Security News > 2020 > May

Arizona has filed suit against Google over tracking users' locations even after they've turned tracking off, claiming that the advertising-fueled tech titan has a "Complex web of settings and purported 'consents'" that enable it to furtively milk us for sweet, sweet ad dollars. This is the way location tracking works: Android users can supposedly turn it off with a slider button in the Location section under Settings.

NTT Communications, a subsidiary of Japanese tech giant NTT Corp, on Thursday disclosed a data breach impacting hundreds of customers. In a post on its Japanese-language website, NTT Com, a provider of information and communications technology solutions, said it detected unauthorized access to some systems on May 7 and over the following week it determined that some files may have been stolen.

The NSA has raised the alarm over what it says is Russia's active exploitation of a remote-code execution flaw in Exim for which a patch exists. The American surveillance super-agency said on Thursday the Kremlin's military intelligence hackers are actively targeting some systems vulnerable to CVE-2019-10149, a security hole in the widely used Exim mail transfer agent that was fixed last June.

Modern vishing attacks use research-based social engineering to attack targets with convincing scams. On the surface, it might seem like vishing attacks are a consumer problem only.

The number of vulnerabilities disclosed in Q1 2020 has decreased by 19.8% compared to Q1 2019, making this likely the only true dip observed within the last 10 years, Risk Based Security reveals. "Although the pandemic has already brought unprecedented changes to all walks of life, it is difficult to predict precisely how it will impact vulnerability disclosures this year," commented Brian Martin, Vice President of Vulnerability Intelligence at Risk Based Security.

Software Defined Perimeter is the most effective architecture for adopting a zero trust strategy, an approach that is being heralded as the breakthrough technology for preventing large-scale breaches, according to the Cloud Security Alliance. "Most of the existing zero trust security measures are applied as authentication and sometimes authorization, based on policy after the termination of Transport Layer Security certificates," said Nya Alison Murray, senior ICT architect and co-lead author of the report.

The global shift to remote working poses new security challenges for businesses, and traditional security solutions are failing to curb the problem of the insider threat and accidental data loss. While 91% of IT leaders trust their staff to follow best security practices when working remotely, 52% of employees believe they can get away with riskier behavior when working from home.

The U.S. National Security Agency says the same Russian military hacking group that interfered in the 2016 presidential election and unleashed a devastating malware attack the following year has been exploiting a major email server program since last August or earlier. It took Williams about a minute of online probing on Thursday to find a potentially vulnerable government server in the U.K. He speculated that the NSA might have issued the advisory to publicize the IP addresses and a domain name used by the Russian military group, known as Sandworm, in its hacking campaign - in hopes of thwarting their use for other means.

Google this week announced an expansion for its Vulnerability Rewards Program to include critical open-source dependencies of Google Kubernetes Engine. The announcement builds on the bug bounty program for Kubernetes that the Cloud Native Computing Foundation, in partnership with Google and others, announced earlier this year, and which offers rewards of up to $10,000 for vulnerabilities in the project.