
CIA Unit That Crafts Hacking Tools Didn't Protect Itself
2020-06-16 18:28

A specialized CIA unit that developed hacking tools and cyber weapons didn't do enough to protect its own operations and wasn't prepared to respond when its secrets were exposed, according to an internal report prepared after the worst data loss in the intelligence agency's history. Sen. Ron Wyden, D-Ore., a senior member of the Senate Intelligence Committee, obtained the redacted report from the Justice Department after it was introduced as evidence in a court case this year involving stolen CIA hacking tools.

IT pros see increased workload and security threats amid shift to remote working
2020-06-16 18:24

A report released Tuesday by IT software vendor Ivanti highlights some of the challenges in light of the move to remote working. Among the respondents, 70% said they increased VPN access to more employees, 54% had to set up and distribute extra devices, and 52% created more "How-to" articles for remote workers to follow.

Adobe Patches 18 Critical Code Execution Flaws Across Five Products
2020-06-16 18:08

Adobe announced on Tuesday that it has patched 18 critical code execution vulnerabilities in its After Effects, Illustrator, Premiere Pro, Premiere Rush, and Audition products. Adobe fixed five critical out-of-bounds write, out-of-bounds read and heap overflow vulnerabilities that can be exploited for arbitrary code execution in the context of the targeted user.

US Eases Conditions for Working With Huawei on 5G Standards
2020-06-16 17:51

The US is letting blacklisted Chinese technology giant Huawei back into the fold when it comes to companies working together to set standards for 5G telecom networks. US Secretary of Commerce Wilbur Ross this week announced a new rule allowing companies to share technology with Huawei for the purpose of developing standards for the new generation of wireless services.

API Protection Firm Salt Security Raises $20 Million
2020-06-16 17:13

API security startup Salt Security has raised $20 million in a Series A funding round led by Tenaya Capital. "The majority of API traffic is for custom applications, which is the result of digital transformations and cloud-based application deployment. For security teams, growth in API volume is important when considering risk, because some security tools are not equipped to manage API traffic."

Intel announces “exploit busting” features in its next processor chips
2020-06-16 16:57

As far as we can see, the first wave of Intel processors that will include these new protections are the not-quite-out-yet CPUs known by the nickname "Tiger Lake", so if you're a programmer you can't actually start tinkering with the CET features just yet. Errors in using memory are one of the leading causes of software bugs that lead to security holes, known in the trade as vulnerabilities.

Theft of CIA’s ‘Vault 7’ Secrets Tied to ‘Woefully Lax’ Security
2020-06-16 16:54

A just-released report on the 2016 Central Intelligence Agency data breach, which led to the Vault 7 document dump on WikiLeaks, blames "woefully lax" security by the nation's top spy agency. The report outlined various security issues discovered in the CCI. For instance, while CCI's DevLAN network had been certified and accredited, CCI had not worked to develop or deploy user activity monitoring or "robust" server audit capabilities for the network, according to the report.

Most Americans say 'No' to coronavirus contact tracing apps
2020-06-16 16:38

A report published Tuesday by security provider Avira explores the reluctance on the part of many to adopt these contact tracing apps. Commissioned by Avira and conducted by research firm Opinion Matters, an online survey of 2,005 people found that 71% of them would not use COVID-19 contact tracing apps.

‘Ripple20’ Bugs Impact Hundreds of Millions of Connected Devices
2020-06-16 16:22

A series of 19 different vulnerabilities, four of them critical, are affecting hundreds of millions of internet of things and industrial-control devices. Researchers at JSOF uncovered the faulty part of Treck's code, which is built to handle the ubiquitous TCP/IP protocol that connects devices to networks and the internet, in the devices of more than 10 different manufacturers, and it's likely present in dozens more.

No Wiggle room: Two weeks after angry bike shop customers report mystery orders on their accounts, firm confirms payment cards delinked
2020-06-16 16:00

Brit cycling equipment shop Wiggle confirmed to The Reg today it was delinking customers' payment cards from their accounts, two weeks after first receiving complaints that orders were appearing on customers' accounts that they had not made themselves. Ross Clemmow, CEO at Wiggle, told The Reg: "[W]e understand a small number of customers' login details have been acquired outside of Wiggle's systems and some have been used to gain access to Wiggle accounts and purchases made.