Hacker 'Ceasefire' Gets Little Traction as Pandemic Fuels Attacks
2020-04-03 15:12

A deluge of attacks has included phishing emails purporting to be from health agencies, counterfeit product offers and bogus charity donation requests, according to security analysts. Even with this unprecedented opportunity, some hackers are considering pulling back on attacks against individuals during the crisis, according to researchers who monitor dark web forums.

Security and Privacy Implications of Zoom
2020-04-03 15:10

In Zoom's white paper, there is a list of "Pre-meeting security capabilities" that are available to the meeting host that starts with "Enable an end-to-end encrypted meeting." Later in the white paper, it lists "Secure a meeting with E2E encryption" as an "In-meeting security capability" that's available to meeting hosts. When reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, "Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection."

Apple Awards Researcher $75,000 for Camera Hacking Vulnerabilities
2020-04-03 13:59

A white hat hacker says he has earned $75,000 from Apple for reporting several Safari vulnerabilities that can be exploited to hijack the camera and microphone of devices running iOS or macOS. Researcher Ryan Pickren identified a total of seven vulnerabilities in Apple's Safari web browser, three of which can be exploited to spy on users through the camera and microphone of their iPhone, iPad or Mac computer. Apple patched the vulnerabilities that allow hackers to spy on users in January, while the other flaws were fixed in March.

Researchers Discover Hidden Behavior in Thousands of Android Apps
2020-04-03 12:58

Thousands of mobile applications for Android contain hidden behavior such as backdoors and blacklists, a group of researchers has discovered. To detect such behaviors, researchers from The Ohio State University, New York University, and CISPA Helmholtz Center for Information Security built a tool that can identify "the execution context of user input validation and also the content involved in the validation," and thus surface hidden secrets of interest.

Spearphishing Campaign Exploits COVID-19 To Spread Lokibot Infostealer
2020-04-03 12:50

Researchers have discovered threat actors once again capitalizing on the COVID-19 pandemic and the current attention on the World Health Organization, with a new spearphishing email designed to spread the LokiBot trojan that uses the WHO trademark as a lure. The email carries an attachment that unleashes the LokiBot infostealer if downloaded and executed, according to a blog post published Thursday by threat analyst Val Saengphaibul.

Microsoft to hospitals: 11 tips on how to combat ransomware
2020-04-03 12:41

Microsoft is offering hospitals security tips to help them defend against ransomware. Though some ransomware groups have pledged to leave hospitals alone during the COVID-19 outbreak, other groups are clearly exploiting the situation.

Zoom pledges to find, fix security and privacy issues
2020-04-03 11:51

Zoom, in particular, has witnessed a massive influx of new users, which has led to increased scrutiny from information security researchers. Zoombombing has been exacerbated by lax privacy and security choices made by users, and by weaknesses that allow the creation of tools such as zWarDial, which automates Zoom meeting discovery.

Unpatched Flaw in Discontinued Plugin Exposes WordPress Sites to Attacks
2020-04-03 11:40

A stored cross-site scripting vulnerability in the Contact Form 7 Datepicker WordPress plugin will not receive a patch, leaving websites exposed to attacks, WordPress security firm Defiant reports. The plugin, designed to integrate with the Contact Form 7 contact form management plugin, had over 100,000 installations when the vulnerability was discovered.

Bug Bounty Programs Are Being Used to Buy Silence
2020-04-03 11:21

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. CSO's investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, in what multiple expert sources, including HackerOne's former chief policy officer, Katie Moussouris, call a "perversion."

‘Zombie’ Windows win32k bug reanimated by researcher
2020-04-03 10:29

In a rare find, a researcher has unveiled dozens of related bugs in a core Windows API that could enable attackers to elevate their privileges in the operating system. The bugs take advantage of a long-understood problem with win32k, which is the user interface kernel component in Windows.