Hello and welcome to TSD, your regular blog post with top of mind security issues. TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.
Check back here every Tuesday for more TSD or sign up below to stay in the loop!
Please reach out to us directly, via security@cyral.com or on Twitter at @dant24 if you have any questions, concerns, tips or anything else!
- I am giving back to the community so began one of the worst days for Twitter, as hackers, according to Vice, convinced insiders to help them take over the accounts of Joe Biden, Jeff Bezos, Elon Musk, OG accounts, and many more all for a Bitcoin scam that netted them about $100K. In light of this incident, there is renewed pressure from Senator Ron Wyden and the EFF are asking why Twitter still doesn’t have end-to-end encryption for direct messages. KrebsOnSecurity has seemingly tracked down at least one of the people responsible.
- The UK National Cyber Security Centre (NCSC) announced along with US and Canadian government officials that the “Russian government hacking group known as Cozy Bear or APT29 has been targeting coronavirus vaccine research”.
- The AP is reporting this morning the US Justice Department announced indictments against 2 individuals working in connection with the Chinese government and they also targeted firms working on Coronavirus vaccines. The indictment actually lays out that the individuals charged have been working together for over 10 years, and also passing information to the government. The headlines for both of these scream Coronavirus, but the content really is about continued industrial and academic espionage. The actual crimes committed related to the Coronavirus are that they “conducted reconnaissance on the computer network of a Massachusetts biotech firm known to be researching a potential vaccine and searched for vulnerabilities on the network of a Maryland firm less than a week after it said it was conducting similar scientific work.”
- Wired has a new story about how “IBM’s X-Force security team obtained five hours of APT35 hacking operations, showing exactly how the group steals data from email accounts—and who it’s targeting.” This just goes to show you that even government backed groups can accidentally leave data repos unprotected. Also, the group depicted in the video is known as Charming Kitten!
- Keeping with what seems the theme this week, there’s a new report from Yahoo! News that President Trump signed a secret order authorizing “the spy agency more freedom in both the kinds of operations it conducts and who it targets, undoing many restrictions that had been in place under prior administrations.” In March, Qihoo 360 published a report naming the CIA APT-C-39 and claiming that they had evidence of 11 years of attacks against China (via InfoSecurity Magazine)
Owl fun and facts:
Owlets lie down on their stomachs, turned their heads to the side, and fell asleep. A young owl doesn’t fall out of the tree while it snoozes, because its back toe, the hallux, holds onto the branch. The hallux will not open or let go until the bird bends its leg. (via Audubon.org)
A Shout Out:
The OWASP project Defect Dojo just announced their 1.7.0 release! One of the key features in this release is a GitHub vulnerability parser. Defect Dojo is an “open source application security management” tool that allows you to have a central repository for any vulnerability found in your applications or pipeline with support for a number of different parsers.
That’s owl for now!
