Category: Security Threats

Microsoft Patch Tuesday: 60 vulnerabilities resolved including two active exploits

Microsoft’s Windows Patch Tuesday resolves a total of 60 vulnerabilities, 19 of which are critical, including two zero-day security flaws which are being actively used in attacks today. The Redmond giant published a security advisory detailing the latest round of updates.

The update impacts the Windows operating system, Internet Explorer, Microsoft Edge, Microsoft Office services and apps, ChakraCore, the .NET Framework, Microsoft Exchange and SQL Server, as well as Visual Studio. Security updates were also released for Adobe Flash Player.

Read more about the resolved vulnerabilities on ZDNet.

Beyond Spectre: Foreshadow, a new Intel security problem

Spectre and Meltdown are more than a new class of security holes. They’re deeply embedded in the fundamental design of recent generations of CPUs. So it shouldn’t come as any surprise that yet another major Intel chip security problem has been discovered: Foreshadow.

According to the researchers who found it, “Foreshadow is a speculative execution attack on Intel processors which allows an attacker to steal sensitive information stored inside personal computers or third party clouds.”

Read more about the newly discovered Intel chip security problem on ZDNet.

Google location tracking continues even when turned off

Turning off Google location tracking may not be as simple as changing one setting to “off,” according to new research.

An AP investigation found that even with Google location tracking turned off, certain apps will take a timestamped snapshot of the user’s location and store that data when the user performs a search, opens Google Maps, or checks the weather.The unexpected Google location tracking behavior on Android and iOS devices has been confirmed by computer science researchers at Princeton University.

Read more about how it is possible for Google to track your movements even when location tracking is turned off, on TechTarget.

Police Bodycams Can Be Hacked To Doctor Footage

The most crucial function police body cameras need to perform—beyond recording footage in the first place—is protecting the integrity of that footage so it can be trusted as a record of events. However, security researcher Josh Mitchel has found that many body cameras on the market today are vulnerable to remote digital attacks, including some that could result in the manipulation of footage.

Mitchell analyzed five body camera models from five different companies and found vulnerabilities in all but one that would allow an attacker to delete footage, or to download footage off a camera, edit it and then re-upload it, leaving no indication of the change.

Read more about the discovered vulnerabilities in police bodycams on Wired.

Vulnerabilities in mPOS devices could lead to fraud and theft

Vulnerabilities in mPOS (mobile point-of-sale) machines could allow malicious merchants to defraud customers and attackers to steal payment card data, Positive Technologies researchers have found.

The use of mPOS devices has seen huge growth over the last few years. Like ATMs and traditional POS, they are at the end point of payment infrastructure, meaning they are very attractive and accessible to criminals for both the testing of these devices and in the movement of fraudulent money.

Read about the vulnerabilities that have been discovered in a number of market-leading mPOS devices popular in both the U.S. and Europe: Square, SumUp, iZettle, and PayPal, on Help Net Security.

A botnet of smart irrigation systems can deplete a city’s water supply

Ben-Gurion University of the Negev (BGU) cyber security researchers warn of a potential distributed attack against urban water services that uses a botnet of smart irrigation systems that water simultaneously.

The researchers analyzed and found vulnerabilities in a number of commercial smart irrigation systems, which enable attackers to remotely turn watering systems on and off at will.

Read more about the disturbing findings of the new research on Help Net Security.

Smart city systems are riddled with critical security vulnerabilities

IBM has discovered 17 zero-day vulnerabilities in smart city systems which could debilitate core services. At the Black Hat conference in Las Vegas, the cybersecurity firm’s X-Force Red team demonstrated how old-school threats are placing the cities of the future at risk in the present day.

Smart city technology spending is predicted to hit $80 billion this year and become as high as $135 billion by 2021. Together with researchers from Threatcare, IBM X-Force Red discovered that smart city systems developed by Libelium, Echelon and Battelle were vulnerable to attack.

Read more about the uncovered zero-day bugs which can be used to kill our critical city systems, on ZDNet.

Comcast customer portal vulnerabilities exposed sensitive data

Comcast has resolved two critical vulnerabilities which had the potential to expose confidential information including home addresses and social security numbers belonging to over 26.5 million customers.

As reported by Buzzfeed, the previously unknown bugs were discovered by security researcher Ryan Stevenson. The vulnerabilities were found within customer software provided by Comcast Xfinity, a subsidiary of Comcast which provides cable, Internet, and telecommunications services.

Read more about the critical bugs that impact multiple versions of the open-source software, on ZDNet.

AWS S3 Bucket Exposed Containing GoDaddy Server Configuration and Pricing Models

Another week, another publicly accessible AWS storage cloud found to be leaking enterprise secrets. This time around, the company exposed was GoDaddy – but in a twist on the normal storyline, it was an AWS employee responsible for the misconfiguration.

Researchers with the UpGuard Cyber Risk Team found a publicly accessible Amazon S3 bucket wide open for public consumption. Included within that data store were documents that detailed configurations and pricing information for tens of thousands of systems in the AWS cloud.

Read more about the GoDaddy data leak on DarkReading.

IoT security: Lessons we can learn from the evolution of road safety

In the world we know today, road safety is carefully enforced to the point where we take it for granted. But it wasn’t always thus. People simply weren’t aware of the risks. In the past there were no uniform traffic safety regulations and no safety precautions built into vehicles, such as seatbelts or no airbags.

We’re currently facing serious security challenges with the Internet of Things, and the parallels with road safety are striking. The number of connected devices offered in the market rises inexorably and the low cost of manufacturing often relegates good security to an afterthought.

Read more about what cybersecurity professionals can learn from the evolution of road safety in order to improve IoT security according to Brian Honan, CEO of BH Consulting, on Help Net Security.