Security News > 2020 > December
The vast majority of operational technology devices affected by the Urgent/11 vulnerabilities, and many devices impacted by the CDPwn flaws, remain unpatched, IoT security firm Armis reported on Tuesday. According to the company, 97% of industrial devices affected by the Urgent/11 vulnerabilities have not been patched.
The global Google services outage yesterday was caused by the company's Identity Management System failing after a bug restricted its storage space. According to a tweet and a Google status report, the outage was caused by the company's automated quota management system reducing the amount of storage available to Google's authentication system.
Two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all. Among the data - drawn from unprotected online storage devices with ties to hospitals and medical centres all over the planet - were 23,000 images of UK patients, left exposed to the public internet on 90 separate servers.
Vulnerability submissions have increased over the past 12 months on at least one crowdsourced security platform, with critical issue reports recording a 65% jump. This year, vulnerability submissions through Bugcrowd recorded a 50% increase, while Priority 1 reports grew by 65%. Web apps remain at the top of hackers' preferences, although they are diversifying their targets to stay competitive.
The City of Independence, Missouri, suffered a ransomware attack last week that continues to disrupt the city's services. At the beginning of the month, Independence suffered a ransomware attack that forced the city to shut down its IT systems while it recovered from the attack.
Palo Alto Networks security researchers have discovered a Linux-based cryptocurrency-mining botnet that is being delivered via PostgreSQL. Dubbed PGMiner, the botnet exploits a remote code execution vulnerability in PostgreSQL to compromise database servers and then abuses them to mine the Monero cryptocurrency. An open source relational database management system widely used in production environments, PostgreSQL has a "Copy from program" feature that was labeled as a vulnerability, something that the PostgreSQL security team quickly disputed.
Mozilla Firefox 84 was released today with a dramatic performance boost after adding native support on macOS devices with Apple Silicon processors. With the release of Firefox 84, all other Firefox development branches have also moved up a version bringing Firefox Beta to version 85 and the Nightly builds to version 86.
SolarWinds, the enterprise monitoring software provider that found itself at the epicenter of the most consequential supply chain attacks, said as many as 18,000 of its high-profile customers might have installed a tainted version of its Orion products. The company also reiterated in its security advisory that, besides the 2019.4 HF 5 and 2020.2 versions of the SolarWinds Orion Platform, no other versions of the monitoring software or other non-Orion products were impacted by the vulnerability.
Ireland's Data Protection Commission fined Twitter €450,000 for failing to notify the DPC of a breach within the 72-hour timeframe imposed by the European Union's General Data Protection Regulation and for failing to adequately document it. "The DPC's investigation commenced in January 2019 following receipt of a breach notification from Twitter and the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach," the Irish DPC said.
Data in an enclave cannot be read or modified by any entity outside the enclave itself, even if the host is physically compromised. AI and ML both leverage and create a number of data sets, each of which has different security requirements.