Security

Link

DHS Releases Cybersecurity Rules for Pipeline Operators

Andrew Orr ·

Today, the Department of Homeland Security’s Transportation Security Administration (TSA) announced a Security Directive for critical pipeline companies.

The Security Directive will require critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and to designate a Cybersecurity Coordinator, to be available 24 hours a day, seven days a week.

It will also require critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

Link

WebKit Flaw Crashes Safari, Could Lead to Further Exploits

Andrew Orr ·

A WebKit flaw on iOS and macOS can cause Safari to crash and could lead to further malicious attacks.

The vulnerability stems from what security researchers call a type confusion bug in the WebKit implementation of AudioWorklet, an interface that allows developers to control, manipulate, render, and output audio and decrease latency. Exploiting the vulnerability gives an attacker the basic building blocks to remotely execute malicious code on affected devices.

Link

LastPass Introduces Improved Multi-Factor Authenticator App

Andrew Orr ·

LastPass by LogMeIn announced on Wednesday that it enhanced its mobile authenticator app and integrates with VPN providers Cisco, Palo Alto Networks, and OpenVPN for businesses. However, the authenticator app is available to all LastPass users.

With this update, the LastPass Authenticator will offer a refreshed user interface that now offers search functionality to reduce user complexity and streamline the authentication experience.

Link

President Biden Signs Order to Improve U.S. Cybersecurity

Andrew Orr ·

After the attack on Colonial Pipeline, President Biden has signed an executive order to improve the nation’s cybersecurity.

The executive order requires IT service providers to share certain breach information with the government, modernizes and implements stronger cybersecurity standards in the federal government, establishes security standards for development of software sold to the government and will create an “energy star” label so that consumers can better determine whether software was developed securely.

Link

Security Researcher Hacks Apple’s ‘Find My’ Network

Andrew Orr ·

Researcher Fabian Bräunlein found that Apple’s Find My location network can be used to “upload arbitrary data to the internet.”

Being inherent to the privacy and security-focused design of the Find My Offline Finding system, it seems unlikely that this misuse can be prevented completely.

Link

CIDA Warns of New Ransomware ‘FiveHands’

Andrew Orr ·

FiveHands has been around since January but was recently used in a successful attack against an unknown organization.

Attackers were targeting unpatched SonicWall Secure Mobile Access SMA 100 remote access products, for which patches were released in February. The publicly available tools the group users including the SoftPerfect Network Scanner for Discovery and Microsoft’s own remote administration program, PsExec.exe and its related ServeManager.exe.

Link

Amazon Data Breach Exposes 200,000 Fake Reviewers

Andrew Orr ·

Security researchers at SafetyDetectives found an insecure ElasticSearch database that potentially uncovers over 200,000 fake Amazon reviewers.

These Amazon vendors send to reviewers a list of items/products for which they would like a 5-star review. The people providing the ‘fake reviews’ will then buy the products, leaving a 5-star review on Amazon a few days after receiving their merchandise.

Upon completion, the provider of the fake review will send a message to the vendor containing a link to their Amazon profile, along with their PayPal details.

Link

Tor Exit Nodes Were Attacked in February 2021

Andrew Orr ·

A new report from Hacker News says that an unknown attacker managed to control over 27% of Tor exit nodes in February 2021.

“The entity attacking Tor users is actively exploiting tor users since over a year and expanded the scale of their attacks to a new record level,” an independent security researcher who goes by the name nusenu said in a write-up published on Sunday. “The average exit fraction this entity controlled was above 14% throughout the past 12 months.”

Link

GitHub Adds Support for Security Keys Over SSH

Andrew Orr ·

GitHub announced on Monday that it enabled support for two-factor authentication security keys when members use them over SSH.

When used for SSH operations, security keys move the sensitive part of your SSH key from your computer to a secure external security key. SSH keys that are bound to security keys protect you from accidental private key exposure and malware. You perform a gesture, such as a tap on the security key, to indicate when you intend to use the security key to authenticate. This action provides the notion of “user presence.”

Link

Over 29,000 Databases Expose 19 Petabytes of Data

Andrew Orr ·

Many companies aren’t properly securing their databases, like the one I wrote about this morning. But we have some numbers. CyberNews quotes “29,000 unprotected databases worldwide exposing 19 petabytes (19,000 terabytes, 19,000,000 gigabytes, etc) of data.

To conduct this investigation, we used a specialized search engine to scan for open databases of three of the most popular database types: Hadoop, MongoDB, and Elasticsearch. While performing the search, we made sure that the open databases we found required no authentication whatsoever and were open for anyone to access, as opposed to those that had default credentials enabled.

Link

Finnish Mental Health Startup Vastaamo Leaked Patient Data

Andrew Orr ·

Vastaamo ran the largest network of private mental-health providers in Finland. William Ralston tells the story on WIRED, and how hackers used the data to threaten patients.

A security flaw in the company’s IT systems had exposed its entire patient database to the open internet—not just email addresses and social security numbers, but the actual written notes that therapists had taken. A group of hackers, or one masquerading as many, had gotten hold of the data.

What an incompetent company. No anonymization of patient records, no encryption of data. In other words, unfortunately common. Two developers hired at Vastaamo were even arrested in a previous security breach.

Encrypted Storage App ‘Boxcryptor’ Integrates Better With Files App
Cool Stuff Found

Encrypted Storage App ‘Boxcryptor’ Integrates Better With Files App

Andrew Orr ·

Boxcryptor received a major update for iOS and iPadOS that eliminates its own file browser. Instead, you’ll browse through your encrypted files completely within Apple’s Files app. Robert Freudenreich explains the decision: “By taking a ‘Files app first’ approach, we enable the best user experience for working with encrypted files in Apple’s Files app.” The integration with the Files app has been in place since iOS 11. But by eliminating the additional Boxcryptor-owned file browser, the Files app now becomes the exclusive file manager. For users, this primarily means an even simpler workflow.

Link

IRS Asks For Help to Hack Hardware Cryptocurrency Wallets

Andrew Orr ·

The IRS is asking for help to hack into hardware cryptocurrency wallets that could be useful in criminal investigations.

The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value, outside of the traditional purview of law enforcement and regulatory organizations. There is a portion of this cryptographic puzzle that continues to elude organizations—millions, perhaps even billions of dollars, exist within cryptowallets.

Link

Experian’s API Exposed Credit Scores for Anyone to Discover

Andrew Orr ·

Credit bureau Experian recently fixed a flaw in its API that let anyone find a credit score of a person by typing in their name and mailing address.

Demirkapi declined to share with Experian the name of the lender or the website where the API was exposed. He refused because he said he suspects there may be hundreds or even thousands of companies using the same API, and that many of those lenders could be similarly leaking access to Experian’s consumer data.