Security News > 2020 > October

An unsealed warrant in a case involving alleged pedophile R&B star R. Kelly has shown how the Feds can get Google to hand over the details of people who make specific web search queries. Fast forward to this week, and Robert Snell of Detroit News uncovered the aforementioned search warrant [PDF] showing how Homeland Security investigators in June enlisted Google and Verizon Wireless to connect Williams, who lives in the state of Georgia, to the scene of the crime in Florida.

Cybercriminals have planted a payment card skimmer on the websites of several organizations using the Playback Now conference platform, Malwarebytes reported on Thursday. The customer websites hosted on it - customers receive a dedicated website which they can use to serve their content - had been injected with a payment card skimmer that allowed the attackers to steal the financial information of users purchasing conference materials from those sites.

At the Virus Bulletin Conference last week, two security researchers explained how they were able to compromise the command and control panels of 10 Internet of Things botnets. The researchers, Aditya K. Sood and Rohit Bansal of SecNiche Security Labs, revealed at the online conference that they were able to access the C&C panels of the Mana, Vivid, Kawaii, Verizon, Goon, 911-Net, Purge Net, Direct, 0xSec, and Dark botnets.

Google has added improved malware protection for all Google Chrome users who are also enrolled in the company's Advanced Protection Program. Google's Advanced Protection Program is a free service that aims to protect the accounts of users including but not limited to activists, journalists, business leaders, and political teams who have a higher risk of being targeted by online attacks.

A security researcher discovered that malicious apps for Fitbit devices can be uploaded to the legitimate Fitbit domain and users can install them from private links. Various mobile apps from Fitbit and its developer community are published in the official Fitbit Gallery.

"The ICO investigation found that the company was not involved in the business of supplying PPE, but that the director had decided to buy face masks to sell on at a profit," the data regulator said in a statement. The firm is also said to have "Deleted a database of key evidence which would have shown the full extent of the volume of emails they had sent" after ICO investigators contacted the company.

Microsoft has also issued updated guidance since the August Patch Tuesday release to clarify the steps needed to secure systems with this vulnerability. October 2020 Patch Tuesday forecast Microsoft continues to address record numbers of vulnerabilities each month.

Checkmarx announced a new GitHub Action to bring comprehensive, automated static and open source security testing to developers. APIsec provides a 100% automated and continuous API security testing platform that eliminates the need for expensive, infrequent, manual pen-testing.

Don't get me wrong, a fine-tuned and efficient IGA program is well worth it. An IGA program helps ensure an organization's data security, assist in completing audits, and support significant boosts in operational agility.

The PCI Security Standards Council and the ATM Industry Association issued a joint bulletin to highlight an increasing threat that requires urgent awareness and attention. An ATM cash-out attack is an elaborate and choreographed attack in which criminals breach a bank or payment card processor and manipulate fraud detection controls as well as alter customer accounts so there are no limits to withdraw money from numerous ATMs in a short period of time.