Security News
Taiwan's CERT detected cyber-crooks impersonating medical authorities to attack the country's tech industry during the early stages of the COVID pandemic. "Attackers used COVID-19 social engineering to increase the success rate of their attacks," said TWCERT/CC director Chih-Hung Lin.
Thousands of ISO certifications at risk of lapsing due to halted re-certification auditsThousands of valuable ISO management system certifications earned by UK companies may now be at risk because auditors from Certification Bodies may not have been able to attend organizations' premises to conduct essential re-certification audits during the current coronavirus pandemic. Kali Linux 2020.3 released: A new shell and a Bluetooth Arsenal for NetHunterOffensive Security has released Kali Linux 2020.3, the latest iteration of the popular open source penetration testing platform.
The CERT Coordination Center at Carnegie Mellon University has published alerts on several vulnerabilities that impact Diebold Nixdorf ProCash and NCR SelfServ automated teller machines. A vulnerability in the Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30, CERT/CC reveals, could be abused by an attacker with physical access to internal machine components to commit deposit forgery.
From September 1, Apple software, from Safari to macOS to iOS, will reject new HTTPS and other SSL/TLS certificates that are valid for more than 398 days, plus or minus some caveats. "Connections to TLS servers violating these new requirements will fail," Apple warned in its official note.
On Saturday, at 10:48 UTC, Sectigo's AddTrust legacy root certificate expired, causing a bit of weekend havoc for thousands of websites and services that rely on it for making a secure TLS/SSL connection. "Generally speaking, this is affecting older, non-browser clients which talk to TLS servers which serve a Sectigo certificate chain ending in the expired certificate," wrote Andrew Ayer, founder of SSLMate, in a blog post.
British companies have been offered access to a £400k pot of cash to design a UK-specific "Kitemark" assurance scheme for Internet of Things products. The government grant scheme is intended to complement previous announcements, making it a legal requirement that IoT devices ship with unique, non-default passwords and for vendors to "Explicitly state" for how long security updates will be published.
A list posted by US-CERT this week rattles off the 10 most oft-targeted security vulnerabilities during the past three years, and finds that, shock horror, for the most part, keeping up with patching will keep you safe. Microsoft ranks highly in the list because its software is widely used, and provides the most potential targets for hackers, though on the other hand, fixes have been available for these bugs for a long while: it doesn't have to be this way, people.
Rabobank's Australian outpost has messed up its Android app, leaving an unknown number of users unable to access their bank accounts on mobile devices. Customers brought The Register's attention to the pile of woeful reviews for the bank's app, many featuring a complaint that it produces the error "Unable to connect please check your internet connection".
Let's Encrypt has halted its plans to cancel all three million flawed web security certificates - after fearing the super-revocation may effectively break a chunk of the internet for netizens. Earlier this week, the non-profit certificate authority, which issues HTTPS certs for free, announced a plan to disable some three million certificates tainted by a software bug.
UPDATE. Popular free certificate authority Let's Encrypt said it will revoke 3 million Transport Layer Security certificates Wednesday, because of a Certificate Authority Authorization bug. Let's Encrypt explained on Tuesday it had to revoke the 3 million certificates because of a CAA bug that impacted the way its software checked domain ownership before issuing certificates.