Cyber Security News April 2020

This posting is here to collect cyber security news in April 2020.

I post links to security vulnerability news with short descriptions to comments section of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.

218 Comments

  1. Tomi Engdahl says:

    Mozilla Says Many Popular Video Call Apps Meet Its Minimum Security Standards
    https://www.securityweek.com/mozilla-says-many-popular-video-call-apps-meet-its-minimum-security-standards

    Mozilla’s latest “*Privacy Not Included” report shows that twelve out of fifteen popular video call applications and platforms meet the organization’s minimum security standards.

    What Mozilla’s researchers discovered was that twelve of the analyzed apps meet Mozilla’s Minimum Security Standards. These include Zoom, Google Hangouts, Apple FaceTime, Skype, Facebook Messenger, WhatsApp, Jitsi Meet, Signal, Microsoft Teams, BlueJeans, GoTo Meeting, and Cisco WebEx.

    Apps that meet the standards use encryption, have an automatic security update system, use strong passwords, employ bug bounty programs and clear points of contact for reporting and managing security vulnerabilities, and have clear privacy policies.

    The three applications that did not meet the standards are Houseparty, Discord, and Doxy.me.

    https://foundation.mozilla.org/en/privacynotincluded/categories/video-call-apps/

    Reply
  2. Tomi Engdahl says:

    CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection
    Vulnerability Remediation Guidance and Exposure Overview
    https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/
    We crafted a lightweight study (a more thorough one is in the works)
    to grab any accessible user and/or admin pages from the discovered
    nodes and extract that ver= build string. Just over 65, 500 appliances
    happily gave up their version information as noted in the figure at
    the top of the post, with a fairly inexcusably sizable corpus (~25%)
    of unpatched (as of Monday, April 27, 2020) systems. What’s next?. The
    Rapid7 Labs team is refining the Sophos version identification studies
    and will continue to monitor Project Heisenberg for opportunistic
    exploitation attempts. We’ll update this blog post as more information
    surfaces. Again, any service provider or individual organization
    running a Sophos XG appliance should remediate as quickly as possible.

    Reply
  3. Tomi Engdahl says:

    Remote spring: the rise of RDP bruteforce attacks
    https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820/
    With the spread of COVID-19, organizations worldwide have introduced
    remote working, which is having a direct impact on cybersecurity and
    the threat landscape. Alongside the higher volume of corporate
    traffic, the use of third-party services for data exchange, and
    employees working on home computers (and potentially insecure Wi-Fi
    networks), another headache for infosec teams is the increased number
    of people using remote-access tools.

    Reply
  4. Tomi Engdahl says:

    Google discloses zero-click bugs impacting several Apple operating
    systems
    https://www.zdnet.com/article/google-discloses-zero-click-bugs-impacting-several-apple-operating-systems/
    Apple needs to follow in Google and Mozilla’s footsteps and secure its
    multimedia processing libraries. Multimedia processing components are
    one of today’s most dangerous attack surfaces in any operating system.
    When it comes to managing multimedia files, all operating systems work
    the same. Any new multimedia file — image, audio, video — that
    reaches a device is automatically transferred to a local OS library
    that parses the file to know what it is and what to do with it next.
    Read also:
    https://www.tivi.fi/uutiset/tv/a60314f3-26b4-4e57-88e5-890b2cf6f5c5

    Reply
  5. Tomi Engdahl says:

    Two Usenet providers blame data breaches on partner company
    https://www.zdnet.com/article/two-usenet-providers-blame-data-breaches-on-partner-company/
    Two companies that provide Usenet services have disclosed security
    breaches today. The two companies, UseNeXT and Usenet.nl, blamed the
    breaches on “a security vulnerability at a partner company.”

    Reply
  6. Tomi Engdahl says:

    Security experts warn: Don’t let contact-tracing app lead to
    surveillance
    https://www.zdnet.com/article/security-experts-warn-dont-let-contact-tracing-app-lead-to-surveillance/
    More than 170 UK researchers and scientists working in information
    security and privacy have signed a joint statement about their
    concerns over NHS plans to use a contact-tracing app to help contain
    the coronavirus outbreak, warning that the government must not create
    a tool that could be used for the purposes of surveillance.

    Reply
  7. Tomi Engdahl says:

    Microsoft, Google Announce Wider Availability of Secure VMs
    https://www.securityweek.com/microsoft-google-announce-wider-availability-secure-vms

    Microsoft this week announced the general availability of DCsv2-series virtual machines (VMs), and Google informed customers that Shielded VM is now the default for Google Compute Engine users.

    Microsoft has announced the general availability of DCsv2-series VMs for Azure customers in three regions, with plans to expand the offer to other regions before the end of the year.

    DCsv2 VMs, part of the Azure confidential computing offering, are designed to allow customers to protect data while it’s being processed by running on servers that implement a hardware-based trusted execution environment (TEE) that uses Intel’s Software Guard Extensions (SGX).

    Reply
  8. Tomi Engdahl says:

    Android Phone Makers Improve Patching Practices
    https://www.securityweek.com/android-phone-makers-improve-patching-practices

    Android smartphone manufacturers have significantly improved their patching hygiene over the past couple of years, a new report from Security Research Labs reveals.

    “We found that on average, for official firmwares released in 2019 missed only about half as many patches as comparable firmwares released in 2018,” the security firm says.

    Monthly security updates are being integrated into firmware builds 15% faster than in 2018. Last year, 90% of unique firmware builds for major Android vendors arrived within 38 days of Google’s security patches.

    Reply
  9. Tomi Engdahl says:

    Exclusive: Warning Over Chinese Mobile Giant Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
    https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use/

    “It’s a backdoor with phone functionality,” quips Gabi Cirlig about his new Xiaomi phone. He’s only half-joking.

    Cirlig is speaking with Forbes after discovering that his Redmi Note 8 smartphone was watching much of what he was doing on the phone. That data was then being sent to remote servers hosted by another Chinese tech giant, Alibaba, which were ostensibly rented by Xiaomi. 

    The seasoned cybersecurity researcher found a worrying amount of his behavior was being tracked, whilst various kinds of device data were also being harvested, leaving Cirlig spooked that his identity and his private life was being exposed to the Chinese company.

    Meanwhile, at Forbes’ request, cybersecurity researcher Andrew Tierney investigated further. He also found browsers shipped by Xiaomi on Google Play—Mi Browser Pro and the Mint Browser—were collecting the same data. Together, they have more than 15 million downloads, according to Google Play statistics.
    In response to the findings, Xiaomi said, “The research claims are untrue,” and “Privacy and security is of top concern,” adding that it “strictly follows and is fully compliant with local laws and regulations on user data privacy matters.” But a spokesperson confirmed it was collecting browsing data, claiming the information was anonymized so wasn’t tied to any identity. They said that users had consented to such tracking. 

    It’s the second time in two months that a huge Chinese tech company has been seen watching over users’ phone habits. A security app with a “private” browser made by Cheetah Mobile, a public company listed on the New York Stock Exchange, was seen collecting information on Web use, Wi-Fi access point names and more granular data like how a user scrolled on visited Web pages. Cheetah argued it needed to collect the information to protect users and improve their experience.

    Reply
  10. Tomi Engdahl says:

    Trump bans acquisition of foreign power grid equipment, citing hacking threats
    https://www.zdnet.com/article/trump-bans-acquisition-of-foreign-power-grid-equipment-citing-hacking-threats/

    White House says foreign-made equipment “augments the ability of foreign adversaries to create and exploit vulnerabilities” in the US power grid.

    President Donald Trump signed today an executive order barring US power grid entities from buying and installing electrical equipment that has been manufactured outside the US.

    Trump said that “foreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system.”

    Reply
  11. Tomi Engdahl says:

    China is installing surveillance cameras outside people’s front doors … and sometimes inside their homes
    By Nectar Gan, CNN Business
    Updated 1142 GMT (1942 HKT) April 28, 2020
    https://www.cnn.com/2020/04/27/asia/cctv-cameras-china-hnk-intl/index.html

    “(Having a camera outside your door is) an incredible erosion of privacy,” said Lahiffe. “It just seems to be a massive data grab. And I don’t know how much of it is actually legal.”

    Although there is no official announcement stating that cameras must be fixed outside the homes of people under quarantine, it has been happening in some cities across China since at least February

    Reply
  12. Tomi Engdahl says:

    Senator questions Clearview AI over coronavirus tracking plans
    https://www.cnet.com/news/senator-questions-clearview-ai-over-coronavirus-tracking-plans/

    Sen. Edward Markey says COVID-19 contact tracing can’t be “used as cover by companies like Clearview to build shadowy surveillance networks.”

    Reply
  13. Tomi Engdahl says:

    NSO Employee Abused Phone Hacking Tech to Target a Love Interest
    https://www.vice.com/en_us/article/bvgwzw/nso-group-employee-abused-pegasus-target-love-interest

    The previously unreported news is a serious abuse of NSO’s products, which are typically used by governments and authoritarian regimes.

    An employee of controversial surveillance vendor NSO Group abused access to the company’s powerful hacking technology to target a love interest, Motherboard has learned.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*