Security News > 2020

Unprotected Medical Systems Expose Data on Millions of Patients
2020-01-16 14:50

Hundreds of Internet-accessible, unprotected medical imaging systems expose data on millions of patients worldwide, German security firm Greenbone reveals. Such data included patient name and date of birth, date of examination, some details on the reason for examination, and even image data for those patients.

‘Fleeceware’ Apps Downloaded 600M Times from Google Play
2020-01-16 14:35

Google has made a concerted effort in recent months to try to eliminate bad apps for its Android mobile platform on the Google Play store, something the company historically has battled. These types of apps have been installed nearly 600 million times on 100 million-plus devices, according to a Sophos report, which said it pulled the numbers from Google's own Google Play marketplace.

PoC Exploits Released for Crypto Vulnerability Found by NSA
2020-01-16 14:13

Several proof-of-concept exploits have already been created - and some of them have been made public - for CVE-2020-0601, the crypto-related Windows vulnerability that Microsoft patched recently after being notified by the U.S. National Security Agency. Currently, there is no evidence that the vulnerability has been exploited in attacks, but PoC exploits have been created for CVE-2020-0601 much faster than many had anticipated.

Update now! Popular WordPress plugins have password bypass flaws
2020-01-16 13:47

Researchers have discovered password bypass vulnerabilities affecting two WordPress plugins from a publisher called Revmakx. The first vulnerable plugin is Revmakx's InfiniteWP Client, a tool that allows admins to manage multiple WordPress sites from the same interface.

Apps are sharing more of your data with ad industry than you may think
2020-01-16 13:43

All of the tested apps share user data with multiple third parties, and all but one share data beyond the device advertising ID, including a user's IP address and GPS position; personal attributes such as gender and age; and app activities such as GUI events. Though not all of the data transmissions Mnemonic analyzed included excessive personal data such as GPS location, put all of the data together, and you can create detailed pictures of individuals.

Google to kill third-party Chrome cookies in two years
2020-01-16 13:20

Google doesn't want to block third-party cookies in Chrome right now. Once these approaches have addressed the needs of users, publishers, and advertisers, and we have developed the tools to mitigate workarounds, we plan to phase out support for third-party cookies in Chrome.

Fugue open sources Regula to evaluate Terraform for security misconfigurations and compliance violations
2020-01-16 12:58

Fugue has open sourced Regula, a tool that evaluates Terraform infrastructure-as-code for security misconfigurations and compliance violations prior to deployment. Regula rules are written in Rego, the open source policy language employed by the Open Policy Agent project, and can be integrated into CI/CD pipelines to prevent cloud infrastructure deployments that may violate security and compliance best practices.

College students call for ban on facial recognition on campus
2020-01-16 12:57

On Tuesday, the digital rights group Fight for the Future announced that it's teamed up with Students for Sensible Drug Policy to ban the biometric technology from university campuses. Facial recognition surveillance spreading to college campuses would put students, faculty, and community members at risk.

Facebook users will be notified when their credentials are used for third-party app logins
2020-01-16 12:28

Facebook will explicitly tell users who use Facebook Login to log into third-party apps what information those apps are harvesting from their FB account. At the same time, users will be able to react quickly if someone managed to compromise their Facebook accounts and is using their credentials to access other apps and websites.

Senators Field Legislation to Build Huawei 5G Alternatives
2020-01-16 11:18

One gaping hole in the U.S. government's push to counter Chinese-built 5G telecommunications gear remains the lack of alternatives. For the past year, the U.S. has been pushing its allies, including the Five Eyes intelligence alliance - comprising Australia, Canada, New Zealand, the U.K. and the U.S. - to not use Chinese-built networking equipment in their national 5G rollouts or any "sensitive" networks.