Information

23 Nov

Cross-Tenant AWS Vulnerability Exposed Account Resources

Information, News

A cross-tenant vulnerability in Amazon Web Services (AWS) could have allowed attackers to abuse AWS AppSync to gain access to resources in an organization’s account. An attacker could exploit the AWS AppSync service to assume identity and access management (IAM) roles in other AWS accounts, gaining access to resources within those accounts, cloud security company Datadog Security Labs explains. The AppSync service allows developers to create GraphQL and Pub/Sub APIs, each with an associated data…

Read More
23 Nov

Facebook Parent Meta Links Influence Campaign to US Military

Information, News

Facebook parent Meta has tied a recent influence operation powered by tens of accounts, pages and groups to the United States military. The social media giant on Tuesday released its adversarial threat report for the third quarter of 2022. During Q3, in addition to disrupting operations linked to Chinese and Russian threat actors, the company disrupted an operation that has been connected to the United States. According to Meta, the operation that originated in the…

Read More
22 Nov

Life in pursuit of answers: In the words of Ada Yonath

Information

From a little girl financially helping her family in Jerusalem to a Nobel Prize laureate. That is the exceptional life of Ada Yonath in a nutshell. The first female Israeli Nobel Laureate and the fourth woman in the world to be awarded the Nobel Prize in Chemistry, Ada Yonath has dedicated her life to the pursuit of answers to the most crucial scientific questions and to advancing progress in her field. Her curiosity and her…

Read More
22 Nov

How to hack an unpatched Exchange server with rogue PowerShell code

Information, Uncategorized

by Paul Ducklin Just under two months ago, some worrying bug news broke: a pair of zero-day vulnerabilities were announced in Microsoft Exchange. As we advised at the time, these vulnerabilities, officially designated CVE-2022-41040 and CVE-2022-41082: [were] two zero-days that [could] be chained together, with the first bug used remotely to open enough of a hole to trigger the second bug, which potentially allows remote code execution (RCE) on the Exchange server itself. The first…

Read More
22 Nov

Leaked Algolia API Keys Exposed Data of Millions of Users

Information, News

Threat detection firm CloudSEK has identified thousands of applications leaking Algolia API keys, and tens of applications with hardcoded admin secrets, which could allow attackers to steal the data of millions of users. Organizations can use Algolia’s API to incorporate into their applications functions such as search, discovery, and recommendations. The API is used by over 11,000 companies, including Lacoste, Slack, Medium, and Zendesk. CloudSEK says it has identified 1,550 applications that leaked Algolia API…

Read More
21 Nov

How social media scammers buy time to steal your 2FA codes

Information

by Paul Ducklin Phishing scams that try to trick you into putting your real password into a fake site have been around for decades. As regular Naked Security readers will know, precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps, because: Password managers associate usernames and passwords with specific web pages. This makes it hard for password managers to betray you to bogus…

Read More
21 Nov

California County Says Personal Information Compromised in Data Breach

Information, News

The County of Tehama, California, has started informing employees, recipients of services, and affiliates that their personal information might have been compromised in a data breach. The incident, Tehama County says, was identified on April 9, but the investigation into the matter stretched to August 19, when it was determined that personally identifiable information (PII) was compromised. The investigation revealed that an unauthorized third-party had access to the county’s systems between November 18, 2021, and…

Read More
19 Nov

Latest insights on APT activity – Week in security with Tony Anscombe

Information

What have some of the world’s most notorious APT groups been up to lately? A new ESET report released this week has the answers. What have advanced persistent threat (APT) groups been up to lately? This week, the ESET Research team published their inaugural APT Activity Report, which reviews the activities of selected APT threat actors as observed, investigated, and analyzed by ESET’s experts from May to August of this year. The report specifically looks…

Read More
18 Nov

Tor vs. VPN: Which should you choose?

Information

Both Tor and a VPN can greatly help you keep prying eyes away from your online life, but they’re also two very different beasts. Which suits your needs better? People who want to keep their online activities private are often faced with the question – should I use a virtual private network (VPN) or the Tor anonymity network? What are the advantages and downsides of each? There’s definitely a lot to go through before making a choice. Wait…

Read More
18 Nov

Atlassian Patches Critical Vulnerabilities in Bitbucket, Crowd

Information, News

Atlassian informed customers this week that it has patched critical vulnerabilities in its Crowd and Bitbucket products. In the Bitbucket source code repository hosting service, Atlassian fixed CVE-2022-43781, a critical command injection vulnerability that affects Bitbucket Server and Data Center version 7 and, in some cases, version 8. “There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue…

Read More