Lack of secure defaults for Power Apps exposed records, Apple is fighting on all fronts after announcing their CSAM scanner, UPS.com had a vulnerability enabling devious phishing, Pegasus is back in the news with the latest zero click iOS bug, Iranian hacktivists leak video footage and 1 ransomware operator reached out directly to employees. In owl news, we check in on some night owls playing on camera and finally a new SAST security as code scanner for Golang.
- UpGuard found that the defaults for Microsoft Power Apps exposed 38 million+ records across 47 different firms including a number of major companies and government entities.
- Apple’s child sexual abuse material (CSAM) scanner is all over the news for multiple reasons as 2 university researchers posted an op-ed in The Washington Post arguing against it. Meanwhile 90 policy groups from 6 continents cosigned a letter against it according to ArsTechnica. And in the ongoing on again, off again, definitely on again battle with Corellium, things are definitely on again as Corellium announced a $15K grant for testing the scanning technology conveniently followed by an appeal from Apple against their own settlement with Corellium according to The Register.
- An XSS vulnerability in UPS.com was used to push out a phishing campaign to distribute malware. The phishing email did not originate from UPS.com, but the XSS vulnerability made it appear that the download was coming from UPS.com. There were indicators that this was malicious, but using a legitimate site for malware distribution keeps me up at night. Read more at Bleeping Computer.
- Citizen Lab has identified a new iOS zero click exploit that was used to target Bahrani human rights activists with NSO’s Pegasus malware according to Ryan Naraine Security Week. Naraine also highlights that this is 61st documented zero-day in 2021 alone. To be clear though, this type of vulnerability is possible, but for most are not a concern unless you have your own or other governments in your threat model as Zack Whittaker digs into at TechCrunch.
- Kim Zetter is reporting on the latest of what appear to be Iranian hactkivists who have now released footage from a notorious Iranian prison. This is the latest hack purportedly from activists after the Iranian Railway attack we mentioned last week in TSD-74.
- KrebsOnSecurity has a story on the latest way one ransomware operator attempted to gain access, disgruntled employees…
Owl fun and facts:
BoingBoing posted this wonderful video of, I think, burrowing owls playing:
“Once the humans are tucked away, these owls in Yuma, Arizona know where to play. Arriving at a large playground, er, porch at 10:30 pm, they spent their time munching on bugs, preening, exploring, and exuding great charm as they posed for the camera.”
A Shout Out:
As fans of Security as Code, we’re excited for the latest release from Praetorian, a new SAST scanner called GoKart, “a smarter security scanner for Go”. Praetorian started with gosec, but wished to extend the features to include taint tracking and data flow analysis. Read more about the differences and limitations of GoKart on the Praetorian blog and then take GoKart for a spin by downloading GoKart on GitHub.
TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.
Check back here every Tuesday for more TSD or sign up below to stay in the loop!
That’s owl for now!