Security News > 2020

It has been 15 years, and we're still reporting homograph attacks – web domains that stealthily use non-Latin characters to appear legit
2020-03-04 14:00

Researchers at Soluble today said they worked with Verisign to thwart the registration of domain names that use homoglyphs - non-Latin characters that look just like letters of the Latin alphabet - to masquerade as legit domains. First reported back in the 2000s, this technique allows miscreants to use characters that, when displayed in the browser bar, appear to show the URL of a valid site - such as Apple.com or Google.com - despite being a completely different domain name.

Bug Forces Let's Encrypt to Revoke 3 Million Certificates
2020-03-04 13:15

Free and open certificate authority Let's Encrypt is revoking over 3 million currently-valid certificates after discovering a bug in its Certification Authority Authorization code. Thus, a subscriber could issue certificates for validated domain names 30 days after validation, without a second check being performed 8 hours prior to issuance, and the certificate would be issued even if someone installed CAA records for that domain name to prohibit certificate issuance by Let's Encrypt.

Let's Encrypt Vulnerability
2020-03-04 12:46

In a notification email to its clients, the organisation said: "We recently discovered a bug in the Let's Encrypt certificate authority code." Typically, a Web server that services many separate domain names and uses Let's Encrypt to secure them receives a single LE certificate that covers all domain names used by the server rather than a separate cert for each individual domain.

UK data watchdog slaps a £500,000 fine on Cathay Pacific for 2018 9.4m customer data leak
2020-03-04 12:30

The Information Commissioner's Office has fined Cathay Pacific Airways £500,000 for leaky security that exposed the personal data of 9.4 million passengers - 111,578 of whom were from the UK. The breach, which occurred between October 2014 and May 2018, exposed passengers' names, passport and identity details, dates of birth, postal and email addresses, phone numbers, and travel history, as well as 430 credit card numbers, 27 of which were active. The unauthorised access was first suspected in March 2018, when Cathay's database suffered a brute force attack, and confirmed in May. A Cathay Pacific spokesman said at the time that the combination of data accessed varied for each affected passenger.

Let’s Encrypt will revoke 3m+ TLS/SSL certificates
2020-03-04 12:00

Starting at 20:00 UTC today, the non-profit certificate authority Let's Encrypt will begin its effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software. "The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let's Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let's Encrypt."

NCSC: Secure your webcams now
2020-03-04 11:57

It's particularly alarming when those passwords are supposed to secure video streams of your life, your front door, your bedroom, your child, your belongings, or any other manner of footage streamed out from your most intimate moments. Until new laws are in place, it is vital that consumers research smart device purchases carefully, and follow guidance to ensure their devices are protected by strong passwords and receiving regular security updates to reduce the risk of hackers exploiting vulnerabilities.

Google fixes MediaTek bug in Android March patches
2020-03-04 11:40

Google published patches for over 70 software vulnerabilities in its Android security bulletin this month, finally fixing a security exploit for MediaTek chipsets said to have been in the wild for months, affecting millions of devices. Google classifies CVE-2020-0069 as an elevation of privilege bug in MediaTek's command queue driver, and only gives it a high severity ranking in its bulletin.

Fancy that: Hacking airliner systems doesn't make them magically fall out of the sky
2020-03-04 11:30

Airline pilots faced with hacked or spoofed safety systems tend to ignore them - but could cost their airlines big sums of money, an infosec study has found. The team, who presented their paper at the NDSS infosec symposium, found that while their attacks against these systems "created significant control impact and disruption through missed approaches", all pilots in the study were able to cope and land their simulated aircraft safely.

Tech support scammers hacked back by vigilante
2020-03-04 11:08

A UK cybercrime vigilante was so incensed by tech support scammers he reverse-hacked the call centre in India to reveal CCTV footage of perpetrators as they ripped off their victims in real-life calls. During 2019, Browning said he was able to identify dozens of call centres in India where many of the tech support scams targeting English speakers originate.

Facebook purges hundreds of fake accounts from state actors, marketers
2020-03-04 10:53

India: Facebook removed a network of 37 Facebook accounts, 32 Pages, 11 Groups and 42 Instagram accounts whose activity originated in India and which focused on the Gulf region, US, UK and Canada. Egypt: Facebook removed a network of 333 Facebook accounts, 195 Pages, 9 Groups and 1194 Instagram accounts.