Shadow IT, IaaS & the Security Imperative
via "Dark Reading".
Organizations must strengthen their security posture in cloud environments. That means considering five critical elements about their infrastructure, especially when it operates as an IaaS.
ATTENTION! New - CVE-2016-10739
via "National Vulnerability Database".
In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.
WhatsApp fights the spread of deadly fake news with recipient limit
via "Naked Security".
WhatsApp has capped the number of people you can forward messages to, after India was seized by rumour-inspired mob lynchings.
DNC targeted by Russian hackers beyond 2018 midterms, it claims
via "Naked Security".
The Democratic National Committee has filed a civil complaint accusing Russia of trying to hack its computers as recently as November 2018.
Bicycle-riding hitman convicted with Garmin GPS watch location data
via "Naked Security".
Location data extracted from the athletic hitman's Garmin GPS watch and TomTom sat nav led to his conviction in two gangland murders.
Rogue websites can turn vulnerable browser extensions into back doors
via "Naked Security".
A researcher has found that websites can use some extensions to bypass security policies, execute code, and even install other extensions.
Rushing to patch? Here's how to prioritize your security efforts
via "Security on TechRepublic".
When addressing security vulnerabilities, enterprises should focus on those with publicly available exploit code, according to a Kenna Security report.
Adobe Issues Unscheduled Updates for Experience Manager Platform
via "Threatpost | The first stop for security news".
The patches are part of Adobe's second unscheduled update this month.
How Cybercriminals Clean Their Dirty Money
via "Dark Reading".
By using a combination of new cryptocurrencies and peer-to-peer marketplaces, cybercriminals are laundering up to an estimated $200 billion in ill-gotten gains a year. And that's just the beginning.
Hackers turn to data theft and resale on the Dark Web for higher payouts
via "Security on TechRepublic".
Selling personal information and compromised accounts of popular Instagram users has become more lucrative than ransomware and cryptojacking campaigns.
Google Fined $57M in Largest GDPR Slap Yet
via "Threatpost | The first stop for security news".
The French Data Protection Authority (DPA) found a lack of transparency when it comes to how Google harvests and uses personal data for ad-targeting purposes.
ATTENTION! New - CVE-2017-6923
via "National Vulnerability Database".
In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.
ATTENTION! New - CVE-2017-6922
via "National Vulnerability Database".
In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.
Google Hit With $57 Million GDPR Fine in France
via "Dark Reading".
The fine represents the first major penalty for a US technology company under the new European regulations.
How Web Apps Can Turn Browser Extensions Into Backdoors
via "Threatpost | The first stop for security news".
Researchers show how rogue web applications can be used to attack vulnerable browser extensions in a hack that gives adversaries access to private user data.
Real-World Threats That Trump Spectre & Meltdown
via "Dark Reading".
New side-channel attacks are getting lots of attention, but other more serious threats should top your list of threats.
The Fact and Fiction of Homomorphic Encryption
via "Dark Reading".
The approach's promise continues to entice cryptographers and academics. But don't expect it to help in the real world anytime soon.
Security Talent Continues to Fetch Top Dollar on IT Job Market
via "Dark Reading".
IT and cybersecurity positions continue to rank near the top of the salary ranges paid to IT professionals, according to a new survey.
Hack of Plug-in Website Ruffles WordPress Community
via "Dark Reading".
An intruder thought to be a former employee used a backdoor into the WPML website to skim email addresses and send a mass email blast.
Stealthy New DDoS Attacks Target Internet Service Providers
via "Dark Reading".
Adversaries took advantage of the large attack surface of large communications networks to spread small volumes of junk traffic across hundreds of IP prefixes in Q3 2018, Nexusguard says.
Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com
via "KrebsOnSecurity".

Two of the most disruptive and widely-received spam email campaigns over the past few months (including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year) were made possible thanks to an authentication weakness at GoDaddy.com, the world's largest domain name registrar, KrebsOnSecurity has learned.

Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains registered through GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world's most trusted corporate names and brands.

In July 2018, email users around the world began complaining of receiving spam which began with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid. On December 13, 2018, a similarly large spam campaign was blasted out, threatening that someone had planted bombs within the recipient's building that would be detonated unless a hefty bitcoin ransom was paid by the end of the business day.

Experts at Cisco Talos and other security firms quickly drew parallels between the two mass spam campaigns, pointing to a significant overlap in Russia-based Internet addresses used to send the junk emails. Yet one aspect of these seemingly related campaigns that has been largely overlooked is the degree to which each achieved an unusually high rate of delivery to recipients.

Large-scale spam campaigns often are conducted using newly-registered or hacked email addresses, and/or throwaway domains. The trouble is, spam sent from these assets is trivial to block because anti-spam and security systems tend to discard or mark as spam any messages that appear to come from addresses which have no known history or reputation attached to them.

However, in both the sextortion and bomb threat spam campaigns, the vast majority of the email was being sent through Web site names that had already existed for some time, and indeed even had a trusted reputation. Not only that, new research shows many of these domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies.

That's according to Ron Guilmette, a dogged anti-spam researcher who has made a living suing spammers and helping law enforcement officials apprehend online scammers. Researching the history and reputation of more than 5,000 Web site names used in each of the extortionist spam campaigns, Guilmette made a startling discovery: Virtually all of them had at one time been registered via GoDaddy.com, a Scottsdale, Ariz. based domain name registrar and hosting provider.

Guilmette told KrebsOnSecurity he initially considered the possibility that GoDaddy had been hacked, or that thousands of the registrar's customers perhaps had their GoDaddy usernames and passwords stolen.

But as he began digging deeper, Guilmette came to the conclusion that the spammers were exploiting an obscure, albeit widespread, weakness among hosting companies, cloud providers and domain registrars that was first publicly detailed in 2016.

EARLY WARNING SIGNS

In August 2016, security researcher Matthew Bryant wrote about spammers hijacking some 20,000 established domain names to blast out junk email. A few months later, Bryant documented the same technique being used to take over more than 120,000 trusted domains for spam campaigns. And Guilmette says he now believes the attack method detailed by Bryant also explains what's going on in the more recent sextortion and bomb threat spams.

Grasping…