June 1, 2020
David Redekop

This Week In Nerd News – June 1, 2020

Your weekly top 5 technical and security issues Nerds should pay attention to:

Zero-day in Sign in with Apple.

Glad this is fixed, and glad Apple paid $100,000 to the researcher who disclosed it responsibly, but it is also a good lesson in being slow to adopt anything new that claims to be secure from the outset.

What if I say your email ID is all I need to take over your account on your favorite website or app? Sounds scary, right? This is what a bug in Sign in with Apple allowed me to do.

In the month of April, I found a zero-day in Sign in with Apple that affected third-party applications which were using it and didn’t implement their own additional security measures. This bug could have resulted in a full account takeover of user accounts on that third-party application, irrespective of whether the victim had a valid Apple ID or not.

Read More: Zero-day in Sign in with Apple

Cisco security breach hits corporate servers that ran unpatched software.

Cisco is one of many organizations bitten by vulnerabilities in the open source Salt configuration manager.

Six servers Cisco uses to provide a virtual networking service were compromised by hackers who exploited critical flaws contained in unpatched versions of the open source software the service relies on, the company disclosed on Thursday.

Read More: Cisco security breach hits corporate servers that ran unpatched software

Russian hackers are exploiting bug that gives control of US servers.

The Sandworm group uses email to send root commands to buggy Exim servers. Exim is also used “behind the scenes” inside mail security products, where it is not directly exposed to the Internet. Because the attack rides in the mail message itself, those instances are vulnerable as well once a front-end gateway relays the message to them.

A Russian hacking group tied to power-grid attacks in Ukraine, the world’s most destructive data wiper worm, and other nefarious Kremlin operations is exploiting a vulnerability that allows it to take control of computers operated by the US government and its partners.

Read More: Russian hackers are exploiting bug that gives control of US servers

Dangerous SHA-1 crypto function will die in SSH linking millions of computers.

Lagging far behind others, SSH developers finally deprecate the aging hash function. We have seen the writing on the wall for SHA-1 for years, but now there is a price tag: under $50,000 of rented computing power buys a SHA-1 chosen-prefix collision. A collision is not a preimage, so it does not directly let an attacker log in to a SHA-1-protected system, but it is exactly what is needed to forge a signature made with SHA-1, which is what the ssh-rsa public-key signature scheme uses.

Developers of two open source code libraries for Secure Shell—the protocol millions of computers use to create encrypted connections to each other—are retiring the SHA-1 hashing algorithm, four months after researchers piled a final nail in its coffin.

Read More: Dangerous SHA-1 crypto function will die in SSH linking millions of computers

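Administrators do not have to wait for the library defaults to change. As an added example (not from the article and not OpenSSH project code), the following sshd_config fragment stops a server from offering or accepting SHA-1 signatures today. The directive names are OpenSSH's own; the leading `-` in an algorithm list (OpenSSH 7.5 or later) removes the named algorithms from the default set instead of replacing it.

```text
# Added example, not from the article: drop the SHA-1 signature schemes
# from sshd's defaults. RSA keys keep working, because the same key signs
# with rsa-sha2-256 / rsa-sha2-512; only "ssh-rsa" (RSA with SHA-1) and
# its certificate form are removed from what the server offers/accepts.
HostKeyAlgorithms -ssh-rsa,ssh-rsa-cert-v01@openssh.com
PubkeyAcceptedKeyTypes -ssh-rsa,ssh-rsa-cert-v01@openssh.com
```

After reloading sshd, `sshd -T | grep -i -e hostkeyalgorithms -e pubkeyacceptedkeytypes` should no longer list `ssh-rsa`, and from a client `ssh -o HostKeyAlgorithms=ssh-rsa user@host` should fail to negotiate rather than connect. The same two directives work in a client's ssh_config. Two caveats: OpenSSH 8.5 later renamed `PubkeyAcceptedKeyTypes` to `PubkeyAcceptedAlgorithms` (the old name remains an alias), and the `ssh-rsa` at the start of an `id_rsa.pub` line names the key type, not the signature scheme, so existing RSA keys do not need to be replaced.
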
Career Choice Tip: Cybercrime is Mostly Boring.

The economics of illegal hacking look attractive to some people, but thankfully Brian Krebs shows how boring most of the day-to-day work in cybercrime actually is.

When law enforcement agencies tout their latest cybercriminal arrest, the defendant is often cast as a bravado outlaw engaged in sophisticated, lucrative, even exciting activity. But new research suggests that as cybercrime has become dominated by pay-for-service offerings, the vast majority of day-to-day activity needed to support these enterprises is in fact mind-numbingly boring and tedious, and that highlighting this reality may be a far more effective way to combat cybercrime and steer offenders toward a better path.

Read More: Career Choice Tip: Cybercrime is Mostly Boring

Did you know?

The Guided Access Escape is not fixed in iOS 13.5, so I blogged about it here: No bounty for Guided Access Escape. Guided Access is an almost hidden feature in iOS, but it is a powerful tool.

Need an IT professional? Request service today.