
World Economic Forum on Securing the Aviation Industry in the Age of Convergence
2020-01-27 15:46

The World Economic Forum believes that the success - and safety - of the aviation industry is largely down "to the successful balance between regulatory and risk priorities." But times, prompted by the Fourth Industrial Revolution and digital transformation, are changing; and WEF notes, "As technology is changing, so are the priorities of aviation stakeholders and more work is required to ensure optimal resilience." And this is without the additional complications of new technologies such as unmanned aerial vehicles. The work involved interviews, surveys and workshops with industry participants, trade associations, regulators, air navigation service providers, airlines, airports and OEM manufacturers as well as ICT and insurance businesses working with and supporting the industry.

NSA Shares Guidance on Mitigating Cloud Vulnerabilities
2020-01-27 15:01

The U.S. National Security Agency has published advice on mitigating cloud vulnerabilities. The document provides four basic sections: an overview of the basic components usually delivered by cloud service providers; an explanation of the concept of shared responsibility; an analysis of the primary cloud threat actors; and an analysis and description of the main cloud vulnerabilities and their mitigations.

Cisco Webex bug allowed anyone to join a password-protected meeting
2020-01-27 14:44

Cisco has confessed to a vulnerability in its Webex Meetings Suite sites and Webex Meetings Online sites that allowed an "unauthenticated" attendee sitting on a workstation far, far away to join a "password-protected meeting without providing the meeting password". According to the security advisory, which was rated as "High": "The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications."

Cardplanet mastermind pleads guilty to credit card fraud
2020-01-27 14:31

Aleksei Burkov, a Russian cybercriminal responsible for over $20m in credit card fraud, pleaded guilty last week to access device fraud, identity theft, computer intrusion, wire fraud, and money laundering, after being indicted four years ago for operating a carding website called Cardplanet. This website, which ran from 2009 until 2013, served as a forum for cybercriminals to buy and sell credit card details stolen from victims.

Huawei and Supply Chain Security - The Great Geopolitical Debate
2020-01-27 14:23

There is no evidence of backdoors in the Huawei equipment; the incident has not damaged relations between the African Union and China; and Huawei has stated, "These data leaks did not originate in technology supplied by Huawei to the AU. What Huawei supplied for the AU project included data center facilities, but those facilities did not have any storage or data transfer functions." Tony Scott concludes in his supply chain whitepaper, provided exclusively to SecurityWeek ahead of public release, that one essential element is missing from all current supply chain solutions: independent product testing. Huawei's Purdy endorses that conclusion.

Mandatory IoT Security in the Offing with U.K. Proposal
2020-01-27 14:16

IoT device manufacturers must also provide a public point of contact so that anyone can report a flaw, to be "acted on in a timely manner"; and manufacturers must also explicitly state, at the point of sale, the minimum length of time for which devices will receive security updates. The regulation was developed by the Department for Digital, Culture, Media and Sport after an extensive consultation period that kicked off in May 2019, when the U.K. announced it was accepting regulatory proposals for IoT security regulation.

Tinder to get panic button, catfish-fighting facial recognition
2020-01-27 13:28

In an effort to keep users safe - and when it comes to Tinder or other dating apps, that means keeping them from being raped, murdered or even, in one horrific case, dismembered - Tinder is incorporating a panic button into the app, as well as Artificial Intelligence-enabled photo recognition to help stop catfishing. The news about the panic button and other new safety features was announced on Thursday by Tinder's parent company, Match Group, which also owns pretty much all of the popular dating/hookup apps, including Match, PlentyOfFish, Meetic, OkCupid, OurTime, Pairs, and Hinge.

Trend Micro OfficeScan Flaw Apparently Exploited in Mitsubishi Electric Hack
2020-01-27 13:20

A cyberattack disclosed recently by Mitsubishi Electric, which resulted in hackers gaining access to the company's network and stealing corporate data, likely involved exploitation of a vulnerability in Trend Micro's OfficeScan product. Mitsubishi Electric is a top contractor for Japan's military and infrastructure, but the company said in its data breach notice that no infrastructure-related information was impacted in the hack.

PoC Exploits Created for Recently Patched 'BlueGate' Windows Server Flaws
2020-01-27 12:49

Proof-of-concept exploits have been released for two recently patched Remote Desktop Gateway vulnerabilities that can be exploited for remote code execution. Remote Desktop Gateway is a Windows Server component previously known as Terminal Services Gateway.

Instagram CEO’s homes were targeted by SWATters
2020-01-27 12:36

According to The New York Times, the latest victim was Instagram CEO Adam Mosseri, whose houses in New York and San Francisco were surrounded in early November by heavily armed SWAT teams after hoax phone calls claimed hostages were being held there. After what is described as "tense, hours-long standoffs" the police realised there were no hostages and so the incident was filed along with the lengthening list of SWATting hoaxes the media has reported on.