Roundup This week in The Register's security roundup of notable items beyond what we have already covered: the Tor Project downsized its core team, Zoom called in the big security guns, US tech companies took their case to Congress, and more.
First, it was a bad weekend for 13 staff at the nonprofit Tor Project, who were laid off as the team was reduced to core operations only.
“Like many other nonprofits and small businesses, the crisis has hit us hard and we have had to make tough decisions,” the project said in a statement.
“We had to give up 13 great people who have helped make Tor available to millions of people around the world. We will progress with a team of 22 people and will remain determined to continue our work on the Tor Browser and the Tor software ecosystem.”
These drastic cuts are surprising, given Tor's relatively low overhead and its major backers, which include the US government and DARPA. Tor hasn't released further details yet.
Zoom calls in the big guns to fix security concerns
After spending the last month or so as the clown at the top of the dunk tank of the computer security world, Zoom has called in help for its bug bounty program.
Luta Security has been brought in to help the video-conferencing giant set up a bug bounty program so that it can find, fix and reward future security vulnerabilities before they become public. In fact, this has been in the works for some time: Luta founder and CEO Katie Moussouris told The Register the project started months before the coronavirus outbreak.
It's not just an empty gesture either. Moussouris is something of a legend in the bug bounty field, having helped launch programs at Microsoft and the US Department of Defense. She doesn't do half-baked bounty programs, so you can bet there will be a well-trained team on Zoom's side to triage bug reports and resolve issues.
Earlier in the month Zoom also recruited Alex Stamos, former CSO at Yahoo! and Facebook, as well as leading security specialists Matthew Green, professor of computer science at the Johns Hopkins Information Security Institute, and Lea Kissner, former head of privacy technology at Google.
Tech companies seek infosec funding in next US stimulus package
A group of tech trade bodies is calling on the US Congress to allocate money for IT spending in the next coronavirus pandemic stimulus bill. Local, state and federal computer systems are in desperate need of modernization, they say.
“The COVID-19 pandemic highlights the need to redouble our efforts to digitize federal forms and reduce the dependence on paperwork for manual processing of priorities and assistance,” the letter [PDF] reads.
“In addition, the rapid transition to remote telework during the pandemic has also created new challenges for many government agencies, including increased cybersecurity threats, an inability to leverage commercial capabilities (which reduces program effectiveness) and significant continuity of government operations.”
Equifax settles with Massachusetts and Indiana
Two of the states that chose to go it alone in their Equifax data-theft lawsuits will receive a total of $37.7 million in settlement payments.
Indiana says the settlement money will go to citizens as restitution, while Massachusetts plans to set aside a portion for consumer assistance programs.
Taiwan's chip makers under attack from foreign hackers
Semiconductor manufacturers in Taiwan are being targeted by a foreign hacking operation aimed at lifting intellectual property.
Security company CyCraft said it was called in to investigate the matter, and quickly concluded that it was dealing with a sophisticated and highly organized APT operation which used, among other things, a particularly “nasty skeleton key” attack to infiltrate networks and gain access to sensitive documents.
“The main objective of these attacks was the exfiltration of intellectual property, such as documents on integrated circuits (IC), software development kits (SDK), IC designs, source code, etc.,” the company writes.
“The motive for these attacks likely stems from competitors (or perhaps even from nation states, due to the advanced nature of the attacks) seeking a competitive advantage.”
Clearview exposes code in security breach
A misconfiguration left a Clearview AI database containing, among other things, source code and secret keys accessible to the general public.
Middle Eastern security shop SpiderSilk located the database, which was password protected. However, the firm says anyone could simply register as a new user and access the company's crown jewels, including access to its online storage buckets.
The exposure was spotted by a researcher and has since been closed off, although the researchers and Clearview appear to disagree on how the disclosure was handled.
Docker image security dissected
Larry Cashdollar, Akamai's security research ace (yes, that's his real name), delivered a thought-provoking look at the kind of attacks a typical Docker image will attract in a given day.
Cashdollar's Docker honeypot, left exposed for 24 hours, was hit by a number of automated intrusion attempts and was infected with things like a Mirai botnet payload and crypto-mining malware.
Windows security crash
A recent update to Windows Defender is believed to be causing problems, as users report their security software crashing while attempting to perform scans.
The security software can be restarted manually, and hopefully an update from Microsoft to fix the bug is already in the works.
An inside look at a Linux bug
Ever wondered what a Linux kernel flaw looks like? The security team at ZDI has provided a walkthrough of CVE-2020-8835, a kernel privilege escalation vulnerability.
Fortunately, there shouldn't be much risk for users and administrators, as the flaw has been known for months and was fixed some time ago. But it's worth seeing how easy it sometimes is to topple systems. ®