Akamai Talks Massive Uptick in Credential-Stuffing Attacks Against Bank APIs
2020-03-12 13:57

Research from Akamai recently found that up to 75 percent of all credential abuse attacks against the financial services industry in 2019 targeted APIs directly. "We talk about API attacks and the reason why criminals are using targeted methods against API because the traditional 'throw it and hope it sticks' against financial services just isn't cutting it anymore, they have to be more creative," Steve Ragan, security researcher with Akamai, told Threatpost.

Intel patches graphics drivers and offers new LVI flaw mitigations
2020-03-12 13:05

Intel's March security updates reached its customers this week and on the face of it, the dominant theme is the bundle of flaws affecting the company's Graphics drivers. The star flaw of the month is CVE 29, the Load Value Injection weakness publicised this week by a diverse group of mainly academic security researchers.

Dell: Cost of data loss per organization surpassed $1M in the past year
2020-03-12 13:00

Within the last 12 months, the total cost of data loss has reached an average of more than $1 million per organization, Dell Technologies found. Despite businesses managing nearly 40% more data than they were a year ago, the majority of professionals said their current data protection solutions aren't good enough.

Vulnerability Prompts Avast to Disable Emulator Used by Antivirus
2020-03-12 13:00

Avast this week disabled a JavaScript interpreter that is part of its antivirus product, after a security researcher discovered a vulnerability that could potentially lead to remote code execution. Despite being a high-privilege process running untrusted input, the emulator was not sandboxed and also had poor mitigation coverage, Ormandy discovered.

Analytics firm’s VPN and ad-blocking apps are secretly grabbing user data
2020-03-12 12:22

A popular analytics platform has been secretly installing root certificates on mobile devices so it can suck up users' data from its 20 or more ad-blocker and virtual private network mobile apps, according to a BuzzFeed News investigation. Some of the apps are no longer available, but BuzzFeed News said it recently traced a handful of apps in the Google Play store to Sensor Tower, including Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus.

Critical Patch Released for 'Wormable' SMBv3 Vulnerability — Install It ASAP!
2020-03-12 12:09

Microsoft today finally released an emergency software update to patch the recently disclosed very dangerous vulnerability in the SMBv3 protocol that could let attackers launch wormable malware, which can propagate itself from one vulnerable computer to another automatically. The latest vulnerability, for which a patch update is now available on the Microsoft website, exists in the way the SMBv3 protocol handles requests with compression headers, making it possible for unauthenticated remote attackers to execute malicious code on target servers or clients with SYSTEM privileges.

Tech Must Be Treated Like Tobacco, Says Facebook Whistleblower
2020-03-12 12:03

Facebook and other tech companies need to be regulated like the tobacco industry, warned Christopher Wylie, the whistleblower who exposed the Cambridge Analytica scandal. The data scientist revealed how he helped the disgraced company, founded by Donald Trump's former right-hand man Steve Bannon, to use unauthorised personal data harvested from Facebook to help swing a string of elections, including Trump's US presidential win in 2016.

Google Offering Higher Bonuses for Cloud Platform Vulnerabilities
2020-03-12 11:42

Google announced on Wednesday that it's prepared to pay out an extra $313,337 for interesting Cloud Platform vulnerabilities submitted in 2020. Researchers who find vulnerabilities in Google Cloud Platform and disclose them through the company's Vulnerability Reward Program can earn up to $31,337.

The Whisper Secret-Sharing App Exposed Locations
2020-03-12 11:30

Whisper, the secret-sharing app that called itself the "Safest place on the Internet," left years of users' most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been unmasked or blackmailed. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results.