Security News > 2020 > June

TechRepublic spoke to executives and experts to see if the US could avoid such supply chain issues by ramping up manufacturing to return to "Made in America" glory. "The US has been the richest target of cyberattacks from abroad aimed at capturing that knowledge to accelerate development of goods - both tangible and intangible - without having to pay the rents that have funded the US economy for decades of dwindling manufacturing," Ray of SecureAge said.

The phishing email leads recipients to a phony BOA landing page in an attempt to steal their banking credentials, according to Armorblox. A blog post published Thursday by security provider Armorblox explains how a recent phishing campaign impersonates Bank of America.

Cisco Webex suffered from a vuln that could have allowed an attacker to access any account by simply copy-pasting a unique session token into a browser string. Once the token was extracted from the dump file, researchers were able to make a crafted HTTP POST request to Webex's servers, mimicking a genuine connection attempt, which returned a one-time login ticket for live meetings.

Cisco is warning of three high-severity flaws in its popular Webex web conferencing app, including one that could allow an unauthenticated attacker to remotely execute code on impacted systems. "An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site," according to Cisco's security update.

Like testing parachutes or evaluating new safety harnesses, performing a live demonstration to show the power of a solution is not comfortable for any security professional. Until recently, proving the ROI of security investment has not been a significant issue.

Many organizations are still lacking key identity-related security controls and the few forward-thinking companies that have started applying proper access controls are typically focusing on human users. The sheer number of non-human identities far outweighs human users.

Microsoft has extended the protection capabilities of Microsoft Defender Advanced Threat Protection with the addition of a Unified Extensible Firmware Interface scanner. With hardware and firmware-level attacks increasing in frequency over the past several years, Microsoft has decided to expand its security solution's capabilities to ensure it can continue to keep users secure.

Zoom CEO Eric Yuan announced in a blog post Wednesday that Zoom is extending its end-to-end encryption offering to all Zoom account holders. Zoom released the first draft of its E2EE plan in late May as part of a response to criticism of its security flaws, which became public as Zoom signups skyrocketed during the COVID-19 pandemic.

Researchers at Awake Security have published a report on malicious extensions in the Chrome web store, making both specific claims of over 32 million downloads of one malware family, and general claims of weak security in both domain registration and Google's store. This led them to a bunch of malicious browser extensions, 111 in total, which "were found to upload sensitive data or not perform the task they're advertised to perform." A common technique, they said, is that the developer gets a clean version of an extension approved, and later updates it with the malicious payload. Some of the suspicious extensions have a reassuring number of reviews and downloads, in one case more than 22,000 reviews and 10 million downloads, presumably achieved by bot activity. Another popular approach is to clone a genuine extension and bundle it with malware. "Awake has since worked with Google to take down these extensions from the Chrome Web Store," said the report, but no doubt more are on the way.

A remote USB function in a software provider's code has been found to contain a significant vulnerability. "USB for Remote Desktop" works by redirecting USB devices to remote sessions over Microsoft RDP, Teradici PCoIP, or Citrix ICA Protocols.