CIA Secretly Owned Swiss Encryption Firm for Years: Reports
2020-02-12 19:18

Starting in the 1970s and continuing through the 1990s, the U.S. Central Intelligence Agency and the German BND intelligence service secretly controlled the majority of the Swiss firm Crypto AG, giving the two agencies access to the company's communication equipment, which was used around the world for top-secret government messages, according to the reports. A former Crypto AG worker told Switzerland's SRF television station that he would find two sets of encryption algorithms within the company's devices.

Mozilla Firefox 73 Browser Update Fixes High-Severity RCE Bugs
2020-02-12 19:14

The patched versions of Mozilla's browser, released on Tuesday, are Firefox 73 and Firefox ESR 68.5. One of the vulnerabilities, tracked as CVE-2020-6800, was fixed in a previous Firefox 72 release and in the current Firefox ESR 68.5 update on Tuesday.

SoundCloud Tackles DoS, Account Takeover Issues
2020-02-12 18:48

Online music platform SoundCloud, which can be thought of as an audio-based YouTube for music creators, has addressed several security bugs in its APIs that could lead to denial-of-service or account takeover via credential stuffing. According to researcher Paulo Silva of Checkmarx Security Research, three different groups of security vulnerabilities were found in the platform: an authentication issue that could lead to account takeover, a rate-limiting bug that could lead to DoS, and an improper input validation issue.

Apple Joins FIDO Alliance
2020-02-12 18:05

Apple has joined the FIDO Alliance, an organization that aims to help reduce the use of passwords by providing free and open authentication standards. Nok Nok Labs, inventor of the FIDO specifications and a founding member of the FIDO Alliance, announced on Wednesday that Apple has not only become a member, but that it has also taken a leadership role as a board member.

Siemens Patches Serious DoS Vulnerabilities in Several Products
2020-02-12 16:31

Siemens' Patch Tuesday updates for February 2020 address serious denial-of-service vulnerabilities in several of the company's products. Siemens SIMATIC PCS 7, SIMATIC WinCC and SIMATIC NET PC products are affected by a high-severity DoS flaw if encrypted communication is enabled.

Companies that Scrape Your Email
2020-02-12 16:26

Some of the companies listed in the J.P. Morgan document sell data sourced from "personal inboxes," the document adds. A spokesperson for J.P. Morgan Research, the part of the company that created the document, told Motherboard that the research "is intended for institutional clients."

Data breaches up 17% in 2019 over previous year
2020-02-12 16:25

The Identity Theft Resource Center warns that businesses of all sizes should be vigilant about data security.

Unsecured Estee Lauder Database Exposed 440 Million Records
2020-02-12 16:19

An unsecured, internet-facing database belonging to cosmetic giant Estée Lauder exposed over 440 million company records, including email addresses and IT logs, according to a report from a security researcher who discovered it. It's not clear how long the database may have been exposed or if anyone accessed any of the data, Fowler adds.

Mozilla issues final warning to websites using TLS 1.0
2020-02-12 16:13

We're committed to completely eradicating weak versions of TLS because at Mozilla we believe that user security should not be treated as optional. Although not exactly a household name, TLS is the encryption protocol that makes several types of secure connection possible, including secure versions of SMTP, POP3, FTP and, of course, HTTP. For example, when a browser visits a site using HTTPS, TLS sets up authentication, the exchange of session keys, and agreement on cipher suites.

Randori Arms Red Teams With New Automated Attack Platform
2020-02-12 15:26

Red teaming, especially continuous red teaming, is by far the most effective way of finding weaknesses in corporate infrastructures - but is phenomenally expensive and beyond the reach of all but the largest and most wealthy companies. Hazzard and Wolpoff chose to develop a red team platform for everyone rather than a red team service for the wealthier companies.