Security News

Infosec researchers pwned Comcast's voice-activated remote control so it could snoop on household chit-chat
2020-10-07 13:02

A voice-activated TV remote can be turned into a covert home surveillance device, according to researchers from infosec firm Guardicore who probed the device to show that a man-in-the-middle attack could compromise it. Guardicore discovered an attack vector on US telco giant Comcast's Xfinity XR11 voice remote - of which around 18 million units have been sold - that allowed malicious people to turn it into an eavesdropping device.

New infosec products of the week: October 2, 2020
2020-10-02 05:30

Fleek launches Space, an open source, private file storage and collaboration platform. Space's mission is to enable a fully private, peer to peer file and work collaboration experience for users.

Singapore to treat infosec as equivalent public good to fresh running water
2020-10-01 05:13

The deputy chief executive of Singapore's Cyber Security Agency, Brigadier General Gaurav Keerthi, says the island nation now considers providing a secure environment to citizens and businesses the equivalent of providing fresh water and sewerage services, and will next week improve digital hygiene with a voluntary "Cybersecurity Labelling Scheme" that will rate consumer broadband gateways. Speaking at the Black Hat Asia conference in Singapore today, Keerthi explained that it's his job to defend Singapore from cyber-threats.

Week in review: Infosec career misconceptions and challenges, early warning signs of ransomware
2020-09-27 07:55

CISA orders federal agencies to implement Zerologon fix
If you had any doubts about the criticality of the Zerologon vulnerability affecting Windows Server, here is a confirmation: the US Cybersecurity and Infrastructure Security Agency has issued an emergency directive instructing federal agencies to "Immediately apply the Windows Server August 2020 security update to all domain controllers."

NIST guide to help orgs recover from ransomware, other data integrity attacks
The National Institute of Standards and Technology has published a cybersecurity practice guide enterprises can use to recover from data integrity attacks, i.e., destructive malware and ransomware attacks, malicious insider activity or simply mistakes by employees that have resulted in the modification or destruction of company data.
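The CISA directive quoted above tells agencies to apply the August 2020 update to every domain controller; the following is an added example of how an administrator could check that, and is not code from CISA, NIST or the original article. It assumes a domain-joined admin host with the ActiveDirectory RSAT module and WinRM access to each DC, and it treats a security update installed on or after the August 2020 Patch Tuesday (2020-08-11) as a proxy for the Zerologon (CVE-2020-1472) fix, since later cumulative updates supersede it. The `FullSecureChannelProtection` registry value is the Netlogon enforcement switch that shipped with that update.

```powershell
# Added example: report, per domain controller, the most recent security update
# installed since the August 2020 Patch Tuesday and whether Netlogon secure-channel
# enforcement has been switched on. Assumptions: ActiveDirectory module present,
# WinRM/DCOM reachable on each DC, and run with rights to query hotfixes remotely.

Import-Module ActiveDirectory

$patchTuesday = Get-Date '2020-08-11'
$netlogonKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        # Any security update dated on/after 2020-08-11 contains the Zerologon fix
        # (cumulative updates are supersets of earlier ones).
        $latest = Get-HotFix -ComputerName $name -ErrorAction Stop |
            Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1

        # FullSecureChannelProtection = 1 forces secure RPC for all Netlogon
        # channels; absent means the DC is in the initial deployment phase.
        $enforce = Invoke-Command -ComputerName $name -ScriptBlock {
            param($key)
            (Get-ItemProperty -Path $key -Name FullSecureChannelProtection `
                -ErrorAction SilentlyContinue).FullSecureChannelProtection
        } -ArgumentList $netlogonKey

        [pscustomobject]@{
            DomainController = $name
            OS               = $dc.OperatingSystem
            LatestUpdate     = if ($latest) { $latest.HotFixID } else { 'none since 2020-08-11' }
            InstalledOn      = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { '' }
            Enforcement      = if ($enforce -eq 1) { 'enforced' } elseif ($null -eq $enforce) { 'not set' } else { "value=$enforce" }
            Status           = if ($latest) { 'patched' } else { 'UNPATCHED' }
        }
    } catch {
        # Unreachable DCs are reported rather than silently skipped: a DC you
        # cannot inventory must be treated as unverified, not as patched.
        [pscustomobject]@{
            DomainController = $name
            OS               = $dc.OperatingSystem
            LatestUpdate     = 'n/a'
            InstalledOn      = ''
            Enforcement      = 'n/a'
            Status           = "ERROR: $($_.Exception.Message)"
        }
    }
}

$results | Sort-Object Status, DomainController | Format-Table -AutoSize
```

The report is a triage aid, not proof: confirm any DC listed as "patched" against the build number for its OS, and treat every "UNPATCHED" or "ERROR" row as out of compliance with the directive until shown otherwise.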

Wondering how to tell the world you've been hacked? Here's a handy guide from infosec academics
2020-09-24 16:46

Infosec boffins at the University of Kent have developed a "Comprehensive playbook" for companies who, having suffered a computer security breach, want to know how to shrug off the public consequences and pretend everything's fine. In a new paper titled "A framework for effective corporate communication after cyber security incidents," Kent's Dr Jason Nurse, along with Richard Knight of the University of Warwick, devised a framework for companies figuring out how to publicly respond to data security breaches and similar incidents where servers are hacked and customer records end up in the hands of criminals.

Infosec pros struggle to find opportunities to improve their work skills
2020-09-23 04:30

68 percent of respondents report investing their own free time, outside working hours to improve their cyber skills. 46 percent of organizations do not confirm new hire skills for specific roles and 40 percent rarely or never assess the skills of newly onboarded team members.

Qualys Multi-Vector EDR: Providing infosec teams with actionable visibility into their endpoints
2020-09-23 02:30

Qualys announced the immediate availability of Qualys Multi-Vector EDR. Taking a new multi-vector approach to Endpoint Detection and Response, Qualys now brings the unified power of its highly scalable cloud platform to EDR. "Qualys Multi-Vector EDR provides our Infosec team with actionable visibility into our endpoints in terms of detecting malicious hashes provided by intelligent agencies as well as detecting potential malicious attacks through authorized processes, to keep our company assets secure." "Unfortunately, not all organizations have such a focus. Nevertheless, weaving in threat intelligence enables Qualys to combine in-house context and vulnerability management-driven prioritization with external context, representing an opportunity to achieve something greater than the majority of the market to date," said Mark Child, research manager, European Security, IDC. "We are proud to deliver Multi-Vector EDR to customers and extend into the detection and response market," said Philippe Courtot, chairman and CEO of Qualys.

Voatz Under Fire From Infosec Community Over Its Views on Security Research
2020-09-16 04:08

In the amicus brief it filed, Voatz suggests that only authorized security research should be considered lawful, but not independent security research, even if in good faith. "It is clear security research has tangibly improved the safety and security of systems we depend upon. It is not a given that this vital security work will continue. A broad interpretation of the CFAA would magnify existing chilling effects, even when there exists a societal obligation to perform such research," the letter reads.

Infosec big names rally against US voting app maker's bid to outlaw unsanctioned bug hunting via T&Cs
2020-09-15 01:08

About 70 members of the computer security community on Monday challenged US voting app maker Voatz's effort to dictate the terms under which bug hunters can look for code flaws. Earlier this month, Massachusetts-based Voatz filed an amicus brief in Van Buren v. United States, a case being heard by the US Supreme Court that will determine the scope of the US Computer Fraud and Abuse Act, a cybersecurity law long criticized for its ambiguity.