Security News > 2020

DevOps and the State of Software Security
2020-03-04 19:34

Software development over the past decade: The good news is that more organizations than ever have secure software development practices in place, says Chris Eng, chief research officer at Veracode. The bad news is that many of the same flaws - including injection vulnerabilities - persist.

Lessons Learned: Securing Valuable Genomic Data
2020-03-04 19:33

While the cost of sequencing the human genome continues to decrease, the imperative to secure this most personal of personally identifiable information does not, says Brian Castagna, CISO of Seven Bridges. He shares best practices for all organizations that store sensitive information in the cloud.

Download this update from mybrowser.microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. Oops
2020-03-04 19:04

Well, you shouldn't have, because the pair were among sub-domains hijacked by vulnerability researchers to prove Microsoft is lax with its own online security. Now, as we said, Microsoft has loads of these sub-domains, and after a while it just stops updating some of them and abandons them.

Critical Netgear Bug Impacts Flagship Nighthawk Router
2020-03-04 18:58

Netgear is warning users of a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk hardware running firmware versions prior to 1.0.2.68. The critical vulnerability, tracked by Netgear as PSV-2019-0076, affects the company's consumer Nighthawk X4S Smart Wi-Fi Router first introduced in 2016 and still available today.

Number of spoof attempts on domains drops to "near zero" within months of DMARC enforcement
2020-03-04 18:17

In a new study on DMARC usage and success, email cybersecurity company Valimail found that spoof attempts drop to nearly zero "within a few months after that domain moves to DMARC enforcement." There has been a steady increase in organizations using Domain-based Message Authentication, Reporting, and Conformance as a security measure against domain spoofing, but enforcement continues to be the main struggle for most enterprises. Nearly 80 percent of US federal government domains have DMARC records and of those 93%. These high numbers are due mostly to a Department of Homeland Security directive in 2017 mandating DMARC at enforcement for most executive branch domains by January 2018.

Microsoft OneNote Used To Sidestep Phishing Detection
2020-03-04 17:48

A phishing campaign was recently discovered leveraging OneNote, Microsoft's digital notebook that automatically saves and syncs notes, to bypass detection tools and download malware onto victims' systems. The attacker was utilizing OneNote as a way to easily experiment with various lures that either delivered the credential-stealing Agent Tesla keylogger or linked to a phishing page - or both.

Hamas-Linked Hackers Add Insurance and Retail to Target List
2020-03-04 17:36

MoleRATs, a politically-motivated threat actor apparently linked to the Palestinian terrorist organization Hamas, has expanded its target list to include insurance and retail industries, Palo Alto Networks' security researchers report. Spear-phishing emails were leveraged to deliver malicious documents - mostly Word documents, but also one PDF - which in turn attempted to trick the intended victim into enabling content to run a macro, or force them into clicking a link to download a malicious payload. The Spark backdoor was used in most of these assaults, allowing the attackers to open applications and run command line commands on the compromised system.

Coronavirus Spread: Preparing for 'The Long Haul'
2020-03-04 17:17

What do the numbers and trends mean? Pandemic expert Regina Phelps analyzes the latest developments. Phelps, the founder of Emergency Management & Safety Solutions, is warning organizations to be prepared for "the long haul" - a sustained health crisis that could extend for as long as 12 months, she believes, with impacts on everything from global supply chains and regional economies to individual organizations' work-at-home practices.

Application Security Imperative: Earlier Is Better
2020-03-04 17:17

Software development benefits from security checks being brought to bear early and often, but the blending of in-house and open source code has historically complicated that process, says Patrick Carey, senior director of product marketing at Synopsys. How "AppSec" is shifting left to find and eliminate defects earlier in the software development lifecycle.