Inside Security - December 4th, 2017

Another AWS S3 data leak, Dirty Cow hack, PayPal Canadian kiosk supplier breach, funding and mergers of the week

David’s Take

Some annual security predictions are short and sweet, and this one will take you about three minutes to review. It is from ServiceNow and suggests that security haves and have-nots will emerge (the difference being automated detection and response, and guess who sells such a solution), that better ways to articulate threats to management are coming, and that connected devices now pose threats of physical harm. It gets my nod for today’s report of note.

The usual collection of today’s threats along with funding events of the past week and a recap of the new AWS security announcements are here for your reading pleasure.

-- David Strom, editor of Inside Security

Top Story

PayPal says that one of the companies it acquired this past July suffered a security incident during which an attacker appears to have accessed servers that stored information for 1.6M customers. The victim is TIO Networks, a Canadian company that runs a network of over 60,000 utility and bill payment kiosks across North America and is resold by City Utilities. Customers will eventually be notified via postal mail and email. – BLEEPING COMPUTER

Attacks and vulnerabilities

Another exposed storage bucket on AWS, this time containing tens of thousands of individuals’ credit applications for the National Credit Federation, based in Tampa. Chris Vickery found them, and while no malicious actors have claimed any access, this is yet another example of a publicly readable storage container found by Vickery. – ON GUARD BLOG

A flaw in the original patch for the notorious Linux Dirty COW vulnerability could allow an adversary to execute code locally on affected systems and perform a privilege escalation attack. The Dirty COW patch was released in October 2016, and one analyst said, “The real deal here is the astonishing fact that such a hyped vulnerability was patched incompletely.” -- THREATPOST

Those of us who have keyless entry fobs for our cars might be interested in this story, which recounts how quickly a pair of thieves were able to steal a car in the UK with specialized RFID repeaters. My colleague Lisa Vaas links to several surveillance videos that show cars being stolen using this method in several cities. The solution is to use a steering wheel lock and keep your fob in the fridge, a makeshift Faraday cage. – NAKED SECURITY

This post by my colleague Erica Chickowski reviews past GitHub security lapses, in the hope that you won’t repeat them. The morals: use the GitHub security tools to ensure you aren’t exposing anything you shouldn’t be, and make sure you control access to your repositories appropriately. – DARK READING

Two different vulnerabilities were found in the RSA Authentication SDK. The first has to do with the Apache Authentication Agent, the second with the C programming agent interface. Patches are available and should be applied ASAP. – SECURITY AFFAIRS

New products: AWS Services galore

Amazon announced dozens of new services for AWS last week at its annual conference. We’ll just highlight the security-related ones; you can find the entire comprehensive list here. The biggest announcement was its GuardDuty family. This is a fully managed intelligent threat detection service that helps AWS customers safeguard their accounts and workloads against malicious or unauthorized behavior. It applies machine learning techniques to various threat feeds and to your own traffic to identify threats. A free 30-day trial is available. Also announced last week were a series of IoT-related services, including security, a real-time OS for devices, and analytics.

Funding events of the week

Qualys has announced it is acquiring assets from NetWatcher to incorporate into the Qualys Cloud Platform to boost its threat intelligence capabilities. Terms were not disclosed.

Terbium Labs completed a $6M funding round, with Glasswing Ventures in the lead. The Baltimore-based firm uses the dark web to find potential threat actors and has Danny Rogers as its CEO.

Pwnie Express raised an $8K round led by 406 Ventures. The Boston-area firm has a continuous IoT device monitoring solution, and its CEO is Todd DeSisto.

ReversingLabs raised a $25M Series A round led by Trident Capital. The Boston-area firm has various threat detection products, and its CEO is Mario Vuksan.

Google Nest and Apple iPod creator Tony Fadell has launched CashShield, a cybersecurity company that uses high-speed algorithms to combat online fraud, Bloomberg notes.

Self-promotions dep’t

Iovation subscribers have experienced lower credit card fraud this holiday season when compared to last year, with a decrease of almost a third. – IOVATION
WhatsApp has rolled out two-step verification to all of its user base, the company quietly announced through an updated FAQ on its website. Once you turn it on, any request to verify your phone number (which is how WhatsApp authenticates you) will require a separate passcode.  -- TECHCRUNCH

Just for fun

I became a fan of the board game Catan a few years ago when my daughter introduced me to it and I highly recommend it. It combines the best elements of game play from Monopoly and Risk into something that your whole family can enjoy. It was only a matter of time until a VR port of the game became available, according to Ars. -- ARS

Copyright ©, All rights reserved.

Our mailing address is:
767 Bryant St. #203
San Francisco, CA 94107
