TLDR Information Security 2024-04-26

8/9 cloud pinyin keyboards found vulnerable ㊙️, IBM to buy HashiCorp 🏦, Postman leaking secrets 🤫

🔓
Attacks & Vulnerabilities

Multiple Vulnerabilities in Open Devin (Autonomous AI Software Engineer) (3 minute read)

Open Devin, an autonomous AI software-engineering tool, had path traversal and DNS rebinding vulnerabilities that could lead to data exfiltration. The community swiftly fixed these issues. Mitigations include requiring authentication, enforcing the expected Host header value, and employing TLS for protection.
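The Host header check named in that mitigation list is what defeats DNS rebinding: a rebinding request reaches the local service with the attacker's hostname in the Host header, so a strict allowlist rejects it. The following is an added example written for this digest, not code from the Open Devin project; the allowlist contents, the port, and the sample Host header values are constructed for illustration.

```python
"""Allowlist the HTTP Host header as a DNS-rebinding mitigation (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Iterable, Optional, Tuple

# Constructed allowlist: the names a local development server expects to be
# reached by. Anything else, including an attacker-controlled hostname that
# has been rebound to 127.0.0.1, is rejected.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def split_host_port(host_header: str) -> Tuple[str, Optional[int]]:
    """Parse a Host header into (lower-cased host, port or None).

    Accepts 'name', 'name:port' and bracketed IPv6 '[::1]:port'.
    Raises ValueError for anything malformed so callers fail closed.
    """
    value = host_header.strip()
    if not value:
        raise ValueError("empty Host header")
    if value.startswith("["):  # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host = value[1:end]
        rest = value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port_str = rest[1:] if rest else ""
    else:
        host, _, port_str = value.partition(":")
    if not host:
        raise ValueError("missing host")
    if port_str:
        if not port_str.isdigit() or not 0 < int(port_str) < 65536:
            raise ValueError("bad port")
        return host.lower(), int(port_str)
    return host.lower(), None


def is_allowed_host(host_header: str, allowed_hosts: Iterable[str],
                    allowed_ports: Optional[Iterable[int]] = None) -> bool:
    """Return True only if the Host header names an allowlisted host (and port)."""
    try:
        host, port = split_host_port(host_header)
    except ValueError:
        return False  # fail closed on anything we cannot parse
    if host not in {h.lower() for h in allowed_hosts}:
        return False
    if allowed_ports is not None and port is not None and port not in set(allowed_ports):
        return False
    return True


class HostCheckingHandler(BaseHTTPRequestHandler):
    """Minimal handler that refuses requests whose Host header is not allowlisted."""

    def do_GET(self) -> None:
        if not is_allowed_host(self.headers.get("Host", ""), ALLOWED_HOSTS):
            self.send_error(403, "Host header not allowed")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")


# Constructed Host header values a local service might receive.
SAMPLE_HOST_HEADERS = [
    "localhost:3000",
    "127.0.0.1:3000",
    "[::1]:3000",
    "LOCALHOST",
    "attacker.example:3000",  # what a rebinding request carries
    "localhost:abc",
    "",
]


def check_samples() -> Dict[str, bool]:
    """Evaluate every constructed sample against the allowlist."""
    return {h: is_allowed_host(h, ALLOWED_HOSTS) for h in SAMPLE_HOST_HEADERS}


if __name__ == "__main__":
    for header, ok in check_samples().items():
        print(f"{header!r:28} -> {'allow' if ok else 'reject'}")
    # Bind to loopback only; the Host check is the second layer, not the first.
    HTTPServer(("127.0.0.1", 3000), HostCheckingHandler).serve_forever()
```

The validator refuses to parse rather than guess: an empty header, an unbracketed IPv6 literal, or a non-numeric port all return False. Comparing the parsed host against an explicit set, rather than a substring or regex match, is what keeps lookalike names such as `localhost.attacker.example` out.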

Cyber-attack leaves Leicester street lights permanently on (3 minute read)

A highly sophisticated cyber-attack on Leicester City Council has left some street lights illuminated day and night, an ongoing effect weeks after the initial disruption to council services. The council was forced to take IT systems offline after the incident.

The Not-So-Silent Type (20 minute read)

A report from Citizen Lab assessing the security of nine major cloud-based pinyin keyboard apps. The researchers found critical vulnerabilities in eight of the nine assessed apps that would allow a passive network eavesdropper to decipher the user's keystrokes. Together with a previous report on Sogou, Citizen Lab estimates that up to one billion users are affected by these vulnerabilities.
🧠
Strategies & Tactics

Exploiting embedded Mitel phones for unauthenticated remote code execution (13 minute read)

This post describes how the author achieved unauthenticated remote code execution on a Mitel IP phone. They gained full root access to the device by exploiting vulnerabilities like command injection. Through careful exploitation and debugging, they successfully crafted an exploit payload for remote control of the device.

How to Block Executable File Uploads in PHP (4 minute read)

This post explains how you can prevent executable file uploads in PHP by calling a free API during the upload process that verifies file formats. By setting $allow_executables to false and optionally providing a $restrict_file_types whitelist, the API checks against 17+ million virus/malware signatures and rigorously verifies accepted formats, blocking executables and other threatening file types.

Securing millions of developers through 2FA (7 minute read)

GitHub CSO Mike Hanley writes about GitHub's journey to implement a 2FA initiative that enhances software supply chain security by requiring developers to enable 2FA. The results showed a significant increase in 2FA adoption and a shift toward secure authentication methods like passkeys. GitHub continues to prioritize user experience and aims to further improve account security measures in the future.
πŸ§‘β€πŸ’»
Launches & Tools

IBM to buy HashiCorp in $6.4 billion deal to expand in cloud (3 minute read)

IBM announced it will acquire HashiCorp in a $6.4 billion deal to expand its cloud software offerings and tap into surging AI-driven demand. IBM will pay $35 per share, a 42.6% premium, for HashiCorp. HashiCorp is well known for Terraform, as well as Vault, Boundary, and Consul for security.

Nagomi Security (Product Launch)

Nagomi Security has developed a proactive defense platform that enables security teams to optimize their existing cybersecurity solutions to identify risks, threats, and adversaries and their techniques.

BforeAI (Product Launch)

BforeAI monitors most of the internet to establish a baseline for anomaly detection, so that it can stay ahead of cyber threats and prevent attacks before they happen. It autonomously maps and predicts malicious infrastructure to provide customers with preemptive defense and to safeguard data, digital assets, users, and IT and OT networks.
🎁
Miscellaneous

Google's controversial move to kill the web cookie just got delayed until 2025 (3 minute read)

Google is further postponing its plan to phase out third-party cookies on Chrome, citing ongoing challenges in reconciling feedback from the industry, regulators, and developers. The long-delayed move to remove the small data files used for cross-site user tracking and ad targeting was originally announced in 2020 but has faced multiple delays due to significant considerations raised by various stakeholders.

Godfather Banking Trojan Spawns 1.2K Samples Across 57 Countries (5 minute read)

More than 1,000 samples of the prolific Godfather mobile banking Trojan are circulating worldwide, targeting hundreds of banking apps across dozens of countries. First spotted in 2022, Godfather can record screens, intercept 2FA, initiate transfers, and more. Its developers are automatically generating new samples at scale to evade detection.

(The) Postman Carries Lots of Secrets (6 minute read)

Postman's Public API Network is unknowingly leaking thousands of live credentials from popular SaaS and cloud providers. The exposure of sensitive information is due to an unclear UI, ambiguous taxonomy, and the practice of publicly forking collections containing live API keys. Despite Postman's basic secret scanner, there is a significant risk of leaking secrets due to insufficient scanning and misleading terminology like "secret" environment variables.
⚡️
Quick Links

Gartner Survey Reveals 63% of Organizations Worldwide Have Implemented a Zero-Trust Strategy (4 minute read)

Gartner reports that 63% of organizations globally have partially or fully implemented a zero-trust strategy into their operations.

FTC Sending $5.6 Million To Ring Customers Over Security Failures (2 minute read)

The FTC is sending $5.6 million in refunds to Ring customers due to security failures.

Google Meet opens client-side encrypted calls to non-Google users (2 minute read)

Google Meet now allows external participants, even those without Google accounts, to join encrypted calls through client-side encryption.
Curated news 📰, research 🧑‍🔬, and tools 🔒 for information security professionals