Over 100 Vulnerabilities Patched in MyBB in Past 5 Years
2020-02-25 18:06

The developers of the free and open-source forum software MyBB have shared some data on the vulnerabilities patched in their product over the past years. According to MyBB developers, 103 vulnerabilities have been patched in the 1.8.x branch since its release in 2014.

Android 11 to clamp down on background location access
2020-02-25 17:51

With Android 11 in the works, Google finds itself having to refine location access once again by announcing a lock on how apps access location even when they have general access permission. The problem is apps that continue to track device location even when they are not being used, otherwise known as background access - something users only acquired some granular control over in Android 10 last year.

Google stops indexing WhatsApp chats; other search engines still at it
2020-02-25 17:51

A simple Google search could lead people to invite codes that would let them find and join private WhatsApp group chats, given that the pages were indexed by Google. This is past tense, at least for Google search: as of Saturday, WhatsApp tweaked the glitch out of existence, though the search was still working on other major search engines as of today.

'Raccoon' Infostealer Now Targeting 60 Apps: Report
2020-02-25 17:03

While an earlier report from security firm Cybereason found that Raccoon enabled credential stealing from Tor-hosted devices, the new analysis by CyberArk shows that the infostealer has now expanded its reach into popular web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge and others. "What used to be reserved for more sophisticated attackers is now possible even for novice players who can buy stealers like Raccoon and use them to get their hands on an organization's sensitive data," the report states.

State-Sponsored Cyberspies Use Sophisticated Server Firewall Bypass Technique
2020-02-25 16:33

A threat actor - likely a state-sponsored cyberespionage group - has used a sophisticated technique to allow a piece of malware hosted on a server to communicate with command and control servers through a firewall. It's unclear exactly how the attackers planted the malware, but researchers believe they may have accessed the server through a dictionary attack on an exposed SSH port.

Facebook Investigated Suspicious Pro-Sanders Content: Report
2020-02-25 15:48

Facebook recently investigated suspicious content meant to support U.S. presidential candidate Sen. Bernie Sanders but was unable to substantiate involvement by Russians or supporters of President Donald Trump, The Wall Street Journal reported Monday, citing people familiar with the matter. Last week, The Washington Post reported that U.S. officials had told Sanders that Russia was trying to support his campaign.

Zyxel Patches Zero-Day Vulnerability in Network Storage Products
2020-02-25 15:43

Networking devices vendor Zyxel has released patches for several network attached storage devices to address a critical vulnerability that is already being exploited by cybercriminals. "A remote code execution vulnerability was identified in the weblogin.cgi program of Zyxel NAS products running firmware version 5.21 and earlier. Missing authentication for the program could allow attackers to perform remote code execution via OS command injection," Zyxel explains in an advisory.

Why 40% of privacy compliance tech will rely on AI by 2023
2020-02-25 15:28

With privacy laws and data breaches coming into focus in 2019, security leaders are looking for new ways to keep personal information safe. The heightened conversation around data security has resulted in mounting pressure on privacy professionals, who are ultimately responsible for keeping an organization's data secure.

Firefox Enables DNS over HTTPS
2020-02-25 15:15

In theory DNS over HTTPS does not hide the "Fact" of the request transmission, "When" or "Length" of the request from a "Third party" eavesdropper, only the request "Contents". That is, whilst DNS over HTTPS might hide the request contents it does not hide the request or the time it happened at, nor does it hide the traffic to the site the DNS request was for.

Apple tries to have VirnetX VPN patent ruling overturned again, US Supremes say no... again
2020-02-25 15:03

The United States Supreme Court has kicked out Apple's attempt to overturn a judgement in one of the cases in its 10-year patent fight with VirnetX. The Supremes rejected Apple's petition for a judicial review in a bid to overrule the 2016 decision of a lower court, which awarded VirnetX $302m, which later rose to $439.8m in damages, fees and interest for Apple's use of its patents. Apple had argued earlier this month that the "Federal Circuit has created a gaping loophole that facilitates massive damages in patent cases where the damages claims are based on prior licenses" - in essence saying that VirnetX had overvalued the inventions to the court.