Blog

Verifiable design in modern systems (Google Online Security Blog)

Sécurité
Posted by Ryan Hurst, Production Security TeamThe way we design and build software is continually evolving. Just as we now think of security as something we build into software from the start, we are also increasingly looking for new ways to minimize trust in that software. One of the ways we can do that is by designing software so that you can get cryptographic certainty of what the software has done.In this post, we'll introduce the concept of verifiable data structures that help us get this cryptographic certainty. We'll describe some existing and new applications of verifiable data structures, and provide some additional resources we have created to help you use them in your own applications. A verifiable data structure is a class of data structure that lets people efficiently…
Read More

Microsoft Patch Tuesday, July 2021 Edition (Krebs on Security)

Sécurité
Microsoft today released updates to patch at least 116 security holes in its Windows operating systems and related software. At least four of the vulnerabilities addressed today are under active attack, according to Microsoft. Thirteen of the security bugs quashed in this month’s release earned Microsoft’s most-dire “critical” rating, meaning they can be exploited by malware or miscreants to seize remote control over a vulnerable system without any help from users. Another 103 of the security holes patched this month were flagged as “important,” which Microsoft assigns to vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.” Among the critical bugs is of course the official fix for the PrintNightmare print spooler flaw in…
Read More

Spike in “Chain Gang” Destructive Attacks on ATMs (Krebs on Security)

Sécurité
Last summer, financial institutions throughout Texas started reporting a sudden increase in attacks involving well-orchestrated teams that would show up at night, use stolen trucks and heavy chains to rip Automated Teller Machines (ATMs) out of their foundations, and make off with the cash boxes inside. Now it appears the crime — known variously as “ATM smash-and-grab” or “chain gang” attacks — is rapidly increasing in other states. Four different ATM “chain gang” attacks in Texas recently. Image: Texas Bankers Association. The Texas Bankers Association documented at least 139 chain gang attacks against Texas financial institutions in the year ending November 2020. The association says organized crime is the main source of the destructive activity, and that Houston-based FBI officials have made more than 50 arrests and are actively tracking…
Read More

Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software (Krebs on Security)

Sécurité
Last week cybercriminals deployed ransomware to 1,500 organizations that provide IT security and technical support to many other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya’s customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago. On July 3, the REvil ransomware affiliate program began using a zero-day security hole (CVE-2021-30116) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software — known as the Kaseya Virtual System Administrator (VSA). According to this entry for CVE-2021-30116, the security flaw that powers that Kaseya VSA zero-day was assigned a vulnerability number on April 2,…
Read More

Microsoft Issues Emergency Patch for Windows Flaw (Krebs on Security)

Sécurité
Microsoft on Tuesday issued an emergency software update to quash a security bug that’s been dubbed “PrintNightmare,” a critical vulnerability in all supported versions of Windows that is actively being exploited. The fix comes a week ahead of Microsoft’s normal monthly Patch Tuesday release, and follows the publishing of exploit code showing would-be attackers how to leverage the flaw to break into Windows computers. At issue is CVE-2021-34527, which involves a flaw in the Windows Print Spooler service that could be exploited by attackers to run code of their choice on a target’s system. Microsoft says it has already detected active exploitation of the vulnerability. Satnam Narang, staff research engineer at Tenable, said Microsoft’s patch warrants urgent attention because of the vulnerability’s ubiquity across organizations and the prospect that attackers…
Read More

Another 0-Day Looms for Many Western Digital Users (Krebs on Security)

Sécurité
Some of Western Digital’s MyCloud-based data storage devices. Image: WD. Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system. At issue is a remote code execution flaw residing in all Western Digital network attached storage (NAS) devices running MyCloud OS 3, an operating system the company only recently stopped supporting. Researchers Radek Domanski and Pedro Ribeiro originally planned to present their…
Read More

Intuit to Share Payroll Data from 1.4M Small Businesses With Equifax (Krebs on Security)

Sécurité
Financial services giant Intuit this week informed 1.4 million small businesses using its QuickBooks Online Payroll and Intuit Online Payroll products that their payroll information will be shared with big-three consumer credit bureau Equifax starting later this year unless customers opt out by the end of this month. Intuit says the change is tied to an “exciting” and “free” new service that will let millions of small business employees get easy access to employment and income verification services when they wish to apply for a loan or line of credit. “In early fall 2021, your QuickBooks Online Payroll subscription will include an automated income and employment verification service powered by The Work Number from Equifax,” reads the Intuit email, which includes a link to the new Terms of Service. “Your…
Read More

Measuring Security Risks in Open Source Software: Scorecards Launches V2 (Google Online Security Blog)

Sécurité
Posted by Kim Lewandowski, Azeem Shaikh, Laurent Simon, Google Open Source Security TeamContributors to the Scorecards project, an automated security tool that produces a “risk score” for open source projects, have accomplished a lot since our launch last fall. Today, in collaboration with the Open Source Security Foundation community, we are announcing Scorecards v2. We have added new security checks, scaled up the number of projects being scored, and made this data easily accessible for analysis.With so much software today relying on open-source projects, consumers need an easy way to judge whether their dependencies are safe. Scorecards helps reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project’s supply chain. Consumers can automatically assess the risks that dependencies introduce and use this data to…
Read More

We Infiltrated a Counterfeit Check Ring! Now What? (Krebs on Security)

Sécurité
Imagine waking up each morning knowing the identities of thousands of people who are about to be mugged for thousands of dollars each. You know exactly when and where each of those muggings will take place, and you’ve shared this information in advance with the authorities each day for a year with no outward indication that they are doing anything about it. How frustrated would you be? A counterfeit check image [redacted] that was intended for a person helping this fraud gang print and mail phony checks tied to a raft of email-based scams. One fraud-fighting group is intercepting hundreds to thousands of these per day. Such is the curse of the fraud fighter known online by the handles “Brianna Ware” and “BWare” for short, a longtime member of a…
Read More

MyBook Users Urged to Unplug Devices from Internet (Krebs on Security)

Sécurité
Hard drive giant Western Digital is urging users of its MyBook Live brand of network storage drives to disconnect them from the Internet, warning that malicious hackers are remotely wiping the drives using a previously unknown critical flaw that can be triggered by anyone who knows the Internet address of an affected device. One of many similar complaints on Western Digital’s user forum. Earlier this week, Bleeping Computer and Ars Technica pointed to a heated discussion thread on Western Digital’s user forum where many customers complained of finding their MyBook Live and MyBook Live Duo devices completely wiped of their data. “Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said…
Read More