
Let’s Encrypt Pushes Back Deadline to Revoke Some TLS Certificates
2020-03-05 11:29

Let's Encrypt said it will give users of its Transport Layer Security certificates more time to replace 1 million certificates that are still active and potentially affected by a Certificate Authority Authorization bug before it revokes them. The popular free certificate authority had given users until Wednesday, March 4, 9:00 p.m. EST to replace 3 million certificates because the bug in its Boulder software (discovered and patched this past Sunday) impacted the way its software checked domain ownership before issuing certificates.

Zynga faces class action suit over massive Words With Friends hack
2020-03-05 11:03

Zynga - maker of addictive online social games such as FarmVille, Mafia Wars, Café World and Zynga Poker - is facing a potential class action lawsuit over the September 2019 breach in which hackers got access to more than 218 million Words with Friends accounts. Zynga admitted to the breach at the time, saying that hackers got their hands on "certain player account information" but that, at least during the early stages of its investigation, it didn't think any financial information was accessed.

Sadly, the web has brought a whole new meaning to the phrase 'nothing is true; everything is permitted'
2020-03-05 10:00

Out of the blue over Skype, someone I hadn't communicated with in nearly a year reaches out. The worst part isn't my reply of, "Goodness I'm afraid I cannot help," with the horrible feeling of guilt that accompanies my reply - a feeling the scammer relies upon, necessary for their hacking of the social bond.

Coronavirus warning spreads computer virus
2020-03-05 09:41

Of course, the WHO website wouldn't ask for your email password - it's a public information website, after all, not a webmail service, so it has no need for your email details. The crooks were hoping that because their website looked exactly like the real thing - in fact, it contained the real website, running in a background browser frame with the illicit popup on top - you might just put in your email details out of habit.

Over 600 Microsoft Subdomains Can Be Hijacked: Researchers
2020-03-05 09:41

There are more than 600 legitimate Microsoft subdomains that can be hijacked and abused for phishing, malware delivery and scams, researchers warned this week. Researchers at Vullnerability, a company that specializes in exploit and vulnerability alerting services, have created an automated system that scanned all the subdomains of some important Microsoft domains.

Hackers Compromise T-Mobile Employees' Email Accounts and Steal Users' Data
2020-03-05 08:34

US-based telecom giant T-Mobile has suffered yet another data breach incident that recently exposed personal and account information of both its employees and customers to unknown hackers. What happened? In a breach notification posted on its website, T-Mobile today said its cybersecurity team recently discovered a sophisticated cyberattack against the email accounts of some of its employees that resulted in unauthorized access to the sensitive information contained in them, including details for its customers and other employees.

Time to limber up in the battle against cybercriminals
2020-03-05 07:00

VAPs therefore must be prioritised for training, with additional attention given to checking their accounts for potential compromise, but they are not the only ones you should train. The problem training must address is that employees do not consider themselves responsible for detecting and avoiding phishing.

Vulnerability allows attackers to register malicious lookalikes of legitimate web domains
2020-03-05 06:30

Cybercriminals were able to register malicious generic top-level domains and subdomains imitating legitimate, prominent sites due to Verisign and several IaaS services allowing the use of specific characters that look very much like Latin letters, according to Matt Hamilton, principal security researcher at Soluble. To demonstrate the danger of these policies, he registered 25+ domains that resemble a variety of popular domains by using a mix of Latin and Unicode Latin IPA homoglyph characters.

Most enterprises choose multi-cloud strategies, 55% plan to invest in data virtualization
2020-03-05 06:00

"As more enterprises embrace cloud transformation, IT and data teams face increased pressure to harness the power of data and analytics for business intelligence," said Christopher Lynch, executive chairman and CEO at AtScale. "Hybrid cloud and multi-cloud strategies are key to big data analytics. New data regulations and cybersecurity vulnerabilities are creating roadblocks for IT teams looking to use data for business intelligence, which is why data virtualization and data governance are top priorities in 2020."

A Massive U.S. Property and Demographic Database Exposes 200 Million Records
2020-03-05 06:00

More than 200 million records containing a wide range of property-related information on US residents were left exposed on a database that was accessible on the web without requiring any password or authentication. According to security firm Comparitech, the database, which was hosted on Google Cloud, is said to have been first indexed by search engine BinaryEdge on 26th January and discovered a day later by cybersecurity researcher Bob Diachenko.