Security News > 2020 > July

Bleeping Computer is in touch with the data breach broker: a "known and reputable" broker who's selling databases, all of which contain different data types but all of which include usernames and hashed passwords. Home Chef, a meal delivery service, confirmed a data breach two weeks after a hacker group named Shiny Hunters listed a database of 8 million customer records on a dark web marketplace.

Researchers have discovered a new Mac malware that encrypts files on compromised systems like a piece of ransomware, but also allows its operators to steal data and take full control of an infected device. Initially named EvilQuest, the malware was later renamed ThiefQuest to avoid confusion as EvilQuest is the name of a video game.

Microsoft has released fixes for two remote code execution vulnerabilities in the Microsoft Windows Codecs Library on Windows 10 machines. Both flaws - CVE-2020-1425 and CVE-2020-1457 - arose because of the way the Microsoft Windows Codecs Library handled objects in memory.

"From a security perspective it has a lot to learn about trust. Or rather, we have a lot to learn on how to program it to trust. It's the newest, shiniest version of garbage in / garbage out if we don't learn from our mistakes. At ISECOM we are spending a lot of effort on how we can make security tests for AI and learning how it fits into the OSSTMM framework as a new channel alongside Data Networks, Wireless, Physical, Human, Telecommunications, and Applications." ISECOM is a non-profit, open source research organization that maintains the Open Source Security Testing Methodology Manual, Hacker Highschool and a security certification authority, all the while operating as a specialty security boutique for securing iconic places that can't be secured with traditional security products.

Enterprise key management services are powerful technologies for confidential computing that can help organizations decentralize and execute their most sensitive business logic outside of public clouds in a completely confidential manner. Storing credit history in AWS: a large financial firm uploads its customers' credit history and private data into AWS S3 containers protected by client-side encryption using an enterprise key management service.

The global survey conducted by Ponemon Institute found that respondents' security response efforts were hindered by the use of too many security tools, as well as a lack of specific playbooks for common attack types. Slowly improving: more surveyed organizations have adopted formal, enterprise-wide security response plans over the past 5 years of the study, growing from 18% of respondents in 2015 to 26% in this year's report.

DDoS traffic capitalizes on remote working connectivity reliance to disrupt service provider targets
In the first quarter of 2020, DDoS attacks rose more than 278% compared to Q1 2019 and more than 542% compared to the last quarter, according to Nexusguard. Researchers attribute the sharp rise in incidents to malicious efforts during the COVID-19 pandemic, causing DDoS attacks to interrupt service for large companies and individuals alike.

Just as quickly as Zoom became a household name for connecting work colleagues, church and school groups, friends, family, book clubs and others during stay-at-home lockdowns, it also gained a reputation for lax security as intrusive "videobombers" barged into private meetings or just spied on intimate conversations. The work on "security and privacy is never going to be done, but it is now embedded in how we approach everything we do at Zoom now," the company's chief financial officer, Kelly Steckelberg, told The Associated Press in a recent interview.

Key findings: 75% of global CIOs expressed concern about the security risks connected with the proliferation of TLS machine identities. 56% of CIOs said they worry about outages and business interruptions due to expired certificates.

Cyberattacks bypass the WAF: 49% of security professionals reported more than a quarter of attempts to sidestep their WAF protocols had been successful in the last 12 months. 29% of respondents admitted they had found it difficult to alter their WAF policies to guard against new web application attacks, while just 15% said they had found the process very easy.