Security Newsletter
20 May 2019
Cybersecurity's Week From Hell
Two years after WannaCry ransomware was unleashed, the cybersecurity realm isn't any calmer. This week, multiple flaws - all serious, all exploitable and some already being actively exploited in the wild - have come to light. Big names - including Cisco, Facebook, Intel and Microsoft - build the software and hardware at risk. And fixes for some of the flaws are not yet available.
A buffer overflow flaw in WhatsApp has been used to target individuals and apparently to install Pegasys spyware, built by Israel's NSO Group and sold to governments and law enforcement agencies.
Side-channel speculative execution flaws continue to be discovered in CPUs. This week, a team of researchers as well as Intel confirmed that they'd found more flaws in processors along the lines of the Spectre and Meltdown flaws that came to light in early 2018. Dubbed ZombieLoad, the vulnerabilities would allow an attacker to retrieve private data from a processor's buffers.
To block another WannaCry-type worm, Microsoft is urging many users to update Remote Desktop Services - formerly known as Terminal Services - to fix CVE-2019-0708 (see: To Prevent Another WannaCry, Microsoft Patches Old OSs).
Thangrycat: Research published this week shows that secure boot functionality built into many Cisco devices isn't secure.
Hence organizations will have to patch. But in the meantime, in some cases they're still waiting for patch release dates, and thus having to track when they might be able to start testing and then planning to roll out future fixes.
Read More BankInfoSecurity
 
Bluetooth Flaw Found in Google Titan Security Keys; Get Free Replacement
A team of security researchers at Microsoft discovered a potentially serious vulnerability in the Bluetooth-supported version of Google's Titan Security Keys that could not be patched with a software update. However, users do not need to worry as Google has announced to offer a free replacement for the affected Titan Security Key dongles.
In a security advisory published Wednesday, Google said a "misconfiguration in the Titan Security Keys Bluetooth pairing protocols" could allow an attacker who is physically close to your Security Key (~within 30 feet) to communicate with it or the device to which your key is paired. Launched by Google in August last year, Titan Security Key is a tiny low-cost USB device that offers hardware-based two-factor authentication (2FA) for online accounts with the highest level of protection against phishing attacks.
Microsoft originally discovered the vulnerability and disclosed it to Google, as well as Feitian, the company that makes Titan Keys for Google and also sells the same product (ePass) under its own brand. Feitian also made a coordinated disclosure about this vulnerability the same day as Google and is offering a free replacement program for its users. Google also says that the Bluetooth security key is still more secure than turning it off altogether or relying on other two-factor authentication methods like SMS or phone call.
Read More on TheHackerNews
Replacement programme for Feitian Keys
 
More #News
 
#Patch Time!
 
#Tech and #Tools
Kingred Group is growing, so does the Group Security team! We're looking for new talented professionals to come join us: Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. You can find all our open vacancies on our career page.
This content was created by Kindred Group Security. Please share if you enjoyed!
Kindred Group in brief
Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. We offer pre-game and live Sports betting, Poker, Casino and Games through 11 brands across our markets. We are committed to offer our customers the best deal and user experience possible, while ensuring a safe and fair gambling environment. Kindred is a pioneer in the online gambling industry and as an innovation driven company that builds on trust.
You can access the previous newsletters at https://news.infosecgur.us
If you no longer wish to receive this newsletter, you can unsubscribe from this list.