Security News > 2020 > June

Forty-one percent of organizations believe usernames and passwords are one of the most effective access management tools, even though most hacking-related breaches are a result of weak, stolen, or reused user credentials, according to a new report. Although stronger IT security and data protection are increasingly important, the Thales 2020 Access Management Index report finds that 94% of global IT professionals believe data breaches in the past year have been the biggest influence over their organization's security policies and access management.

Windows 10 updates released as part of last week's Patch Tuesday appear to be making life hard for some printer users. Windows cannot print due to a problem with the current printer setup.

Cisco announced this week that it has added new security features to Webex and that it has also patched several high-severity vulnerabilities in the conferencing product. At its Cisco Live 2020 event, the networking giant informed customers that it has extended its data loss prevention retention, Legal Hold and eDiscovery features to Webex Meetings.

Cisco has released security updates for Cisco Webex Meetings and Cisco Webex Meetings Server that fix several remotely exploitable vulnerabilities, as well as one less severe one that could allow hackers to gain access to a target's Webex account. CVE-2020-3361 affects Cisco Webex Meetings sites and Cisco Webex Meetings Server and could allow an unauthenticated, remote attacker to gain unauthorized access to a vulnerable Webex site.

A credential-phishing attempt that relies on impersonating Bank of America has emerged in the U.S. this month, with emails that get around secure gateway protections and heavy-hitting protections like DMARC. The campaign involves emails that ask recipients to update their email addresses, warning users that their accounts could be recycled if this isn't done. "This ensured that the email wasn't caught in the bulk email filters provided by native Microsoft email security or the Secure Email Gateway."

"When working remotely, it creates a problem when the password is changed or reset. The old credentials will still be cached, [and] not automatically replaced by the new credentials using the new password." This results in workers being locked out of their accounts: "[They] end up in a scenario where they need to remember both the old password and the new password," he said.

As companies moved to 100% remote work, IT teams delayed security improvements and revenue-generating projects to get colleagues set up for telecommuting. A new survey found that despite these shifting priorities, IT executives and managers saw an increase in productivity during the shift to working from home.

Researchers have discovered a sophisticated new phishing campaign that uses recognized brand names to bypass security filters as well as to trick victims into giving up Microsoft Office 365 credentials to gain access to corporate networks. A new report from Check Point Software first observed the attacks (the majority of which targeted European companies, with others seen in Asia and the Middle East) in April, when they discovered emails sent to victims titled "Office 365 Voice Mail."

Updates released this week by Drupal patch several vulnerabilities, including a flaw that could allow an attacker to execute arbitrary PHP code. The code execution vulnerability, tracked as CVE-2020-13664, can be exploited against Drupal 8 and 9 installations, but only in certain circumstances.

Otorio's incident response team identified a high-score vulnerability in OSIsoft's PI System. Installed in some of the world's largest critical infrastructure facilities, OSIsoft Software's PI System is a data management platform that accesses a broad range of core OT network assets in the sites it serves.