Security Leftovers

posted by Roy Schestowitz on May 04, 2023,
updated May 04, 2023

• Weak banking security is leaving customers vulnerable to fraud on stolen phones, Which? warns

  Losses to mobile banking fraud have risen by 16%, but there are steps that banks and customers can take to make life harder for criminals

• Court Rules in Favor of Merck in $1.4 Billion Insurance Claim Over NotPetya Cyberattack

  Court says insurers must pay Merck for losses related to the Russia-linked NotPetya cyberattack.

• Infostealer Embedded in a Word Document, (Thu, May 4th)

  When attackers design malicious documents, one of their challenges is to make the potential victim confident to perform dangerous actions: click on a link, disable a security feature, etc. The best example is probably VBA macros in Microsoft Office documents.

• Russian national charged for role in stolen credit card verification scheme

  Prosecutors say Denis Kulkov earned at least $18 million in Bitcoin through his service that checked the status of stolen credit cards.

• Netgear Vulnerabilities Lead to Credentials Leak, Privilege Escalation

  Vulnerabilities in Netgear network management system allow attackers to retrieve cleartext passwords and escalate privileges.

• Passkeys Support Added to Google Accounts for Passwordless Sign-Ins [Ed: The companies behind it were never interested in true security, so the devil is in the details]

  Google has added passkeys support to Google accounts on all major platforms as part of the company’s passwordless sign-in efforts.

• Linux Kernel Use-After-Free Vuln Could lead to Privilege Escalation, Malware Attacks

  A use-after-free vulnerability (CVE-2023-1829) has been discovered in the Linux Kernel traffic control index filter (tcindex). It was discovered that the tcindex_delete function does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure, which can later lead to double freeing the structure.

• Hackers Promise AI, Install Malware Instead [Ed: Media hyping up a bunch of proprietary rubbish from Microsoft (spyware with very low returns) is costing people]

  Facebook parent Meta warned that hackers are using the promise of generative artificial intelligence like ChatGPT to trick people into installing malware on devices.

• Chrome 113 Released With 15 Security Patches [Ed: It's not designed for security because sites (remote) can execute all sort of malicious scripts on the client side]

  Chrome 113 was released to the stable channel with 15 security fixes, including 10 that address vulnerabilities reported by external researchers.

• Ubuntu Blog: Big data security foundations in five steps

  We’ve all read the headlines about spectacular data breaches and other security incidents, and the impact that they have had on the victim organisations. From LastPass to SolarWinds, “data security” seems to be the phrase on the lips of every CTO these days. And in some ways there’s no place more vulnerable to attack than a big data environment like a data lake.

  From the vault

  Data intensive systems have been the target of countless attacks. Some of the most memorable technical exploits include Log4Shell, Heartbleed and ShellShock.