
RIP World Password Day
2023-05-05 13:59

Today is World Password Day, but yesterday was an inflection point that may force a change to next year's event; perhaps we'll call it "World Passwordless Day" or "Password Memorial Day." Google announced at this year's RSA conference that it now supports passkeys across accounts on all its major platforms. Google's announcement comes a year after the company, along with Microsoft, Apple and others, said they would start the shift to passkeys with expanded support for a common passwordless sign-in standard created by the Fast Identity Online (FIDO) Alliance and the World Wide Web Consortium.

New Android Malware 'FluHorse' Targeting East Asian Markets with Deceptive Tactics
2023-05-05 13:47

Various sectors in East Asian markets have been subjected to a new email phishing campaign that distributes a previously undocumented strain of Android malware called FluHorse that abuses the Flutter software development framework. "The malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs," Check Point said in a technical report.

Capita admits some pension data 'likely' to have been accessed in March breach
2023-05-05 11:57

Capita is telling pension customers that some data contained within its systems was potentially accessed when criminals broke into the outsourcing giant's tech infrastructure earlier this year. As part of the ongoing investigation, Capita said in April around 4 percent of its servers were accessed by the intruder and some customers, colleagues and suppliers' data was lifted.

Hackers Targeting Italian Corporate Banking Clients with New Web-Inject Toolkit DrIBAN
2023-05-05 11:49

Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019. "The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments trying to alter legitimate banking transfers performed by the victims by changing the beneficiary and transferring money to an illegitimate bank account," Cleafy researchers Federico Valentini and Alessandro Strino said.

Former Uber CSO avoids prison for concealing data breach
2023-05-05 10:35

Joe Sullivan, the former Uber CSO who was convicted last year of covering up a data breach Uber suffered in 2016 and keeping it hidden from the Federal Trade Commission, has been sentenced to three years of probation plus 200 hours of community service. Sullivan became Chief Security Officer at Uber in April 2015, and in November 2016 testified before the FTC under oath about the measures the company had taken to keep customer data secure following a 2014 data breach.

N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks
2023-05-05 10:19

The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign. Active since at least 2012, the prolific threat actor has been linked to targeted attacks on non-governmental organizations, think tanks, diplomatic agencies, military organizations, economic groups, and research entities across North America, Asia, and Europe.

Lack of Visibility: The Challenge of Protecting Websites from Third-Party Scripts
2023-05-05 10:18

This article explores the challenges of protecting modern websites from third-party scripts and the security risks associated with a lack of visibility over these scripts. Third-party scripts are often invisible to standard security controls like Web Application Firewalls because they are loaded from external sources that are not under the control of the website owner.

Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Installs Compromised
2023-05-05 09:52

PHP software package repository Packagist revealed that an attacker gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. "The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," Packagist's Nils Adermann said.

Critical RCE vulnerability in Cisco phone adapters, no update available (CVE-2023-20126)
2023-05-05 09:50

Cisco has revealed the existence of a critical vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters. "This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware," Cisco's security advisory explains.

Users complain over UK state-owned bank's services as Atos eyes the exit
2023-05-05 08:30

The UK National Savings and Investment bank is being bombarded with complaints over failing online security and authentication features which customers say have locked them out of their accounts. The Register has contacted NS&I to offer it the opportunity to respond.