TLDR Information Security 2024-04-29

Kaiser Permanente data breach 🏥, Automating Vulnerability Testing with Postman 📬, UK Investigatory Powers Bill to become law 🇬🇧

🔓 Attacks & Vulnerabilities

Bogus Post Office Texts Deliver a Shocking Amount of Traffic to Scam Websites (2 minute read)

According to research by Akamai, fake USPS smishing campaigns drove traffic to counterfeit USPS sites that was on par with, or even exceeded, traffic to the legitimate USPS website. Akamai's analysis was deliberately conservative: it derived its list of malicious domains from a single smishing text received by one employee. The attacks continue to succeed despite many public awareness campaigns intended to protect users from them.

Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day (3 minute read)

A critical zero-day vulnerability (CVE-2024-4040) in CrushFTP, a managed file transfer software, remains unpatched in over 1,400 instances. The flaw allows remote code execution by escaping the VFS sandbox. CrushFTP is urging customers to update after disclosing in-the-wild exploitation.

Health Insurance Giant Kaiser Will Notify Millions of Data Breach (3 minute read)

Kaiser is notifying 13.4 million current and former members and patients of a data breach. After conducting an investigation, Kaiser found that certain online technologies previously installed on its websites and mobile apps may have transmitted personal information to third-party advertisers. The data shared includes member names and IP addresses, whether the members were signed into a Kaiser Permanente account, how members navigated the website and mobile apps, and search terms used in the health encyclopedia.

🧠 Strategies & Tactics

S3 Bucket Encryption Doesn't Work the Way You Think it Works (4 minute read)

S3 bucket encryption options all amount to access control more than to encryption. Under nearly every S3 encryption option (default SSE, SSE-KMS, and SSE-C), a user either can download the decrypted object, if they have permission to use the encryption material, or cannot download the object at all. Since the user never interacts with the ciphertext itself, the encryption behaves much more like an access control than like encryption.

Remediating AWS IMDSv1 (15 minute read)

This article provides an overview of the benefits of IMDSv2 vs IMDSv1. It covers detection methods to identify EC2 instances with IMDSv1 enabled and CloudWatch queries to identify access to the service. It also details how to disable the service and place guardrails to prevent instances being launched with it enabled.
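As an added illustration of the detect-then-remediate-then-guardrail sequence the article describes (this is example code, not the article's own): the script below triages `aws ec2 describe-instances` output for instances that still answer IMDSv1 (metadata endpoint enabled but session tokens not required), emits the CLI calls to switch them to IMDSv2-only, and builds a service control policy that blocks launching new instances without IMDSv2. The instance IDs and describe output are constructed sample data; the region and SCP statement ID are assumed values.

```python
"""Triage EC2 instances still accepting IMDSv1 and produce remediation + guardrail.
Added example (not from the linked article). Works on the JSON shape returned by
`aws ec2 describe-instances`; the sample below is constructed, not real data."""
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111example", "State": {"Name": "running"},
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0bbb222example", "State": {"Name": "running"},
         "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
        # Endpoint disabled entirely: IMDSv1 is not reachable, so not flagged.
        {"InstanceId": "i-0ccc333example", "State": {"Name": "stopped"},
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
    ]}]
}

def imdsv1_instances(describe_output):
    """Return IDs of instances whose metadata endpoint is enabled but does not
    require a session token, i.e. instances that still serve IMDSv1 requests."""
    found = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                found.append(inst["InstanceId"])
    return found

def remediation_commands(instance_ids, region="us-east-1"):
    """Build the AWS CLI calls that switch each instance to IMDSv2-only (assumed region)."""
    return [
        f"aws ec2 modify-instance-metadata-options --region {region} "
        f"--instance-id {iid} --http-tokens required --http-endpoint enabled"
        for iid in instance_ids
    ]

def guardrail_scp():
    """SCP denying RunInstances unless the launch request requires IMDSv2 tokens."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "RequireIMDSv2OnLaunch",  # assumed statement ID
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
    }]}

if __name__ == "__main__":
    ids = imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES)
    print("\n".join(remediation_commands(ids)))
    print(json.dumps(guardrail_scp(), indent=2))
```

To run against a live account, replace `SAMPLE_DESCRIBE_INSTANCES` with `json.load` of the real `aws ec2 describe-instances` output; the SCP only governs new launches, so existing instances still need the modify call.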

Automating API Vulnerability Testing Using Postman Workflows (4 minute read)

This blog post discusses automating API vulnerability testing using Postman Workflows, a feature that streamlines the process of demonstrating API vulnerabilities without programming. By creating sequences of HTTP requests within Postman, users can automate tasks like identifying Broken Object-Level Authorization (BOLA) vulnerabilities and retrieving sensitive data. Postman Workflows offer a visual drag-and-drop approach to building automated flows for API testing and exploitation.

🧑‍💻 Launches & Tools

Prophet Security (Product Launch)

Prophet AI for Security Operations filters incoming alerts and, for each of them, gathers, correlates, and analyzes data from multiple sources to provide a determination and a detailed summary of the investigation.

OpenAI Security Bots (GitHub Repo)

A collection of Slack bots from OpenAI that integrate with OpenAI's APIs to streamline security teams' workflows.

Cargo-auditable (GitHub Repo)

Know the exact crate versions used to build your Rust executable. Audit binaries for known bugs or security vulnerabilities in production, at scale, with zero bookkeeping.

🎁 Miscellaneous

How we built the new Find My Device network with user security and privacy in mind (5 minute read)

This blog post from Google Security describes how the Find My Device network was built with privacy and end-to-end encryption in mind while still relying on crowdsourced location reports. Safety-first protections, such as aggregation by default and at-home protection, help prevent unwanted tracking and keep users safe. Users also retain full control over their devices' participation in the network, with options to contribute only to aggregated location reporting or to opt out completely.

UK's Investigatory Powers Bill to become law despite tech world opposition (5 minute read)

The UK's controversial Investigatory Powers (Amendment) Bill 2024, dubbed the "snooper's charter", has received royal assent and will expand the digital surveillance capabilities of intelligence agencies, police, and others under the existing Investigatory Powers Act 2016. The amendments allow authorities to gather more data on citizens, including telecoms activity, to tackle "modern threats" such as threats to national security and child abuse. Critics have raised privacy concerns over the widened powers.

Microsoft needs to win back trust (8 minute read)

Microsoft is grappling with a series of high-profile security incidents that have undermined trust in the tech giant. Hackers have spied on Microsoft's senior leadership emails, exploited Microsoft Exchange and cloud services to access business and government email accounts, and stolen source code despite efforts to improve defenses. The company's security culture is inadequate and requires an overhaul.

⚡️ Quick Links

Lessons from building an automated SDK pipeline (11 minute read)

Cloudflare describes the lessons its team learned from building an automated OpenAPI SDK pipeline for TypeScript, Go, and Python.

PCI DSS 4.0; Certificate Transparency Monitoring is mandatory! (6 minute read)

PCI DSS 4.0 now requires Certificate Transparency Monitoring to ensure all trusted certificates are accounted for.

How to delete the data Google has on you (6 minute read)

Simple guide on how to get your data off Google.