Security News > 2020 > October

The US Cybersecurity and Infrastructure Security Agency has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks. "Most of the vulnerabilities [] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching," the agency noted.

Chinese state-sponsored hackers are targeting a Cisco Discovery Protocol vulnerability that was disclosed earlier this year, the networking giant and the U.S. National Security Agency revealed on Tuesday. The list includes several vulnerabilities that were not known to have been targeted, including CVE-2020-3118, which impacts Cisco products.

Attention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today. Without revealing technical details of the vulnerability, the technical lead for Google's Project Zero Ben Hawkes warned on Twitter that while the team has only spotted an exploit targeting Chrome users, it's possible that other projects that use FreeType might also be vulnerable and are advised to deploy the fix included in FreeType version 2.10.4.

The team behind Lightning Network has released extensive details on the vulnerabilities that were discovered in the cryptocurrency protocol and its software implementations. Attackers could have exploited these vulnerabilities to cause DoS and to disrupt crypto transactions by intercepting "Smart contracts" made between two parties.

MariaDB announced a major expansion of MariaDB SkySQL cloud database. With this update, SkySQL now runs the latest version of MariaDB Platform X5, which most notably added distributed SQL capabilities for global scale.

Sweden is banning Chinese tech companies Huawei and ZTE from building new high-speed wireless networks after a top security official called China one of the country's biggest threats. The Swedish telecom regulator said Tuesday that four wireless carriers bidding for frequencies in an upcoming spectrum auction for the new 5G networks must not use equipment from Huawei or ZTE. Wireless carriers that plan to use existing telecommunications infrastructure for 5G networks must also rip out any existing gear from Huawei or ZTE, the Swedish Post and Telecom Authority said.

The exact process for blocklisting a domain is often opaque, but it's a gradual process involving a measurable reputation for each domain that changes over time. A company afraid of trademark infringement might want to register a domain with every conceivable variation on its name to stop phishers from targeting its customers.

When moving to the cloud, perimeter security is still important, but identity-based security is available to strengthen the security posture. As a result, organizations win operationally, financially, and from a security perspective, when moving to the cloud.

Modern cybersecurity professionals understand the advantage of controls like zero standing privilege, which authorizes no one and requires that each user request access and evaluation before granting privileged access. Implementing the design concept of zero standing privilege is crucial to hardening against privilege escalation attacks, as it removes the administrator's vast amounts of standing power and access.

Researchers from the University of Ottawa, in collaboration with Ben-Gurion University of the Negev and Bar-Ilan University scientists, have been able to create optical framed knots in the laboratory that could potentially be applied in modern technologies. Their work opens the door to new methods of distributing secret cryptographic keys - used to encrypt and decrypt data, ensure secure communication and protect private information.