Security News > 2020 > July

An annoying vulnerability in the widely used GRUB2 bootloader can be potentially exploited by malware or a rogue insider already on a machine to thoroughly compromise the operating system or hypervisor while evading detection by users and security tools. Any system on which GRUB2 can be installed and run at boot-time is potentially vulnerable.

Researchers are warning of a critical vulnerability in a WordPress plugin called Comments - wpDiscuz, which is installed on more than 70,000 websites. The flaw gives unauthenticated attackers the ability to upload arbitrary files and ultimately execute remote code on vulnerable website servers.

Let me tell you how it will be There's one for you, nineteen for me 'Cause I'm the taxman, yeah, I'm the taxman Should five per cent appear too small Be thankful I don't take it all 'Cause I'm the taxman, yeah, I'm the taxman If you drive a car, I'll tax the street If you try to sit, I'll tax your seat If you get too cold, I'll tax the heat If you take a walk, I'll tax your feet 'Cause I'm the taxman, yeah, I'm the taxman. You end up with a fraudulent tax return filed against your name; the government ends up with a huge dent in its tax revenues; and the mess can take ages to sort out.

"According to a Ponemon Institute study sponsored by ID Experts, a provider of identity protection and data breach services, consumers have taken notice. The study, Privacy and Security in a Digital World: A Study of Consumers in the United States, found that, on a scale of 1 to 10, 86% of adults said they are"Very concerned" about how Facebook and Google use their personal information. "Most consumers do not believe big tech companies alone will protect their privacy rights through self-regulation."

Research from Check Point Software have discovered a number of vulnerabilities in online dating service OK Cupid's mobile app and website that could allow attackers to not only steal personal data, but take actions on a user's behalf as well. The OKCupid mobile app makes extensive use of deep linking, which involves sending a user directly to an internally linked page without their realizing it.

Identity and access protection provider Ermetic this week announced that it secured $17.25 million in a Series A funding round, which brings the total amount raised by the company to $27.3 million. Founded in 2019, the company provides protection for identities and data in the cloud, through access policy and continuous visibility.

A report published Wednesday by security firm Tanium describes how IT leaders were surprised by the security threats and challenges they've had to face in the wake of COVID-19. A full 96% admitted that they were caught off guard by the security challenges that arose within the first two months of the lockdown.

FireEye security researchers have linked a series of disinformation operations that have been ongoing since at least March 2017. While some of the aspects of the campaign resemble those of the Secondary Infektion operation, the researchers did not observe cyber threat activity to support the previously detailed operations, and many other attributes of the newly detailed attacks are different.

China's ambassador to Britain has threatened to withdraw Huawei and several billions in investment following the government's decision to ban the manufacturer's products from 5G mobile networks. Following US sanctions aimed at disrupting Huawei's use of US chip design tech, Britain's National Cyber Security Centre declared it would not vet homegrown Chinese chips in Huawei equipment, giving the government justification for a ban on national security grounds.

In cases where the database administrators failed to change the default logins, accessing the database would be a simple task. Citing a real-world example of a major database leak, NordPass pointed to the instance from early 2019 in which millions of Facebook records were exposed on a public Amazon cloud server.