Security News
DOUG. Emergency Apple patches, justice for the 2020 Twitter hack, and "Turn off your phones, please!". DOUG. As luck would have it, we have a long list of things you can do other than just turning off your phone for five minutes.
DUCK. I don't know whether that's true, but I like to think it is. Before we get to stuff that's in the news, we are pleased, nay thrilled, to announce the first of three episodes of Think You Know Ransomware?
As long as they don't choose password or secret or one of the Top Ten Cats' Names in the world, maybe it's OK if we force them to change it to another not-very-good password before the crooks would be able to crack it? The simple observation is that changing a bad password regularly doesn't make it a better password.
In what's a new kind of software supply chain attack aimed at open source projects, it has emerged that threat actors could seize control of expired Amazon S3 buckets to serve rogue binaries without altering the modules themselves. "Malicious binaries steal the user IDs, passwords, local machine environment variables, and local host name, and then exfiltrates the stolen data to the hijacked bucket," Checkmarx researcher Guy Nachshon said.
A UK agency for freelance doctors has potentially exposed personal details relating to 3,200 individuals via unsecured S3 buckets, which one expert said could be used to launch ID theft attacks or blackmail. In the process, it discovered the Lantum S3 bucket, which was accessible and indexed on some IoT search engines.
MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do. Amongst the things that they could do would be: finding out the structure of your internal databases, so they know what stored where; perhaps downloading and messing with your data; and, optionally for the crooks, injecting what's known as a webshell.
DOUG. Password manager cracks, login bugs, and Queen Elizabeth I versus Mary Queen of Scots of course! Our last story of the day: Don't panic, but there's apparently a way to crack the master password for open-source password manager KeePass.
If you are not aware that the Caller ID number that shows up on your phone is nothing more than a hint, that anybody can put in anything, and that anybody with your worst interests at heart who wants to stalk you can, for a modest monthly outlay, buy into a service that will help them do it automatically. If you don't know that that's the case, you're probably going to have your guard way, way down when that call comes through and says, "I'm calling from the bank. You can see that from the number. Oh dear, there's been fraud on your account", and then the caller talks you into doing a whole load of things that you wouldn't listen to for a moment otherwise.
You know your catchphrase, "We'll keep an eye on that"? Even worse, Doug, it seems that, when they became suspicious of him.
"We've hacked their stuff, including source code, development tools, and private keys. We will publish stolen data when timer expires," they said. One key that they referred to as an Intel OEM debugging key.