The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis

Code Execution Bug Affects Yamale Python Package — Used by Over 200 Projects

Code Execution Bug Affects Yamale Python Package — Used by Over 200 Projects

October 07, 2021Ravie Lakshmanan
A high-severity code injection vulnerability has been disclosed in 23andMe's Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code. The flaw, tracked as  CVE-2021-38305  (CVSS score: 7.8), involves manipulating the schema file provided as input to the tool to circumvent protections and achieve code execution. Particularly, the  issue  resides in the schema parsing function, which allows any input passed to be evaluated and executed, resulting in a scenario where a specially-crafted string within the schema can be abused for the injection of system commands. Yamale is a Python package that allows developers to validate YAML — a data serialization language often used for writing configuration files — from the command line. The package is used by at least  224 repositories  on GitHub.  "This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execut
Penetration Testing Your AWS Environment - A CTO's Guide

Penetration Testing Your AWS Environment - A CTO's Guide

October 07, 2021The Hacker News
So, you've been thinking about getting a Penetration Test done on your Amazon Web Services (AWS) environment. Great! What should that involve exactly?  There are many options available, and knowing what you need will help you make your often limited security budget go as far as possible. Broadly, the key focus areas for most penetration tests involving AWS: Your externally accessible cloud infrastructure Any application(s) you're building or hosting Your internal cloud infrastructure Your AWS configuration itself Secrets management  We'll look at each one, starting with the most important: External Infrastructure The good news here is that, by default, AWS does its best to help you stay secure. For example, the default security groups don't let your EC2 instances receive communication from the outside world unless you actively specify it by adding additional rules. That said, AWS still allows you plenty of rope to hang yourself with if you're not carefu
New U.S. Government Initiative Holds Contractors Accountable for Cybersecurity

New U.S. Government Initiative Holds Contractors Accountable for Cybersecurity

October 07, 2021Ravie Lakshmanan
The U.S. government on Wednesday announced the formation of a new Civil Cyber-Fraud Initiative that aims to hold contractors accountable for failing to meet required cybersecurity requirements in order to safeguard public sector information and infrastructure. "For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,"  said  Deputy Attorney General Monaco in a press statement. "Well that changes today, [and] we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk." The Civil Cyber-Fraud Initiative is part of the U.S. Justice Department's (DoJ) efforts to build resilience against cybersecurity intrusions and holding companies to task for deliberately providing deficient cybersecurity products or
Apple now requires all apps to make it easy for users to delete their accounts

Apple now requires all apps to make it easy for users to delete their accounts

October 07, 2021Ravie Lakshmanan
All third-party iOS, iPadOS, and macOS apps that allow users to create an account should also provide a method for terminating their accounts from within the apps beginning next year, Apple said on Wednesday. "This requirement applies to all app submissions starting January 31, 2022," the iPhone maker  said , urging developers to "review any laws that may require you to maintain certain types of data, and to make sure your app clearly explains what data your app collects, how it collects that data, all uses of that data, your data retention/deletion policies." While the feature could be convenient, it's worth noting that Apple only says the mechanism should have a provision for users to "initiate deletion of their account from within the app," meaning it's possible that apps could redirect users to a website or prompt them to send an email in order actually to purge their information. The reminder follows updates to  App Store Review Guideline
Twitch Suffers Massive 125GB Data and Source Code Leak Due to Server Misconfiguration

Twitch Suffers Massive 125GB Data and Source Code Leak Due to Server Misconfiguration

October 06, 2021Ravie Lakshmanan
Interactive livestreaming platform Twitch  acknowledged  a "breach" after an anonymous poster on the 4chan messaging board leaked its source code, an unreleased Steam competitor from Amazon Game Studios, details of creator payouts , proprietary software development kits, and other internal tools. The Amazon-owned service said it's "working with urgency to understand the extent of this," adding the data was exposed "due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party." "At this time, we have no indication that login credentials have been exposed," Twitch  noted  in a post published late Wednesday. "Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed." The forum user claimed the hack is designed to "foster more disruption and competition in the online video streaming space" because "their communi
Cyber Security WEBINAR — How to Ace Your InfoSec Board Deck

Cyber Security WEBINAR — How to Ace Your InfoSec Board Deck

October 06, 2021The Hacker News
Communication is a vital skill for any leader at an organization, regardless of seniority. For security leaders, this goes double. Communicating clearly works on multiple levels. On the one hand, security leaders and CISOs must be able to communicate strategies clearly – instructions, incident response plans, and security policies. On the other, they must be able to communicate the importance of security and the value of having robust defenses to the C-level.  For CISOs and other security leaders, this latter skill is crucial but often overlooked or not prioritized. A new webinar: " How to ace your Infosec board deck ," looks to shed light on both the importance of being able to communicate clearly with management, and key strategies to do so effectively. The webinar will feature a conversation with vCISO and Cybersecurity Consultant Dr. Eric Cole, as well as Norwest Venture Partners General Partner Dave Zilberman.  More so than just talking about the dollar value of a sec
Iranian Hackers Abuse Dropbox in Cyberattacks Against Aerospace and Telecom Firms

Iranian Hackers Abuse Dropbox in Cyberattacks Against Aerospace and Telecom Firms

October 06, 2021Ravie Lakshmanan
Details have emerged about a new cyber espionage campaign directed against the aerospace and telecommunications industries, primarily in the Middle East, with the goal of stealing sensitive information about critical assets, organizations' infrastructure, and technology while remaining in the dark and successfully evading security solutions. Boston-based cybersecurity company Cybereason dubbed the attacks " Operation Ghostshell ," pointing out the use of a previously undocumented and stealthy remote access trojan (RAT) called ShellClient that's deployed as the main spy tool of choice. The first sign of the attacks was observed in July 2021 against a handpicked set of victims, indicating a highly targeted approach. "The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown," researchers Tom Fak
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.