ByteDance chooses Oracle’s bid to become TikTok’s trusted technology partner

Oracle confirmed that its bid for TikTok was selected, paving the way to become the platform’s “trusted technology platform.” The deal will reportedly not be structured as an outright sale. The South China Morning Post reports that according to sources, ByteDance would not sell or transfer TikTok’s sharing algorithms as part of any deal. Microsoft announced over the weekend that it was notified that its bid to acquire TikTok’s operations was rejected. US Treasury Secretary Steven Mnuchin confirmed the bid by Oracle, saying the Committee on Foreign Investment in the U.S will review the deal this week, maintaining the deadline for any deal was still September 20th. Walmart also issued a statement saying it is in talks with ByteDance, suggesting it was interested in joining Oracle’s bid. In an open letter to CIFUS, US Senator Josh Hawley calls on the committee to reject the bid on national security grounds, insisting on a full sale. 

(The Wall Street Journal)

Thousands of Magento stores compromised in a skimming campaign

This comes from security researchers at Sansec which saw over 2000 Magento stores compromised as part of a campaign to install skimming malware that seemed to begin on September 11th. The skimmer exfiltrated data entered in by customers at checkout, and sends it to a server hosted in Russia. Most of the impacted sites were running Magento 1, which is now end of life, although some sites running Megento 2 were impacted. Sansec estimates there are over 95,000 sites still running Magento 1. 

(Security Week)

CISA warns Chinese state hackers are targeting enterprise infrastructure

The warnings comes in a security advisory, which claims that over the past year, groups working with China’s Ministry of State Security scanned US government networks for the presence of F5 Big-IP load balancers, Citrix and Pulse Secure VPN appliances, and Microsoft Exchange email servers, looking to use new exploits to gain access to sensitive networks. Some of the vulnerabilities exploited are over 12 months old, with CISA advising public and private organizations to patch as soon as possible. The agency did say that even with patched systems, the groups have also used spear-phishing and brute-force attacks to gain access to networks. 

(ZDNet)

Study looks at phishing email click rates by business sector

The Keepnet Labs 2020 Phishing Trends Report found that email-based attacks account for 90% of successful cyberattacks, with 1 out of every 8 sharing information requested in phishing emails, and 1 in 2 people opening them. Overall the Consulting sector had the highest click rate with 63%, followed by Clothing and Accessories, Education, and Technology, with the Clothing and Accessories sector having the highest rate of data sharing.   

(Security Magazine)

Thanks to this week’s sponsor, Dtex Systems

Dtex Systems
Forget projects, get answers. Start preventing insider threats, stopping data loss, and monitoring remote employees in minutes, not days. And do it all without invading user privacy. DTEX Systems helps enterprises run safer and smarter with a first-of-its-kind human-centric approach to enterprise operational intelligence.
Learn more and start a free 30-day trial at
dtexsystems.com.

Personal information on 40% of South Africa’s population found on file-sharing sites

Last month, Experian advised that it sent personal data on 24 million South Africans to an entity fraudulently claiming to represent a legitimate client. The data included mobile phone numbers, state-issued personal ID numbers, home addresses, banking and work details and email addresses. At the time, Experian obtained a warrant to impound equipment from that entity, saying it secured and deleted the data. However The Register now reports that the information is available on the Swiss file-sharing site WeSendIt as a bulk download. The leaked data also includes information on 800,000 businesses. 

(The Register)

Cybersecurity leaders oppose amicus brief by Voatz

The move comes in response to a brief Voatz, a blockchain voting company, filed in a case before the US Supreme Court, Nathan Van Buren v. United States. In the brief, Voatz calls on a broad interpretation of the Computer Fraud and Abuse Act to classify independent security researchers looking for vulnerabilities as “a threat” to cybersecurity. In response, the Electronic Frontier Foundation, Professor Orin Kerr, Atlassian, Mozilla, Shopify, Jack Cable, and HackOne CTO Alex Rice were among those signing a letter opposing the brief, calling for an even narrower interpretation of the CFAA in order to “establish the proper protections” of those doing security research. 

(Info Security Magazine)

The UK releases “The Vulnerability Disclosure Toolkit”

The toolkit comes from the country’s National Cyber Security Centre and comes in three sections to describe what can be done to direct external vulnerability information to the right person, and ultimately get the vulnerability addressed. The NCSC recommends setting a dedicated easy to find contact with email and a web form for vulnerability disclosures, and encourages organizations to use the security.txt standard on websites. The toolkit also recommends communicating with security researchers who send in vulnerabilities and avoiding non-disclosure agreements.

(Bleeping Computer)

Windows 10 Updates Force Microsoft Edge Installs

Microsoft has previously communicated that it would roll out updates to replace legacy versions of Edge with the new Chromium-based version. Installing the two most recent Windows 10 updates, effective for versions 1803, 1809, 1903, 1909, and 2004, will install Microsoft Edge 84. Once installed, Edge can only be force uninstalled using the Windows command line. 

(Bleeping Computer)