Hackers Breach Customer Data at Michigan State Online Store
2020-08-12 16:17

Hackers have breached Michigan State University's online store, gaining access to customer credit card numbers and other personal information, the university said. The university is offering free credit monitoring to anyone affected by the breach.

Windows and IE Zero-Day Vulnerabilities Chained in 'PowerFall' Attacks
2020-08-12 16:09

An attack launched in May 2020 against a South Korean company involved an exploit that chained zero-day vulnerabilities in Windows and Internet Explorer, Kaspersky reported on Wednesday. The vulnerabilities exploited in the attack have now been patched, but they had a zero-day status when exploitation was first observed.

Citrix Warns of Critical Flaws in XenMobile Server
2020-08-12 15:17

The flaws exist in Citrix Endpoint Management, often referred to as XenMobile Server, which enables businesses to manage employees' mobile devices and mobile applications by controlling device security settings and updates. Specifically impacted at a critical level by the dual vulnerabilities are: XenMobile Server 10.12 before RP2, XenMobile Server 10.11 before RP4, XenMobile Server 10.10 before RP6 and XenMobile Server before 10.9 RP5. The remaining three flaws are rated medium- and low-severity.

ICS Cyber Security Conference Call for Presentations Extended to August 31, 2020
2020-08-12 14:36

The official Call for Presentations for SecurityWeek's 2020 Industrial Control Systems Cyber Security Conference, being held October 19 - 22, 2020 in SecurityWeek's Virtual Conference Center, has been extended to August 31st. As the premier ICS/SCADA cyber security conference, the event was originally scheduled to take place at the InterContinental Atlanta, but will now take place in a virtual environment due to COVID-19. The 2020 Conference is expected to attract thousands of attendees from around the world, including large critical infrastructure and industrial organizations, military and state and Federal Government.

Why & Where You Should Plant Your Flag
2020-08-12 14:18

"The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one's account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online - such as Social Security numbers, birthdays and addresses." In short, although you may not be required to create online accounts to manage your affairs at your ISP, the U.S. Postal Service, the credit bureaus or the Social Security Administration, it's a good idea to do so for several reasons.

Irony, thy name is SANS: 28k records nicked from infosec training org after staffer's email account phished
2020-08-12 14:13

Cybersecurity training organisation the SANS Institute suffered the loss of 28,000 items of personally identifiable information after a staffer's email account was accessed by malicious people. In a statement on its website, SANS said: "Aside from the affected user, we currently believe that no other accounts or systems at SANS were compromised."

Google Awards $10,000 for Remote Code Execution Vulnerability in Chrome
2020-08-12 13:02

Google this week announced that an update for Chrome 84 includes 15 security patches, including for a serious vulnerability for which the tech giant awarded a $10,000 bug bounty. This vulnerability is CVE-2020-6542, a high-severity use-after-free bug in ANGLE, the Chrome component responsible for translating OpenGL ES API calls to hardware-supported APIs available for the operating system.

Mozilla Cybersecurity Staff Hit by Layoffs
2020-08-12 12:37

Mitchell Baker, the CEO of Mozilla Corporation and chairwoman of the Mozilla Foundation, announced on Tuesday that the company has laid off roughly 250 people, and former employees say the list includes cybersecurity staff. While Mozilla has not shared any specifics on what type of staff it has laid off, at least two employees in security roles reported being among those impacted.

SecurityWeek to Host Cloud Security Summit Virtual Event on August 13, 2020
2020-08-12 12:18

SecurityWeek will host its 2020 Cloud Security Summit virtual event on Thursday, August 13, 2020.

TikTok Surreptitiously Collected Android User Data Using Google-Prohibited Tactic
2020-08-12 12:16

TikTok has been collecting unique identifiers from millions of Android devices without their users' knowledge using a tactic previously prohibited by Google because it violated people's privacy, new research has found. The app bundled the MAC address with other device data and sent it to ByteDance upon the app's first installation and opening on a new device, according to the report.