Evotec SE Provides Update on Cyber Attack

From finance.yahoo.com

Evotec noticed unusual activity in one of the Company’s IT systems and immediately took steps to maintain IT security and remediate the impact. As a proactive and preventive measure, all IT systems were taken offline to secure them from data corruption or breaches. Since then, a forensic examination is being conducted together with external IT specialists and other experts to ascertain the extent and potential impact. Evotec has informed the relevant authorities about the incident.


South Korea fines Google $32M for blocking developers from releasing games on rival’s platform 

From techcrunch.com

South Korea’s Fair Trade Commission (KFTC) has fined Alphabet’s Google 42.1 billion won (~ $32 million) for blocking developers from releasing mobile video games on a Korean competitor platform called One Store.

On Tuesday, the KFTC said that Google allegedly required Korean video game companies to exclusively release their new games in the Play Store from June 2016 to April 2018. That means Google banned the local game makers from releasing their content on One Store in return for offering Google’s in-app exposure and further support for global expansion. 

One Store, a local peer of Google’s Play Store, was founded in June 2016 by South Korea’s three telcos — SK Telecom, KT and LG Uplus — and internet giant Naver. 


Why it’s time to move towards a passwordless future

From helpnetsecurity.com

Adversaries don’t need to use sophisticated methods to gain access to enterprise systems or to deploy ransomware – they can just buy or steal credentials and log in.

By burdening users with the near-impossible task of maintaining “secure passwords,” businesses ultimately give people a huge and unfair level of responsibility for security. As a result, many organizations are relying on what amounts to a roll of the dice to protect themselves and their customers from attackers.


Apple Releases Updates to Address Zero-Day Flaws in iOS, iPadOS, macOS, and Safari

From thehackernews.com

Apple on Friday released security updates for iOS, iPadOS, macOS, and Safari web browser to address a pair of zero-day flaws that are being exploited in the wild.

The two vulnerabilities are as follows –

  • CVE-2023-28205 – A use after free issue in WebKit that could lead to arbitrary code execution when processing specially crafted web content.
  • CVE-2023-28206 – An out-of-bounds write issue in IOSurfaceAccelerator that could enable an app to execute arbitrary code with kernel privileges.

Apple said it addressed CVE-2023-28205 with improved memory management and the second with better input validation, adding it’s aware the bugs “may have been actively exploited.”


CAN do attitude: How thieves steal cars using network bus

From theregister.com

Automotive security experts say they have uncovered a method of car theft relying on direct access to the vehicle’s system bus via a smart headlamp’s wiring.

It all started when a Toyota RAV4 belonging to one of the tech gurus suffered suspicious damage to the front wing and headlight housing, and was eventually successfully stolen. Some sleuthing and reverse engineering revealed how the motor was finally nicked.

Ken Tindell, CTO of Canis Automotive Labs, said the evidence pointed to thieves’ successful execution of a so-called CAN injection.

A Controller Area Network (CAN) bus is present in nearly all modern cars, and is used by microcontrollers and other devices to talk to each other within the vehicle and carry out the work they are supposed to do.


Identity and Access Management (IAM) in Payment Card Industry (PCI) Data Security Standard (DSS) environments.

From cybersecurity.att.com

This is the first of a series of consultant-written blogs around PCI DSS.

Many organizations have multiple IAM schemes that they forget about when it comes to a robust compliance framework such as PCI DSS.

There are, at minimum, two schemes that need to be reviewed, but consider if you have more from this potential, and probably incomplete, list:

  • Cloud service master account management: AWS (Amazon Web Services), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Architecture (OCA)
  • Name Service Registrars (e.g., GoDaddy, Network Solutions)
  • DNS service (e.g., Akamai, CloudFront)
  • Certificate providers (e.g., Entrust, DigiCert)
  • IaaS (Infrastructure as a Service) and SaaS (Software as a Service) accounts (e.g., Digital Realty, Equinix, Splunk, USM Anywhere (USMA), Rapid7)


Criminal records office yanks web portal offline amid ‘cyber security incident’

From theregister.com

ACRO, the UK’s criminal records office, is combing over a “cyber security incident” that forced it to pull its customer portal offline.

As the name implies, the government agency manages people’s criminal record information, running checks as needed on individuals for any convictions, cautions, or ongoing prosecutions. It doesn’t just work with British police and businesses: it exchanges this data with other countries.

This data, used by employers vetting potential hires and embassies processing visa applications, is drawn from the UK’s Police National Computer via an information sharing agreement ACRO has with the Cabinet Office.
