
The Security Digest: #85

Update Chrome ASAP, compilers are vulnerable to unicode attacks, NRA has Grief, 2FA bots and location data harvesting despite opt outs. In owl news, researchers have found place cells in barn owls and finally a new tool to threat model in HCL.

  • Are you using Chrome with an angry red update button in the corner? Update ASAP: this release contains patches for the zero-days demonstrated at Tianfu Cup, mentioned in TSD-83. Read more at Security Week.
  • A novel theoretical attack on compilers using Unicode, Trojan Source, has been published by researchers at the University of Cambridge. The researchers searched public open source projects and have found no compromises yet, but with the technique now public and no universal patches in place, we may see exploits soon. Read more at KrebsOnSecurity.
  • The NRA is the latest victim of Grief ransomware. Grief, thought to be mostly just a rebrand of Evil Corp, posted about the NRA on their leak site and eventually the NRA responded. Read more at ZDNet.
  • Motherboard delves into the booming business of 2FA bots, now that 2FA is becoming integrated into many apps and websites. Always keep an eye out for these scams.
  • And finally, Motherboard has published research about a company that sells location data and kept receiving it even after users had opted out of collection.
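Trojan Source works by placing Unicode bidirectional control characters in source so that what a reviewer sees rendered differs from what the compiler parses. As an added example (not from the newsletter or from the Cambridge researchers' own tooling), here is a small Python check that flags those characters and can run as a pre-commit or CI step; the sample source text is constructed.

```python
"""Flag Unicode bidirectional control characters in source text.

Added example, not from the newsletter or the Trojan Source paper.
Bidi overrides and isolates can make rendered source differ from
what the compiler sees, so a CI check refuses files containing them.
"""
import sys

# Bidi formatting characters (Unicode UAX #9) that reorder rendered text.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(text):
    """Return (line_no, col, name) for every bidi control character in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((line_no, col, BIDI_CONTROLS[ch]))
    return hits


def scan_file(path):
    """Scan one file; undecodable bytes are replaced rather than aborting."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_bidi_controls(f.read())


# Constructed sample: a comment carrying an RLO ... PDF pair, which a
# bidi-aware editor renders reordered while the parser reads it as-is.
SAMPLE = (
    "def check(access):\n"
    "    if access == 'admin':\u202e # } return True\u202c\n"
    "        return False\n"
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    found = 0
    for p in paths:
        for line_no, col, name in scan_file(p):
            print(f"{p}:{line_no}:{col}: bidi control {name}")
            found += 1
    if not paths:  # no files given: demonstrate on the constructed sample
        for hit in find_bidi_controls(SAMPLE):
            print("sample:%d:%d: bidi control %s" % hit)
    sys.exit(1 if found else 0)
```

Run it with one or more file paths to get a non-zero exit status when any file contains a bidi control character.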

Owl fun and facts:

New research from a team in Israel has concluded that barn owls have “place cells” like humans allowing them to make mental maps and possibly aid in flying.

Place cells are known to exist not only in humans, but also other mammals like rodents and bats. They have also been detected in tufted titmice as they walk.

However, this is the first time that evidence for place cells — which fire at a high rate when an animal visits a particular location — has ever been seen in birds in flight.

Read more at The Daily Mail or The New Scientist.

A Shout Out:

Christian Frichot has released hcltm, an open source project that uses HashiCorp’s HCL. Love to see this as an extension of security and policy as code using a common language that your DevOps and AppSec teams are probably already using. Add in HCL parsing from Semgrep as suggested by Daniel Bilar and we have a complete ecosystem for creating and parsing threat models. As for the future, “TF asset consumption is on the roadmap.” h/t to TLDRsec

About:

TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.

Check back here every Tuesday for more TSD or sign up below to stay in the loop!

Please reach out to us directly, via security@cyral.com or on Twitter at @dant24 if you have any questions, concerns, tips or anything else!

That’s owl for now!