Security News

The breaches, which had been unreported, only came to light in January when Conservative MP Dean Allison demanded that the country's federal government produce a report for the Canadian House of Commons, according to the CBC. The 800-page report contained details about agency breaches in 2018 and 2019. In the report, the government admitted that agencies responsible for national defense, healthcare, tax revenue, postal service and immigration all sustained data breaches or accidentally exposed citizen data.

Unsigned firmware in WiFi adapters, USB hubs, trackpads, and other devices can be compromised by hackers, says enterprise firmware security company Eclypsium in a new report. A report released Tuesday by Eclypsium details the risks involved in using devices with unsigned firmware.

More than 22,000 vulnerabilities were disclosed in 2019 and over one-third had an exploit or a proof-of-concept available, Risk Based Security revealed on Tuesday. The company's 2019 Year End Vulnerability QuickView Report shows that of the 22,316 new security holes 33% were rated high severity based on their CVSS score.

Now, security firm ClearSky says that at least three advanced persistent threat groups, all with apparent ties to the Iranian government, have been joining the fray and hitting unpatched Fortinet, Pulse Secure and Palo Alto Networks VPN servers and Citrix remote gateways. Specific flaws needing to be patched include CVE-2019-11510 in Pulse Secure's VPN SSL servers, CVE-2018-13379 in Fortigate's SSL VPN servers, and CVE-2019-1579 in Palo Alto Network VPN servers, all of which ClearSky says Fox Kitten is now exploiting.

Another option is to report the email to Microsoft for analysis via the Outlook add-in called Report Message or a specific Microsoft address. You can use the process to report a "False negative," meaning a spam message that should have been identified as spam but was not.

Microsoft has decided to remove a couple of Windows security updates that address a UEFI issue after some users complained that the updates caused serious problems. Some users reported that their devices became unusable after trying to install the KB4524244 security update for Windows 10.

The company's "Web Application Vulnerabilities and Threats: Statistics for 2019" report found signs that companies are beginning to prioritize security but are still failing to do everything necessary when protecting web applications and users. Nine times out of 10, hackers are able to easily attack website visitors and 82% of web application vulnerabilities lie in the source code.

As the U.S. ramps up pressure on its allies to ban equipment from Chinese manufacturer Huawei from their 5G networks, U.S. officials now say they have evidence that the firm has created a backdoor that allows it to access mobile phone networks around the world, according to the Wall Street Journal. "We have evidence that Huawei has the capability secretly to access sensitive and personal information in systems it maintains and sells around the world," says Robert O'Brien, national security adviser, according to the Journal report.

Granicus, one of the largest IT service providers for U.S. federal and local government agencies, acknowledges that it left a massive Elasticsearch database exposed to the internet for at least five months, but it says the risks involved were low. Ehrlich says the Granicus database included links to files on websites belonging to the Department of Health and Human Services and U.S. House of Representatives, as well as hundreds of other local government units across the country.

Starting in the 1970s and continuing through the 1990s, the U.S. Central Intelligence Agency and the German BND intelligence service secretly controlled the majority of the Swiss firm Crypto AG, giving the two agencies access to the company's communication equipment, which was used around the world for top-secret government messages, according to the reports. A former Crypto AG worker told Switzerland's SRF television station that he would find two sets of encryption algorithms within the company's devices.