Security Newsletter
13 Dec 2021
A Simple Exploit is Exposing the Biggest Apps on the Internet
Several popular websites, apps, and services such as Minecraft, iCloud, Twitter, and Steam are reportedly vulnerable to a powerful bug that could allow hackers to take control of their servers and clients, according to several security researchers.
On Thursday, researchers noticed that a popular Java logging library, Apache Log4j 2, had a bug that allows for Remote Code Execution (RCE), hacker lingo for one of the most dangerous types of vulnerabilities, one that essentially lets an attacker take control of the target. GitHub labeled the vulnerability “critical severity,” and many researchers, as well as the Director of Cybersecurity at the NSA, are sounding the alarm.
“This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, the act of keeping a log of any event or action that happens on a server. And all the attacker needs to do is get the app to log a special string,” Marcus Hutchins, a well-known researcher, wrote on Twitter.
Read More on Vice
Even More on LunaSec blog
 
AWS Is the Internet's Biggest Single Point of Failure
On Monday, several services on the internet ground to a halt because of an outage at some Amazon Web Services cloud servers. The outage affected Netflix, Disney Plus, PUBG, League Of Legends, Ring security cameras, as well as Amazon products and delivery infrastructure.
People were not able to see pictures of their favorite McDonald’s coffee, nor use their Roomba vacuum cleaners. On Reddit, users reported they were not able to charge their electric vehicles. Even here at Motherboard, we were briefly unable to post new stories, or share them on social media because the outage impacted some of the tools we use.
The outage lasted just a few hours, but it showed the world just how much the internet depends on Amazon’s infrastructure. Steven Bellovin, a computer science professor at Columbia University, said that one of the issues with the internet’s dependency on AWS is that there is now a single point of failure for thousands of websites. “If an attacker can gain control of AWS infrastructure, they could do very great damage. It's likely that that's much harder than penetrating individual companies, because AWS is very, very good at running a secure shop, but of course it's not impossible,” Bellovin told Motherboard in an email.
Read More on Vice
This content was created by Kindred Group Security. Please share if you enjoyed!
Kindred Group in brief
Kindred Group is one of the world’s leading online gambling operators with business across Europe, US and Australia, offering 30 million customers across 9 brands a great form of entertainment in a safe, fair and sustainable environment. The company, which employs about 1,600 people, is listed on Nasdaq Stockholm Large Cap and is a member of the European Gaming and Betting Association (EGBA) and founding member of IBIA (Sports Betting Integrity Association). Kindred Group is audited and certified by eCOGRA for compliance with the 2014 EU Recommendation on Consumer Protection and Responsible Gambling (2014/478/EU). Read more on www.kindredgroup.com.
You can access the previous newsletters at https://news.infosecgur.us