Security News > 2020 > June

ConnectWise has fixed a high-severity vulnerability affecting a ConnectWise Automate API and is urging users who run the solution on their premises to implement the provided hotfixes. The vulnerability affects on-premise and cloud instances of ConnectWise Automate versions 2020.5 and earlier.

A group of security researchers has devised a new technique for eavesdropping on conversations that relies on the analysis of a light bulb's frequency response to sound. Called Lamphone, the novel side-channel attack demonstrates that fluctuations in the air pressure on the surface of the hanging bulb can be exploited to recover speech and singing in real time, using a remote electro-optical sensor placed externally.

Known as Control Flow Enforcement Technology, or CET, the protections are designed to prevent miscreants from exploiting certain programming bugs to execute malicious code that infects systems with malware, steals data, spies on victims, and so on. There are various mitigations in place on modern systems, such as Data Execution Prevention, that stop hackers from injecting malicious code into a program and executing it when a victim opens a specially crafted document or connects to a remote service.

Rakhshan was sentenced to five years in federal prison and ordered to pay more than $520,000 in restitution. He admitted to conspiring to launch a DDoS attack in January 2015, targeting Leagle.com, a legal aggregation site that had published information about Rakhshan's prior criminal conviction in Canada, and which was hosted by a provider located in Dallas, Texas.

The increased use of mobile banking apps due to the COVID-19 pandemic is sure to be followed by an increased prevalence of mobile banking threats: fake banking apps and banking Trojans disguised as those apps, the FBI has warned. "Studies of US financial data indicate a 50 percent surge in mobile banking since the beginning of 2020. Additionally, studies indicate 36 percent of Americans plan to use mobile tools to conduct banking activities, and 20 percent plan to visit branch locations less often," the FBI pointed out.

United States House representatives last week sent a letter to Zoom to demand an explanation for the communication platform's decision to close the accounts of U.S.-based Chinese activists. Last week, Zoom confirmed that, at the request of the Chinese government to block four June 4 meetings that were illegal in the country, it closed the accounts of three individuals located outside China, namely Lee Cheuk-yan, Wang Dan, and Zhou Fengsuo.

Jason Healey takes a detailed look at the US federal cybersecurity budget and reaches an important conclusion: the US keeps saying that we need to prioritize defense, but in fact we prioritize attack. The Defense Department's cyber-related budget is nearly 25 percent higher than the total going to all civilian departments, including the departments of Homeland Security, Treasury and Energy, which not only have to defend their own critical systems but also partner with critical infrastructure to help secure the energy, finance, transportation and health sectors.

Magecart attackers have compromised web shops belonging to large retail chains Claire's and Intersport and equipped them with payment card skimmers. How the attackers managed to compromise the web shops is still unknown, but they started planning the attack a month before actually executing it.

Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time.

High-impact vulnerabilities in a modern communication protocol used by mobile network operators can be exploited to intercept user data and carry out impersonation, fraud, and denial-of-service attacks, newly published research cautions. The findings are part of a new Vulnerabilities in LTE and 5G Networks 2020 report published by London-based cybersecurity firm Positive Technologies last week.