More stories

  • Amazon: We're hiring software engineers who know programming language Rust

    Rust, the programming language hatched at Mozilla, has found a major fan in Amazon Web Services (AWS). 
    AWS has announced its intention to hire more Rust developers in coming months as part of its plan to support the open-source community behind the young language, which has become popular for systems programming. 

    Open-source Rust only reached version 1.0 five years ago. It was created with a prime goal of eradicating memory-related security bugs in Firefox’s Gecko rendering engine. Many of these security issues were because the engine was written in C++, which Mozilla described as having “an unsafe memory model”. 
    Microsoft is also a big fan of Rust and has been exploring its use in search of a way of reducing memory-related vulnerabilities in Windows components written in C and C++. But while Rust is well liked, not many developers are familiar with it, Stack Overflow found in its 2020 survey of 65,000 developers.
    AWS last year became a sponsor of Rust and has written several products in Rust. One of the latest is Bottlerocket, a Linux-based container operating system.
    Beyond providing sponsorship, the cloud company AWS is using its hiring power to support the language.  
    It recently started hiring contributors to Rust and Tokio, a runtime for writing applications in Rust for all kinds of devices. AWS says it is building a Rust and Tokio team to support its long-term plans. 

    “Given our dependence on Rust, we need deep in-house Rust expertise, just as we have with Java and other foundational technologies,” said Matt Asay, an open-source exec at AWS. 
    Shane Miller, a senior software engineering manager at AWS, is tasked with hiring Rust engineers. She explains the importance of Rust to AWS.  
    “Rust is a critical component of our long-term strategy, and we’re investing to deliver Rust engineering at Amazon scale. That includes developer tools, infrastructure components, interoperability, and verification,” Miller says.
    There are about 120 Rust-related vacancies spanning software development, hardware development, support engineering, and systems and security engineering.
    Amazon Lab126, the R&D unit behind the Amazon Echo and Kindle devices, has several vacancies for engineers who know Rust along with C, C++ and Java. AWS is also looking for engineers for Lambda, its serverless compute service, as well as its Ring home security service, and more. 
    The hiring effort is both good for AWS and for the Rust community because it will encourage more people to learn the language and then contribute, notes Marc Brooker, a senior principal engineer at AWS. 
    “Hiring engineers to work directly on Rust allows us to improve it in ways that matter to us and to our customers, and help grow the overall Rust community,” said Brooker.  

  • This critical software flaw is now being used to break into networks – so update fast

    State-backed hackers and criminal gangs are now actively using a vulnerability in mobile device management (MDM) software to successfully gain access to networks across government, healthcare and other industries.
    The UK’s National Cyber Security Centre (NCSC) has issued an alert warning that a number of groups are currently using a vulnerability in MDM software from MobileIron.


    MDM systems allow system administrators to manage an organisation’s mobile devices from a central server, making them a valuable target for criminals or spies to break into.
    In June 2020, MobileIron released security updates to address several vulnerabilities in its products. This included CVE-2020-15505, a remote code execution vulnerability. This critical-rated vulnerability affects MobileIron Core and Connector products, and could allow a remote attacker to execute arbitrary code on a system.
    The NCSC is aware that nation-state groups and cyber criminals “are now actively attempting to exploit this vulnerability to compromise the networks of UK organisations”.
    While the UK report doesn’t provide any information as to the identity of these groups, this vulnerability has already become popular with Chinese state-backed hackers.

    While MobileIron made security updates available for all impacted versions on 15 June 2020, not every organisation has yet updated their software.
    “In some cases, when the latest updates are not installed, they have successfully compromised systems. The healthcare, local government, logistics and legal sectors have all been targeted but others could also be affected,” NCSC said.
    A proof-of-concept version of the exploit became available in September 2020, and since then both hostile state actors and cyber criminals have attempted to exploit this vulnerability in the UK and elsewhere.
    These attackers typically scan victims’ networks to identify vulnerabilities, including CVE-2020-15505, to be used during targeting, NCSC said. It noted that sophisticated hackers are using this vulnerability in combination with the Netlogon/Zerologon vulnerability CVE-2020-1472 in a single intrusion attempt.
    NCSC notes that it’s also important for organisations using affected versions to ensure they are following other best-practice cybersecurity advice, such as scanning their own networks and undertaking continual audits. This will help identify suspicious activity in the event that this vulnerability has already been exploited.
    “In the case of this MobileIron vulnerability, the most important aspect is to install the latest updates as soon as practicable,” NCSC said.

  • YouTube suspends OANN for allegedly peddling fake COVID-19 cures

    YouTube has temporarily suspended OANN for promoting a fake COVID-19 cure on its channel. 

    A spokesperson for the video platform told Axios on Tuesday that One America News Network (OANN), a conservative news outlet, will not be able to post any new content on its YouTube channel for a week — and is also no longer able to monetize video content.
    The one-week ban is considered a ‘strike’ under YouTube’s COVID-19 misinformation policy. 
    The policy was implemented by Google in an attempt to stem a wave of fake news across social media and video services at the time of the first coronavirus outbreak, including fake COVID-19 cures and treatments, conspiracy theories concerning the origin of the virus, and stories claiming COVID-19 is a bioweapon. 
    YouTube removes content deemed to “pose a serious risk of egregious harm,” including videos peddling COVID-19 prevention, treatment, diagnoses, and transmission information that contradicts the World Health Organization (WHO) and local healthcare authorities.
    The company has provided examples of content that violates these policies, including:
    • Claims that COVID-19 doesn’t exist or that people do not die from it
    • Content that encourages the use of home remedies in place of medical treatment
    • Other content that discourages people from consulting a medical professional or seeking medical advice
    • Content that claims that any group or individual has immunity to the virus or cannot transmit the virus

    The first time a YouTube channel goes against YouTube’s stance on COVID-19 content, the company will send an emailed warning. Afterward, YouTube will ‘strike’ a channel up to three times to bring the message home, before deleting a repeat offender’s channel entirely.  
    OANN’s video claimed there was a guaranteed cure, and this content has now been taken down by YouTube. 
    According to Axios, the outlet has also been suspended from the YouTube Partner Program, which allows content creators to monetize their videos through adverts. In order to rejoin and monetize content in the future, OANN will have to reapply.
    “After careful review, we removed a video from OANN and issued a strike on the channel for violating our COVID-19 misinformation policy, which prohibits content claiming there’s a guaranteed cure,” YouTube spokesperson Ivy Choi said. 
    The suspension comes at the same time US Senator Bob Menendez, together with Democrat colleagues, wrote and published a letter to YouTube, urging the company to take a stronger stance against election misinformation. 
    The letter, sent to YouTube CEO Susan Wojcicki, asks for “aggressive steps” to be taken to prevent election outcome misinformation from spreading across the platform — ahead of upcoming Georgia run-off elections — and says that “YouTube and its industry peers must take responsibility and immediately stop the spread of misinformation and manipulated media on their platforms.”
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Home Depot agrees to $17.5 million settlement over 2014 data breach

    Home Depot has agreed to a $17.5 million settlement in a multi-state investigation of a data breach suffered by the company in 2014.

    Delaware Attorney-General Kathy Jennings announced the settlement on Tuesday, in which a total of 46 states, as well as the District of Columbia, have reached a resolution with the US retailer. 
    In 2014, Home Depot confirmed that a cyberattack had occurred on its payment systems, impacting customers across the US and Canada.
    Starting in April 2014 and detected in September of the same year, the cyberattack mirrored what was also experienced by rival retailer Target in 2013, in which point-of-sale (PoS) systems were infected with malware designed to steal payment card data. 
    Approximately 40 million Home Depot customers were impacted by the PoS malware, which remained hidden on the company’s self-checkout systems for months.
    Stolen payment card data of this kind can be used to make fraudulent purchases online or to create clone cards, potentially leading to consumer bank accounts being pilfered and creditworthiness being damaged.

    Alongside the settlement, Home Depot has agreed to implement and maintain new security practices in the future. These include employing a chief information security officer (CISO), providing security awareness training, and rolling out network access security improvements, two-factor authentication (2FA) standards, and more. 
    “Retailers must take meaningful steps to protect consumers’ credit and debit card information from theft when they shop,” said Massachusetts AG Maura Healey. “This settlement ensures Home Depot complies with our state’s strong data security law and requires the company to take steps to protect consumer information from illegal use or disclosure.”
    At the time of Home Depot’s breach, online customers were not involved. Six years on, and we now commonly see payment card information being harvested across e-commerce websites in what is known as Magecart attacks. 
    Instead of infiltrating corporate networks in order to strike PoS systems, Magecart operators exploit vulnerabilities in online platforms and deploy JavaScript code able to skim and steal payment information submitted by customers when they make a purchase.  

  • 2FA bypass discovered in web hosting software cPanel

    Security researchers have discovered a major security flaw in cPanel, a popular software suite used by web hosting companies to manage websites for their customers.

    The bug, discovered by security researchers from Digital Defense, allows attackers to bypass two-factor authentication (2FA) for cPanel accounts.
    These accounts are used by website owners to access and manage their websites and underlying server settings. Access to these accounts is critical, as once compromised, they grant threat actors full control over a victim’s site.
    On its website, cPanel boasts that its software is currently used by hundreds of web hosting companies to manage more than 70 million domains across the world.
    But in a press release today, Digital Defense says that the 2FA implementation on older cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed threat actors to guess URL parameters and bypass 2FA — if 2FA was enabled for an account.
    While brute-forcing attacks, in general, usually take hours or days to execute, in this particular case, the attack required only a few minutes, Digital Defense said today.
    Exploiting this bug also requires that attackers have valid credentials for a targeted account, but these can be obtained from phishing the website owner.

    While this might make some website owners think the bug is not important, it’s actually the opposite since 2FA solutions were invented in the first place to protect against the use of phished credentials, and, as a result, any 2FA bypass like this bug needs to be treated with the utmost urgency and attention.
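    The point the article makes is that a second factor only helps if the server bounds how many wrong answers it will accept. The following is an added illustration, not cPanel's code and not a description of how cPanel's check was built: a generic six-digit one-time-code verifier with no attempt limit sits beside the same verifier with a per-account failure counter and lockout. The threshold and lockout window are assumed values chosen for the demonstration.

```python
"""A 2FA code check without attempt limiting, beside one with a lockout.

Added example for the cPanel 2FA-bypass story; it is generic and does not
reflect cPanel's own implementation. Assumptions: a 6-digit numeric code,
5 failures before lockout, a 15-minute lockout window.
"""
import hmac
import time

CODE_DIGITS = 6
MAX_FAILURES = 5            # assumed threshold
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window


def expected_guesses_without_throttle():
    """Average number of guesses needed to hit a uniformly random 6-digit code.
    With no throttle and a fast endpoint this is minutes of work, which is the
    failure mode the article describes."""
    return 10 ** CODE_DIGITS // 2


class UnthrottledVerifier:
    """Weak: compares in constant time, but never counts failures."""

    def __init__(self, expected_code):
        self._expected = expected_code

    def verify(self, account, code):
        return hmac.compare_digest(code, self._expected)


class ThrottledVerifier:
    """Hardened: each account gets MAX_FAILURES wrong codes, then a lockout
    during which even the correct code is refused."""

    def __init__(self, expected_code, clock=time.monotonic):
        self._expected = expected_code
        self._clock = clock            # injectable so tests can advance time
        self._state = {}               # account -> (failure_count, locked_until)

    def is_locked(self, account):
        _, locked_until = self._state.get(account, (0, 0.0))
        return self._clock() < locked_until

    def verify(self, account, code):
        now = self._clock()
        count, locked_until = self._state.get(account, (0, 0.0))
        if now < locked_until:
            return False               # locked out: refuse without comparing
        if hmac.compare_digest(code, self._expected):
            self._state.pop(account, None)   # success clears the counter
            return True
        count += 1
        if count >= MAX_FAILURES:
            self._state[account] = (0, now + LOCKOUT_SECONDS)
        else:
            self._state[account] = (count, locked_until)
        return False


class ManualClock:
    """Constructed clock for the demo so the lockout can be advanced instantly."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = ManualClock()
    good = ThrottledVerifier("123456", clock=clock)
    for _ in range(MAX_FAILURES):
        good.verify("alice", "000000")
    print("locked after", MAX_FAILURES, "failures:", good.is_locked("alice"))
    print("correct code during lockout accepted:", good.verify("alice", "123456"))
    clock.t += LOCKOUT_SECONDS + 1
    print("correct code after lockout accepted:", good.verify("alice", "123456"))
    print("guesses expected without throttle:", expected_guesses_without_throttle())
```

    A fixed lockout is the simplest form of the control and also the easiest to abuse as a denial of service against the legitimate user, so production systems usually pair a per-account counter with exponential backoff, per-source limits and alerting rather than a hard lock alone; the structure of the check is the same.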
    The good news is that Digital Defense privately reported the bug, tracked as SEC-575, to the cPanel team, which released patches last week.
    Website owners who use 2FA on their cPanel login can see if their web hosting provider has rolled out the update to their cPanel installation by checking the platform’s version number.
    Per cPanel’s security advisory, the 2FA bypass issue has been patched in cPanel & WHM software 11.92.0.2, 11.90.0.17, and 11.86.0.32.
    Users should not disable 2FA for their cPanel accounts because of this bug, but should instead request that their web hosting providers update the cPanel installation to the latest version.
    A cPanel spokesperson was not immediately available for comment.

  • Stantinko's Linux malware now poses as an Apache web server

    Stantinko, one of the oldest malware botnets still operating today, has rolled out updates to its class of Linux malware, upgrading its trojan to pose as the legitimate Apache web server process (httpd) in order to make detection harder on infected hosts.
    The upgrades, spotted by security firm Intezer Labs, confirm that despite a period of inactivity in terms of code changes, the Stantinko botnet continues to operate even today.
    A short history of Stantinko

    The Stantinko botnet was first detected in 2012. The group behind this malware began operating by distributing the Stantinko trojan as part of app bundles or via pirated apps.
    Only Windows users were targeted in the beginning, with the malware using infected hosts to show unwanted ads or for installing a hidden cryptocurrency miner.
    As the botnet grew in size and started generating more profits, its code evolved across the years. A considerable update was discovered in 2017 [see PDF report] when Slovak security firm ESET spotted Stantinko also deploying special versions of its malware for Linux systems.
    This Linux version acted as a SOCKS5 proxy, with Stantinko turning infected Linux systems into nodes in a larger proxy network.
    Each of these Linux systems would be used to launch brute-force attacks against content management systems (CMSs) and various web-based systems, such as databases. Once it compromised these systems, the Stantinko gang would elevate its access to the underlying server OS (Linux or Windows) and then deploy a copy of itself and a crypto-miner to generate even more profits for the malware authors.
    New Stantinko Linux version

    But crypto-mining botnets like Stantinko are a dime a dozen, and they aren’t usually tracked with the same vigor as ransomware gangs or botnets like Emotet or Trickbot.
    The last version of Stantinko’s Linux malware was spotted back in 2017, having a version number of 1.2. But in a report released today and shared with ZDNet, Intezer Labs said that after three years, they have recently discovered a new version of Stantinko’s Linux malware, having a version number of 2.17 — a huge jump from the previous known release.
    However, despite the huge version gap between the two releases, the Intezer team notes that the new version is actually leaner and contains fewer features than the older release, which is odd, as malware tends to bulk up as years go by.
    One reason behind this odd move is that the Stantinko gang might have removed all the chaff from its code and left only the features they need and use on a daily basis. This includes the proxy feature, still present in the newer release, and crucial for its brute-forcing operations.
    Another reason might also be that the Stantinko gang was attempting to reduce the malware’s fingerprint against antivirus solutions. Fewer lines of code mean less malicious behavior to detect.
    And Intezer notes that Stantinko almost pulled it off, as the newer version had a very low detection rate on the VirusTotal aggregated virus scanner, almost going by undetected.
    Posing as Apache’s web server
    Furthermore, the Stantinko gang appears to have put a premium on stealth in this newer release, because they also modified the process name its Linux malware uses, choosing to go with httpd, the name usually used by the more famous Apache web server.
    This was obviously done to prevent server owners from spotting the malware at a regular visual inspection, as the Apache web server is often included by default in many Linux distros, and this process is usually running on Linux systems that Stantinko generally infects.
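    A process name is only a label, so the cheap defender-side check is to compare what a process calls itself with the executable actually mapped into it. The script below is an added example, not code from Intezer's report or from the malware: it reads the kernel's process name (`comm`) and the resolved `/proc/<pid>/exe` link for every process, and flags anything named httpd whose binary is not at a known Apache path, has been deleted since launch, or runs from a temporary directory. The list of legitimate Apache paths is an assumption to adjust per distribution, and the sample records at the bottom are constructed so the check can be run offline.

```python
"""Flag processes that call themselves "httpd" but are not the real Apache binary.

Added example for the Stantinko write-up above; it is not the vendor's or the
malware's code. The allow-list of Apache locations is an assumption: adjust it
to the distribution in use (Debian/Ubuntu name the daemon apache2, not httpd).
"""
import os

# Assumed locations of a genuine Apache binary on common distributions.
APACHE_BINARIES = {
    "/usr/sbin/httpd",                 # RHEL/CentOS/Fedora
    "/usr/sbin/apache2",               # Debian/Ubuntu
    "/usr/local/apache2/bin/httpd",    # source install
}

# A real daemon should never be executing out of these trees.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
DELETED_SUFFIX = " (deleted)"          # what readlink(/proc/<pid>/exe) appends


def classify(proc):
    """Return the reasons a record looks like a spoofed httpd (empty list = fine).

    `proc` is a dict with keys pid, comm (kernel process name), exe (resolved
    /proc/<pid>/exe target, "" if unreadable) and cwd.
    """
    reasons = []
    if proc["comm"] != "httpd":
        return reasons                 # only httpd look-alikes are in scope here
    exe = proc["exe"]
    if exe.endswith(DELETED_SUFFIX):
        reasons.append("executable was deleted after launch")
        exe = exe[: -len(DELETED_SUFFIX)]
    if exe == "":
        reasons.append("executable path unreadable")
    elif exe not in APACHE_BINARIES:
        reasons.append(f"executable {exe} is not a known Apache binary")
    if exe.startswith(SUSPICIOUS_DIRS):
        reasons.append("running from a writable/temporary directory")
    return reasons


def find_spoofed_httpd(processes):
    """Map pid -> reasons for every record that fails the checks."""
    flagged = {}
    for proc in processes:
        reasons = classify(proc)
        if reasons:
            flagged[proc["pid"]] = reasons
    return flagged


def collect_processes():
    """Build records from /proc on a live Linux host (root needed to read other users' exe links)."""
    records = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"{base}/exe")
        except OSError:
            continue                   # process exited or permission denied
        try:
            cwd = os.readlink(f"{base}/cwd")
        except OSError:
            cwd = ""
        records.append({"pid": int(pid), "comm": comm, "exe": exe, "cwd": cwd})
    return records


# Constructed sample records (not real telemetry): two genuine Apache workers,
# two impostors of the kind the article describes, and an unrelated daemon.
SAMPLE_PROCESSES = [
    {"pid": 1201, "comm": "httpd", "exe": "/usr/sbin/httpd", "cwd": "/"},
    {"pid": 1202, "comm": "httpd", "exe": "/usr/sbin/httpd", "cwd": "/"},
    {"pid": 4410, "comm": "httpd", "exe": "/tmp/.x/httpd", "cwd": "/tmp/.x"},
    {"pid": 4411, "comm": "httpd", "exe": "/var/tmp/httpd (deleted)", "cwd": "/var/tmp"},
    {"pid": 800, "comm": "sshd", "exe": "/usr/sbin/sshd", "cwd": "/"},
]

if __name__ == "__main__":
    source = collect_processes() if os.path.isdir("/proc") else SAMPLE_PROCESSES
    for pid, reasons in find_spoofed_httpd(source).items():
        print(pid, "; ".join(reasons))
```

    Treat a hit as a triage lead rather than proof: `comm` is truncated to 15 characters, a package upgrade can legitimately leave a worker with a deleted binary until restart, and an intruder with root can overwrite the real Apache path instead of renaming. Checking the binary's package-manager hash and its listening sockets is the natural next step.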
    Either way, Linux system administrators need to realize that as the Linux OS becomes more widespread in enterprise environments today, more and more malware operations will begin targeting Linux, and many gangs will also bring over all their expertise and trickery from years of developing Windows malware.
    What Linux server owners need to know is that despite Linux being a secure OS, malware often burrows deep inside systems because of misconfigurations. In Stantinko’s case, this botnet goes after server administrators who use weak passwords for their databases and CMSs.
    In fact, this is how all malware operates, regardless of operating system.
    Malware rarely exploits OS-level vulnerabilities to gain a foothold on a system. In most cases, malware gangs usually focus on:
    • app misconfigurations that have left open ports or admin panels exposed online;
    • outdated apps left without security patches;
    • systems/apps that use weak passwords for internet-facing services;
    • tricking users into taking dangerous actions (social engineering);
    • or exploiting bugs in the apps that run on top of the operating system.
    Exploits in the Linux OS itself are rarely used, and usually after the malware has already gained access to a system through one of the methods above.
    These exploits, employed as second-stage payloads, are usually employed to elevate privileges from low-level to admin accounts, so the malware can take full control of the attacked system. This is why, even if Linux (or other OS) isn’t targeted directly, it still needs to run up-to-date versions to prevent these user-to-root elevations once attackers gain a foothold on infected hosts.
    Keeping systems safe from attacks is simple in principle, as system administrators mostly need to keep apps up to date and use strong passwords. Yet this is always hard work in practice because companies typically run hundreds or thousands of systems at the same time, and attackers only need to find one weak link to get in.

  • Spotify launches ‘rolling reset’ on customer accounts, passwords linked to data leak

    Spotify has issued a rolling password reset of some user accounts following the discovery of an open database containing user credentials. 

    This week, vpnMentor researchers Noam Rotem and Ran Locar made their findings public, in which an open Elasticsearch database was found during the firm’s web mapping project.
    The 72GB database contained over 380 million records, “including login credentials and other user data being validated against the Spotify service,” the team said. 
    According to vpnMentor, the origins of the database are unknown, but it does not belong to the music streaming service itself. Instead, the third party that created the database may have collated the records from other sources — such as stolen data dumps or another platform — for later use in hijacking user accounts.
    “These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify,” Rotem and Locar said. 
    Some, but not all, Spotify users have been impacted. It is estimated that roughly 300,000 to 350,000 accounts were embroiled in the leak, in which email addresses, Personally Identifiable Information (PII), countries of residence, and login credentials — both usernames and passwords — were available to view. 

    The information was not encrypted. As a result, these records could be used to access and take over accounts, as well as perform credential-stuffing attacks should the password and email combinations be used on other platforms or to access other applications. 
    However, it should be noted that the leaked data only relates to a tiny fraction of Spotify’s 299 million active monthly user base. 
    vpnMentor discovered the database on July 3, and following a review, contacted Spotify on July 9. Between July 10 and July 21, the music streaming service initiated a rolling reset of passwords for the users identified in the database, ensuring the password and username combinations — at least on the Spotify platform — would become useless. 
    ZDNet has reached out to Spotify and will update when we hear back. 