Security News

How security theater misses critical gaps in attack surface and what to do about it
2020-09-16 05:30

Bruce Schneier coined the phrase security theater to describe "Security measures that make people feel more secure without doing anything to actually improve their security." That's the situation we still face today when it comes to defending against cyber security risks. Broaching a concern such as security theater with security professionals can result in defensiveness or ire from disturbing a well-established process, or worse, practitioners assuming there is some implied level of foolishness or ineptitude.

Five critical success factors for the 5G economy
2020-09-15 02:30

Policymakers should focus on five critical success factors in order to ensure the US continues to build its emerging 5G economy, according to a report from Boston Consulting Group. Drawing on an in-depth analysis of the factors that secured America's leadership of the 4G economy, the study concludes that spectrum availability and wireless network deployments, along with broader economic factors such as a pro-investment and innovation business climate, private sector R&D, and workforce readiness are key to expanding a country's 5G penetration rate and 5G-powered economic growth.

University Project Tracks Ransomware Attacks on Critical Infrastructure
2020-09-12 11:43

A team at Temple University in Philadelphia has been tracking worldwide ransomware attacks on critical infrastructure, and anyone can request access to the data. An analysis of the data currently shows that government facilities were the most targeted type of critical infrastructure - followed at a distance by education and healthcare - and Maze was the most common ransomware strain.

Google Squashes Critical Android Media Framework Bug
2020-09-09 20:32

Google patched a critical vulnerability in the Media Framework of its Android operating system, which if exploited could lead to remote code execution attacks on vulnerable devices. "The most severe of these issues is a critical security vulnerability in the Media Framework component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," according to the Android security update.

Intel Releases Firmware Updates to Patch Critical Vulnerability in AMT, ISM
2020-09-09 18:42

Intel this week released security patches to address a critical vulnerability in Active Management Technology and Intel Standard Manageability. The bug, which Intel calls improper buffer restrictions in network subsystems, could be abused by unauthorized users to escalate privileges via network access in provisioned AMT and ISM versions before 11.8.79, 11.12.79, 11.22.79, 12.0.68 and 14.0.39.

Critical Flaws in 3rd-Party Code Allow Takeover of Industrial Control Systems
2020-09-09 15:58

Remote, unauthenticated attackers can exploit the flaws to launch various malicious attacks - including deploying ransomware, and shutting down or even taking over critical systems. The flaws exist in CodeMeter, owned by Wibu-Systems, which is a software management component that's licensed by many of the top industrial control system software vendors, including Rockwell Automation and Siemens.

Critical Access Control Vulnerability Patched in SAP Marketing
2020-09-09 11:22

Two of the Security Notes are rated Hot News and address critical flaws in SAP Marketing - Mobile Channel Servlet and NetWeaver and ABAP Platform, which feature CVSS scores of 9.6 and 9.1, respectively. "An exploit of the vulnerability enables an attacker to perform tasks related to contact and interaction data," Onapsis, a firm that specializes in securing Oracle and SAP applications, explains.

Android's September 2020 Patches Fix Critical System Vulnerabilities
2020-09-09 10:50

Google addressed two critical vulnerabilities in the Android System component as part of the newly released September 2020 set of security patches. More than 50 flaws are described in the Android Security Bulletin for September 2020: twenty-two as part of the 2020-09-01 security patch level and twenty-nine with the 2020-09-05 security patch level.

Microsoft’s Patch Tuesday Packed with Critical RCE Bugs
2020-09-08 20:40

Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. Another critical RCE vulnerability that should be prioritized for patching is CVE-2020-1210, which exists in SharePoint due to a failure to check an application package's source markup.

Critical Intel Active Management Technology Flaw Allows Privilege Escalation
2020-09-08 20:34

Intel patched a critical privilege escalation vulnerability in its Active Management Technology, which is used for remote out-of-band management of PCs. AMT is part of the Intel vPro platform and is primarily used by enterprise IT shops for remote management of corporate systems. The issue, found internally by Intel employees, ranks 9.8 out of 10 on the CVSS scale, making it critical severity, according to Intel in a Tuesday security advisory.