Facebook asks to be regulated kinda like a newspaper, kinda like telco
2020-02-19 11:37

Facebook gave up hiding behind the "we're just the pipes" argument long ago, somewhere amongst the outrage sparked by extremist content, fake news and misleading political advertising. During a Q&A session at the Munich Security Conference on Saturday, Zuckerberg admitted that Facebook isn't the passive set of telco pipes he once insisted it was, but nor is it like a regular media outlet that produces news.

WordPress plugin hole could have allowed attackers to wipe websites
2020-02-19 11:21

A WordPress plugin with over 100,000 active installations had a hole which could have allowed unauthorised attackers to wipe its users' blogs clean, it emerged this week. ThemeGrill is a WordPress theme developer that publishes its own Demo Importer plugin.

OpenSSH eases admin hassles with FIDO U2F token support
2020-02-19 11:00

OpenSSH version 8.2 is out and the big news is that the world's most popular remote management software now supports authentication using any FIDO U2F hardware token. Adding support inside OpenSSH simply means that any U2F token can now be used, including older FIDO1 and more recent FIDO2 hardware.
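What the new key types look like on disk, and how to check an authorized_keys file for keys that are not token-backed, as an added example (Python written for this page, not OpenSSH's own code). The key type names `sk-ecdsa-sha2-nistp256@openssh.com` and `sk-ssh-ed25519@openssh.com`, the blob layout (type, curve, point, application for the ECDSA variant; type, key, application for Ed25519) and the `no-touch-required` authorized_keys option are OpenSSH 8.2's; the sample file and its public-key bytes are constructed placeholders, not real keys.

```python
"""Parse OpenSSH public keys and flag the FIDO ("sk-") key types added in
OpenSSH 8.2.  Added example, not OpenSSH code.  The authorized_keys text at
the bottom is constructed with placeholder key bytes; only the blob layout
(OpenSSH's PROTOCOL.u2f) is real."""
import base64
import struct

# Key types whose private half lives on a FIDO token.
SK_TYPES = {
    "sk-ecdsa-sha2-nistp256@openssh.com",  # usable with U2F (FIDO1) and FIDO2 tokens
    "sk-ssh-ed25519@openssh.com",          # needs a FIDO2 token
}
KNOWN_TYPES = SK_TYPES | {"ssh-ed25519", "ecdsa-sha2-nistp256",
                          "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _read_string(buf, off):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def _put_string(b):
    return struct.pack(">I", len(b)) + b


def parse_pubkey_blob(blob):
    """Decode a public-key blob into a dict.  For sk- keys the trailing field
    is the FIDO 'application' (relying-party id, "ssh:" plus an optional
    suffix) the credential was created for; the token's signatures are only
    valid for that id."""
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode("ascii")
    info = {"type": ktype, "fido": ktype in SK_TYPES}
    if ktype.startswith("sk-ecdsa-") or ktype.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)   # e.g. b"nistp256"
        q, off = _read_string(blob, off)       # uncompressed EC point (65 bytes for P-256)
        info.update(curve=curve.decode("ascii"), point_len=len(q))
    elif ktype in ("sk-ssh-ed25519@openssh.com", "ssh-ed25519"):
        pk, off = _read_string(blob, off)      # 32-byte Ed25519 public key
        info.update(key_len=len(pk))
    else:
        raise ValueError("unsupported key type: " + ktype)
    if info["fido"]:
        app, off = _read_string(blob, off)
        info["application"] = app.decode("utf-8")
    if off != len(blob):
        raise ValueError("trailing bytes after key blob")
    return info


def _split_options(line):
    """Split leading authorized_keys options from the rest of the line.
    Options end at the first whitespace outside double quotes, so
    command="/usr/bin/x --flag" stays in one piece."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_authorized_keys_line(line):
    """Parse one authorized_keys line; None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KNOWN_TYPES:
        options, rest = "", line
    else:
        options, rest = _split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line")
    info = parse_pubkey_blob(base64.b64decode(parts[1], validate=True))
    if info["type"] != parts[0]:
        raise ValueError("key type field does not match blob")
    info["options"] = options            # raw option string, e.g. "no-touch-required,..."
    info["comment"] = parts[2] if len(parts) == 3 else ""
    return info


def non_fido_keys(authorized_keys_text):
    """Comments of keys that are not token-backed: what a 'hardware keys only'
    policy for this account would have to reject."""
    rejected = []
    for line in authorized_keys_text.splitlines():
        info = parse_authorized_keys_line(line)
        if info and not info["fido"]:
            rejected.append(info["comment"] or info["type"])
    return rejected


def _sample_line(ktype, *fields):
    """Build a constructed 'type base64' line from raw field bytes."""
    blob = b"".join(_put_string(f) for f in (ktype.encode("ascii"),) + fields)
    return ktype + " " + base64.b64encode(blob).decode("ascii")


# Constructed sample file (placeholder key bytes, NOT real keys).
_FAKE_POINT = b"\x04" + bytes(range(64))   # shape of an uncompressed P-256 point
_FAKE_ED25519 = bytes(range(32))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys (added example)",
    _sample_line("sk-ecdsa-sha2-nistp256@openssh.com", b"nistp256", _FAKE_POINT, b"ssh:")
    + " alice@token",
    'no-touch-required,command="/usr/bin/backup --run" '
    + _sample_line("sk-ssh-ed25519@openssh.com", _FAKE_ED25519, b"ssh:backup")
    + " backup-token",
    _sample_line("ssh-ed25519", _FAKE_ED25519) + " bob@laptop",
])

if __name__ == "__main__":
    for entry in map(parse_authorized_keys_line, SAMPLE_AUTHORIZED_KEYS.splitlines()):
        if entry:
            print(entry["comment"], entry["type"],
                  "FIDO app=" + entry["application"] if entry["fido"] else "software key")
    print("rejected by a hardware-only policy:", non_fido_keys(SAMPLE_AUTHORIZED_KEYS))
```

Generating such a key on a real system is `ssh-keygen -t ecdsa-sk` (any U2F or FIDO2 token) or `ssh-keygen -t ed25519-sk` (FIDO2 only) with the token plugged in, which needs an OpenSSH build with FIDO support (libfido2). Note the design point the `application` field makes visible: the token signs only for the relying-party id baked into the credential, so a key enrolled as `ssh:backup` cannot be replayed as a general `ssh:` credential.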

Hacked Off: Patients Sue Ransom-Paying Hospital Group
2020-02-19 10:18

A lawsuit seeking class action status has been filed against a New Jersey healthcare organization in the wake of a ransomware attack last December in which the entity paid attackers a ransom to unlock its systems. Because of the ransomware attack, patients had their medical care and treatment disrupted, the complaint alleges.

What do a Lenovo touch pad, an HP camera and Dell Wi-Fi have in common? They'll swallow any old firmware, legit or saddled with malware
2020-02-19 08:02

Eclypsium said on Monday that, despite years of warnings from experts - and examples of rare in-the-wild attacks, such as the NSA's hard drive implant - devices continue to accept unsigned firmware. The infosec biz said a miscreant able to alter the firmware on a system - such as by intercepting or vandalizing firmware downloads, or meddling with a device using malware or as a rogue user - can do so to insert backdoors and spyware undetected, due to the lack of cryptographic checks and validations of the low-level software.

The top four Office 365 security pain points
2020-02-19 06:45

Many novice Office 365 shops do not know where platform-specific security vulnerabilities lie, or even that they exist. Companies get themselves into trouble when they do not fully understand the way data moves through O365 or they apply on-premises security practices to their cloud strategy.

Jon Callas: Encryption is a technology that rearranges power
2020-02-19 06:30

There are things that have been true for technical people for decades and will continue to be true. About half the things you know will be obsolete after five years, so you'll have to learn new things and maybe pivot your career.

Ring Makes 2-Factor Authentication Mandatory Following Recent Hacks
2020-02-19 06:24

Following several recent reports of hackers gaining access to people's internet-connected Ring doorbells and security cameras, Amazon yesterday announced that it is making two-factor authentication mandatory for all Ring users. Until now, two-factor authentication on Ring accounts was optional; it would have prevented most of the reported Ring hacks, but many users never bothered to enable it.

A third of all vulnerabilities in 2019 had a CVSS v2 score of 7.0 and above
2020-02-19 06:00

Risk Based Security's VulnDB team aggregated 22,316 newly-disclosed vulnerabilities during 2019, finding that 37.26% had available exploit code or a Proof of Concept and that 33.43% of all vulnerabilities in 2019 had a CVSS v2 score of 7.0 and above. Risk Based Security also identified a total of 302 vulnerabilities impacting Electronic Voting Machines, 289 of which have no known solution.