Security Leftovers
-
Announcing the Launch of the Chrome Root Program [Ed: A prelude to Web censorship by Google]
The Chrome Root Program ultimately determines which website certificates are trusted by default in Chrome, and enables more consistent and reliable website certificate validation across platforms.
[...]
As part of establishing a secure connection to a website, Chrome verifies that a recognized entity known as a “Certification Authority” (CA) issued its certificate. Certificates issued by a CA not recognized by Chrome or a user’s local settings can cause users to see warnings and error pages.
-
High severity vulnerabilities found in Harbor open-source artifact registry - Help Net Security
Oxeye security researchers have uncovered several new high severity variants of the IDOR (Insecure Direct Object Reference) vulnerabilities (CVE-2022-31671, CVE-2022-31666, CVE-2022-31670, CVE-2022-31669, CVE-2022-31667) in CNCF-graduated project Harbor, the popular open-source artifact registry by VMware.
-
iTWire - Uber admits breach, says it was effected through contractor's credentials
Ride-sharing firm Uber says a recent compromise of its network was effected using stolen credentials of an external contractor, but claimed that there was no evidence that its production network had been accessed.
In a statement, the company claimed it was likely that the attacker had bought the Uber contractor's corporate password on the dark web, after malware had been used to steal the credentials. It said the attacker was likely linked to a group known as Lapsus$ which has carried out a number of attacks this year.
The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.
-
iTWire - Grand Theft Auto maker breached, next version footage stolen
Rockstar Games has revealed that an attacker breached its network and accessed early development footage of the next version of its well-known video game Grand Theft Auto 6.
In a statement, Rockstar said confidential information had also been taken by the attacker. "At this time, we do not anticipate any disruption to our live game services nor any long-term effect on the development of our ongoing projects," the company added.