Security News > 2020

Dropbox Paid Out Over $1 Million Through Bug Bounty Program
2020-02-04 17:52

File hosting company Dropbox says it has awarded researchers over $1 million for vulnerabilities reported through its bug bounty program. Dropbox launched its bug bounty program in 2014 and in April 2015 it announced a program on the HackerOne platform.

Oh buoy. Rich yacht bods' job agency leaves 17,000 sailors' details exposed in AWS bucket
2020-02-04 17:46

A private yacht crew recruitment agency has left an AWS bucket containing the CVs, passports and even some drug test results for up to 17,000 people exposed to world+dog, according to reports. Crew & Concierge - a jobs firm in Bath, England, that targets "High net worth individuals", yacht captains, and management companies searching for seafarers to crew private yachts - left an Amazon Web Services S3 bucket open to anyone and everyone for around 11 months starting in February 2019.

Elastic App Search: Complete search solution with relevance tuning and analytics built in
2020-02-04 17:41

Elastic, the company behind Elasticsearch and the Elastic Stack, announced the general availability of Elastic App Search on Elasticsearch Service. Elastic App Search is a ready-to-use, fully complete search solution with user-friendly relevance tuning and analytics built in.

DoppelPaymer Ransomware Gang Threatens to Dump Victims' Data
2020-02-04 17:03

"If the organization still doesn't pay, the remaining data is published, sometimes on a staggered basis. The group has also published data in Russian hacker forums with a note to 'use this information in any nefarious ways that you want.' In other words, it's highly likely that more of the firms' data will be published unless they pay." Threatening to dump exfiltrated data is merely the latest in a long line of ransomware gang innovations, which took a major leap forward four years ago, with a watershed, targeted attack against Hollywood Presbyterian Medical Center by the SamSam gang, says security researcher Vitali Kremez, who heads SentinelLabs for security firm SentinelOne.

Israeli Venture Firm Partners With NYC to Launch Cybersecurity Accelerator
2020-02-04 16:42

"Most of them are companies with between $5 million and $20 million in annual revenue, and are scaling up to the next level." The purpose of this new cybersecurity hub is to provide the ecosystem and help necessary for growth to $100 million or $200 million companies - and eventually perhaps to the next $1 billion cybersecurity business. "We already have the biggest cybersecurity hub in Israel," he said, "where we continue to invest in and help create many of the new 'ex-8200' cybersecurity startups, and we help these companies grow in the U.S. or Europe. So, we have experience in this."

EU Likely to Drop Plan to Ban Facial Recognition
2020-02-04 16:33

The European Union appears to be moving toward dropping a temporary ban on the use of facial recognition technology in public places, according to news reports. Some technology experts had said that a temporary ban on the use of facial recognition in public places would be impractical and ineffective.

Google Accidentally Shared Private Videos of Some Users With Others
2020-02-04 15:59

Google might have mistakenly shared your private videos saved on the company's servers with other users, the tech giant admitted yesterday in a security notification sent quietly to an undisclosed number of affected users. According to a screenshot Jon Oberheide of Duo Security shared on Twitter, the issue reportedly remained active between 21st November and 25th November last year, during which "Some videos in Google Photos [service] were incorrectly exported to unrelated user's archives."

Vulnerabilities in Mini-SNMPD Lead to DoS, Information Disclosure
2020-02-04 15:45

Vulnerabilities recently patched in Mini-SNMPD could be abused for denial-of-service attacks or to obtain sensitive information, Cisco Talos' security researchers report. Mini-SNMPD works on both x86 and ARM platforms running Ubuntu, Alpine Linux, and FreeBSD. Talos' researchers discovered a total of three vulnerabilities in Mini-SNMPD, including two out-of-bounds read bugs and one stack overflow.

4 key trends to hit the cybersecurity industry in 2020
2020-02-04 14:30

According to TechRepublic's Jack Wallen, businesses should be prepared for "an inordinate rise of security breaches, attacks, and incidents" in 2020 - and guarding against them should be a top priority for the enterprise as the new decade begins. Drawing from their collective insight as cybersecurity experts over the past decade, the Cyber Resilience Think Tank has published a new ebook, Commencing a New Decade: 2020 Predictions, which highlights areas of cybersecurity risks, as well as solutions, for 2020 and beyond.

Twitter API Abused to Uncover User Identities
2020-02-04 14:22

The social media giant said that on Dec. 24, 2019, it discovered a large network of fake accounts abusing a legitimate API function on its platform that, when used as intended, allows accounts to find Twitter users that they may already know by matching phone numbers to their Twitter account names. The bad actors were using this legitimate feature to uncover Twitter users - opening concerns that they could have potentially obtained the true identities of human rights activists or dissidents who go under pseudonyms on Twitter.