Security News > 2022 > May

Even C-suite executives use terrible passwords like '123456'. That's not just the case not just with regular website users and employees: A report released Tuesday by password manager NordPass examines how even C-suite executives and business owners try to secure their accounts with some of the most unsecure passwords imaginable.

While they have good intentions to foster mental health and spiritual wellness, the majority of mental-health and prayer apps can harm their users in other ways by exposing personal and intimate data due to a severe lack of security and privacy protections, researchers from Mozilla have found. Mozilla's Jen Caltrider, the lead researcher for the report, went so far as to call the majority of mental health and prayer apps "Exceptionally creepy" in a blog post about the study.

Five critical remote code execution vulnerabilities in millions Aruba and Avaya devices can be exploited by cybercriminals to take full control of network switches commonly used in airports, hospitals, and hotels, according to Armis researchers. The flaws affect about 10 million devices across HPE's Aruba and Extreme Networks' Avaya switching portfolio, and have severity scores ranging from 9.0 to 9.8 out of 10.

According to the research paper by Trinity College Dublin computer science professor Douglas Leith, the company had been gathering far too much user data from core messaging apps, and the forensic analysis of the network flow extracted a well-deserved mea culpa from Mountain View. The complexity of this system is matched by the lack of transparency over how it works, much as the charming simplicity of using Alexa - you just gab at it - hides how it works.

Google in the next few days plans to begin testing fenced frames, a proposed web API to help its Privacy Sandbox ad technologies meet commitments to privacy of a sort. Fenced frames are designed to take the place of inline frames, or iframes, for specific scenarios like delivering interest-based ads without betraying interest data to the web page in which they're embedded.

Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. "This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file," Trend Micro researchers, Christoper Ordonez and Alvin Nieto, said in a Monday analysis.

A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments. Mandiant is tracking the activity cluster under the uncategorized moniker UNC3524, citing a lack of evidence linking it to an existing group.

The new PyScript project lets you embed Python programs directly in HTML pages and execute them within the browser without any server-based requirements. "PyScript is a framework that allows users to create rich Python applications in the browser using a mix of Python with standard HTML." explains Anaconda in a recent blog post.

Cloud-based code hosting platform GitHub described the recent attack campaign involving the abuse of OAuth access tokens issued to Heroku and Travis-CI as "Highly targeted" in nature. "This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories," GitHub's Mike Hanley said in an updated post.

The Open Source Security Foundation has announced the initial prototype release of a new tool that's capable of carrying out dynamic analysis of all packages uploaded to popular open source repositories. Called the Package Analysis project, the initiative aims to secure open-source packages by detecting and alerting users to any malicious behavior with the goal of bolstering the security of the software supply chain and increasing trust in open-source software.