Security News > 2020 > June

Data From Joomla Resources Directory Exposed via Unprotected AWS Bucket
2020-06-01 13:43

An unprotected Amazon Web Services S3 bucket exposed the details of 2,700 users who signed up for the Joomla Resources Directory (JRD), Joomla's Incident Response Task Group reported last week. An internal website audit revealed that a third-party company owned by a former leader of the JRD team - who is still a member of the team - had stored full JRD backups in an AWS S3 bucket that was not protected by access controls.

Researcher Claims Apple Paid $100,000 for 'Sign in With Apple' Vulnerability
2020-06-01 12:39

An attacker exploiting the vulnerability could have taken over user accounts on the affected third-party applications, whether or not the victim held a valid Apple ID, security researcher Bhavuk Jain explains. In the second step of the sign-in flow, the user is given the option of sharing their Apple email ID with the third-party app.

New Technique Improves Effectiveness of Timing Channel Attacks
2020-06-01 11:13

Two researchers have discovered a new timing channel attack technique that remains effective even when multiple processes are running on a system and adding noise to the measurements. Called DABANGG, the newly proposed technique improves the effectiveness of flush-based cache attacks such as Flush+Reload and Flush+Flush, researchers Anish Saxena and Biswabandan Panda from the Indian Institute of Technology Kanpur claim in a research paper.
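To show what "flush-based" means in practice, and why background noise matters, here is an added example of the Flush+Reload primitive with threshold calibration. It is not code from the DABANGG paper or its authors; it assumes an x86-64 machine with rdtscp and clflush (the timing primitives degrade to no-ops elsewhere), and the "victim" is simulated inline rather than being a real second process. Taking the median of many samples, instead of trusting one reading, is the simplest defence against the scheduler and cache noise that other processes introduce.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__)
#include <x86intrin.h>          /* __rdtscp, _mm_clflush */
#define HAVE_CLFLUSH 1
#else
#define HAVE_CLFLUSH 0          /* assumption: only x86-64 is exercised here */
#endif

#define SAMPLES 2000            /* constructed sample count for calibration */

/* Stand-in for one cache line of a shared page mapped by attacker and victim. */
static uint8_t shared_line[64] __attribute__((aligned(64)));

/* Time one read of *p between two serialising rdtscp reads; 0 where unsupported. */
static uint64_t timed_read(volatile uint8_t *p) {
#if HAVE_CLFLUSH
    unsigned int aux;
    uint64_t t0 = __rdtscp(&aux);
    uint8_t v = *p;
    uint64_t t1 = __rdtscp(&aux);
    (void)v;
    return t1 - t0;
#else
    (void)p;
    return 0;
#endif
}

/* Evict the line from every cache level: the "Flush" step. */
static void flush_line(volatile uint8_t *p) {
#if HAVE_CLFLUSH
    _mm_clflush((const void *)p);
#else
    (void)p;
#endif
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples; a copy is sorted so the caller's buffer is untouched. */
uint64_t median(const uint64_t *v, size_t n) {
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (!tmp) abort();
    memcpy(tmp, v, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Threshold halfway between the cached and flushed medians. */
uint64_t pick_threshold(uint64_t cached_med, uint64_t flushed_med) {
    return cached_med + (flushed_med - cached_med) / 2;
}

/* 1: reload was fast, so the victim touched the line since our flush; 0: it did not. */
int classify(uint64_t reload_cycles, uint64_t threshold) {
    return reload_cycles < threshold;
}

/* Calibrate on this machine: SAMPLES reads of a warm line, SAMPLES reads after clflush.
 * Medians, not single samples, keep the threshold usable under interrupt and
 * context-switch noise from other processes. */
void calibrate(uint64_t *cached_med, uint64_t *flushed_med) {
    static uint64_t cached[SAMPLES], flushed[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++) {
        (void)timed_read(shared_line);           /* warm the line */
        cached[i] = timed_read(shared_line);
        flush_line(shared_line);
        flushed[i] = timed_read(shared_line);    /* miss all the way to DRAM */
    }
    *cached_med = median(cached, SAMPLES);
    *flushed_med = median(flushed, SAMPLES);
}

/* One attack round: flush, let the (simulated) victim run, reload and classify. */
int flush_reload_round(int victim_touches, uint64_t threshold) {
    flush_line(shared_line);
    if (victim_touches)
        (void)timed_read(shared_line);           /* the victim's access */
    return classify(timed_read(shared_line), threshold);
}

int main(void) {
    uint64_t c, f;
    calibrate(&c, &f);
    uint64_t thr = pick_threshold(c, f);
    printf("cached median %" PRIu64 ", flushed median %" PRIu64 ", threshold %" PRIu64 "\n",
           c, f, thr);
    for (int round = 0; round < 6; round++)
        printf("round %d: victim %s, observed %s\n", round,
               (round & 1) ? "accessed" : "idle",
               flush_reload_round(round & 1, thr) ? "HIT" : "miss");
    return 0;
}
```

Compile with `gcc -O1 -o fr fr.c` on x86-64; the printed rounds alternate between miss and HIT when the simulated victim is idle and active. Run it with a busy machine (a parallel build, say) and watch how far the flushed samples spread: that spread, and the misclassifications it causes, is the problem the DABANGG paper addresses.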

Password Changing After a Breach
2020-06-01 11:08

This study shows that most people don't change their passwords after a breach, and that when they do, they often change it to a weaker password. Abstract: To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other accounts.

Amtrak Discloses Security Incident Involving Guest Reward Accounts
2020-06-01 10:43

U.S. passenger railroad service Amtrak last week started informing some customers that their personal information may have been compromised as a result of unauthorized access to Guest Reward accounts. The company determined that hackers gained access to some customers' Guest Reward accounts using compromised usernames and passwords, which likely means the attackers relied on credential reuse: many users set the same username and password combination for multiple online accounts, and credentials stolen in an earlier breach elsewhere were replayed against Amtrak.

Github uncovers malicious ‘Octopus Scanner’ targeting developers
2020-06-01 10:28

In its write-up of the attack, the GitHub Security Lab team explains how the malware lurks in source code repositories uploaded to its site, activating when a developer downloads an infected repository and uses it to build a software program. Most of the variants that GitHub found in its scans also infect a project's source code, meaning that any newly-infected project mirrored to a remote repository would spread the malware further on GitHub.

Facebook to verify identities on accounts that churn out viral posts
2020-06-01 10:14

Facebook announced on Thursday that it's going to be verifying the identity of some US profiles that pump out posts that reach a mass of people. The platform's doing it to spare us from the blathering of bots and fake accounts, or what Facebook calls "people who have a pattern of inauthentic behavior on Facebook and whose posts start to rapidly go viral in the US."

New propagation module makes Trickbot more stealthy
2020-06-01 09:53

Trickbot infections of Domain Controller servers have become more difficult to detect due to a new propagation module that makes the malware run from memory, Palo Alto Networks researchers have found. Trickbot is also often dropped by Emotet as a secondary payload or is delivered via booby-trapped email attachments, but its lateral propagation mechanism is a big reason why it's become the bane of many a company's existence.

Monday review – the hot 15 stories of the week
2020-06-01 09:51

Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time.

UK.gov dangles £400k over makers of IoT Things: Go on, let's see how you'd make a security cert scheme
2020-06-01 09:16

British companies have been offered access to a £400k pot of cash to design a UK-specific "Kitemark" assurance scheme for Internet of Things products. The government grant scheme is intended to complement previous announcements making it a legal requirement that IoT devices ship with unique, non-default passwords and that vendors "explicitly state" for how long security updates will be published.