
Security daily (29-06-2020)

How to build a CI/CD pipeline for container vulnerability scanning with Trivy and AWS Security Hub

In this post, I’ll show you how to build a continuous integration and continuous delivery (CI/CD) pipeline using AWS Developer Tools, as well as Aqua Security's open source container vulnerability scanner, Trivy. You’ll build two Docker images, one with vulnerabilities and one without, to learn the capabilities of Trivy and how to send all vulnerability […] (AWS Security Blog)

041| The Ethics of Red Teaming

Red team testing is somewhat intrusive by nature, as it involves breaking into companies - albeit at their request - to help them improve their security. Red teamers must bluff their way past receptionists and hack into employee computers, things that would put anyone else in a lot of trouble. At what point do red teaming activities cross the line into being unethical, or even criminal? F-Secure's veteran red teamer Tom Van de Wiele stopped by to share what a red teamer is not willing to do in the name of security, why cyber security experts need a sense of ethics, and how red teamers and companies alike can make sure that their own ethical concerns are addressed. Links: Episode 41 transcript; The F-Secure Guide to Rainbow Teaming. (Cyber Security Sauna)

Senate Democrats push feds to stand up disinformation 'response center' ordered in NDAA

With the presidential election just four months away, 15 Senate Democrats have asked national security agencies to step up their efforts to counter foreign disinformation aimed at undermining the vote. The Trump administration should ensure that political candidates and the public are promptly notified of foreign efforts to interfere in U.S. politics — and set up a congressionally mandated federal office for countering foreign influence, the senators wrote in a letter Friday to the heads of the Department of Defense, Homeland Security, the FBI, the National Security Agency and the Office of the Director of National Intelligence. “[W]e urge you to take additional measures to fight influence campaigns aimed at disenfranchising voters, especially voters of color,” wrote the senators, including Amy Klobuchar of Minnesota and Cory Booker of New Jersey. After the sweeping Russian effort to interfere in the 2016 elections, U.S. officials have tried to do more to combat foreign […] (CyberScoop)

California university pays $1 million ransom amid coronavirus research

A university in California previously reported to be conducting COVID-19 research has paid $1.14 million to digital scammers who locked the school’s systems and demanded an extortion fee. The University of California, San Francisco said on Friday it paid the ransom after malicious software infected a “limited number of servers” in an attack detected on June 1 at the university’s School of Medicine. While it remains unclear what, exactly, was affected, the school said the incident did not affect its patient care system, the campus network or the school’s research on the coronavirus. Scientists at the university are conducting trials into whether anti-malarial drugs may help mitigate the COVID-19 pandemic, as Bloomberg first reported. “Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted,” university officials said in an announcement Friday. “The attackers obtained some data as […] (CyberScoop)

Watching a $1.14 million ransomware negotiation between hackers and scientists searching for COVID-19 treatments

An anonymous tip-off to BBC News enabled them to watch in real-time as an American medical university attempted to negotiate with the hackers who had infected its systems with ransomware. (Graham Cluley)

Voice recordings from domestic violence alerting app exposed on the internet

A smartphone app, disguised as a regular app delivering the top world, sports, and entertainment news, contains a secret feature that allows victims of domestic abuse to send a covert distress call for help at the touch of a button. What could possibly go wrong? Read more in my article on the Hot for Security blog. (Graham Cluley)

Beware “secure DNS” scam targeting website owners and bloggers

If you run a website or a blog, watch out for emails promising "DNSSEC upgrades" - these scammers are after your whole site. (Naked Security)

Satori IoT botnet author sentenced to 13 months in prison

Kenneth Schuchman, the creator of the massive Satori botnet of enslaved devices, will be spending 13 months behind bars. (Naked Security)

Monday review – the hot 10 stories of the week

Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time. (Naked Security)

The Null Byte Guide to 3D Printing for Hackers

3D printers allow hackers and makers alike to create something from nothing. They're an incredible technology that lets you build protective cases and covers for gear such as a wardriving phone and Raspberry Pi-Hole. 3D printers can even help you out in a bind when something breaks, and it's impossible to get the part, since you can just print one out yourself.

And with 3D printers being relatively cheap these days, there's little reason not to get one if you think you'd have many uses for it. Anyone with $200 to $300 can get started 3D printing simple or sophisticated plastic objects at home... (Null Byte « WonderHowTo)

WikiLeaks Mantle Picked Up By Embattled Group of Leakers

(News ≈ Packet Storm)

Russian Leader Of Infraud Stolen ID, Credit Card Ring Pleads Guilty

(News ≈ Packet Storm)

HackerOne's 2020 Top 10 Public Bug Bounty Programs

(News ≈ Packet Storm)

How Hackers Extorted $1.14 Million From University Of California, San Francisco

(News ≈ Packet Storm)

Sucuri Academy: Free Website Security Courses

We are happy to announce that we have launched Sucuri Academy to offer free website security courses. Our main goal at Sucuri is to make the internet a safer place. One of our investments is creating the best educational content about website security to share our knowledge with the community. With that in mind, we have decided to launch our free courses. You can learn about website security, test your knowledge with our quizzes, and get a free certificate at the end of each course. (Sucuri Blog)

Russian Hacker Gets 9-Year Jail for Running Online Shop of Stolen Credit Cards

A United States federal district court has finally sentenced a Russian hacker to nine years in federal prison after he pleaded guilty to running two illegal websites devoted to facilitating payment card fraud, computer hacking, and other crimes.

Aleksei Yurievich Burkov, 30, pleaded guilty in January this year to two of the five charges against him for credit card fraud—one count of access (The Hacker News)

REvil Ransomware Gang Adds Auction Feature for Stolen Data

An anonymous bidding mechanism enhances the REvil group's double-extortion game. (Threatpost)

Tuesday’s Magento 1 EOL Leaves Clock Ticking on 100K Online Stores

Adobe and payment-card companies are making last-minute pleas for e-commerce sites to update to Magento 2, to avoid Magecart attacks and more. (Threatpost)

AWS Facial Recognition Platform Misidentified Over 100 Politicians As Criminals

Comparitech’s Paul Bischoff found that Amazon’s facial recognition platform misidentified an alarming number of people, and was racially biased. (Threatpost)

Unpatched Wi-Fi Extender Opens Home Networks to Remote Control

The Homeplug device, from Tenda, suffers from web server bugs as well as a DoS flaw. (Threatpost)


/security-daily/ 30-06-2020 23:44:23