T-Mobile hack: The company confirms it; millions of files exposed

From en.secnews.gr

The T-Mobile hack that became known earlier this week has now been confirmed by the company itself. However, some of the information provided by the company differs from what the hacker claimed. T-Mobile admitted that 47.8 million files were exposed, and they did not belong only to customers: anyone who had applied for a T-Mobile account is at risk, regardless of whether the account was ultimately opened.


New on Netflix: A corporate drama in which staff are sued for abusing early access to financial data

From theregister.com

The US Securities and Exchange Commission (SEC) announced Wednesday it charged three former Netflix employees and two of their contacts with insider trading that resulted in a net profit of over US$3 million.

Netflix’s internal culture and policies have long been the stuff of intrigue and reflection. Founder Reed Hastings waxed lyrical about it in his book, No Rules Rules, with the tagline “Trust your team. Be radically honest. And never, ever try to please your boss.”

Netflix’s belief in openness, transparency, and personal accountability among its staff sees it share financial results internally before the numbers are revealed to the market.


Device complexity leaving schools at heightened risk of ransomware attacks

From helpnetsecurity.com

Absolute Software announced research revealing the significant management and security challenges faced by K-12 education IT teams with the rise in digital learning and the widespread adoption of 1:1 device programs. The report underscores how increased device mobility and complexity are leaving schools increasingly vulnerable to security risks and potential attacks.


After reportedly dragging its feet, BlackBerry admits, yes, QNX in cars, equipment suffers from BadAlloc bug

From theregister.com

BlackBerry this week issued a critical security advisory for past versions of its QNX Real Time Operating System (RTOS), used in more than 175m cars, medical equipment, and industrial systems.

BlackBerry QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 are affected by an integer overflow vulnerability in the calloc() function of the C runtime library.


Infostealer malware Azorult being distributed through spam emails

From malware.news

The ASEC analysis team recently discovered that the Azorult malware is being distributed through spam emails. Azorult is an infostealer that contacts a C&C server to receive the DLL files and commands used for data exfiltration, then steals information such as user data files and account credentials and sends it to that server. Besides account credentials from web browsers and email clients, it can also collect screenshots, cryptocurrency wallet information, and files matching paths and extensions designated by the attacker.


Fortinet delays patching zero-day allowing remote server takeover

From bleepingcomputer.com

Fortinet has delayed patching a zero-day command injection vulnerability found in the FortiWeb web application firewall (WAF) until the end of August.

Successful exploitation can let authenticated attackers execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.

While attackers must be authenticated to the management interface of the targeted FortiWeb device to abuse this bug, they can easily chain it with other vulnerabilities, such as the CVE-2020-29015 authentication bypass, to take full control of vulnerable servers.

“An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privilege,” Rapid7 explained.


Adopting Zero-Trust for API Security

From securityboulevard.com

Zero-trust architecture is being adopted across all assets within network infrastructure—data, cloud, applications. Now, more frequently, developers are seeing zero-trust as a useful security approach for APIs as well. That is because APIs are becoming a more frequent attack target: they tend to be less mature in their identity and access protections while transmitting large amounts of sensitive data, and almost every organization has them.

“Zero-trust can be applied to API security to make sure that APIs are constructed in ways that allow for a robust security model to be applied easily and effectively, so API users only have access to what they need,” said Kevin Dunne, president at Pathlock, in an email interview.
