4 days ago

Privileged Access Management Company Thycotic Has Acquired Employee Credential Management Start-Up Onion ID

Privileged access management company Thycotic has acquired fellow cybersecurity provider Onion ID Inc. and its three flagship products. Washington D.C.-based Thycotic is best known for its flagship Secret Server platform. Onion ID helps companies control what employees do with those login credentials. The three primary products Onion ID currently offers will relaunch under the names Thycotic Database Access Controller, Thycotic Cloud Access Controller and Thycotic Remote Access Controller. (Silicon Angle)
4 days ago

Members of Congress Introduce Bipartisan Bill to Regulate Contact Tracing and Exposure Notification Apps So They Don’t Pose Privacy Violations

Members of Congress introduced yesterday a bipartisan bill, the Exposure Notification Privacy Act, to regulate contact tracing and exposure-notification apps so that they don’t pose privacy violations to users. The draft law requires companies developing contact-tracing applications to do so in collaboration with public-health authorities. The tools must also obtain consent before they can begin tracking a user’s location to determine the spread of the coronavirus. Moreover, under the bill, any data collected as part of coronavirus monitoring technology could not be used for commercial purposes, and users could request at any time to delete it. (Washington Post)
4 days ago

Vulnerability Impacting VMware’s vCloud Director Could Have Allowed Attackers to Take Over Multiple Enterprise Clouds

Ethical hacking firm Citadelo discovered a flaw, CVE-2020-3956, which allowed the complete takeover of multiple VMware-powered clouds. Patched in mid-May, the vulnerability impacted vCloud Director, the tool VMware recommends service providers use to run various clouds for their customers, or that large organizations run to manage multiple private clouds. Breaching vCloud Director would allow attackers to gain entry to hundreds of organizations. Citadelo researchers discovered during a penetration test that using ${7*7} as the hostname for the SMTP server in vCloud Director produced an error showing that the expression had been evaluated. They then placed some Java code inside the ${ } construct in the hostname, found that it executed too, and were able to go deeper and deeper until they owned one cloud. They then devised a way to take over multiple clouds. (The Register)
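The root cause described above is a configuration field (the SMTP server hostname) whose value reached an expression evaluator unchecked, so a probe such as ${7*7} was computed rather than rejected. The following added example, written for this page and not code from VMware, Citadelo or vCloud Director, shows the defensive check an application should apply to such a field: accept only a syntactically valid hostname (RFC 1123 labels) before the value is stored, and, as a separate audit aid, scan existing configuration lines for expression-language syntax so a stray injection attempt can be detected in logs or config dumps. The sample configuration lines are constructed for the example.

```python
import re

# One RFC 1123 hostname label: 1-63 characters, letters/digits/hyphen,
# and no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Expression-language syntax such as ${...} or #{...}; a legitimate hostname
# never contains these characters, so their presence is a strong signal.
_TEMPLATE_RE = re.compile(r"[$#]\{[^}]*\}")


def is_valid_hostname(value: str) -> bool:
    """Return True only if value is a well-formed hostname (max 253 chars)."""
    if not value or len(value) > 253:
        return False
    host = value[:-1] if value.endswith(".") else value  # allow a trailing dot
    return all(_LABEL_RE.match(label) for label in host.split("."))


def looks_like_template_expression(value: str) -> bool:
    """Flag values carrying ${...} or #{...} constructs."""
    return bool(_TEMPLATE_RE.search(value))


def validate_smtp_host(value: str) -> str:
    """Positive validation: raise for anything that is not a plain hostname.

    The template check is redundant with the hostname check (the characters
    are already disallowed) but gives a precise reason for the rejection,
    which is what you want in an audit log.
    """
    if looks_like_template_expression(value):
        raise ValueError("rejected: template expression syntax in hostname")
    if not is_valid_hostname(value):
        raise ValueError("rejected: not a valid hostname")
    return value.lower()


def is_accepted(value: str) -> bool:
    """Convenience wrapper returning True when validate_smtp_host accepts value."""
    try:
        validate_smtp_host(value)
        return True
    except ValueError:
        return False


def audit_config_lines(lines):
    """Return the config lines whose value part contains expression syntax.

    Lines are expected in key=value form; anything else is ignored.
    """
    flagged = []
    for line in lines:
        if "=" not in line:
            continue
        _, value = line.split("=", 1)
        if looks_like_template_expression(value.strip()):
            flagged.append(line)
    return flagged


# Constructed sample configuration (not taken from any real system).
CONSTRUCTED_CONFIG_LINES = [
    "smtp.host=mail.example.com",
    "smtp.port=25",
    "smtp.host=${7*7}",
    "smtp.from=noreply@example.com",
]

if __name__ == "__main__":
    for candidate in ("mail.example.com", "${7*7}", "-bad.example.com"):
        print(f"{candidate!r}: accepted={is_accepted(candidate)}")
    print("flagged lines:", audit_config_lines(CONSTRUCTED_CONFIG_LINES))
```

The validator is positive (allow-list) rather than a blocklist of dangerous characters: a hostname has a tight grammar, so anything outside it is rejected without having to enumerate every template dialect. The audit function is the retrospective check, useful for scanning exported configuration or request logs after a disclosure like this one.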
4 days ago

Apple Releases Security Fixes for iOS and iPadOS 13.5.1, Kills Jailbreak in the Process

Apple has released an iOS 13.5.1 and iPadOS 13.5.1 bug-fixing software update for all iPhones compatible with iOS 13, which is now available via the OTA system. The new version fixes a zero-day vulnerability in iPhones that allowed jailbreaking them. Users who have jailbroken an iPhone running iOS 13.5 using Unc0ver should not install the iOS 13.5.1 software update. Apple has also released the macOS Catalina 10.15.6 Developer Beta 1, tvOS 13.4.6, and watchOS 6.2.6 updates. (iPhone Hacks)
4 days ago

REvil Ransomware Attackers Publish Files Stolen From UK Power Company Elexon After Ransom Demands Were Ignored

The REvil/Sodinokibi ransomware gang published what it claimed were files stolen from UK power grid middleman Elexon two weeks after the company announced it had been hacked. The data was published on REvil’s Tor webpage as a cache of 1,280 files, which reportedly include documents that appeared to be passports of Elexon staff members and an apparent business insurance application form. It seems Elexon shrugged off the ransomware demands of the attackers and simply rebuilt its IT infrastructure from backups. (The Register)
4 days ago

Only One in Three People With Accounts on Breached Domains Change Their Passwords, and Even Those Who Do Frequently Use Weaker Passwords, Researchers Find

Only one in three people who had accounts on breached domains changed their passwords, according to a recent study by researchers at Carnegie Mellon University. Only 13 percent of people with accounts on these domains changed their password within three months of the breach announcement, according to the researchers. The authors based their findings on observations of the security practices of 249 willing participants through the Security Behavior Observatory (SBO), a group of participants consenting to have their daily computing behaviors observed. Even those users who changed their passwords often used weaker passwords than their previous passwords, the study found. (Carnegie Mellon University)
5 days ago

Amtrak Says Unauthorized Party Gained Access to Its Guest Rewards Accounts, Personal Information May Have Been Viewed

In a data breach notice filed with the Office of the Vermont Attorney General, Amtrak said that “On the evening of April 16, 2020, Amtrak determined that an unknown third party gained unauthorized access to certain Amtrak Guest Rewards accounts.” The U.S. railroad transportation company said it had determined that compromised usernames and passwords were used to access certain accounts and that some personal information may have been viewed. No financial data, credit card information, or Social Security numbers were compromised during this incident. Amtrak said it blocked the unauthorized third party from accessing the compromised Amtrak Guest Rewards accounts within a few hours after detecting suspicious activity. (Bleeping Computer)
5 days ago

Joomla Announces Security Breach, Unencrypted Backup File Left on Amazon S3 Bucket Exposing Details on 2,700 Registered Users

The team behind the Joomla open source content management system (CMS) announced a security breach that took place after a member of the Joomla Resources Directory (JRD) team left a full backup of the JRD site (resources.joomla.org) on an Amazon Web Services S3 bucket the company owned. The backup file was not encrypted and contained details for around 2,700 users who registered and created profiles on the JRD website, a portal where professionals advertise their Joomla site-making skills. Among the data that could have been exposed were names, addresses, email addresses, phone numbers, company URLs, encrypted passwords (hashed), and more. The Joomla team said that once it learned of this accidental leak of the JRD site backup, they carried out a full security audit of the JRD portal. (ZDNet)
5 days ago

Apple Paid Indian Researcher $100,000 for Finding Critical Vulnerability in ‘Sign in With Apple System’

Apple paid Indian vulnerability researcher Bhavuk Jain a $100,000 bug bounty for reporting a highly critical vulnerability affecting its ‘Sign in with Apple’ system. The flaw could have allowed remote attackers to bypass authentication and take over targeted users’ accounts on third-party services and apps that had been registered using the ‘Sign in with Apple’ option. Bhavuk reported the issue to the Apple security team last month, and the company has now patched the vulnerability. (The Hacker News)
5 days ago

Database for Formerly Top Dark Web Service Hosting Provider Leaked Online, Data Can Be Used to Identify Owners of Dark Web Portals

A hacker who goes by the name of KingNull uploaded a copy of Daniel’s Hosting (DH) database online. DH had been the largest free web hosting provider for dark web services until shortly after the hacker breached DH earlier this year, on March 10, 2020. Two weeks after the breach, DH shut down its service for good, urging users to move their sites to new dark web hosting providers. Around 7,600 websites, a third of all dark web portals, went down following DH’s shutdown. The leaked data includes 3,671 email addresses, 7,205 account passwords, and 8,580 private keys for .onion (dark web) domains. Threat intelligence firm Under the Breach, which examined the database, said the leaked data can be used to tie the owners of leaked email addresses to certain dark web portals. (ZDNet)
5 days ago

Likely DDoS Attack Took Down Minneapolis Police Department and City of Minneapolis Websites, Hacktivist Group Anonymous Said to Be Attacker

In what was likely a DDoS attack, the website of the Minneapolis Police Department, as well as the website of the City of Minneapolis, became inaccessible on Saturday night with the decentralized hacker collective Anonymous widely considered to be the source of the assault. The outage of the sites came after a Facebook page claiming affiliation with Anonymous posted a video on May 28 warning the Minneapolis PD that it “will be exposing your many crimes to the world” and that “this week’s brutal killing of George Floyd… is merely the tip of the iceberg in a long list of high-profile cases of wrongful death at the hands of officers in your state.” (Variety)
7 days ago

Popular Indian TikTok Imitator Mitron Contains Critical Software Vulnerability That Easily Allows Anyone to Bypass Authorization

One of the copycats of the popular short video app TikTok is an Android app called Mitron, which means “friends” in Hindi. Promoted as a homegrown Indian alternative to TikTok, Mitron gained over 5 million installations and 250,000 5-star ratings in just 48 days after being released on the Google Play Store. However, Indian vulnerability researcher Rahul Kankrale discovered that Mitron contains a critical and easy-to-exploit software vulnerability that could let anyone bypass account authorization for any Mitron user within seconds. The flaw is that any user can log into any targeted Mitron user profile just by knowing his or her unique user ID, a piece of public information available in the page source, without entering any password. Rahul discovered that Mitron is actually a re-packaged version of the TicTic app created by the Pakistani software development company Qboxus, which sells it as a ready-to-launch clone for TikTok, musical.ly or Dubsmash-like services. Aside from Mitron, 250 other developers have purchased the TicTic code. Until the flaw is patched, users should not install Mitron, or if they have already installed it, they should revoke the Google access from their profiles. (The Hacker News)
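The defect described above is an authentication step that accepts a public identifier (the user ID, visible in page source) as proof of identity. The following added example is not Mitron's or TicTic's code; it is a minimal illustration written for this page of the insecure pattern beside its corrected form: the vulnerable login issues a session for any known user ID, while the hardened login requires a password verified against a salted PBKDF2 hash with a constant-time comparison. The in-memory user store, the user IDs and the passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption for the example; tune for your hardware


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(store: dict, user_id: str, password: str) -> None:
    """Register a user; only the salt and hash are stored, never the password."""
    salt = os.urandom(16)
    store[user_id] = {"salt": salt, "hash": _hash_password(password, salt)}


def login_vulnerable(store: dict, user_id: str):
    """Insecure pattern: a known public user ID alone yields a session token."""
    if user_id in store:
        return secrets.token_hex(16)
    return None


def login_hardened(store: dict, user_id: str, password: str):
    """Corrected pattern: the user ID only selects the record; the password proves identity."""
    record = store.get(user_id)
    # Hash against a dummy salt when the user is unknown so the response time
    # does not reveal which IDs exist.
    salt = record["salt"] if record else bytes(16)
    candidate = _hash_password(password, salt)
    if record is not None and hmac.compare_digest(candidate, record["hash"]):
        return secrets.token_hex(16)
    return None


def build_constructed_store() -> dict:
    """Constructed sample accounts for the demonstration."""
    store = {}
    create_user(store, "user-1001", "correct horse battery staple")
    create_user(store, "user-1002", "another-example-passphrase")
    return store


if __name__ == "__main__":
    users = build_constructed_store()
    # The public ID is enough for the vulnerable endpoint...
    print("vulnerable login with ID only:", login_vulnerable(users, "user-1001") is not None)
    # ...but not for the hardened one.
    print("hardened login, ID only (empty password):",
          login_hardened(users, "user-1001", "") is not None)
    print("hardened login, correct password:",
          login_hardened(users, "user-1001", "correct horse battery staple") is not None)
```

The point of the contrast is that a user ID is an address, not a credential: anything that can be read out of page source must never be the only input an authentication check depends on. The hardened version also hashes even for unknown IDs, so the login endpoint does not become a user-enumeration oracle through timing.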
7 days ago

Zoom Plans to Strengthen Encryption of Video Calls Hosted by Paying Clients

Massively popular video conferencing provider Zoom plans to strengthen the encryption of video calls hosted by paying clients and institutions such as schools but not by users of its free consumer accounts, Zoom security consultant Alex Stamos confirmed. Stamos said the plan was subject to change, and it was not yet clear which, if any, nonprofits or other users, such as political dissidents, might qualify for accounts allowing more secure video meetings. (Reuters)
1 week ago

New York Man Charged With Computer Hacking, Payment Card Trafficking and Money Laundering After Authorities Seize His Computers at Kennedy Airport

A New York City man, Vitalii Antonenko, was charged in the U.S. District Court for the District of Massachusetts with conspiracy to engage in computer hacking, payment card trafficking, and money laundering, according to a federal indictment. Authorities found hundreds of thousands of stolen payment cards on Antonenko’s computers after arresting the Ukraine native at Kennedy International Airport in March 2019. Prosecutors say that as part of a multi-pronged money laundering scheme, Antonenko worked with two co-conspirators, allegedly receiving at least 114 bitcoin from one, sending about as much bitcoin to the other, and then receiving nearly $40,000 in cash bank deposits at 10% below market rate. Antonenko also allegedly hacked an unnamed “non-profit scientific research institution” in Massachusetts. (Coindesk)
1 week ago

GitHub Warns of New Malware Strain ‘Octopus Scanner’ Spread on the Site via Booby-Trapped Java Projects

GitHub issued a security alert warning about a new malware strain, which GitHub’s security team has named Octopus Scanner, that has been spreading on its site via booby-trapped Java projects. The malware has been found in 26 repositories managed using the Apache NetBeans IDE (integrated development environment), a tool used to write and compile Java applications. GitHub says that when other users downloaded any of the 26 projects, the malware would behave like a self-spreading virus and infect their local computers. When fully executed, the malware would allow the Octopus Scanner operator to rummage through an infected victim’s computer looking for sensitive information. Although GitHub found only 26 infected projects, it believes many other projects were infected. (ZDNet)