Another case of an exposed AWS Bucket (okay... three, actually)
Chris Vickery of UpGuard, who has a track record of discovering open and publicly accessible AWS storage, has found three buckets belonging to the U.S. Department of Defence intelligence-gathering operations CENTCOM and PACOM. The three S3 buckets, labelled "centcom-backup," "centcom-archive" and "pacom-archive," were configured to allow anyone with an Amazon Web Services account to access them. https://www.upguard.com/breaches/cloud-leak-centcom
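The misconfiguration described above is a bucket ACL that grants access to the predefined "AuthenticatedUsers" group, i.e. every AWS account holder. The following audit check is an added example, not code from UpGuard or the original item; the ACL layout mirrors what boto3's `get_bucket_acl()` returns, and the bucket names and grants are constructed.

```python
"""Audit S3 bucket ACLs for grants to the public or to all AWS accounts."""

# Predefined S3 grantee groups. A grant to AuthenticatedUsers means *any*
# AWS account can use the permission, which is the weakness described above.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

RISKY_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "any AWS account holder",
}


def risky_grants(acl):
    """Return (audience, permission) pairs for every grant to a risky group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are account-specific, not public
        audience = RISKY_GROUPS.get(grantee.get("URI"))
        if audience:
            findings.append((audience, grant["Permission"]))
    return findings


def audit_buckets(bucket_acls):
    """Map bucket name -> risky grants, keeping only buckets that have some."""
    report = {}
    for name, acl in bucket_acls.items():
        findings = risky_grants(acl)
        if findings:
            report[name] = findings
    return report


# Constructed sample ACLs (not the real CENTCOM buckets). In production the
# dict would come from boto3.client("s3").get_bucket_acl(Bucket=name).
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
SAMPLE_ACLS = {
    "example-backup": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ]},
    "example-private": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    ]},
}

if __name__ == "__main__":
    for bucket, grants in audit_buckets(SAMPLE_ACLS).items():
        for audience, permission in grants:
            print(f"{bucket}: {permission} granted to {audience}")
```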
Android found to be sending tracking info to Google without permission
Throughout all of 2017, Android devices have been sending the IDs of all cell towers within range back to Google for analysis, even with all location-tracking permissions disabled and even without a carrier SIM card installed. Google confirmed this after the guys at Quartz observed the behaviour and asked Google why it was occurring when all location tracking had been disabled.
Princeton publishes websites that monitor our actions
Spain facing chaos over chip crypto flaws
With the security of its 60 million national ID smartcards in question, Spain faces some tough choices. This is the trouble with even little-used security cards: once they cannot be trusted, none of them can be used. Estonia had "only" issued 760,000 Infineon cards, which are now known to generate insecure private keys. By comparison, Spain has issued 60 MILLION similar -- and similarly insecure -- identity smartcards.
Uber concealed data breach that exposed 57 million records in 2016
Uber CEO Dara Khosrowshahi announced on Tuesday that hackers broke into the company database and accessed the personal data of 57 million of its users. The bad news is that the company covered up the hack for more than a year. The attackers also accessed the names and driver licence numbers of roughly 600,000 of its drivers in the United States. http://securityaffairs.co/wordpress/65868/data-breach/uber-data-breach.html
Firefox to notify users who visit sites that suffer a data breach
The Firefox browser is going to introduce a new security feature to make users' online experience more secure: it will warn users if they visit websites that have experienced data breaches. The news was revealed by Mozilla developer Nihanth Subramany and confirmed by the presence of a recently released GitHub repo titled "Breach Alerts Prototype." http://securityaffairs.co/wordpress/65959/digital-id/firefox-notification-data-breach.html
Amazon, Microsoft launch secret Cloud servers for the US intelligence community
Amazon announced a new offering named "AWS Secret Region," which is a cloud server region for use only by US intelligence agencies and their third-party contractors. "With the launch of this new Secret Region, AWS becomes the first and only commercial Cloud provider to offer regions to serve government workloads across the full range of data classifications, including Unclassified, Sensitive, Secret, and Top Secret. By using the cloud, the U.S. Government is better able to deliver necessary information and data to mission stakeholders," said Amazon in a press release. https://aws.amazon.com/blogs/publicsector/announcing-the-new-aws-secret-region/
Facebook: which Russian propaganda accounts were you following?
By the end of the year, Facebook plans to create a Help Centre page that will display a list of these now-suspended accounts. The page will be customized for each user and will list only the accounts they personally followed. The company has released a mock-up of this page.
Intel firmware flaws found
US-CERT yesterday issued an alert in response to newly discovered vulnerabilities in Intel's Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) firmware that could allow an attacker to wrest control of machines running Intel processors. https://www.us-cert.gov/ncas/current-activity/2017/11/21/Intel-Firmware-Vulnerability
Samsung Pay leaks mobile device information
Mobile users installing Samsung Pay on their devices could have sensitive information stolen by attackers due to a newly discovered weakness in the app: it leaks the digital tokens that secure transactions, as well as other technical information such as network traffic logs. An attacker could capture this information without having to authenticate to the device, according to a Tencent researcher who goes by the name HC and who will present his findings on the Samsung Pay security weaknesses at Black Hat Europe 2017.
24 November 2017