Security News > 2022 > January

Over the past two years, many public sector organizations were prompted by the immediate need to deploy digital infrastructure to maintain continuity of their services amid the COVID-19 pandemic - such as offering citizens license renewals online and virtual education - and are now grappling with the impacts on cybersecurity and user experience. Most governments are looking to expand their digital services in the next two years and rank protecting citizen's privacy and data as most important when thinking about online citizen services.

Apricorn announced new findings from Freedom of Information requests submitted to 16 government departments into the security of devices held by public sector employees. Despite the number of misplaced devices, NHS Digital were not required to notify the Information Commissioner's Office of any lost or stolen devices in the past year as these incidents related to encrypted devices and were unlikely to result in a risk to individuals' rights and freedoms as required under Article 33 of the UK GDPR. All organisations, whether they operate in the commercial or public sector, should take heed of the level of mitigation encryption brings in a breach event.

Amid the COVID-19 crisis, the global market for zero-trust security estimated at $18.3 billion in the year 2020, is projected to reach a revised size of $64.4 billion by 2027, growing at a CAGR of 19.7% over the period 2020-2027, according to ResearchAndMarkets. On-Premise, one of the segments analyzed in the report, is projected to record 19% CAGR and reach US$39.

Researchers have disclosed a security shortcoming affecting three different WordPress plugins that impact over 84,000 websites and could be abused by a malicious actor to take over vulnerable sites. "This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site's administrator into performing an action, such as clicking on a link," WordPress security company Wordfence said in a report published last week.

UniCC, the biggest dark web marketplace of stolen credit and debit cards, has announced that it's shuttering its operations after earning $358 million in purchases since 2013 using cryptocurrencies such as Bitcoin, Litecoin, Ether, and Dash. "Don't build any conspiracy theories about us leaving," the anonymous operators of UniCC said in a farewell posted on dark web carding forums, according to blockchain analytics firm Elliptic.

Enterprise software maker Zoho on Monday issued patches for a critical security vulnerability in Desktop Central and Desktop Central MSP that a remote adversary could exploit to perform unauthorized actions in affected servers. Tracked as CVE-2021-44757, the shortcoming concerns an instance of authentication bypass that "May allow an attacker to read unauthorized data or write an arbitrary zip file on the server," the company noted in an advisory.

An elusive threat actor called Earth Lusca has been observed striking organizations across the world as part of what appears to be simultaneously an espionage campaign and an attempt to reap monetary profits. "The list of its victims includes high-value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, COVID-19 research organizations, and the media, amongst others," Trend Micro researchers said in a new report.

Microsoft has released emergency out-of-band updates to address multiple issues caused by Windows Updates issued during the January 2021 Patch Tuesday.All OOB updates released today are available for download on the Microsoft Update Catalog, and some of them can also be installed directly through Windows Update as optional updates.

Microsoft has released emergency out-of-band updates to address multiple issues caused by Windows Updates issued during the January 2021 Patch Tuesday. All OOB updates released today are available for download on the Microsoft Update Catalog, and some of them can also be installed directly through Windows Update as optional updates.

Google Chrome has announced plans to prohibit public websites from directly accessing endpoints located within private networks as part of an upcoming major security shakeup to prevent intrusions via the browser. The proposed change is set to be rolled out in two phases as part of releases Chrome 98 and Chrome 101 scheduled in the coming months via a newly implemented W3C specification called private network access.