Security News

San Francisco, CA-based attack surface management firm RiskIQ has raised $15 million in a Series D funding round led by National Grid Partners. RiskIQ monitors the attack surface from outside of the firewall, with services including vulnerability management, application security and penetration testing.

A critical vulnerability affecting traffic light controllers made by SWARCO could have been exploited by hackers to disrupt a city's traffic lights. Peter Fröhlich, managing director at ProtectEM, told SecurityWeek that the vulnerability was discovered during a security audit conducted for a city in Germany that hired his company to analyze networked traffic systems.

ASE is used by more than 30,000 organizations globally - including 90 percent of the top banks and security firms worldwide, according to SAP. Researchers disclosed six vulnerabilities that they discovered while conducting security tests for the latest version of the software, ASE 16. While SAP has released patches for both ASE 15.7 and 16.0 in its May 2020 update, researchers disclosed technical details of the flaws on Wednesday, saying "There is no question" that the patches should be applied immediately if they haven't been already.

Does your IT security model take into account things like pacemakers? According to Dr Victoria Baines, speaking at Infosec Europe, "We also perhaps neglect the idea that critical infrastructure might be inside people" as well as merely carried in their pockets. Baines was speaking during a panel webinar about protecting critical national infrastructure.

Cybersecurity researchers from Cisco Talos unveiled today that it discovered two critical vulnerabilities in the Zoom software that could have allowed attackers to hack into the systems of group chat participants or an individual recipient remotely. According to the researchers, successful exploitation of both flaws requires no or very little interaction from targeted chat participants and can be executed just by sending specially crafted messages through the chat feature to an individual or a group.

Cybersecurity researchers from Cisco Talos unveiled today that it discovered two critical vulnerabilities in the Zoom software that could have allowed attackers to hack into the systems of group chat participants or an individual recipient remotely. According to the researchers, successful exploitation of both flaws requires no or very little interaction from targeted chat participants and can be executed just by sending specially crafted messages through the chat feature to an individual or a group.

Google has addressed two critical flaws in its latest monthly Android update that enable remote code execution on Android mobile devices. The critical bugs exist in the Android System area, and would allow a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.

Google has started rolling out the June 2020 security patches for the Android operating system, which address a total of 43 vulnerabilities, including several rated critical. This is one of the two critical remote code execution issues patched in System, both affecting Android releases 8.0 through 10.

nCipher Security, an Entrust Datacard company, announces its support for new key import method for Azure Key Vault, allowing customers to generate and transfer encryption keys to Azure Key Vault using an on-premises or as a service nShield HSM, giving them complete control over both their keys and their data security. Azure Key Vault helps safeguard cryptographic keys and secrets that cloud applications and services use.

Security researcher Bhavuk Jain has landed a $100,000 payday after he reported a critical flaw in Apple's sign-in system that could be exploited to access countless accounts on sites from Dropbox and Spotify to Airbnb. The security hole affected all third-party apps that use the service - Apple's equivalent of the Facebook and Google sign-in services - and "Could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not."