TLDR Information Security 2024-06-19

Security positions are in high demand. They offer excellent compensation and stability amid a shakier tech ecosystem.

Whether you're already in infosec or looking to land your first role, a university degree can stand out on your resume and deepen your industry knowledge.

Get closer to your career goals with an online Bachelor of Science from Southern New Hampshire University (SNHU):

>> 24/7 online accessibility - attend class when and where it's convenient

>> One of the lowest online tuition rates in the nation

>> Transfer up to 90 credits toward an undergraduate degree

Request information and apply for free.

SNHU is currently only accepting US students for this program.

A hacker breached the systems behind Tile device trackers and stole customer data like names, addresses, emails, and phone numbers by accessing a law enforcement request tool. Tile's parent company Life360 confirmed the breach, stating that the hacker attempted extortion.

A researcher claims UK gym chain Total Fitness left a database containing over 474,000 member and staff images, including identity documents and payment info, publicly accessible without a password. Total Fitness stated the images were used for legitimate purposes and that only a small subset contained identifiable information. The issue highlights the potential risks of data exposure.

Asus has released updates patching multiple critical vulnerabilities in its routers. The first is an authentication bypass that allows remote attackers to log into the router with no authentication. The second vulnerability is a buffer overflow that could allow attackers with administrative access to execute arbitrary commands. The third vulnerability allows attackers to execute remote commands with no user interaction. Asus hasn't seen any exploitation of these vulnerabilities.

This blog post dives into a new malware campaign that targets exposed Docker API endpoints to deliver cryptocurrency miners and other payloads. The campaign uses a remote access tool to execute more malware and a utility to spread via SSH.

This blog post discusses architectural decisions that can be made by platforms offering custom domains to proactively prevent subdomain takeovers. The most common mitigation method employed is requiring domain verification, which is most commonly implemented as a TXT record with a verification string. Other mechanisms suggested are to add entropy to the underlying record to make it difficult to generate an identical record, preventing the re-registration of custom domains, and charging for custom domains.

AWS CISO, Chris Bentz, details some of the ideas driving AWS' security prioritization with a focus on generative AI. Bentz highlights some conventional wisdom such as focusing on the basics, security being everyone's job, and security requiring innovation and being necessary to innovation. He also touches on the importance of customers having control over their data and the potential value of generative AI in the AWS security strategy.

Hide data within JPG images using this steganography privacy tool. Post images on Mastodon and other hosting sites.

A command line tool that allows users to specify a list of allowed Terraform providers to verify whether they are the only providers in use.

Google Cloud's Privileged Access Manager (PAM) enhances security by granting on-demand access with just-in-time approvals. PAM helps organizations shift from always-on privileges to time-bound, approved access for improved security and operational efficiency. IAM admins can create entitlements for users to request specific access, promoting least privilege principles.

Google's Project Zero team discusses a vulnerability in an Android driver related to JPEG decoding. The vulnerability allows for a race condition that can lead to memory corruption and potential exploitation. Attackers can achieve arbitrary read and write capabilities in the system by exploiting this vulnerability.

A researcher found an unpatched bug allowing anyone to impersonate Microsoft corporate email accounts for credible phishing attempts. He reported the email spoofing bug to Microsoft, but the company dismissed it after failing to reproduce the issue, so he then publicized the vulnerability on X.

The CEO of Signal warned that the EU's proposed law to scan private messages for child exploitation material threatens web security. She argued it fundamentally undermines encryption by creating vulnerabilities that would have global implications beyond Europe.

In this blog post, Apple describes how it extends device security into the cloud by using Private Cloud Compute, ensuring user data privacy.

AWS has added passkeys to its list of supported MFA methods and has begun to enforce MFA for root users of organization management accounts.

The Los Angeles United School District banned students from using smartphones on campus to address mental health risks and distractions.