Security News > 2020 > September

"My warning to the public is that digital currency exchanges are not like banks. The security of digital currency exchanges is only as good as your own vigilance. While law enforcement will do everything within our power to protect you, you must also protect yourself." How could the North Korean Lazarus Group become any more of a threat to the rest of the internet? We're glad you asked.

If you had any doubts about the criticality of the Zerologon vulnerability affecting Windows Server, here is a confirmation: the US Cybersecurity and Infrastructure Security Agency issued an emergency directive on Friday instructing federal agencies to "immediately apply the Windows Server August 2020 security update to all domain controllers" - and to do so by the end of Monday. "If affected domain controllers cannot be updated, ensure they are removed from the network," CISA advised.

The Department of Homeland Security has given system administrators until today to patch a critical vulnerability in Windows Server that could allow an attacker to hijack federal networks via a flaw in the Netlogon authentication system. On 18 September, the DHS's cybersecurity division issued an emergency directive giving government agencies a four-day deadline to patch the CVE-2020-1472 vulnerability, also known as Zerologon, citing the "unacceptable risk" it posed to federal networks.

Mozilla is decommissioning Firefox Send and Firefox Notes, two legacy services that emerged out of the Firefox Test Pilot program. Firefox Send, the browser maker reveals, is being discontinued because it has been abused for delivering malware and phishing attacks.

Perhaps the most secretive firm to emerge from Silicon Valley, Palantir Technologies is set for a stock market debut this month that may shed light on the Big Data firm specializing in law enforcement and national security. Palantir is a major player in "predictive policing," a technology which critics say can amplify bias in law enforcement.

This sounds like a bad idea.

Tripp is the former Gigafactory technician who, after a brief stint at the Nevada facility in 2018, went to the press as a whistleblower with claims that defective battery packs in Tesla's Model 3 line of cars had become so much of a problem that Tesla was unable to meet the production target set by boss Elon Musk - 5,000 flash motors a week. Tripp countersued Tesla claiming defamation and false light.

The U.S. Federal Energy Regulatory Commission and the North American Electricity Reliability Corporation last week released a report outlining cyber incident response and recovery best practices for electric utilities. The study is based on information provided by experts at eight U.S. electric utilities of various sizes and functions, and its goal was to help the industry improve incident response and incident recovery plans, which authors of the study say help ensure the reliability of the bulk electric system in the event of a cybersecurity incident.

A US judge on Sunday blocked the government's ban on WeChat downloads, hours before it was due to take effect in an ongoing technology and espionage battle between Washington and Beijing. The Trump administration had ordered a ban on downloads of the messaging platform WeChat as well as hugely popular video-sharing app TikTok, both owned by Chinese companies.

Workers - and the tech and security teams that support them - had to "improvise" just to keep organisations operating at all, meaning security was, for some perhaps, an afterthought. Our friends at cloud native security experts ExtraHop have identified ten key threats any security pro should be aware of, and the techniques to tackle them, and they'd love to share them with you.