On August 31st, 2019, an Amazon AWS US-EAST-1 datacenter in North Virginia experienced a power failure at 4:33 AM, which led to the datacenter’s backup generators to kick on. Unfortunately, these generators started failing at approximately 6:00 AM , which led to 7.5% of the EC2 instances and EBS volumes becoming unavailable. ‘1:30 PM PDT At 4:33 AM PDT one of ten data centers in one of the six Availability Zones in the US-EAST-1 Region saw a failure of utility power.

…

A security flaw in Exim mail servers could be exploited by local or remote attackers to execute arbitrary code with root privileges. The Exim development team has addressed a vulnerability in Exim mail server, tracked as CVE-2019-15846, that could be exploited by local and remote attackers to execute arbitrary code with root privileges. The vulnerability is a heap overflow that affects version 4.92.1 and prior of Exim mail server that accept TLS connections.

…

Maintainers of the RubyGems package repository have yanked 18 malicious versions of 11 Ruby libraries that contained a backdoor mechanism and were caught inserting code that launched hidden cryptocurrency mining operations inside other people’s Ruby projects. The malicious code was first discovered yesterday inside four versions of rest-client, an extremely popular Ruby library. According to an analysis by Jan Dintel, a Dutch Ruby developer, the malicious code found in rest-client would collect and send the URL and environment variables of a compromised system to a remote server in Ukraine.

…

An eagle-eyed developer has discovered a backdoor recently sneaked into a library (or ‘gem’) used by Ruby on Rails (RoR) web apps to check password strength. A close shave, then. While the Ruby scripting language and RoR aren’t as popular as they once were, they’re still embedded in numerous enterprise development environments, an unknown number of which might have used the library, strong_password, in its infected version 0.0.7.

…

Today, Wikipedia was hit with a malicious attack that has taken it offline in several countries for intermittent periods. The attack is ongoing and our Site Reliability Engineering team is working hard to stop it and restore access to the site.

As one of the world’s most popular sites, Wikipedia sometimes attracts “bad faith” actors. Along with the rest of the web, we operate in an increasingly sophisticated and complex environment where threats are continuously evolving. Because of this, the Wikimedia communities and Wikimedia Foundation have created dedicated systems and staff to regularly monitor and address risks.

…

The CEO of an energy firm based in the UK thought he was following his boss’s urgent orders in March when he transferred funds to a third-party. But the request actually came from the AI-assisted voice of a fraudster. The Wall Street Journal reports that the mark believed he was speaking to the CEO of his businesses’ parent company based in Germany.

…

If you are thinking about tweeting about clouds, pork, exercise or even Mexico, think again. Doing so may result in a closer look by the U.S. Department of Homeland Security. The list was posted by the Electronic Privacy Information Center who filed a request under the Freedom of Information Act, before suing to obtain the release of the documents.

…

An Israeli company licenses software around the world that can crack just about any smartphone, but is its use always on the side of good? CEO of Israeli spyware-maker NSO on fighting terror, Khashoggi murder, and Saudi Arabia An Israeli company licenses software around the world that can crack just about any smartphone, but is its use always on the side of good?

…

Tulsi Gabbard’s email account went down right after the Democratic Debate and I believe I can provide assistance on where to focus your discovery efforts because I saw how other accounts, such as Jordan B. Peterson, was taken down. I’m going to recount how this happened to him so as to assist you in your legal discovery process.

Source: minds.com

…

Speakers are everywhere, whether it’s expensive, standalone sound systems, laptops, smart home devices, or cheap portables. And while you rely on them for music or conversation, researchers have long known that commercial speakers are also physically able to emit frequencies outside of audible range for humans. At the Defcon security conference in Las Vegas on Sunday, one researcher is warning that this capability has the potential to be weaponized.

…

The threat of ransomware is becoming more prevalent and severe as attackers’ focus has now moved beyond computers to smartphones and other Internet-connected smart devices. In its latest research, security researchers at cybersecurity firm CheckPoint demonstrated how easy it is for hackers to remotely infect a digital DSLR camera with ransomware and hold private photos and videos hostage until victims pay a ransom.

…

Hackers could crack open high-security electronic locks by monitoring their power, allowing thieves to steal cash in automated teller machines, narcotics in pharmacies and government secrets, according to research to be presented Friday at the annual Def Con hacking conference in Las Vegas. Mike Davis, a researcher with security firm IOActive, discovered the vulnerability last year and alerted government officials and Swiss company DormaKaba Holding (DOKA.S), the distributor of multiple brands of locks at issue. In an interview with Reuters, Davis said he used an oscilloscope worth about $5,000 to detect small changes in the power consumption, through what is known as a side-channel attack.

…

Zoncolan helps security engineers scale their work by using static analysis to examine code and detect security or privacy issues. Facebook’s web codebase currently contains more than 100 million lines of Hack code, and changes thousands of times per day. To handle the sheer volume of code, we build sophisticated systems that help our security engineers review code.

…

Finite State located significant security issues in Huawei firmware images, including memory corruption, hardcoded encryption keys, and unsafe functions used in place of the secure alternatives.

Source: infoq.com

…

It looks like an Apple lightning cable. It works like an Apple lightning cable. But it will give an attacker a way to remotely tap into your computer.

I plugged the Apple lightning cable into my iPod and connected it to my Mac, just as I normally would. My iPod started charging, iTunes detected the device, and my iPod produced the pop-up asking if I wanted to trust this computer. All expected behaviour.

…

A new piece of advanced espionage malware, possibly developed by a nation-supported attacker, targeted three US companies in the utilities industry last month, researchers from security firm Proofpoint reported on Thursday. Employees of the three unnamed companies, Proofpoint reported, received emails purporting to come from the National Council of Examiners for Engineering and Surveying. This non-profit group develops, administers, and scores examinations used in granting licenses for US engineers.

…

The Ring doorbell surveillance camera sits squarely in the center of a Tiffany-blue online flyer, which provides details about a “Security Product Subsidy Event” in Arcadia, California. This isn’t an ad from Best Buy or an electronics store. It’s an ad from the Arcadia city government.

The local city government is selling discounted surveillance cameras directly to its residents, and the ‘discount’ is subsidized by the city. In other words, taxpayer money is being paid to Ring, Amazon’s home surveillance company, in exchange for hundreds of surveillance cameras. Cities and towns around the country are paying Ring up to $100,000 to subsidize the purchase of the company’s surveillance cameras for private residents.

…

The United States military is now testing high-altitude surveillance balloons across the Midwest, according to documents a military contractor filed with the Federal Communications Commission. The news was first reported by The Guardian.

The filing states the intent of military contractor Sierra Nevada Corporation is to ‘provide a persistent surveillance system to locate and deter narcotics trafficking and homeland security threats.” The Guardian reported these have been launched and tested across South Dakota, Minnesota, Iowa, Wisconsin, Missouri, and Illinois.

…

Earlier this year in April, two security researchers disclosed details about five vulnerabilities (collectively known as Dragonblood) in the WiFi Alliance’s recently launched WPA3 WiFi security and authentication standard. Yesterday, the same security researchers disclosed two new additional bugs impacting the same standard. The two researchers — Mathy Vanhoef and Eyal Ronen — found these two new bugs in the security recommendations the WiFi Alliance created for equipment vendors in order to mitigate the initial Dragonblood attacks.

…

Capital One and GitHub have been sued this week as part of a class-action lawsuit filed in California on allegations of failing to secure or prevent a security breach during which the personal details of more than 106 million users were stolen by a hacker. While Capital One is named in the lawsuit because it was its data that the hacker stole, GitHub was also included because the hacker posted details about the hack on the code-sharing site. The lawsuit claims that ‘decisions by GitHub’s management […] allowed the hacked data to be posted, displayed, used, and/or otherwise available.’

…