All about Security, News, Events and Incidents

Discussion in 'Security and Anti-Virus Software' started by Dr. AMK, Apr 26, 2018.

  1. hmscott

    hmscott Notebook Nobel Laureate

    Samsung spilled SmartThings app source code and secret keys

    Zack Whittaker @zackwhittaker / 1 week ago
    https://techcrunch.com/2019/05/08/samsung-source-code-leak/

    "A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.
    The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not properly protected with a password, allowing anyone to look inside at each project, access and download the source code.

    Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including more than 100 S3 storage buckets that contained logs and analytics data.

    Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed him to gain additional access from 42 public projects to 135 projects, including many private projects.

    Samsung told him some of the files were for testing but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app, published in Google Play on April 10.

    The app, which has since been updated, has more than 100 million installs to date.

    “I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.

    Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

    The exposed GitLab instance also contained private certificates for Samsung’s SmartThings’ iOS and Android apps.

    Hussein also found several internal documents and slideshows among the exposed files.

    “The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said.
    Through exposed private keys and tokens, Hussein documented a vast amount of access that if obtained by a malicious actor could have been “disastrous,” he said.

    Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials, but it’s not known if the remaining secret keys and certificates were revoked.

    Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.

    “Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”

    Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.

    Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.

    Samsung’s data leak, he said, was his biggest find to date.

    “I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said."
     
    Papusan likes this.
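    The failure the article describes, credentials and personal access tokens sitting in plaintext inside repository files, is one that a repository-side check can catch before the code is ever pushed or a project is made public. Below is an added example scanner in Python (example code, not Samsung's, GitLab's or TechCrunch's); the rule names, the entropy threshold, the assumption that GitLab tokens carry a `glpat-` prefix, and the sample files are all constructed for this illustration.

```python
"""Plaintext-credential scanner (added example; not Samsung's, GitLab's or
TechCrunch's code). Intended for a pre-commit hook or CI job, it flags the two
things the article describes sitting in the repository: cloud credentials and
personal access tokens. Rules and sample files below are constructed."""
import math
import re
from collections import Counter

# "AKIA"/"ASIA" + 16 uppercase alphanumerics is AWS's documented access key ID
# shape. "glpat-" is the current GitLab personal access token prefix (an
# assumption for this example; it post-dates the 2019 incident).
SPECIFIC_RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_-]{20,}\b"),
}
# Catch-all for assignments such as `aws_secret_access_key: ...`, `TOKEN=...`,
# `password = "..."`; the captured value is checked for randomness below.
GENERIC_RULE = re.compile(
    r"(?i)(?:secret|token|password|api_?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-]{16,})"
)
MIN_ENTROPY = 3.5  # bits/char; real keys score ~4.5+, English placeholders ~3


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret):
    """Keep only the ends so a CI log never becomes a second copy of the secret."""
    return secret[:4] + "..." + secret[-4:]


def scan_file(path, text):
    """Return one finding dict per suspected secret in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = []
        for rule, rx in SPECIFIC_RULES.items():
            for m in rx.finditer(line):
                hits.append((rule, m.group(0)))
        for m in GENERIC_RULE.finditer(line):
            value = m.group(1)
            # A value already caught by a specific rule is not reported twice,
            # and low-entropy values (placeholders, dictionary words) are skipped.
            if any(h[1] in value for h in hits) or shannon_entropy(value) < MIN_ENTROPY:
                continue
            hits.append(("generic_secret", value))
        for rule, secret in hits:
            findings.append({"path": path, "line": line_no, "rule": rule,
                             "redacted": redact(secret)})
    return findings


def scan_repo(files):
    """files: {path: contents}. Returns all findings, ordered by path then line."""
    out = []
    for path in sorted(files):
        out.extend(scan_file(path, files[path]))
    return out


# Constructed sample tree. The AWS values are the placeholder pair from AWS's
# own documentation, not live credentials; the GitLab token is made up.
SAMPLE_REPO = {
    "config/aws.yml": (
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "region: us-east-1\n"
    ),
    "deploy/.env": (
        "GITLAB_TOKEN=glpat-xK9qRtL2mNvP4wYzA7bC\n"
        'password = "changeme_changeme"\n'
    ),
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['redacted']}")
    # A pre-commit hook would exit non-zero here whenever any finding exists.
```

    Run against the sample tree it reports the AWS key ID, the AWS secret (via the generic rule plus the entropy check) and the GitLab token, while leaving the low-entropy `changeme_changeme` placeholder alone; in a real hook the `print` loop becomes a non-zero exit that blocks the commit. The redaction step matters in CI, where job logs are often readable more widely than the repository itself.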
  2. hmscott

    hmscott Notebook Nobel Laureate

    Chief Privacy Officers: The Unicorns of K-12 Education
    By Emily Tate, Feb 25, 2019
    https://www.edsurge.com/news/2019-02-25-chief-privacy-officers-the-unicorns-of-k-12-

    "Last month, the nonprofit Center for Democracy and Technology (CDT) published a report arguing schools and districts should go the way of other industries and hire a Chief Privacy Officer to oversee their organization’s privacy policies and practices.

    Page by page, the report explains what a CPO is, why the role is necessary and even provides a two-page sample job description districts can use to begin the hiring process for a CPO.

    The intent here is good, says Linnette Attai, a K-12 privacy expert and founder of the global compliance consulting firm PlayWell, LLC. Schools and districts collect, manage and analyze more data now than ever before. That data can be used to improve K-12 decision-making, tailor instruction to each student and flag when one student needs extra attention or assistance.

    But because data can also be misused, abused, exposed and manipulated, it must be protected. Thus, the need for a Chief Privacy Officer—someone who can establish and enforce privacy policies, train staff on privacy procedures and ensure that all data is collected and shared safely.

    But the reality is that Chief Privacy Officers in K-12 education are about as common as unicorns. EdSurge contacted education nonprofits, a technology association and a handful of privacy experts, and none could identify a single school district with a K-12 CPO.

    In fact, it is still extremely rare for districts to hire even one full-time employee dedicated to privacy—leadership or otherwise—says Attai, who frequently advises K-12 districts on privacy issues.

    “It should be a leadership position, but it’s not,” she tells EdSurge. “We’re a really long way off from it ever being there, and we may never be there.”

    It's fun watching change in motion... :)

    Please use the URL to see the rest of the article...
     
    Last edited: May 18, 2019
  3. Papusan

    Papusan JOKEBOOK's Sucks! Dont waste your $$$ on FILTHY

    jclausius likes this.
  4. Papusan

    Papusan JOKEBOOK's Sucks! Dont waste your $$$ on FILTHY

    RAMBleed Exploit Inflicts Rowhammer-Style Attack On Private Data From PC Memory hothardware.com | Jun 13, 2019
    Sometimes it feels as though nary a day goes by without someone sounding the alarm on a new security vulnerability. More recently, there has been a lot of hoopla over side-channel exploits, such as Spectre and Meltdown, and various other variants. Here is another one to add to your mental catalog of exploits—RAMBleed....

    "While this sounds frightening, the good news is attackers are not able to leverage RAMBleed remotely—it is a local attack. It is being tracked under advisory CVE-2019-0174 and has been assigned a Common Vulnerability Scoring System (CVSS) rating of 3.8 out of 10. Researchers also say it is "unlikely" that RAMBleed has ever been exploited in the wild up to this point"
     
  5. Papusan

    Papusan JOKEBOOK's Sucks! Dont waste your $$$ on FILTHY

    Yeah... Is Dell taking their customer security seriously? As we know, Dell doesn't make much of its own hardware, firmware and software bloatware itself. Almost everything is created/made by an outsourced tech team or a third-party company. This is a good reminder why you shouldn't install all sorts of software from the ODM manufacturers. Be safe... Skip everything that doesn't smell like needed drivers...

    Dell Discovers Yet Another SupportAssist Security Flaw Tomshardware.com | June 21, 2019

    In May, Dell’s SupportAssist troubleshooting PC utility was found to be vulnerable to attacks that could compromise all Dell laptops and desktops. This week Dell disclosed a second flaw (CVE-2019-12280) that could allow both malware and rogue logged-in users to gain administrative privileges and take over victims’ computers. SupportAssist ships with all Dell desktops, laptops and tablets.


    Is Dell Taking Customer Security Seriously?
    More than one serious vulnerability that hackers could exploit to take over Dell PCs has been found in recent years. At this point we have to wonder if Dell is taking cybersecurity seriously...

    ----------------------------------------------

    Cybersecurity company finds worrying vulnerability affecting millions of Dell laptops and desktops


    Dell has published a security advisory, which can be accessed here. It offers a straightforward resolution for the potential threat, which involves updating the relevant software that now includes a fix provided by PC-Doctor.
     
    Ashtrix and maffle like this.
  6. Dr. AMK

    Dr. AMK Living with Hope

    10 Ways The Government Is Secretly Spying On You
     
    hmscott and Papusan like this.
  7. jclausius

    jclausius Notebook Virtuoso

    "Billions of Records Including Passwords Leaked by Smart Home Vendor"

    - A publicly accessible ElasticSearch cluster owned by Orvibo, a Chinese smart home solutions provider, leaked more than two billion user logs containing sensitive data of customers from countries all over the world.

    - The vpnMentor research team found that "the video feed from the smart cameras is easily accessible by entering the owner’s account with the credentials found in the database" for users who added security cameras to their Orvibo smart home management accounts.

    - Also, unlocking the users' smart door locks combined with precise geolocation and schedules swiped from built-in calendar displays exposes them to home break-ins.

    https://www.bleepingcomputer.com/ne...luding-passwords-leaked-by-smart-home-vendor/


    This is why my house remains (and forever will be) a 'dumb' house with lock and deadbolt. My doors, lights, etc., do not need to be exposed to hackers.
     
  8. jclausius

    jclausius Notebook Virtuoso

    "120M users at risk from serious vulnerability in Microsoft Excel"

    - Security researchers have uncovered a serious vulnerability in Microsoft Corp.’s Excel that exposes around 120 million users to attack.

    - A would-be hacker is able to use Power Query to dynamically launch a remote Dynamic Data Exchange attack into an Excel spreadsheet to actively control the payload.

    - The vulnerability can also be exploited to launch sophisticated, hard-to-detect attacks that combine several attack surfaces, embed malicious content in a separate data source and even load the content into the spreadsheet when it is opened to compromise the user’s machine.

    https://siliconangle.com/2019/06/27/120m-users-risk-serious-vulnerability-microsoft-excel/


    Seems like a quite involved attack, but we also have NBR users using Excel in a multitude of ways.
     
    Papusan, hmscott and Dr. AMK like this.
  9. Dr. AMK

    Dr. AMK Living with Hope

    How Does "Sign in With Apple" Work?
     
    Papusan likes this.
  10. Papusan

    Papusan JOKEBOOK's Sucks! Dont waste your $$$ on FILTHY

    Dr. AMK likes this.