Tuesday, February 18, 2020

Lenovo, HP, Dell Peripherals Face Unpatched Firmware Bugs

A lack of proper code-signing verification and authentication for firmware updates opens the door to information disclosure, remote code execution, denial of service and more.

Huawei Controversy Highlights 5G Security Implications

Security experts say that 5G supply chain concerns should be taken seriously – whether it’s in the context of Huawei or not.

500 Malicious Chrome Extensions Impact Millions of Users

The malicious Chrome extensions were secretly collecting users' browser data and redirecting them to malware-laced websites.

Apple iPhone Users Targeted with Bogus Dating App for Valentine’s Day

The scam uses a range of themes, including tech-support scares and slot machines.

SMS Phishing Campaign Targets Mobile Bank App Users in North America

Customers of RBC, HSBC, TD, Meridian, BNC and Chase are targeted in latest attack.

News Wrap: Valentine’s Day Scams and Emotet’s Wi-Fi Hack

Top stories of this week include a new Emotet Wi-Fi hack and Robbinhood ransomware operators using a "bring your own bug" technique.

Hackers Can Seize Control of Ballots Cast Using the Voatz Voting App, Researchers Say

Flaws in the blockchain app some states plan to use in the 2020 election allow bad actors to alter or cancel someone’s vote or expose their private info.

Critical WordPress Plugin Bug Afflicts 700K Sites

Researchers are urging users of the GDPR Cookie Consent WordPress plugin to update as soon as possible.

Privacy Experts Skeptical of Proposed Data Protection Agency

A new Data Protection Agency would overhaul federal regulation efforts around data privacy - but experts are skeptical that the U.S. government can get it right.

Puerto Rico Gov Hit By $2.6M Phishing Scam

A recent phishing scam targeted Puerto Rico’s Industrial Development Company.

Google: Efforts Against Bad Android Apps on Play Store Are Working

The tech giant acknowledged some achievements in efforts to bolster mobile app security but recognized more needs to be done.

Mozilla Firefox 73 Browser Update Fixes High-Severity RCE Bugs

The release of Firefox 73 fixed high-severity memory safety bugs that could lead to arbitrary code execution, as well as a missing bounds check that could enable memory corruption.

SoundCloud Tackles DoS, Account Takeover Issues

Among other issues, the music platform didn't limit the number of login attempts someone could make.

Katie Moussouris: The Bug Bounty Conflict of Interest

Katie Moussouris sounds off on the challenges behind creating successful bug bounty programs.

Report to Your Management with the Definitive ‘IR Management and Reporting’ Presentation Template

The IR Management and Reporting Template aims to help the CISO not only deliver a top-edge response to cyberattacks but also ensure that this professional and critical work is understood and acknowledged.

FBI: $3.5B Lost in 2019 to Known Cyberscams, Ransomware

Cybercriminals double down on successful internet scams, with a focus on phishing, BEC and other defrauding schemes that have proven to work.

Microsoft Addresses Active Attacks, Air-Gap Danger with 99 Patches

There are 12 critical and five previously disclosed bugs in the February 2020 Patch Tuesday Update.

Intel Patches High-Severity Flaw in Security Engine

The high-severity vulnerability could enable denial of service, privilege escalation and information disclosure.

Estée Lauder Exposes 440M Records, with Email Addresses, Network Info

Middleware data was exposed, which can create a secondary path for malware through which applications and data can be compromised.

Adobe Addresses Critical Flash, Framemaker Flaws

Overall, Adobe patched flaws tied to 42 CVEs as part of its regularly scheduled updates.

Sensitive plastic surgery images exposed online

Researchers at VPN advisory company vpnMentor have found yet another online data exposure caused by a misconfigured cloud database.

12 hottest new cybersecurity startups at RSA 2020

Starting on February 24, the RSA Conference (RSAC) 2020 gives security vendors old and new a chance to demonstrate their capabilities. The event has become an attractive venue for startups to make their debut. This year’s crop will be...

Hundreds of Millions of PC Components Still Have Hackable Firmware

The lax security of supply chain firmware has been a known concern for years—with precious little progress being made.

Remote Wipe Plugin Bug Hits 200,000+ WordPress Sites

Security researchers are warning of a new plugin vulnerability which is exposing over 200,000 WordPress sites to the risk of being remotely wiped by an attacker. The problem lies with versions 1.3.4 and...