Security daily (22-06-2020)

Accreditation models for secure cloud adoption

Today, as part of its Secure Cloud Adoption series, AWS released new strategic outlook recommendations to support decision makers in any sector considering or planning for secure cloud adoption. “Accreditation Models for Secure Cloud Adoption” provides best practices with respect to cloud accreditation to help organizations capitalize on the security benefits of commercial cloud computing, […] (AWS Security Blog)

Moroccan journalist targeted by NSO Group spyware, Amnesty International says

Amnesty International said Sunday its security team found evidence of abuse on a Moroccan journalist’s cell phone that can be tied back to spyware developed by NSO Group. The journalist, Omar Radi, was targeted by surveillance software capable of tracking texts, calls, emails, camera, and more — just days after NSO Group, the Israeli surveillance software company, announced it would stop its products from being used to perpetuate human rights abuses, according to Amnesty International. Although the attackers behind the targeting are unconfirmed, Amnesty says evidence indicates the Moroccan government is behind the surveillance. NSO Group has repeatedly said it only sells its technology to governments. The targeting of Radi came at a time when he was being repeatedly harassed by the Moroccan government between January 2019 and January 2020. Radi was targeted by a series of network injection attacks, which allowed attackers to intercept and manipulate targets’ internet traffic, Amnesty International said. […] The post Moroccan journalist targeted by NSO Group spyware, Amnesty International says appeared first on CyberScoop. (CyberScoop)

Feds aim to bolster data encryption practices for .gov websites

The Trump administration is urging domain operators to include an extra layer of security on federal websites in an attempt to reduce the risk that hackers will spy on site visitors. The goal, which officials said could take “a few years” to achieve, is to get all websites with the .gov internet domain to use a standard that always encrypts a user’s connection to that site. Using that encryption by default is a way for agencies to boost security for a swath of public data being routed through internet domains they control. The security benefits of doing that “are meaningful and necessary to continue meeting the public’s expectation of safety on .gov services,” the General Services Administration, which oversees top-level domains for the U.S. government, said in a blog post published Sunday. The initiative builds on the use of HTTPS, a security protocol that internet users have come to expect from websites. HTTPS is meant to ensure that websites are legitimate, and protects […] The post Feds aim to bolster data encryption practices for .gov websites appeared first on CyberScoop. (CyberScoop)

Here's what John Bolton had to say about cybersecurity policy in his new book

In his new book, former national security adviser John Bolton says that squabbling amongst Trump administration officials hobbled the White House’s efforts to issue new policies that shaped the U.S. government’s offensive and defensive cyber-operations. The book, “The Room Where It Happened: A White House Memoir,” which CyberScoop obtained, provides an insider’s view of the U.S. government’s largely secretive approach to revamping cyber policy in the last two years. Aside from cyber-operations, Bolton paints President Donald Trump as preoccupied and angered by cybersecurity-related issues, as well as all too willing to use hacking to prop up his political goals in negotiations with China and Ukraine. “We needed to do two things: first, we needed a Trump Administration cyber strategy, and second, we needed to scrap the Obama-era [offensive cyber-operations] rules and replace them with a more agile, expeditious decision-making structure,” Bolton writes of his time negotiating new policies with national security and intelligence officials in 2018. […] The post Here's what John Bolton had to say about cybersecurity policy in his new book appeared first on CyberScoop. (CyberScoop)

'Distributed Denial of Secrets' publishes 'Blue Leaks,' a trove of law enforcement records

An anonymous hacktivist group says it’s published a trove of sensitive law enforcement data that originated with hundreds of police departments in an apparent effort to expose police abuses amid ongoing demonstrations across the U.S. The “Distributed Denial of Secrets” group marked Juneteenth, the June 19 holiday marking the end of slavery in the U.S., by publishing a searchable database containing 269 GB of data apparently stolen from more than 200 law enforcement agencies. The database, which the group has named “Blue Leaks,” appears to contain police training materials, police safety guidelines and protest containment strategies. The files also may contain names, email addresses, phone numbers and a large number of text and video files, according to a June 20 alert from the National Fusion Center Association obtained by security journalist Brian Krebs. The association reported that the data surfaced following an apparent breach at Netsential, a Houston-based web development […] The post 'Distributed Denial of Secrets' publishes 'Blue Leaks,' a trove of law enforcement records appeared first on CyberScoop. (CyberScoop)

Stalker Online hacked! Over one million gamers’ passwords made available for download

More than one million players of the video game Stalker Online have been put at risk after hackers offered their passwords for sale on the darknet. (Graham Cluley)

Anatomy of a survey scam – how innocent questions can rip you off

We take part in a fraudulent survey so you don't have to. Show your friends and family how these scams unfold. (Naked Security)

Hacker indicted for stealing 65K employees’ PII in medical center hack

The Detroit man allegedly bragged about wanting to "play with PeopleSoft" - the HR management software he called "basically HR in a box." (Naked Security)

Monday review – the hot 16 stories of the week

Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time. (Naked Security)

296 Gigs Of Police Data Published In BlueLeaks

(News ≈ Packet Storm)

Encrypted Phone Network Shutting Down After Police Hack

(News ≈ Packet Storm)

Microsoft Details How Sophisticated Attacks Can Move Quickly

(News ≈ Packet Storm)

Is Spyware Technology Helping Governments Hack Phones?

(News ≈ Packet Storm)

Cross Site Scripting in YITH WooCommerce Ajax Product Filter

During a routine research audit for our Sucuri Web Application Firewall, we discovered a cross-site scripting (XSS) vulnerability affecting 100,000+ users of the YITH WooCommerce Ajax Product Filter plugin.

Current State of the Vulnerability

This security bug was fixed in the 3.11.1 release. We are not aware of any exploit attempts currently using this vulnerability.

Disclosure / Response Timeline

Jun 4, 2020: Initial contact.
Jun 22, 2020: Patch is live.

Continue reading Cross Site Scripting in YITH WooCommerce Ajax Product Filter at Sucuri Blog. (Sucuri Blog)

Hackers Leaked 269 GB of U.S. Police and Fusion Centers Data Online

A group of hacktivists and transparency advocates has published a massive 269 GB of data allegedly stolen from more than 200 police departments, fusion centers, and other law enforcement agencies across the United States.

Dubbed BlueLeaks, the exposed data leaked by the DDoSecrets group contains hundreds of thousands of sensitive documents from the past ten years with official and personal (The Hacker News)

Over 100 New Chrome Browser Extensions Caught Spying On Users

Google recently removed 106 more extensions from its Chrome Web Store after they were found illegally collecting sensitive user data as part of a "massive global surveillance campaign" targeting oil and gas, finance, and healthcare sectors.

Awake Security, which disclosed the findings late last week, said the malicious browser add-ons were tied back to a single internet domain registrar, (The Hacker News)

Report: ‘BlueLeaks’ Exposes Sensitive Data From Police Departments

DDoSecrets has published data from over 200 police departments, law enforcement training and support resources and fusion centers. (Threatpost)

Adobe Prompts Users to Uninstall Flash Player As EOL Date Looms

Adobe will prompt Flash Player users to uninstall the application before the Dec. 31, 2020 end of life date hits. (Threatpost)

AMD: Fixes For High-Severity SMM Callout Flaws Upcoming

AMD has fixed one high-severity vulnerability affecting its client and embedded processors; fixes for the other two will come out later in June. (Threatpost)


/security-daily/ 23-06-2020 23:44:23