Security News > 2022 > July

While people were celebrating the Fourth of July holiday in the United States, Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability, the fourth such flaw the vendor has had to patch in its browser product so far this year. Chrome 103 for Android and Version 103.0.5060.114 for Windows and Mac, outlined in separate blog posts published Monday, fix a heap buffer overflow flaw in WebRTC, the engine that gives the browser its real-time communications capability.

Alibaba's financial services affiliate, Ant Group, has open sourced its "Privacy-preserving Computation Framework." A "Secure Processing Unit" that offers a "Provable, measurable secure computation device, which provides computation ability while keeping your private data protected".

Malicious individuals are using stolen personally identifiable information and voice and video deepfakes to try to land remote IT, programming, database and software-related jobs, the FBI has warned last week. Deepfakes are synthetic media - images, audio recordings, videos - that make it look like a person has been doing and saying things they haven't done or said.

The Netherlands' Maastricht University has managed to recoup the Bitcoin ransom it paid to ransomware scum in 2019 - and has made a tidy profit on the deal. The University explained that in 2019 it suffered a ransomware attack that prevented staff and students from accessing research data, email, or library resources.

Google on Monday shipped security updates to address a high-severity zero-day vulnerability in its Chrome web browser that it said is being exploited in the wild. The shortcoming, tracked as CVE-2022-2294, relates to a heap overflow flaw in the WebRTC component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native apps.

A pro-China influence campaign singled out rare earth mining companies in Australia, Canada, and the U.S. with negative messaging in an unsuccessful attempt to manipulate public discourse to China's benefit. Targeted firms included Australia's Lynas Rare Earths Ltd, Canada's Appia Rare Earths & Uranium Corp, and the American company USA Rare Earth, threat intelligence firm Mandiant said in a report last week, calling the digital campaign Dragonbridge.

A threat actor has taken to a forum for news and discussion of data breaches with an offer to sell what they assert is a database containing records of over a billion Chinese civilians - allegedly stolen from the Shanghai Police. HackerDan released sample datasets: one containing delivery addresses and often instructions for drivers; another with police records; and the last with personal identification information like name, national ID number address, height, and gender.

PCI DSS is a global standard that provides a baseline of technical and operational requirements designed to protect account data. To provide organizations time to understand the changes in the new version and implement any updates needed, the current version of PCI DSS, 3.2.1, will remain active for two years until it is retired on 31 March 2024.

In this Help Net Security video, Etai Hochman, CTO at Mirato, talks about Shift Left, a concept that means to find and prevent defects early in the software delivery process. Shifting application security left to engage developers earlier in the software development lifecycle results in faster fixes and less wasted energy prioritizing and fixing vulnerabilities that pose little to no risk.

"People have become the primary attack vector for cyber-attackers around the world," said Lance Spitzner, SANS Security Awareness Director. "Awareness programs enable security teams to effectively manage their human risk by changing how people think about cybersecurity and help them exhibit secure behaviors, from the Board of Directors on down," said Spitzner.