Apple’s iPadOS will have to comply with EU’s Digital Markets Act too

From techcrunch.com

The European Union will apply its flagship market fairness and contestability rules to Apple’s iPadOS, the Commission announced today — expanding the number of Apple-owned platforms regulated under the Digital Markets Act (DMA) to four and amping up regulatory risk for the tech giant by bringing its tablet ecosystem in scope.

Apple has six months to ensure iPadOS is compliant with the DMA.

The development could force significant changes to how Apple operates the tablet platform in the EU, as it will have to comply with a sweep of DMA mandates, such as a ban on so-called “gatekeepers” self-preferencing their own services and requirements to allow third-party app stores, the sideloading of apps and support for third-party payment options.

Apple will also need to allow non-WebKit versions of Safari on iPadOS in the next six months, as it has already done on iOS in another DMA compliance step. Business users reaching customers via the tablet platform will also have a legal right to FRAND (fair, reasonable and non-discriminatory) terms.

Read more…

Okta Warns of Credential Stuffing Attacks Using Tor, Residential Proxies

From securityweek.com

Okta over the weekend warned of a spike in credential stuffing attacks that use various anonymizing services, such as The Onion Router (Tor) network.

In credential stuffing attacks, usernames and passwords obtained from previous data breaches at third parties, phishing, and other types of attacks are replayed against the targeted organizations’ login endpoints to compromise valid accounts.

“Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials, and scripting tools,” Okta says.
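The pattern described above has two detectable signatures on the defender’s side: one source trying many distinct accounts, and one account being tried from many distinct sources (the residential-proxy case, where the IP rotates per attempt). The following is an added example, not code from Okta or the article; the log format, addresses, thresholds and the `detect_stuffing` helper are assumptions made for illustration.

```python
# Added example: minimal credential-stuffing detector over constructed
# authentication log lines. Format and thresholds are assumptions.
from collections import defaultdict

# Constructed sample log: "timestamp src_ip username outcome"
SAMPLE_LOG = """\
2024-04-27T10:00:01 203.0.113.10 alice FAIL
2024-04-27T10:00:02 203.0.113.10 bob FAIL
2024-04-27T10:00:03 203.0.113.10 carol FAIL
2024-04-27T10:00:04 203.0.113.10 dave FAIL
2024-04-27T10:00:05 203.0.113.10 frank SUCCESS
2024-04-27T10:01:00 198.51.100.7 alice SUCCESS
2024-04-27T10:02:00 192.0.2.44 alice FAIL
2024-04-27T10:02:10 192.0.2.45 alice FAIL
2024-04-27T10:02:20 192.0.2.46 alice FAIL
2024-04-27T10:02:30 192.0.2.47 alice FAIL
"""

def parse(log_text):
    """Parse the constructed log into dicts; the real source would be an IdP or WAF export."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "SUCCESS"})
    return events

def detect_stuffing(events, max_users_per_ip=3, max_ips_per_user=3):
    """Return (spraying_ips, targeted_users):
    - spraying_ips: sources with failed logins against more than max_users_per_ip
      distinct accounts (one script behind one exit node);
    - targeted_users: accounts with failures from more than max_ips_per_user
      distinct sources (a rotating residential-proxy pool)."""
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for e in events:
        if not e["ok"]:
            users_by_ip[e["ip"]].add(e["user"])
            ips_by_user[e["user"]].add(e["ip"])
    spraying_ips = sorted(ip for ip, u in users_by_ip.items() if len(u) > max_users_per_ip)
    targeted_users = sorted(u for u, ips in ips_by_user.items() if len(ips) > max_ips_per_user)
    return spraying_ips, targeted_users

def successes_after_spray(events, spraying_ips):
    """Accounts that logged in successfully from a flagged source: the ones to
    reset and review first, since the credential list evidently contained them."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in spraying_ips})
```

Per-source thresholds alone miss the proxy-rotation case, which is why the per-account view is kept as a second signal.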

Read more…

PoC Exploit Released For Windows Kernel EoP Vulnerability

From gbhackers.com

Microsoft released multiple product security patches on their April 2024 Patch Tuesday updates.

One of the vulnerabilities addressed was CVE-2024-26218, a Windows Kernel elevation of privilege vulnerability with a severity score of 7.8 (High).

The vulnerability is a TOCTOU (time-of-check to time-of-use) race condition that could be exploited.

Successful exploitation of this vulnerability could allow a threat actor to gain SYSTEM privileges.

The vulnerability affected multiple versions of Windows 10, Windows 11, and Windows Server (2019 and 2022).

Microsoft has patched this vulnerability, and users are advised to update their operating systems accordingly.

Read more…

Closing the cybersecurity skills gap with upskilling programs

From helpnetsecurity.com

The list of skills technologists and organizations need to succeed grows with each new tech advancement, according to Pluralsight. But for many organizations, budgets and staff continue to shrink.

This survey asked 1,400 executives and IT professionals how organizations can leverage technology to drive business value in a world where budgets and headcount are decreasing and technology is evolving at a rapid pace.

Read more…

Discord dismantles Spy.pet site that snooped on millions of users

From theregister.com

INFOSEC IN BRIEF They say sunlight is the best disinfectant, and that appears to have been true in the case of Discord data harvesting site Spy.pet – as it was recently and swiftly dismantled after its existence and purpose became known.

The site, which has been slurping up public data on Discord users since November of last year, was outed to the world last week after it was discovered the platform contained messages belonging to nearly 620 million users from more than 14,000 Discord servers.

Any and all of the data was available for a price – Spy.pet offered to help law enforcement, people spying on their friends, or even those training AI models.

When Spy.pet was discovered, Discord told us that it was working to take action against anyone who had violated its terms of service, but that it couldn’t share more.

Things are a bit clearer now.

Read more…

No more 12345: devices with weak passwords to be banned in UK

From theguardian.com

Tech that comes with weak passwords such as “admin” or “12345” will be banned in the UK under new laws dictating that all smart devices must meet minimum security standards.

Measures to protect consumers from hacking and cyber-attacks come into effect on Monday, the Department for Science, Innovation and Technology said.

It means manufacturers of phones, TVs and smart doorbells, among others, are now legally required to protect internet-connected devices against access by cybercriminals, with users prompted to change any common passwords.

Brands have to publish contact details so that bugs and issues can be reported, and must be transparent about timings of security updates.

It is hoped the new measures will help give customers confidence in buying and using products at a time when consumers and businesses have come under attack from hackers at a soaring rate.

Read more…