-N and Wireless-AC VPN routers that have reached end-of-life. (Threatpost)

InkySquid State Actor Exploiting Known IE Bugs

The North Korea-linked APT group leverages known Internet Explorer vulns for watering-hole attacks. (Threatpost)

Windows EoP Bug Detailed by Google Project Zero

Microsoft first dismissed the elevation of privilege flaw but decided yesterday that attackers injecting malicious code is worthy of attention. (Threatpost)

COVID-19 Contact-Tracing Data Exposed, Fake Vax Cards Circulate

COVID-19-related exploitation and abuse is on the rise as vaccine data opens new frontiers for threat actors. (Threatpost)

Postmortem on U.S. Census Hack Exposes Cybersecurity Failures

Government says cybersecurity failures were many within failed January hack of U.S. Census Bureau systems. (Threatpost)


/security-daily/ 20-08-2021 23:44:22