Critical Steps in Managing Vendor Security Risk
2020-01-14 20:19

In light of recent ransomware and other cyberattacks against vendors serving numerous healthcare organizations, it's critical to develop and deploy comprehensive vendor risk management programs, says John Farley, managing director of the cyber practice at Arthur J. Gallagher & Co., a provider of cyber insurance and risk management consulting. "It's very common that it's the vendor that gets hacked, and therefore you're going down. You're not the direct target of the cyberattack; it's your vendor," Farley says in an interview with Information Security Media Group.

Report: Russian Hackers Targeted Ukrainian Gas Firm Burisma
2020-01-14 20:18

Hackers with ties to the Russian government have been targeting Ukrainian natural gas company Burisma with a series of phishing attacks designed to steal employee credentials, according to researchers at Area 1 Security. Russian hackers' attacks on Burisma appear to have started around November, according to the Times.

January 2020 Patch Tuesday: Microsoft nukes Windows crypto flaw flagged by the NSA
2020-01-14 20:18

As forecasted, January 2020 Patch Tuesday releases by Microsoft and Adobe are pretty light: the "star of the show" is CVE-2020-0601, a Windows flaw flagged by the NSA that could allow attackers to successfully spoof code-signing certificates and use them to sign malicious code or intercept and modify encrypted communications. The flaw only affects newer versions of Windows and Windows Server, and is found in the Windows CryptoAPI, which validates Elliptic Curve Cryptography certificates.

NSA Discloses Serious Windows Vulnerability to Microsoft
2020-01-14 20:12

The U.S. National Security Agency has informed Microsoft that Windows is affected by a potentially serious spoofing vulnerability that could allow hackers to make a malicious file appear to come from a trusted source or conduct man-in-the-middle attacks. The NSA reached out to reporters to inform them about the vulnerability before Microsoft released its patches.

Google Says it Will Phase Out Web-Tracking 'Cookies'
2020-01-14 20:09

The online giant said its "Sandbox" program would still allow advertisers to deliver targeted messages, while also sparing people from being tracked by snippets of code called "cookies" when they use its Chrome web browser. "We are confident that with continued iteration and feedback, privacy-preserving and open-standard mechanisms like the Privacy Sandbox can sustain a healthy, ad-supported web in a way that will render third-party cookies obsolete," Chrome director of engineering Justin Schuh said in a post.

How to protect your Windows 7 computers and data after Microsoft cuts off support
2020-01-14 19:21

With no bug fixes or patches available for Windows 7 after Jan. 14, Veritas CIO John Abel offers tips to safeguard the PCs in your organization.

Google to Nix Chrome Support for Third-Party Cookies by 2022
2020-01-14 19:08

Google has set an aggressive two-year deadline for dropping support for third-party tracking cookies in its Chrome web browser. Justin Schuh, engineering director for Google Chrome, said in a post Tuesday that the phasing out of third-party cookies was in response to evolving attitudes about online privacy.

Upcoming Speaking Engagements
2020-01-14 19:00

This is a current list of where and when I am scheduled to speak: I'm speaking at Indiana University Bloomington on January 30, 2020. I'll be at RSA Conference 2020 in San Francisco. On Wednesday,...

Google Researchers Detail Critical iMessage Vulnerability
2020-01-14 18:51

Google Project Zero security researchers have published technical details on an iMessage vulnerability addressed last year, which could be exploited remotely to achieve arbitrary code execution. Tracked as CVE-2019-8641, the vulnerability is considered Critical, featuring a CVSS score of 9.8, and was discovered by Google Project Zero security researchers Samuel Groß and Natalie Silvanovich.

Attorney General Presses Apple to Unlock Shooter's iPhones
2020-01-14 18:18

U.S. Attorney General William Barr is ratcheting up the pressure on Apple to unlock two iPhones belonging to a Saudi national who killed three at a military base in Pensacola, Florida, in December. In comments on Monday, the attorney general labeled the shooting as an act of terrorism and accused Apple of hampering a counterterrorism investigation.