Jill Brummer says
GitHub Introduces Private Vulnerability Reporting for Public Repositories | SecurityWeek.Com
In summary, the article is about Microsoft-owned GitHub, which announced a direct channel for security researchers to report vulnerabilities in public repositories. This vulnerability reporting is private so that adequate information can be reported about vulnerabilities. The issue right now with public reporting via social media is that the details are always adequate or correct. The functionality of private reporting can be enabled by anyone with admin permissions to a public vulnerability reporting repository. Private reporting allows the opportunity to discuss the details in private and receive the reports directly on the same platform where the issue is discussed and addressed, which lowers the risk from public interruption.
Nicholas Foster says
https://www.securityweek.com/40-states-settle-google-location-tracking-charges-392m
The article I have chosen to highlight speaks on Google's 392-million-dollar lawsuit settlement. The settlement was brought about due to Google continuing to track people's location even after they opted out. Per the article, Google generates 200 billion dollars in ad revenue, and geographical data is among the most sought-after data points for consumers. The article goes on to state, “The privacy issue with location tracking affected some 2 billion users of devices that run Google's Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.” This is “the largest multistate settlement in U.S. history dealing with privacy.”
David Vanaman says
A $392 million fine sounds like a lot, but when you consider that the fine is less than 2 percent of the revenue that Google is pulling in from this data, it really doesn't feel like it is going to have any meaningful effect. Absorbing a 2% hit is easily the “cost of business”. Until fines have real teeth to hurt offenders, they are not effective.
Abayomi Aiyedebinu says
The article I have chosen this week shows how foreign interference in elections has become a powerful tool used by cyber criminals to sow conflict and bolster claims that election results are less credible. Although I am not a politician, I find news like this very interesting because it is often used as rhetoric to make claims about interference in elections. In this article, the Mississippi election website was knocked out by a DDoS attack during the recent midterm election. A pro-Russian hacking group took credit for the attack, although CISA officials said they were aware of the attack but did not attribute it to any specific actor. In recent times, interference in the electioneering process has been a very rampant gimmick used by adversaries to sow disunity and doubt in the election process.
https://therecord.media/mississippi-election-websites-knocked-out-by-ddos-attack/?web_view=true
Kenneth Saltisky says
https://www.bleepingcomputer.com/news/security/android-phone-owner-accidentally-finds-a-way-to-bypass-lock-screen/
Cybersecurity researcher David Schutz accidentally found a way to bypass the lock screen on his patched Google Pixel 6 and Pixel 5 smartphones, enabling anyone with physical access to the device to unlock it. This was patched last week, but the exploit had been available for at least six months. The flaw was discovered after his Pixel 6 ran out of battery; he entered his PIN wrong three times and recovered the locked SIM card through the personal unblocking code. Surprisingly, after unlocking the SIM and selecting a new PIN, the device did not ask for the lock screen password, only the fingerprint scan. Android devices usually ask for a lock screen password or pattern after rebooting, so this was unusual behavior. After continued experimentation, he discovered that it was possible to go straight to the home screen as long as the device had been unlocked by the owner at least once since reboot. The issue was caused by the keyguard being wrongfully dismissed after a SIM PUK unlock due to a conflict in dismiss calls. When the correct PUK number was entered, a “dismiss” function was called twice: once by a component monitoring the SIM state and once by the PUK component. This caused not only the PUK security screen to be dismissed, but also the keyguard. If no other security screens were in place, this would result in direct access to the home screen. A fix was implemented as of November 7th, 2022 that adds an additional parameter to “dismiss” calls so that they only dismiss specific types of security screens rather than just going to the next one.
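A toy model of the "dismiss called twice" behaviour the post describes and of the fix (dismiss takes the type of screen it is allowed to remove). This is an added illustration, not code from the article or from Android; the screen names and the stack model are constructed for the example.

```python
from enum import Enum, auto


class Screen(Enum):
    SIM_PUK = auto()    # SIM PUK entry screen
    PASSWORD = auto()   # lock-screen password / pattern
    HOME = auto()       # nothing left to dismiss: home screen is shown


class Keyguard:
    """Constructed model: a stack of security screens, index 0 is the one shown."""

    def __init__(self, screens):
        self.stack = list(screens)

    def current(self):
        return self.stack[0] if self.stack else Screen.HOME

    def dismiss_untyped(self):
        # pre-fix behaviour: remove whatever security screen is on top
        if self.stack:
            self.stack.pop(0)

    def dismiss(self, screen):
        # post-fix behaviour: only remove the top screen if it is the expected type
        if self.stack and self.stack[0] is screen:
            self.stack.pop(0)


def puk_unlock_before_fix():
    """Two untyped dismiss calls pop both the PUK screen and the password screen."""
    kg = Keyguard([Screen.SIM_PUK, Screen.PASSWORD])
    kg.dismiss_untyped()   # SIM-state monitor reacts to the now-unlocked SIM
    kg.dismiss_untyped()   # PUK component also dismisses its own screen
    return kg.current()    # Screen.HOME: the password screen was skipped


def puk_unlock_after_fix():
    """Typed dismiss calls: the second call finds no PUK screen and is a no-op."""
    kg = Keyguard([Screen.SIM_PUK, Screen.PASSWORD])
    kg.dismiss(Screen.SIM_PUK)
    kg.dismiss(Screen.SIM_PUK)
    return kg.current()    # Screen.PASSWORD: the user must still authenticate
```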
Shepherd Shenjere says
The article I chose for this week talks about MFA fatigue attacks, how they put organizations at risk, and the solutions to mitigate the potential risk. An MFA fatigue attack is a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. According to the article, “cybercriminals bombard theirs victims with repeated 2FA push notifications to lure them into authenticating their login attempts to increase theirs chances of gaining access to sensitive information.” This tactic usually works when the targeted victims are distracted by the notifications, which leads them to think that they are legitimate authentication requests.
Solutions to Mitigate MFA Fatigue:
TRUE MFA
This solution can prevent MFA fatigue since it helps confirm a user's identity by using at least two factors. These include knowledge (something you know), possession (something you own), or inheritance (something you are).
Limit requests
The strategy here is to limit the number of MFA requests per user. Once a certain threshold has been passed, the account is locked and the issue is raised to the domain administrator.
Gamifying the system
This can be achieved using systems such as the Specops uReset Active Directory self-service password reset solution. This system gives users a self-service portal where they can reset their passwords or unlock their accounts with a star-based system that gamifies the verification process in a way that makes end-users more likely to opt into use.
https://www.bleepingcomputer.com/news/security/mfa-fatigue-attacks-are-putting-your-organization-at-risk/
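The "limit requests" mitigation above, worked through as a sliding-window limiter on push prompts: once a user exceeds the threshold inside the window the account is locked and an alert is recorded for the administrator. This is an added example, not code from the article or from any MFA product; the threshold, window and sample events are constructed.

```python
from collections import defaultdict, deque


class MfaPushLimiter:
    """Constructed example: count push prompts per user in a sliding window,
    lock the account once the threshold is crossed, and queue an admin alert."""

    def __init__(self, max_prompts=5, window_seconds=300):
        self.max_prompts = max_prompts
        self.window = window_seconds
        self.prompts = defaultdict(deque)   # user -> timestamps of recent prompts
        self.locked = set()
        self.alerts = []                    # (user, time, message) for the admin

    def request_push(self, user, now):
        """Return True if a push prompt may be sent, False if it must be suppressed."""
        if user in self.locked:
            return False
        recent = self.prompts[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()                # drop prompts outside the window
        recent.append(now)
        if len(recent) > self.max_prompts:
            self.locked.add(user)
            self.alerts.append((user, now,
                                f"{len(recent)} MFA prompts in {self.window}s; account locked"))
            return False
        return True


def simulate(events, max_prompts=5, window_seconds=300):
    """Run a list of (user, timestamp) prompt requests and report the decisions."""
    limiter = MfaPushLimiter(max_prompts, window_seconds)
    decisions = [limiter.request_push(user, t) for user, t in events]
    return decisions, sorted(limiter.locked), limiter.alerts


# Constructed sample: alice receives 7 prompts within a minute (fatigue pattern),
# bob receives two prompts an hour apart (normal use).
SAMPLE = [("alice", 10 * i) for i in range(7)] + [("bob", 0), ("bob", 3600)]
```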
Maxwell ODonnell says
Whoosh, a Russian scooter-sharing service, confirmed a data breach after hackers began to sell a database containing records of 7.2 million of their customers on a hacking forum. Whoosh is Russia's leading urban mobility service platform, with more than 75,000 scooters in 40 cities. The hacker started selling data on the ‘Breached’ hacking forum containing partial information related to user identification and payment card data, along with promo codes which can be used to use the service for free. This attack was covered in the media weeks prior, but the company's IT spokesperson falsely claimed that the attack was thwarted and under control. Interestingly, the hacker made a post claiming to sell the data to only five buyers at $4,200 each or for 0.214909 bitcoin; however, no one has yet bought the data. Such a breach is nothing new in Russia; Roskomnadzor, Russia's internet watchdog, confirmed that there have been at least 40 other company breaches this year. Group-IB published a report claiming that this year alone they have observed 140 databases stolen, exposing 304 million records.
https://www.bleepingcomputer.com/news/security/whoosh-confirms-data-breach-after-hackers-sell-72m-user-records/
David Vanaman says
https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-world-after-all/
This week's article from Brian Krebs shines a light on a particularly insidious bit of fraud that is the result of ensuring that non-English languages can display properly. Punycode is a term for using similar-looking characters in another language to create a URL or other bit of text that looks like the real thing but is functionally different when interpreted by the computer.
The article then goes a bit deeper into how a bit of banking fraud is committed by a Russian malware team calling themselves Disneyland Team. In addition to using fake URLs, they create copycat fake websites to harvest user data.
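A defender-side check for the look-alike hostnames the post describes: decode each `xn--` label with Python's built-in idna codec and flag labels that mix scripts or that map to a plain-ASCII name through a confusable table. This is an added example, not code from Krebs' article; the confusable table is a small constructed subset (Unicode's confusables.txt is the full list) and the test hostnames are constructed.

```python
import unicodedata

# Constructed, deliberately partial map of Cyrillic/Greek letters to the Latin
# letters they resemble; a real deployment would load Unicode's confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",
}


def decode_label(label):
    """Decode an ACE (xn--) label back to Unicode; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def scripts_in(label):
    """Scripts used by the letters of a label, taken from the Unicode character name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Replace known look-alike letters with their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def check_hostname(host):
    """Return a list of findings for labels that mix scripts or look like ASCII names."""
    findings = []
    for label in host.split("."):
        decoded = decode_label(label)
        if decoded == label:
            continue                      # ordinary ASCII label, nothing to inspect
        scripts = scripts_in(decoded)
        if len(scripts) > 1:
            findings.append(f"{label} -> {decoded!r}: mixed scripts {sorted(scripts)}")
        skel = skeleton(decoded)
        if skel != decoded and skel.isascii():
            findings.append(f"{label} -> {decoded!r}: confusable with ASCII {skel!r}")
    return findings
```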