The Security Digest: #80

by Daniel Tobin on September 28, 2021

A high level movie plot worthy discussions about WikiLeaks, record breaking year for zero days, another major issue with Exchange and a brute force bug in Azure AD, update Chrome ASAP, Good Samaritan flaw in AirTags and a possible update to bolster CISA. In owl news, they’re replacing doves in the peace process and finally Truffle Security has a Chrome extension to find keys in front end JavaScript.

Yahoo News is reporting on a high level CIA discussion to kidnap or even assassinate Julian Assange in retaliation for the publication of the Vault 7 hacking tools in 2017. An official relates some of the concerns related to Assange to like a “prison break movie”. Read more at Yahoo News.
MIT Technology Review looks at the record year of zero days with 66 announced so far. The reasons are varied from more flashlights finding bugs that were already there to the exploit market and more. Software clearly needs less zero days, but the I’d rather have known zero days than the unknown zero days already out there.
Amit Serper from Guardicore has discovered a major flaw in Exchange that has been leaking hundreds of thousands of credentials for years. Someone has also setup a page to monitor for people registering these domains at autodiscover-v ulnerable-tlds.com. Read more about this issue at The Register
Secureworks has published an advisory for what they have deemed a brute force bug in Azure Active Directory that is not logged. Microsoft has yet to respond. Read more at ArsTechnica
Update Chrome ASAP as Google has released an emergency fix for a zero-day actively being exploited. I just had to manually check today to get 94.0.4606.61 Read more at Bleeping Computer
Researchers have discovered a flaw in Apple AirTags that could lead to a phishing attack against a Good Samaritan who finds one. Read more at KrebsOnSecurity
In a key area to watch, Senators are developing legislation that would update the Federal Information Security Modernization Act (FISMA) and bolster the role of CISA. The legislation is still in committee so it will be interesting to what shakes out and will be passed by Congress. Read more at SC Magazine.

Owl fun and facts:

A professor in Israel has been working with authorities in Cyprus, Greece, Jordan and the Palestinian Authority and now Morocco to substitute owls for pesticides for biological management for crops.

“We are seeing the owl is replacing the dove as the harbinger of peace and is proving once again that birds do not have geographical borders,” the professor said. “I am happy to see that the vision is taking shape”
So far, some 5,000 nesting boxes have been placed in the Golan Heights, Galilee, Hula Valley, Jezreel Valley, Beit Shean Valley, the Sharon region, Judea and the South.
The project has been a success in minimizing the use of poisonous chemicals in Israeli agriculture and is expected to reduce it further in the future.

Read more about the history of the program at Nature and about this new development from The Jerusalem Post

A Shout Out:

Truffle Security has released a Chrome extension to find keys in JavaScript to build out on their Truffle Hog suite of tools for finding secrets. Read more about the Chrome extension and check out the TruffleHog suite of tools at Truffle Security.

About:

TSD began as an internal newsletter that our Security Lead, Daniel Tobin, would circulate to the team each Tuesday. It proved to be a great resource for all of us so we thought, why not share it with all of you? Our hope is that it helps make you just a bit more secure.