Security News
Week in review: PolKit vulnerability, fake tax apps pushing malware, EU’s bug bounty for open source
PolKit vulnerability can give attackers root on many Linux distros
A memory corruption vulnerability in PolKit, a component used in major Linux distributions and some Unix-like operating systems, can be easily exploited by local unprivileged users to gain full root privileges.

Attackers connect rogue devices to organizations' network with stolen Office 365 credentials
Attackers are trying out a new technique to widen the reach of their phishing campaigns: using stolen Office 365 credentials, they try to connect rogue Windows devices to the victim organizations' network by registering them with the organizations' Azure AD.

Stealthy Excel malware putting organizations in crosshairs of ransomware gangs
The HP Wolf Security threat research team identified a wave of attacks utilizing Excel add-in files to spread malware, helping attackers gain access to targets and exposing businesses and individuals to data theft and destructive ransomware attacks.
The European Systemic Risk Board proposed a new systemic cyber incident coordination framework that would allow the relevant EU authorities to coordinate better when responding to major cross-border cyber incidents impacting the Union's financial sector. The ESRB is an independent EU body established in 2010 that oversees the European Union's financial system to prevent and mitigate systemic risk.
The European Union is, once again, calling on bug hunters to delve into specific open source software and report bugs. "One criterion in selecting bug bounties was their use within European public services," the European Commission Open Source Programme Office explained.
The European Data Protection Supervisor has ordered European Union law enforcement agency Europol to delete any data it has on individuals that's over six months old, provided there's no link to criminal activity. The investigation concluded the law enforcement agency needed to up its game when it came to data minimisation and retention and encouraged Europol to make necessary changes and then let the EDPS know of its action plan.
The European Parliament's Internal Market and Consumer Protection Committee has adopted the Digital Services Act proposal by 36 votes to 7 and 2 abstentions. The main goal of the DSA is to empower EU regulators to control large internet platforms and impose stricter mechanisms for removing "Fake news" and "Abusive content."
Ukrainian law enforcement arrested 51 suspects believed to have been selling, on hacking forums, stolen personal data belonging to hundreds of millions of people worldwide, including in Ukraine, the US, and Europe. "As a result of the operation, about 100 databases of personal data relevant for 2020-2021 were seized," the Cyberpolice Department of the National Police of Ukraine said.
It was reported that the private key used to sign EU Digital Covid certificates was leaked and circulated on messaging apps and online data breach marketplaces. The key was misused to generate certificates for Adolf Hitler, Mickey Mouse, and Sponge Bob that were, for a short time, recognized as valid by official government apps.
The EU needs more cybersecurity graduates to plug the political bloc's shortage of skilled infosec bods, according to a report from the ENISA online security agency. In a new report titled "Addressing the EU Cybersecurity Skills Shortage and Gap Through Higher Education", academics Jason Nurse and Konstantinos Adamos, together with ENISA's Athanasios Grammatopoulos and Fabio Di Franco, said the European Union needs to get more students signing up for cybersecurity degrees.
The European Commission has taken action to improve the cybersecurity of wireless devices available on the European market. The delegated act to the Radio Equipment Directive adopted today aims to make sure that all wireless devices are safe before being sold on the EU market.
Having struck down Safe Harbor - the agreement governing EU-US data transfers - in 2015, the Court of Justice of the European Union went on to condemn its replacement, the beleaguered EU-US Privacy Shield, to a similar fate just over a year ago. Now, it would be wrong to say that lightning struck a third time - the CJEU did not invalidate SCCs - but the Court did rule, in the same judgment that put an end to the Privacy Shield, that businesses must assess the underlying transfer of data to which the contracts apply.