Security daily (23-11-2020)

Zero Trust architectures: An AWS perspective

Our mission at Amazon Web Services (AWS) is to innovate on behalf of our customers so they have less and less work to do when building, deploying, and rapidly iterating on secure systems. From a security perspective, our customers seek answers to the ongoing question: What are the optimal patterns to ensure the right level […] (AWS Security Blog)

Suspected Chinese hackers impersonate Catholic news outlets to gather intel about Vatican diplomacy

After months of public reporting on a suspected Chinese hacking campaign targeting entities linked with diplomacy between the Vatican and Beijing, the hackers are still trying their luck. Researchers at the security firm Recorded Future first called out hackers affiliated with a group called Mustang Panda in July for their efforts to conduct espionage against targets involved in negotiations about the operations of the Catholic Church in China, a historically fraught topic. After Recorded Future published its research on the hacking spree, attackers briefly paused their activity only to resume two weeks later with the same toolset. Now the same group is back at it, with an effort to evade detection, according to Proofpoint research published Monday. This time, attackers updated their technique to deliver malware in order to avoid being noticed, according to Proofpoint researchers. While earlier this year the hackers targeted the diplomatic entities using a remote access trojan, a PlugX variant […] The post Suspected Chinese hackers impersonate Catholic news outlets to gather intel about Vatican diplomacy appeared first on CyberScoop. (CyberScoop)

Biden’s DHS pick was a ‘quick study’ of cybersecurity issues as the department’s deputy

Alejandro Mayorkas, President-elect Joe Biden’s choice to run the Department of Homeland Security, gained an appreciation for how cyberthreats factor into national security challenges when he was deputy of the department from 2013 to 2016, former U.S. officials who know Mayorkas told CyberScoop. As DHS’s No. 2, the Cuban-American lawyer took a close interest in the department’s work on cyberthreat-sharing with the private sector, and was involved in negotiations with China over a 2015 agreement forbidding intellectual property theft. Mayorkas also witnessed the U.S. response to major state-sponsored hacking operations, from China’s alleged breach of the Office of Personnel Management to Russia’s probing of election infrastructure in 2016. Mayorkas is now poised to be a central figure in how the incoming Biden administration responds to such threats. “He clearly understood [cybersecurity] issues and why they were important and was a good advocate for DHS’s part in that,” said Christopher Painter, […] The post Biden’s DHS pick was a ‘quick study’ of cybersecurity issues as the department’s deputy appeared first on CyberScoop. (CyberScoop)

'Smart' doorbells for sale on Amazon, eBay came stocked with security vulnerabilities

Holiday shoppers looking for a wireless-connected doorbell might want to take a closer look at the device’s security features. The U.K.-based security company NCC Group and consumer advocacy group Which? have found vulnerabilities in 11 “smart” doorbells sold on popular platforms like Amazon and eBay. One flaw could allow a remote attacker to break into the wireless network by swiping login credentials. Another critical bug, which has been around for years, could enable attackers to intercept and manipulate data on the network. The investigation focused on doorbells made by often obscure vendors, but which nonetheless earned top reviews and featured prominently on Amazon and eBay. The researchers raised concerns that some of the devices were storing sensitive data, including location data and audio and video captured by the doorbell’s camera, on insecure servers. One device made by a company called Victure, for example, sent a user’s wireless name and password, […] The post 'Smart' doorbells for sale on Amazon, eBay came stocked with security vulnerabilities appeared first on CyberScoop. (CyberScoop)

After years of work, Congress passes 'internet of things' cybersecurity bill — and it's kind of a big deal

Congress last week did something that it rarely does: It passed a meaningful cybersecurity bill. The legislation is aimed at enhancing the safeguards of internet-connected devices — also known as the internet of things (IoT) — such as smart sensors that monitor water quality or control ships in waterway locks. The bill is also a major step toward the federal government encouraging vulnerability disclosure policies that implement programs for organizations to work with security researchers to fix software flaws. “It is arguably the most significant U.S. IoT-specific cybersecurity law to date, as well as the most significant law promoting coordinated vulnerability disclosure in the private sector to date,” said Harley Geiger, director of public policy at Rapid7, a cybersecurity company. All it took to get across the finish line was more than three years of bipartisan work, encroaching state and foreign government IoT rules, a ticking legislative clock, goodwill toward […] The post After years of work, Congress passes 'internet of things' cybersecurity bill — and it's kind of a big deal appeared first on CyberScoop. (CyberScoop)

Another 'Minecraft' lesson for kids: Beware of deceitful adware apps

Part of the appeal of “Minecraft” is that the in-game experience is highly customizable with thousands of bits of third-party software. For mobile versions of the game, those “mods” can be downloaded as separate apps. If you pay attention to app-store security, you can probably guess where this is going, especially if you have kids. More than 20 of the “Minecraft” mods recently available in the Google Play Store didn’t do much for the game at all, and instead displayed ads on smartphones and tablets “in an extremely intrusive manner,” according to researchers at Kaspersky. The cybersecurity company says the store has taken down most of the apps since the researchers reported them, but a handful were still available as of Monday morning. Kaspersky’s findings are the latest reminder that mobile devices remain attractive targets for nuisance adware. And the makers of those sneaky apps aren’t really worried about customer […] The post Another 'Minecraft' lesson for kids: Beware of deceitful adware apps appeared first on CyberScoop. (CyberScoop)

Naked Security Live – Beat the Threat!

Here's the latest Naked Security Live video - how to beat the crooks! Watch now... (Naked Security)

13 Black Friday Deals on Courses That Will Beef Up Your Hacking & Programming Skill Set

It's Black Friday time, and in 2020, that means a lot of online deals to make up for more stores closing on Thanksgiving, as well as everyone avoiding in-person shopping because of the coronavirus. But while you may wish to grab a better 65-inch 4K TV, the new PlayStation 5, or some hacker hardware on sale, Black Friday is also the best time to invest in your programming and cybersecurity education.

Whether you're a new Null Byte reader, IT specialist, professional pentester, amateur white hat, or anyone interested in programming languages, coding, and ethical hacking, we've got some great... more (Null Byte « WonderHowTo)

Save 50% on a Lifetime Subscription to the #1 Top-Grossing Language-Learning App in the World

There's no denying that adding more programming languages to your arsenal is crucial to boosting your career, but learning a new language in the literal sense is just as enriching and mentally stimulating. Not only will you be smarter — those who know more than one language are known to have better reasoning, problem-solving skills, and creativity — but it'll also open you up to more job opportunities.

Contrary to popular belief, it isn't as tough as you think. Not when you have access to Babbel, the #1 top-grossing language-learning app in the world. For a limited time, you can snag a... more (Null Byte « WonderHowTo)

Attackers Dupe GoDaddy Staff Into Helping Them Take Down Cryptocurrency Services

(News ≈ Packet Storm)

GitHub Fixes High Severity Security Flaw Spotted By Google

(News ≈ Packet Storm)

TikTok Patches XSS And Account Takeover Exploit

(News ≈ Packet Storm)

Smart Doorbells Are Easy Targets For Hackers

(News ≈ Packet Storm)

Hidden SEO Spam Link Injections on WordPress Sites

Often when a website is injected with SEO spam, the owner is completely unaware of the issue until they begin to receive warnings from search engines or blacklists. This is by design — attackers intentionally try to prevent detection by arranging injected links so they are not visible to average human traffic. One of the techniques attackers use is to “push” the injected SEO spam links off the visible portion of the website. Continue reading Hidden SEO Spam Link Injections on WordPress Sites at Sucuri Blog. (Sucuri Blog)
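The "pushed off the visible page" trick described above can be checked for mechanically rather than by eye. The scanner below is an added example, not Sucuri's code: it walks a page's HTML with the standard-library parser and reports every anchor whose own inline style, or an ancestor's, hides or displaces it; the footer HTML and the spam.example URLs are constructed sample input.

```python
import re
from html.parser import HTMLParser
# Inline-style patterns that hide or displace an element without removing it.
OFFSCREEN_RULES = [
    (re.compile(r"display\s*:\s*none"), "display:none"),
    (re.compile(r"(?:text-indent|left|top|margin-(?:left|top))\s*:\s*-\d{3,}px"), "pushed off-screen"),
    (re.compile(r"(?:height|width|font-size)\s*:\s*0(?:px)?\s*(?:;|$)"), "zero size"),
    (re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"), "zero opacity"),
]

class HiddenLinkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self._stack = []      # (tag, reasons inherited so far) for open elements
        self._current = None  # anchor whose text is being collected
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").lower()
        reasons = [name for rx, name in OFFSCREEN_RULES if rx.search(style)]
        inherited = self._stack[-1][1] if self._stack else []  # a hidden parent hides the link
        self._stack.append((tag, inherited + reasons))
        if tag == "a":
            self._current = {"href": a.get("href") or "", "text": "", "reasons": inherited + reasons}
    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            if self._current["reasons"]:
                self.findings.append(self._current)
            self._current = None
        for i in range(len(self._stack) - 1, -1, -1):  # unwind, tolerating unclosed tags
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

def find_hidden_links(html):
    """Return (href, link text, reasons) for every anchor a visitor cannot see."""
    p = HiddenLinkScanner()
    p.feed(html)
    p.close()
    return [(f["href"], f["text"].strip(), f["reasons"]) for f in p.findings]

SAMPLE = """<footer><a href="/about">About us</a>
<div style="position:absolute; left:-9999px;"><a href="http://spam.example/pills">cheap pills</a></div>
<a href="http://spam.example/casino" style="display:none">casino bonus</a>
<span style="font-size:0;"><a href="http://spam.example/loans">payday loans</a></span>
<a href="/contact" style="opacity:0.9">Contact</a></footer>"""  # constructed sample, not a real site
```

Running `find_hidden_links(SAMPLE)` reports the three spam anchors with the rule that hid each one and leaves the two visible links alone; styles applied through external stylesheets or JavaScript are out of scope for this inline-only check.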

Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending

VMware explained it has no patch for a critical escalation-of-privileges bug that impacts both Windows and Linux operating systems and its Workspace One. (Threatpost)

GoDaddy Employees Tricked into Compromising Cryptocurrency Sites

‘Vishing’ attack on GoDaddy employees gave fraudsters access to cryptocurrency service domains NiceHash, Liquid. (Threatpost)

TA416 APT Rebounds With New PlugX Malware Variant

The TA416 APT has returned in spear phishing attacks against a range of victims - from the Vatican to diplomats in Africa - with a new Golang version of its PlugX malware loader. (Threatpost)

Spotify Users Hit with Rash of Account Takeovers

Users of the music streaming service were targeted by attackers using credential-stuffing approaches. (Threatpost)


/security-daily/ 24-11-2020 23:44:23