Cyber Security Headlines – May 26, 2022

Popular open source libraries leaked keys for “research”

Several developers reported that two popular open source libraries, Python’s “ctx” and PHP’s “PHPass”, had been altered to steal AWS credentials and keys. Combined, these libraries have been downloaded over 3 million times. The actor behind the change came forward to Bleeping Computer as security researcher Yunus Aydın, who goes by SockPuppets online. He said he made the alteration to show the “maximum impact” of such an attack, claiming it was ethical research. Aydın claims all data received has been deleted and not used. He was able to take over the libraries by using a bot to crawl open source registries looking for maintainers whose custom email domains had expired, letting him buy the domain and reset the maintainer password.

(Bleeping Computer)
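The takeover above hinged on a maintainer email domain that had lapsed and could be re-registered. As an added defensive example (not code from the article, the registries, or the researcher), the following Python audits a constructed dependency manifest and flags maintainers whose custom email domain no longer resolves, so they can be checked against WHOIS before a password reset to that address could hand the package to someone else. The resolver is injected so the sample runs offline; package and domain names are constructed.

```python
"""Flag package maintainers whose custom email domain no longer resolves (added example)."""
from __future__ import annotations

import socket
from typing import Callable

# Public mail providers: an expired-domain takeover does not apply to these addresses
PUBLIC_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "protonmail.com", "yahoo.com"}


def domain_resolves(domain: str) -> bool:
    """Live check: True if the domain has any A/AAAA record (helper for real use)."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_maintainers(
    packages: dict[str, list[str]],
    resolves: Callable[[str], bool] = domain_resolves,
) -> list[tuple[str, str, str]]:
    """Return (package, email, reason) for maintainers worth a manual registration check.

    Only custom domains are considered; a domain that still resolves may still be
    about to lapse, so this is a triage filter, not proof that a package is safe.
    """
    findings: list[tuple[str, str, str]] = []
    for pkg, emails in packages.items():
        for email in emails:
            domain = email.rsplit("@", 1)[-1].lower()
            if domain in PUBLIC_PROVIDERS:
                continue
            if not resolves(domain):
                findings.append((pkg, email, "custom domain does not resolve; check registration"))
    return findings


# Constructed sample manifest: package -> maintainer emails (not real maintainers)
SAMPLE_PACKAGES = {
    "examplepkg": ["dev@example-maintainer.invalid", "backup@gmail.com"],
    "otherpkg": ["owner@still-registered.test"],
}


def fake_resolver(domain: str) -> bool:
    """Offline stand-in for DNS: only one constructed domain 'resolves'."""
    return domain == "still-registered.test"


if __name__ == "__main__":
    for pkg, email, reason in audit_maintainers(SAMPLE_PACKAGES, fake_resolver):
        print(f"{pkg}: {email} -> {reason}")
```

Swap `fake_resolver` for the default `domain_resolves` to run it against a real lockfile's maintainer list; a flagged domain should then be confirmed with a WHOIS lookup, since a lapsed A record is only a hint that registration has expired.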

DuckDuckGo gives Microsoft a pass on trackers

After security researchers discovered the behavior, DuckDuckGo CEO Gabriel Weinberg confirmed that its privacy-focused mobile browser allows Microsoft trackers on third-party sites due to the terms of a search agreement with the company. Weinberg said DuckDuckGo is working with Microsoft to try to remove this restriction and that Microsoft does not associate ad-click behavior with a user profile. This agreement does not impact the DuckDuckGo search engine. In a statement to Bleeping Computer, DuckDuckGo claimed its browser still offers better tracking protection than other browsers, as it blocks tracking scripts prior to loading.

(Bleeping Computer)

Microsoft weathers the vulnerability storm

An analysis of NIST’s National Vulnerability Database by the pentesting firm Redscan found that 2021 broke all records for reported vulnerabilities, with 18,439 recorded, or about 50 flaws per day. Of these, Microsoft saw 1,212 vulnerabilities reported, down 5% on the year, the first time Microsoft has seen its vulnerability count decrease. More significantly, critical vulnerabilities decreased 47% on the year, and Windows Server vulnerabilities were down 50%. This was somewhat balanced by a 280% increase in Microsoft browser vulnerabilities across Internet Explorer and Edge. Remote Code Execution and Privilege Elevation vulnerabilities accounted for 75% of those reported.

(The Register)

Researchers find way to search for hidden cameras

A new paper by researchers at Carnegie Mellon University outlines a system called Lumos that could use a phone or laptop to visualize hidden cameras in an AR interface. Lumos collects encrypted wireless packets over the air to detect concealed devices, estimating location by combining signal strength with the user’s relative position. Changes in signal strength are monitored as the user moves, increasing the accuracy of the prediction. It can also identify devices based on MAC addresses. In a 1,000-square-foot apartment, the researchers claim to be able to identify hidden devices with 95% accuracy and a median error of 1.5 meters within 30 minutes.

(Hacker News)

Thanks to today’s episode sponsor, Optiv

Need a guide on your Zero Trust journey? Jerry Chapman, Engineering Fellow at Optiv and author of “Zero Trust Security: An Enterprise Guide” shares the following takeaways:
– The key elements of Zero Trust
– How to visualize your Zero Trust journey and place it in the proper context
– Integrated technologies to drive adaptive processes and a mature security model
Learn more at www.optiv.com/zerotrust.

Senate panel votes to advance intelligence sharing bill

The Senate Homeland Security Committee voted to advance the Intragovernmental Cybersecurity Information Sharing Act, which now heads to the Senate floor for a vote. This bill would require that officials in both chambers of Congress receive “direct and timely” information about digital threats and network vulnerabilities from the executive branch. This would likely require formal data sharing agreements between the Department of Homeland Security and both the House and Senate.

(The Record)

Legal sector fighting the impacts of insider threats

According to official figures from the UK’s Information Commissioner’s Office, 68% of data breaches at UK law firms in Q3 2021 were the result of insiders, with the rest coming from outside threats. The analysts at NetDocuments estimate this number to be inflated as a result of the so-called “Great Resignation”, with workers changing jobs at increased rates since the start of the COVID-19 pandemic. 54% of these insider threat data breaches were caused by human error, like forwarding information to the wrong parties. 10% of breaches were due to data loss, while 25% were the result of phishing attacks, which really feels like a more specialized instance of human error.

(InfoSecurity Magazine)

ProtonMail unifies its products

The privacy-focused email and VPN provider rebranded as Proton, updating its tiers to combine encrypted mail, calendar, and VPN access. A free tier now offers 1GB of storage and access to one calendar; a Mail Plus tier costs €5 a month with 15GB of storage and support for 20 calendars. The Unlimited tier costs €12 a month and offers 500GB of storage, three custom domains, and full access to Proton VPN’s network, including its Tor over VPN feature. Proton VPN will continue to be offered as a standalone product as well.

(Engadget)

Terra blockchain restart approved 

The proposal from Terraform Labs CEO Do Kwon to relaunch the embattled blockchain received approval from 65.5% of governance votes, with 13.2% voting no and the rest abstaining. This new blockchain will airdrop tokens proportionately to those impacted by the sudden collapse of the TerraUST algorithmic stablecoin, with many of these initial drops subject to vesting periods. Based on the proposal, this Terra 2.0 blockchain will hit the mainnet by the end of the week. This rebooted blockchain will exist without the UST token, which was the primary purpose of the original. 

(The Block)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.