Malwarebytes breached by the group that attacked SolarWinds
The company is the fourth prominent security firm to announce being targeted by the group, after Microsoft, FireEye, and CrowdStrike. The firm wasn’t a victim of the supply chain attack, as it doesn’t use SolarWinds’ solutions; instead it found the attackers had accessed internal systems by exploiting a dormant email protection product within its Office 365 tenant. Malwarebytes was notified by Microsoft about suspicious activity from that dormant Office 365 security app on December 15th. After an investigation, the company found the group only gained access to a limited subset of internal company emails, with no evidence that any products or production systems were compromised.
Google researcher finds security flaws impacting popular chat apps
Google Project Zero researcher Natalie Silvanovich recently published a report about a common theme of vulnerabilities in messaging apps, centered around the “calling state machine” mechanism used by apps like Signal, Google Duo, Facebook Messenger, JioChat and Mocha. She found these vulnerabilities commonly allow attackers to force transmission of video or audio from another client before the call is answered, and that the calling state machine is an underappreciated attack surface. These apps all communicate using WebRTC, utilizing the Session Description Protocol for signalling. While the bugs covered in her report were already patched, Silvanovich found they stemmed from developers misunderstanding that WebRTC applications must implement their own user consent mechanism; WebRTC itself does not prevent these state-machine implementation errors.
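To make the bug class concrete, here is an added illustration (not code from the Project Zero report or from any of the apps named above) of a callee's call state machine in two flavours: one that attaches the local media as soon as signalling reports the connection is up, and a hardened one that only transmits once the local user has explicitly accepted. The peer connection is replaced by a transmitting flag so it runs offline.

```javascript
// Added example: models the "calling state machine" bug class. A remote peer
// controls the signalling messages, so a client that attaches its microphone or
// camera on "connected" (rather than on user acceptance) leaks media before the
// callee ever answers. Real WebRTC objects are stubbed out by a boolean.
class CallSession {
  // gateOnConsent: true = hardened behaviour, false = the bug class above
  constructor({ gateOnConsent }) {
    this.gateOnConsent = gateOnConsent;
    this.state = "idle";          // idle -> ringing -> connected -> ended
    this.userAccepted = false;    // set only by an explicit local UI action
    this.transmitting = false;    // would local media be sent to the peer?
  }

  // Incoming offer (SDP) arrives over the signalling channel.
  onOffer() {
    if (this.state !== "idle") throw new Error(`unexpected offer in ${this.state}`);
    this.state = "ringing";
  }

  // Local user pressed "Accept". This is the only legitimate consent signal.
  accept() {
    if (this.state !== "ringing" && this.state !== "connected") return;
    this.userAccepted = true;
    this.maybeAttachMedia();
  }

  // Remote peer reports the transport is connected. This message is attacker
  // controlled and may arrive while the callee is still ringing.
  onConnected() {
    if (this.state === "ended") return;
    this.state = "connected";
    this.maybeAttachMedia();
  }

  maybeAttachMedia() {
    if (this.state !== "connected") return;
    // Buggy clients attach tracks here unconditionally; hardened ones require
    // that the user accepted first, whatever order the messages arrived in.
    if (this.gateOnConsent && !this.userAccepted) return;
    this.transmitting = true;
  }

  hangUp() { this.state = "ended"; this.transmitting = false; }
}

// Replays the problematic sequence: offer, then "connected" before any accept.
// Returns whether the callee's media would already be flowing to the peer.
function simulateUnansweredCall(gateOnConsent) {
  const s = new CallSession({ gateOnConsent });
  s.onOffer();
  s.onConnected();
  return s.transmitting;
}
```

The detection angle for defenders is the same check the hardened path makes: media tracks must never be attached in a state the local user has not consented to, regardless of message ordering.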
Executive Order addresses malicious use of public clouds
One of the last executive orders from the outgoing Trump administration gives the Commerce Department authority to write rules that could bar foreign entities from using US cloud Infrastructure as a Service offerings if those offerings are used for a cyber attack. The rules would apply to jurisdictions as well as people and companies. The order gives the Commerce Department six months to create rules for US cloud providers, which would require verifying the identity of foreign customers and keeping other records. No word yet on whether the order will be kept in place by the new Biden administration.
Chrome will start looking for weak passwords
The feature will start rolling out to Chrome 88 users in the stable channel in the coming weeks, after being tested as an optional feature in Chrome Canary builds since December. The browser will look at passwords stored in its built-in password manager, allowing users to generate a strong random password and instantly swap it out. Users can run a check on all saved passwords in settings. Chrome already warns users of passwords tied to data breaches, proactively offering to reset these. A Google study from August estimated that 1.5% of all logins have been compromised by data breaches.
Thanks to our episode sponsor Armis
Brave browser offers the first native IPFS integration
IPFS, or InterPlanetary File System, is a decentralized version of HTTPS. While HTTPS lets browsers access files on a central server in order to get their web pages, IPFS lets the browser access content on a network of distributed nodes. IPFS points to a Content ID, or CID, rather than an IP address. When you type in an address, IPFS uses a cryptographic hash to find the nodes that are storing the content for each file. This means the server is not under any one company’s control, but you can still type in a web address like you normally would. This makes the content faster, because it can be stored closer to an endpoint. It also is more resilient to failures like DDoS or censorship. Brave now resolves URIs that start with ipfs:// instead of https://, and Brave users can choose to let their browser act as a node on the network, helping improve overall performance.
Report finds API abuse is a leading cyber threat
The finding comes from Radware’s State of Web Application Security Report, which found that organizations already struggling to maintain consistent application security across multiple platforms have seen those challenges explode with the mass adoption of remote work in 2020. In surveys, the report found that 40% of organizations had more than half of their applications exposed over the internet through APIs, with monthly denial of service attacks, injection attacks, and element manipulation hitting 55%, 49%, and 42% of respondents, respectively. Bot-based denial of service attacks were a major part of this, with 86% saying they experience at least one, 33% seeing weekly attempts, and 5% seeing daily ones. Despite that, only 24% of respondents had solutions to distinguish bot from human API access.
Hacker leaks 77 million Nitro PDF user records
Information from the leak included email addresses, full names, bcrypt hashed passwords, titles, company names, IP addresses, and system-related information. Nitro initially disclosed a “low impact security incident” to the Australian Stock Exchange on October 21, 2020, but later that month BleepingComputer found the 70+ million record database for auction online. Now the threat actor ShinyHunters has published the full database on a hacker forum. The leaked information could be used as fodder for phishing attacks, or as part of a credential stuffing campaign.
The security challenges of fitness tech in the White House
A new Presidential administration usually brings some security concerns about what consumer-grade tech the incoming administration wants to keep using. Obama had his BlackBerry, Trump had an iPhone. Now the question is whether President Biden can keep using his Peloton, a connected fitness bike. According to former deputy NSA director Richard Ledgett, the bike could be a manageable risk, but would require disabling the mics and cameras, as well as a nondescript and frequently changing username for the President. Keeping sensitive conversations away from the bike is probably a good idea too.