How to enable 2FA on a per-user basis in Nextcloud
2020-03-16 16:50

If you want to enable two-factor authentication for Nextcloud on a per-user basis, it's just a simple app installation away.

How to enable 2FA on a per-user basis in Nextcloud
2020-03-16 16:47

If you want to enable two-factor authentication for Nextcloud on a per-user basis, it's just a simple app installation away. The first thing you must do is enable two-factor authentication for your Nextcloud server.

There Are Plenty of Phish in the Sea
2020-03-16 16:23

Today, for modest amounts of money, would-be scammers can buy high-quality phishing tools online, through the Dark Web, enabling them to skip all the fuss and bother of actually learning how to code or do graphics or any of the other steps required to successfully scam someone. There the price of a phishing page averaged $338. Phishing - essentially stealing sensitive information like passwords, credentials, reset notifications and other forms of access through trickery - is the single most common form of online attack.

Organizations Slow to Patch Targeted Microsoft Exchange Vulnerability
2020-03-16 16:19

Organizations have fallen behind with the patching of a Microsoft Exchange Server vulnerability addressed with Microsoft's February 2020 Patch Day updates and already targeted in attacks. The issue, which exists because keys created at installation are not unique, is tracked as CVE-2020-0688 and impacts Microsoft Exchange 2010, 2013, 2016, and 2019.

Report: US Health and Human Services department hit by cyberattack amidst coronavirus fears
2020-03-16 16:03

The U.S. Department of Health and Human Services was the victim of a cyberattack on Sunday as the federal government attempts to deal with the coronavirus crisis, according to a report from Bloomberg. "The U.S. Health & Human Services fell victim to a Distributed Denial of Service attack yesterday when several endpoints controlled by a nation-state attacked their networks," Stephen Boyce, principal consultant at risk management and digital forensics firm Crypsis Group, said.

Health workers are top of phishers' target lists thanks to data value
2020-03-16 15:30

Nurses are among the groups most heavily targeted by email scammers because of the value of the data they can access, according to email security biz Proofpoint's Adenike Cosgrove. Cosgrove, an infosec strategist for Proofpoint, told The Register that not only are nurses and other frontline healthcare professionals at the top of phishing target lists, but that a healthcare worker asked her for advice on security best practice - rather than her own organisation's security team.

COVID-19 Themed Phishing Campaigns Continue
2020-03-16 15:22

The first report on the new campaign came in a RedDrip Team tweet on March 12, 2020: "Malicious document, pretending to be from the Government of #India with health advisory of Coronavirus, seems delivered by #Transparent Tribe. Victims are lured to enable macro to execute #Crimson #RAT payload." There have been numerous media reports about the Chinese nation-state APT Vicious Panda.

Slack Vulnerability Allowed Hackers to Hijack Accounts
2020-03-16 15:14

A researcher earned $6,500 from Slack last year after finding a critical vulnerability that could have been exploited to hijack Slack accounts. The vulnerability was reported to Slack in mid-November via the company's bug bounty program on HackerOne and it was patched within 24 hours, which is not uncommon for Slack when it comes to account hijacking issues.

TSA Admits Liquid Ban Is Security Theater
2020-03-16 14:31

Passengers will now be allowed to travel with containers of liquid hand sanitizer up to 12 ounces. The agency cautioned that the shift could mean slightly longer waits at checkpoint because the containers may have to be screened separately when going through security.

ProtonMail, ProtonVPN Will Use Alternative Routing to Bypass Censorship
2020-03-16 12:57

Over the coming weeks, a new alternative routing feature will become available across all of the ProtonMail and ProtonVPN mobile and desktop applications, the company says. "While we have largely been able to overcome censorship and attacks, it's imperative that we remain one step ahead of those who would seek to spy on people and restrict the freedom of information. Alternative routing is an additional capability which helps us ensure users can access our services," Proton says.