Security News > 2022
While this new report outlines authentication requirements for government agencies, they are also excellent guidelines for all fields and user levels. On the strength of passwords, NIST underlines that the requirements of using special characters, for example !$#%&, are obsolete since users still tend to add something that will keep the password memorable.
Gaming giant SEGA Europe recently discovered that its sensitive data was being stored in an unsecured Amazon Web Services S3 bucket during a cloud-security audit, and it's sharing the story to inspire other organizations to double-check their own systems. The laundry list of SEGA's potentially exposed data is nauseating - API keys, internal messaging systems, cloud systems, user data and more.
A supply-chain campaign infecting Sotheby's real-estate websites with data-stealing skimmers was recently observed being distributed via a cloud-video platform. "In skimmer attacks, cybercriminals inject malicious JavaScript code to hack a website and take over the functionality of the site's HTML form page to collect sensitive user information," researchers explained in a Monday posting.
The US Federal Trade Commission has warned today that it will go after any US company that fails to protect its customers' data against ongoing Log4J attacks. "The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the US government agency said.
"The Microsoft Pluton is a security processor, pioneered in Xbox and Azure Sphere, designed to store sensitive data, like encryption keys, securely within the Pluton hardware, which is integrated into the die of a device's CPU and is therefore more difficult for attackers to access, even if they have physical possession of a device," explained David Weston, Director of Enterprise and OS Security at Microsoft. In November 2020, Microsoft announced it would integrate its Pluton security processor into Intel, AMD, and Qualcomm CPUs as an on-die chip to reduce the available attack surface on Windows PCs. First introduced with the XBOX One and Azure Sphere, Pluton emulates a Trusted Platform Module to protect the boot process, encryption keys, and credentials directly on the CPU with the end goal of blocking threat actors from gaining access to such sensitive data.
The bug affects the Home app, Apple's home automation software that lets you control home devices - webcams, doorbells, thermostats, light bulbs, and so on - that support Apple's HomeKit ecosystem. Wiping your data is quick and reliable because Apple mobile devices always encrypt your data, even if you don't set a lock code of your own, using a randomly chosen passphrase kept in secure storage.
Hackers used a cloud video hosting service to perform a supply chain attack on over one hundred real estate sites, injecting malicious scripts to steal information entered into website forms. In a new supply chain attack discovered by Palo Alto Networks Unit42, threat actors abused a cloud video hosting feature to inject skimmer code into a video player.
Using real data is a good way to ensure that development code is working as expected before live deployment, but when you are dealing with sensitive information such as bank account details, great care must be taken not to fall foul of data protection regulations. In a later data breach notification, the firm disclosed more details on the security incident, including the number of people and the type of personal data affected by the data breach.
A malicious Telegram instant-messaging app installer scurries past a slew of antivirus engines to deliver Purple Fox malware, evading detection by separating the attack into bite-sized morsels that fly under the radar. "We have often observed threat actors using legitimate software for dropping malicious files," analysts wrote.
UScellular, self-described as the fourth-largest wireless carrier in the US, has disclosed a data breach after the company's billing system was hacked in December 2021. "On December 13, 2021, UScellular detected a data security incident in which unauthorized individuals illegally accessed our billing system and gained access to wireless customer accounts that contain personal information," the carrier explained.