Ex-security chief accuses Twitter of cybersecurity negligence
Peiter Zatko, Twitter’s ex-security chief who was fired back in January 2022, has blown the whistle on Twitter’s cybersecurity practices. Zatko filed a complaint with the US Securities and Exchange Commission (SEC) on July 6, alleging that thousands of employee laptops contained full copies of Twitter’s source code. He claims that one-third of those devices blocked automatic security fixes, had firewalls turned off, and had non-approved remote access enabled. He also alleges Twitter failed to reliably delete user data after account cancellation. The complaint further states that employees repeatedly installed spyware on their work computers at the request of external organizations. Zatko said Twitter experienced roughly one security incident per week during his two-year tenure and indicated that he “reasonably feared Twitter could suffer an Equifax-level hack.”
Ukraine and Poland join forces to counter Russian cyberattacks
On Monday, Ukraine and Poland signed an agreement to jointly combat cyber threats, including those from Russia. Poland has become a popular target for Russian hackers as more than 1.2 million Ukrainian refugees have fled to Poland from the war-torn country. The countries will jointly participate in cybersecurity conferences, work to prevent the spread of Russian disinformation, and share digital documents in their e-government apps. Ukrainians who have moved to Poland will have access to their digital driver’s licenses, vehicle registrations, and residence permits. Ukraine plans to reciprocate by recognizing some Polish digital documents.
Hackers use Binance exec deepfake in crypto exchange scam
A group of hackers has managed to use an AI hologram to impersonate Binance chief communications officer (CCO) Patrick Hillmann. Using the deepfake over Zoom calls, the hackers fooled several cryptocurrency project representatives into thinking Hillmann was helping them get listed on the Binance crypto exchange. The listing scheme was discovered when some of the reps contacted Hillmann to thank him for the listing opportunities. Hillmann did not disclose which cryptocurrency projects were targeted, or the funds invested for the sham services.
Thousands of Hikvision cameras can be easily hacked
Researchers from CYFIRMA have discovered over 80,000 Hikvision cameras affected by a critical command injection vulnerability tracked as CVE-2021-36260. The bug allows attackers to send specially crafted messages to web servers running on vulnerable devices to gain an unrestricted root shell. This gives the hacker far more access than device owners, who are restricted to running mostly informational commands. Since the vulnerability’s public disclosure, two exploits have been publicly released (in October 2021 and in February 2022). Hikvision issued a fix in September 2021, but tens of thousands of devices remain vulnerable, even if they are updated to the latest firmware version. The top nations using Hikvision camera products include China, the US, and Vietnam.
Thanks to today’s episode sponsor, Code42

In fact, the Code42 Annual Data Exposure Report revealed there’s a 1 in 3 chance that your company will lose IP when an employee quits. To learn more about stopping data leaks with Insider Risk Management visit Code42.com/showme.
Bitcoin ATMs leeched by attackers with fake admin accounts
General Bytes, a Czech company that sells Bitcoin ATMs, is urging its users to patch a critical money-draining bug in its server software. Hackers leveraged the Coin ATM Server (CAS) administrative interface to remotely create their own admin account. Attackers identified potential victims by port scanning Digital Ocean’s cloud services, looking for CAS services on ports 7777 or 443. Using their admin access, the threat actors were able to reconfigure existing ATMs to divert all invalid payments to a wallet of their own. Because the attacks were limited to invalid transfers or withdrawals where the customer made a mistake, the overall financial impact was only roughly $16,000 (USD). General Bytes has published an 11-step process that its customers should follow to remediate this issue, including patching the CAS servers, restricting access, and reviewing security configurations and logs.
Phishing attacks abusing SaaS platforms see massive growth
According to a new report by Palo Alto Networks Unit 42, researchers observed a colossal 1,100% increase in hackers abusing software-as-a-service (SaaS) platforms over the past year. SaaS platforms allow phishing actors to easily switch to different themes, scale up or diversify their operations, and quickly respond to reports and takedowns. Threat actors were observed either hosting credential-stealing pages directly on the abused services or redirecting victims to alternate sites. They are also taking advantage of service providers that don’t respond to takedown requests to increase campaign uptime. Shutting down SaaS campaigns is difficult, which means such campaigns likely aren’t going away any time soon.
DevSecOps gains traction but security still lags
According to a new survey from GitLab, DevSecOps results in better code quality, higher developer productivity, and improved operational efficiency. The report revealed an increase in agile development approaches as well as use of low-code or no-code APIs resulting in faster software deployment. However, integrating security still remains an issue. While more than half (57%) of those surveyed include security as a performance metric, nearly the same number said it was “difficult to get devs to actually prioritize fixing code vulnerabilities.” The survey highlighted a need for better communication among all teams participating in development and deployment processes. Johnathan Hunt, vice president of information security and cybersecurity at GitLab, noted, “Getting developers and security professionals to work better together requires a culture-first approach to software development through the creation of a DevOps culture.”
Judge rules university can’t scan student rooms during remote tests
Chemistry student Aaron Ogletree sat for an online test in his room at Cleveland State University in the spring 2021 semester. Ogletree was asked to show the virtual proctor his bedroom through his webcam prior to the test. A recording of the room scan, as well as the testing process, was retained by Honorlock, the university’s third-party vendor. Ogletree sued the university on the grounds that the practice violated his rights under the Fourth Amendment, which protects US citizens against “unreasonable searches and seizures.” While CSU argued that room scans are an industry-standard practice, an Ohio judge disagreed, ruling Monday that the university’s virtual scan was unconstitutional.
(Slashdot)