Security daily (30-06-2020)

Code signing using AWS Certificate Manager Private CA and AWS Key Management Service asymmetric keys

In this post, we show you how to combine the asymmetric signing feature of the AWS Key Management Service (AWS KMS) and code-signing certificates from the AWS Certificate Manager (ACM) Private Certificate Authority (PCA) service to digitally sign any binary data blob and then verify its identity and integrity. AWS KMS makes it easy for […] (AWS Security Blog)

FCC officially names Huawei, ZTE as national security risks

The U.S. Federal Communications Commission has designated Chinese telecommunication providers Huawei and ZTE as national security risks, a decision that officially prohibits American phone companies from purchasing their equipment with government subsidies. The announcement Tuesday comes after U.S. intelligence agencies have repeatedly warned that Huawei and ZTE could conduct espionage against the U.S. and its allies on Beijing’s behalf. The FCC’s decision takes effect immediately. It prevents U.S. companies regulated by the agency from spending federal funds obtained through the $8.3 billion Universal Service Fund (USF) — which is designed to promote universal access to phone services — on equipment or services from Huawei or ZTE. The companies are subject to a Chinese law that requires firms to provide authorities with sensitive data, even if they’re unwilling to do so. FCC Chairman Ajit Pai said in a statement that both companies “have close ties to the Chinese Communist Party and China’s military apparatus,” […] The post FCC officially names Huawei, ZTE as national security risks appeared first on CyberScoop. (CyberScoop)

During a pandemic, stalkerware becomes even more sinister

When public health experts started recommending social distancing to reduce the spread of COVID-19, the goal was to place people out of harm’s way. But the policy has forced many domestic violence victims to possibly face a far more insidious danger: isolating with an abuser. Security researchers tell CyberScoop that data show a rise in invasive surveillance software known as stalkerware — applications that can spy on partners’ texts, calls, social media use and geolocation information — since the coronavirus pandemic began, despite the fact that abusers are much more likely to be sharing the same living space as their victims. Three antivirus companies tracking stalkerware globally told CyberScoop they saw an increase in stalkerware detections just after governments at all levels put social distancing measures in place. Between January and May, for instance, California-based Malwarebytes and Germany-based Avira said stalkerware detections on their respective customers’ devices spiked by 190% and […] The post During a pandemic, stalkerware becomes even more sinister appeared first on CyberScoop. (CyberScoop)

How agency leaders can prepare a future-ready government

A collection of stories illustrates ways to reimagine a new approach to modernization - with an emphasis on speed, security and scale to respond to crisis and achieve the mission. The post How agency leaders can prepare a future-ready government appeared first on CyberScoop. (CyberScoop)

US Cyber Command highlights Palo Alto Networks security patch, citing foreign espionage

U.S. cyber officials are urging American companies and individuals who rely on a popular security product to update their systems immediately, before foreign hackers can exploit a flaw in the technology to steal protected information. The Department of Homeland Security and U.S. Cyber Command said Monday that a “critical” flaw in technology from Palo Alto Networks, a multinational security firm based in California, could enable attackers “with network access” to obtain sensitive information. The flaw exists in PAN-OS, the operating system on firewalls and corporate virtual private network application products. Cyber Command said in a tweet that advanced hacking groups “will likely attempt exploit soon.” Palo Alto Networks issued a patch on Monday for the security flaw, the start of a weeks or months-long process in which corporate security teams will start updating their technologies to fend off hacking groups. The software flaw, officially dubbed CVE-2020-2021, was designated a 10.0 […] The post US Cyber Command highlights Palo Alto Networks security patch, citing foreign espionage appeared first on CyberScoop. (CyberScoop)

Internet freedom activists are concerned a Trump appointee could threaten pro-democracy work abroad

Internet freedom advocates are urging U.S. lawmakers to protect a small government-backed nonprofit that’s funded a generation of secure technologies meant to safeguard data in repressive countries. The organization, the Open Technology Fund, is an 8-year-old outfit that helps develop open and accessible technologies with an eye on promoting human rights abroad. It’s a subsidiary of the U.S. Agency for Global Media, overseer of the government operations designed to beam American news into foreign countries via outlets like Voice of America and Radio Free Asia. After a generation of quietly investing in technologies like encrypted messaging app Signal and anonymity tools like Tails and Tor, the future of the Open Technology Fund suddenly is in doubt. The new CEO of the Agency for Global Media, Michael Pack, a Trump administration appointee and a longtime ally of Steve Bannon, has fired the head of the OTF and the heads of four […] The post Internet freedom activists are concerned a Trump appointee could threaten pro-democracy work abroad appeared first on CyberScoop. (CyberScoop)

Google joins Apple in limiting web certificates to one year

Is it fair to expect everyone to renew all their web certificates every year? Apple says yes, and now Google does too. (Naked Security)

iOS 14 flags TikTok, 53 other apps spying on iPhone clipboards

TikTok, for one, promised to knock this off months ago but was caught red-handed, still at it, by the new clipboard notification in iOS 14. (Naked Security)

Harness the Power of Big Data with This 10-Course Bundle

We're living in a world that runs on Big Data. As the driving force behind everything from self-driving cars and Google algorithms to the latest medical technology and financial platforms, massive sets of increasingly complex data lie at the heart of today's most exciting and important innovations.

That means that if you want to be successful in virtually any field, you'll want to have more than just a baseline understanding of how to work with numbers and information. The 2020 Master Microsoft Excel & Power BI Certification Bundle will teach you how to harness the power of two ubiquitous... more (Null Byte « WonderHowTo)

New EvilQuest Ransomware Discovered Targeting macOS Users

(News ≈ Packet Storm)

Australia To Spend Nearly $1 Billion To Boost Cyber Security

(News ≈ Packet Storm)

CISA: Nation State Attackers Likely To Exploit Palo Alto Networks Bug

(News ≈ Packet Storm)

AWS Facial Recognition Platform Misidentified Over 100 Politicians As Criminals

(News ≈ Packet Storm)

Advanced StrongPity Hackers Target Syria and Turkey with Retooled Spyware

Cybersecurity researchers today uncovered new details of watering hole attacks against the Kurdish community in Syria and Turkey for surveillance and intelligence exfiltration purposes.

The advanced persistent threat behind the operation, called StrongPity, has retooled with new tactics to control compromised machines, cybersecurity firm Bitdefender said in a report shared with The Hacker (The Hacker News)

e-Commerce Site Hackers Now Hiding Credit Card Stealer Inside Image Metadata

In what's one of the most innovative hacking campaigns, cybercrime gangs are now hiding malicious code implants in the metadata of image files to covertly steal payment card information entered by visitors on the hacked websites.

"We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores," Malwarebytes (The Hacker News)

Verizon Media, PayPal, Twitter Top Bug-Bounty Rankings

Verizon Media has paid nearly $10 million to ethical hackers via HackerOne's platform. (Threatpost)

EvilQuest Mac Ransomware Has Keylogger, Crypto Wallet-Stealing Abilities

A rare, new Mac ransomware has been discovered spreading via pirated software packages. (Threatpost)

StrongPity APT Back with Kurdish-Aimed Watering Hole Attacks

The spy malware is being delivered via a complex infrastructure with multiple layers, in an effort to avoid analysis. (Threatpost)

UCSF Pays $1.14M After NetWalker Ransomware Attack

UCSF has paid more than $1 million after a ransomware attack encrypted data related to "important" academic research on several servers. (Threatpost)


/security-daily/ 01-07-2020 23:44:21