Amazon Dismisses Claims Alexa Skills Can Bypass Security Vetting Process
threatpost.com/amazon-dismisses-claims-alexa-skills-can-bypass-security-vetting/164316/ Our analysis shows that while Amazon restricts access to user data for skills and has put forth a number of rules, there is still room for malicious actors to exploit or circumvent some of these rules, said researchers this week. This can enable an attacker to exploit the trust they have built with the system.
The state of stalkerware in 2020
securelist.com/the-state-of-stalkerware-in-2020/100875/ Kaspersky's data shows that the scale of the stalkerware issue has not improved much in 2020 compared to the last year: the number of people affected is still high. In total, 53,870 of our mobile users were affected globally by stalkerware in 2020. Keeping in mind the big picture, these numbers only include Kaspersky users, and the total global numbers will be higher.
Former SolarWinds CEO blames intern for ‘solarwinds123’ password leak
edition.cnn.com/2021/02/26/politics/solarwinds123-password-intern/ The researcher who discovered the leaked password, Vinoth Kumar, previously told CNN that before the company corrected the issue in November 2019, the password had been accessible online since at least June 2018. Emails between Kumar and SolarWinds showed that the leaked password allowed Kumar to log in and successfully deposit files on the company's server. Using that tactic, Kumar warned the company, any hacker could upload malicious programs to SolarWinds.
An Exploration of JSON Interoperability Vulnerabilities
labs.bishopfox.com/tech-blog/an-exploration-of-json-interoperability-vulnerabilities As we've seen through attacks like HTTP request smuggling, discrepancies across parsers combined with multi-stage request processing can introduce serious vulnerabilities. In this research, I conducted a survey of 49 JSON parsers, cataloged their quirks, and present a variety of attack scenarios and Docker Compose labs to highlight their risks. Through our payment processing and user management examples, we will explore how JSON parsing inconsistencies can mask serious business logic vulnerabilities in otherwise benign code.
Why You Should Stop Sending Texts From Your Android Messages App
www.forbes.com/sites/zakdoffman/2021/02/27/google-android-messages-update-apple-iphone-ipad-imessage-security-versus-sms-rcs-and-whatsapp-encryption/ Until Google's RCS offers end-to-end encryption by default and can provide that level of security for groups as well as 1:1 messaging, then it's as much of a no-no as Facebook Messenger. And Samsung's alternative is exactly the same.
www.forbes.com/sites/thomasbrewster/2021/02/25/exclusive-hackers-break-into-biochemical-systems-at-oxford-uni-lab-studying-covid-19/ Oxford University confirmed on Thursday it had detected and isolated an incident at the Division of Structural Biology (known as Strubi) after Forbes disclosed that hackers were showing off access to a number of systems. These included machines used to prepare biochemical samples, though the university said it couldn't comment further on the scale of the breach. It has contacted the National Cyber Security Center (NCSC), a branch of the British intelligence agency GCHQ, which will now investigate the attack. The crew, according to [Hold Security's Alex] Holden, is highly sophisticated and has been privately selling stolen data from a number of its victims, and has previously sold to advanced persistent threat groups, a term for nation-state-backed hackers. He noted that the hackers spoke Portuguese. Some of the group's other victims include Brazilian universities, Holden added, and they also use ransomware to extort some victims.
Microsoft fixes Windows 10 drive corruption bug: what you need to know
www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-10-drive-corruption-bug-what-you-need-to-know/ With this week’s release of Windows 10 Insider build 21322, Microsoft has included an undocumented fix that prevents the path from being accessed.
Google shares PoC exploit for critical Windows 10 Graphics RCE bug
www.bleepingcomputer.com/news/security/google-shares-poc-exploit-for-critical-windows-10-graphics-rce-bug/ Project Zero, Google's 0day bug-hunting team, shared technical details and proof-of-concept (PoC) exploit code for a critical remote code execution (RCE) bug affecting a Windows graphics component. They reported the bug to the Microsoft Security Response Center in November. The company released security updates to address it on all vulnerable platforms on February 9, during this month's Patch Tuesday.