Security News > 2020 > March

It cannot be fixed without replacing the silicon, only mitigated, it is claimed: the design flaw is baked into millions of Intel processor chipsets manufactured over the past five years. Buried deep inside modern Intel chipsets is what's called the Management Engine, or these days, the Converged Security and Manageability Engine.

Cyber criminals have been trying out a new approach for delivering malware: fake alerts about outdated security certificates, complete with an "Install" button pointing to the malware. The malware peddlers behind this scheme are obviously counting on users not knowing exactly what a security certificate is and that they are not responsible for keeping it updated, as well as exploiting users' desire to keep themselves safe online.

On Tuesday, multiple reports suggested that Facebook has decided not to support its Libra virtual currency in its own products and will instead offer users the ability to make payments with government-issued currencies, or that the platform and its partners are weighing whether they should recast it as mostly a payments network that could operate with multiple coins. According to a report from The Information that cited three sources, Facebook has been mulling offering digital versions of currencies such as the US dollar and the euro, in addition to its proposed Libra token.

Hackers have started scanning the web in search of Apache Tomcat servers affected by a recently disclosed vulnerability tracked as CVE-2020-1938 and dubbed Ghostcat. Bad Packets told SecurityWeek on Wednesday that the scanning activity they have detected is designed to enumerate vulnerable servers by checking for the path "/WEB-INF/web.

Pandemic disease experts at the World Health Organization, the US Centers for Disease Control and Prevention, and other public-health agencies are gathering information to learn how and where the virus is spreading. States hostile to the West have a long track record of manipulating information about health issues to sow distrust.

Wireless carrier T-Mobile is sending notifications to its customers to inform them of a data breach that resulted in some of their personal information being compromised. Because some of these accounts contained account information for T-Mobile customers and employees, the attack essentially resulted in that data being accessed by a third-party.

Hackers are crawling all over the US Department of Defense's websites. Four years after it first invited white hat hackers to start hacking its systems, the Pentagon continues asking them to do their worst - and a report released this week says that they're submitting more vulnerability reports than ever.

First came 'fuzzing', a long-established technique for spotting bugs such as security flaws in real applications using automated tools. More recently, security fuzzing tools have expanded in number, and today there are hundreds of specialised open-source tools and online services designed to probe specific types of software.

Unwanted and malicious emails using political-themed lures has spiked as the presidential primary season cranks into high gear - with Donald Trump and Bernie Sanders representing the lion's share of subject line themes. "Overall UCE volumes mentioning individual candidates suggests that Donald Trump not only has the incumbent's advantage but also maintains the strongest brand as he did in 2016," researchers said in a posting issued on Super Tuesday.

Microsoft reckons 0.5 per cent of Azure Active Directory accounts as used by Office 365 are compromised every month. "About a half of a per cent of the enterprise accounts on our system will be compromised every month, which is a really high number. If you have an organisation of 10,000 users, 50 will be compromised each month," said Weinert.