Security News

The Apache Project's popular Guacamole open-source remote desktop software contained vulns allowing remote attackers to steal login creds and hijack targeted machines, researchers have said. The Apache Foundation has issued patches for Guacamole following Check Point's research, which resulted in two CVEs.

Industrial control systems can be hacked through barcode scanners, researchers at cybersecurity services company IOActive said on Tuesday. Hackers previously demonstrated that keystrokes can be remotely injected via an industrial barcode scanner into the computer the scanner is connected to, which could result in the computer getting compromised.

A University of Texas at Dallas study of 100 mobile apps for kids found that 72 violated a federal law aimed at protecting children's online privacy. Dr. Kanad Basu, assistant professor of electrical and computer engineering in the Erik Jonsson School of Engineering and Computer Science and lead author of the study, along with colleagues elsewhere, developed a tool that can determine whether an Android game or other mobile app complies with the federal Children's Online Privacy Protection Act.

Researchers at Awake Security have published a report on malicious extensions in the Chrome web store, making both specific claims of over 32 million downloads of one malware family, and general claims of weak security in both domain registration and Google's store. This led them to a bunch of malicious browser extensions, 111 in total, which "Were found to upload sensitive data or not perform the task they're advertised to perform. A common technique, they said, is that the developer gets a clean version of an extension approved, and later updates it with the malicious payload. Some of the suspicious extensions have a reassuring number of reviews and downloads, in one case more than 22,000 reviews and 10 million downloads, presumably achieved by bot activity. Another popular approach is to clone a genuine extension and bundle it with malware."Awake has since worked with Google to take down these extensions from the Chrome Web Store," said the report, but no doubt more are on the way.

As multiple companies inch closer to a potentially life-saving vaccine for the coronavirus, cybercriminals with varying motives have increased attacks. During a webinar with CISO MAG earlier this month, Bryan Ware, assistant director for the US Cybersecurity and Infrastructure Security Agency said the attacks being led by the Chinese government were "Hindering vaccine development in the US," and the government body released its own memo to vaccine researchers urging them to beef up defenses.

A security researcher was able to compromise an Android application by invoking each of its exposed Activity components. Activities, one of the three primary components of Android apps, are called using Intents, which are messaging objects that applications use to communicate with their different components.

At least a dozen bogus "Contact tracing" apps designed to look like official software to track coronavirus infections have been deployed globally to spread malware and steal user data, security researchers said Wednesday. Anomali said the fake COVID-19 apps do not appear to be distributed through official channels like the Google Play Store but rather are being spread through other apps, third-party stores, and websites that encourage downloads.

VMware this week informed customers that it has patched a high-severity information disclosure vulnerability affecting its Workstation, Fusion and vSphere virtualization products. The flaw, tracked as CVE-2020-3960, was reported to VMware by Cfir Cohen, a researcher from Google's cloud security team.

Expiring root certificates will cause devices like smart TVs and refrigerators to fail in the next few years, security researcher Scott Helme has warned. In order to validate the certificate the client must have a trusted root certificate from the issuing authority, and this, says Helme, is a problem for devices that never get updated.

Canada's Citizen Lab laboratory has uncovered a hacks-for-hire phishing operation targeting anyone from political activists and oligarchs to lawyers and CEOs that hit more than 10,000 email inboxes over seven years. The North American outfit claims to have traced the so-called Dark Basin campaign to an Indian firm called BellTroX InfoTech Services - which denies all wrongdoing.