Security News > 2020 > February

An update announced last week by Trend Micro for its Anti-Threat Toolkit addresses some additional attack methods related to a vulnerability initially patched in October 2019. Researcher Stefan Kanthak has also analyzed the vulnerability and discovered that Trend Micro has failed to patch it completely.

Apple engineers think they've come up with a simple way to make SMS two-factor authentication one-time codes less susceptible to phishing attacks: agree a common text format so their use can be automated without the need for risky user interaction. The concept proposed by the company's Safari WebKit team is that apps such as mobile browsers will automatically process SMS text codes as they are received, submitting them to the correct website.

Abstract: The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems and autopilots of semi/fully autonomous cars to validate their virtual perception regarding the physical environment surrounding the car with a third party, has been exploited in various attacks suggested by researchers. Since the application of these attacks comes with a cost, the delicate exposure vs. application balance has held, and attacks of this kind have not yet been encountered in the wild.

December 2019: the FTC sued a VoIP service provider in FTC v. Educare, where it alleged that defendant Globex Telecom Inc. facilitated a bunch of telemarketers allegedly selling sham credit card interest rate reduction services. Three VoIPs allegedly provided autodialers used to place billions of illegal robocalls, as well as allegedly supplying the technology used by robocallers in at least eight prior FTC cases.

The TrickBot trojan has evolved again to bolster its ability to elude detection, this time adding a feature that can bypass Windows 10 User Account Control to deliver malware across multiple workstations and endpoints on a network, researchers have discovered. Researchers at Morphisec Labs team said they discovered code last March that uses the Windows 10 WSReset UAC Bypass to circumvent user account control and deliver malware in recent samples of TrickBot, according to a report released last week.

"We got scammed!" said a London art dealer after business email compromise scammers inserted themselves into a months-long conversation about the sale of a £2.4 million John Constable painting, spoofing their emails to make it look like the messages came from Simon C. Dickinson Ltd. "No, we got scammed," said the Dutch museum Rijksmuseum Twenthe, which now has the work by the 19th century English landscape painter and whose money got whisked away by fraudsters who transferred the funds to a Hong Kong account. According to Claims Journal, lawyers for the two organizations have pointed fingers at each other's clients, telling a London High Court that it was the other guy's duty to maintain email security or to independently confirm that the bank details it received were legitimate.

The Wuhan coronavirus continues to spread and create anxiety across the globe, allowing malicious individuals and groups to exploit the situation to spread fake news, malware and phishing emails. IBM X-Force says that Japanese users have been receiving fake notifications about the coronavirus spreading in several prefectures, purportedly sent by a disability welfare service provider and a public health center.

EU companies aren't taking out insurance against attacks on online assets because the companies selling coverage aren't organised enough - while Brits are more likely to pay off ransomware crooks than others. The "What is covered" argument was sharply highlighted by a number of high-profile court cases brought by insurance companies against their own customers, in efforts to evade paying out in the aftermath of cyber incidents.

Interested in using hardware security keys to log into online services more securely? Well, now you can make your own from scratch, thanks to an open-source project that Google announced last week. Google has released an open-source implementation called OpenSK. It's a piece of firmware that you can install on a USB dongle of your own, turning it into a usable FIDO or U2F key.

Iowa prosecutors have dropped trespassing charges against a pair of penetration testers who were contracted to test the electronic and physical security of three judicial facilities. "The arrests raise national awareness on the quiet war being waged against cybercrime, and the critical role red team penetration testing plays in defending the integrity of public and private sector commerce."