Security News

Amazon Web Services has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources. "This attack abuses the AppSync service to assume roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts," Datadog researcher Nick Frichette said in a report published last week.


Amazon Web Services fixed a cross-tenant flaw in AWS AppSync that could allow miscreants to abuse that cloud service to assume identity and access management roles in other AWS accounts, and then gain access to and control over those resources. No customers were affected by the vulnerability and no customer action is required, according to AWS. In a statement posted on Monday, the cloud services provider thanked Datadog for reporting the "Case-sensitivity parsing issue" in AppSync.

Five steps to designing a future-proof asset intelligence program. While many factors play into the longevity and success of any cybersecurity initiative, there are five standout elements for building a cyber asset intelligence program that scales with an organization's size and evolving maturity.

5 Kali Linux tools you should learn how to use. Kali Linux is a specialized Linux distribution developed by Offensive Security, designed for experienced Linux users who need a customized platform for penetration testing.

Stop audience hijacking and defend against redirection to malicious websites. In this Help Net Security video, Patrick Sullivan, CTO of Security Strategy at Akamai, talks about the threat of audience hijacking and offers protection tips.

A novel attack method has been disclosed against a crucial piece of technology called Time-Triggered Ethernet (TTE) that's used in safety-critical infrastructure, potentially causing the failure of systems powering spacecraft and aircraft. Dubbed PCspooF by a group of academics and researchers from the University of Michigan, the University of Pennsylvania, and the NASA Johnson Space Center, the technique is designed to break TTE's security guarantees and induce TTE devices to lose synchronization for up to a second, a behavior that can even lead to uncontrolled maneuvers in spaceflight missions and threaten crew safety.

Given that 2021 was a record year for new vulnerabilities published and threat actors became better at weaponizing vulnerabilities, timely and well-judged vulnerability prioritization and remediation are a goal all organizations should aspire to achieve. Two approaches help: using automation together with the Common Security Advisory Framework (CSAF), which "provides a standardized format for ingesting vulnerability advisory information and simplify triage and remediation processes for asset owners," and clarifying the impact of vulnerabilities.

A critical unauthenticated remote code execution vulnerability in Spotify's Backstage project has been found and fixed, and developers are advised to take immediate action in their environments. Oxeye researchers reported the vulnerability through Spotify's bug bounty program, and Spotify rapidly patched the vulnerability and released Backstage version 1.5.1, which fixes the issue.

GitHub is offering a scheme for security researchers to privately report vulnerabilities found in public repositories. Being able to privately report code flaws is important to researchers who are often left with choices that can lead to more security problems, GitHub said in a blog post.

Bishop Fox collected and analyzed publicly disclosed reports from January to July 2022 to better understand the most frequently reported vulnerability types, the highest-disclosed bounties, and more. In this Help Net Security video, Carlos Yanez, Security Consultant at Bishop Fox, talks about the most frequently reported vulnerability types and severities.