Security News > 2020 > March

While we wait for Microsoft to provide fixes for the two new Windows RCE zero-days that are being exploited in "Limited targeted Windows 7 based attacks," ACROS Security has released micropatches that can prevent remote attackers from exploiting the flaws. In a blog post published on Thursday, ACROS Security CEO Mitja Kolsek explained which attack vectors can be used to exploit the vulnerabilities and why Windows 10 users are at a lower risk of attack.

Android apps are snooping on other software on your device - and that could tell shady advertising companies more about you than you'd like. The researchers studied 14,342 free Android apps in the Google Play Store, along with 7,886 open-source Android apps.

Converting websites from HTTP to HTTPS over the last decade must count as one of the most successful quiet security upgrades ever to affect web browsing. There are some HTTPS security caveats worth mentioning, but before getting to them we'll start with the news that Mozilla's Firefox will, from May's version 76, offer the option to browse in an HTTPS-only mode.

GitHub this week announced that it has paid out over $1 million in rewards to the security researchers participating in its bug bounty program on HackerOne. The security bug bounty program was launched on the hacker-powered platform in 2016, but GitHub has been accepting vulnerability reports since February 2014.

The majority of primary campaign websites of United States presidential candidates run code that can pose security and privacy risks to consumers, The Media Trust has discovered. The security firm has monitored 11 websites during September and December 2019, and discovered that 81% of them execute code from third-party entities unmanaged by the candidate teams.

One of the most popular Dark Web hosting services, Daniel's Hosting, has been slaughtered. Daniel Wizen, the German software developer who runs DH, said that this time, the provider of free hosting services is kaput, at least for the foreseeable future, which he also said, more or less, last time, in September 2018, when hackers rubbed 6,500 sites off the Dark Web in one fell swoop.

ACROS Security's 0patch service has developed unofficial patches for two actively exploited Windows vulnerabilities for which Microsoft has yet to release fixes. Hackers can exploit the flaws by convincing users to open specially crafted documents or viewing them in the Windows preview pane.

This is a long and fascinating article about Gus Weiss, who masterminded a long campaign to feed technical disinformation to the Soviet Union, which may or may not have caused a massive pipeline...

The FBI on Tuesday shut down Deer.io, a Russia-based platform catering to cybercrooks that offered turnkey online storefront design and hosting and a place where they could sell and advertise their wares, including ripped-off credentials, hacked servers, hacking services, gamer accounts and more. Up until the FBI jammed a stick in its spokes, the platform was doing brisk business, with sales exceeding $17 million, selling hacked accounts for video streaming services like Netflix and Hulu and social media platforms such as Facebook, Twitter and Vkontakte.

Since the start of the year, journalists and news outlets have become preferred targets of government-backed cyber attackers, Google's Threat Analysis Group has noticed. Attackers impersonate a journalist to seed false stories with other reporters to spread disinformation. "In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow up email," shared Toni Gidwani, a security engineering manager at TAG. Government-backed attackers also target foreign policy experts - for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks - as well as government officials, dissidents and activists.