Microsoft Warns of Zero-Day Internet Explorer Exploits

Mathew J. Schwartz • January 20, 2020

Microsoft says it's prepping a patch to fix a memory corruption flaw in multiple versions of Internet Explorer that is being exploited by in-the-wild attackers, and it's issued mitigation guidance. Security firm Qihoo 360 says the zero-day flaw has been exploited by the DarkHotel APT gang.

Cybercrime

Windows 7: Microsoft Ceases Free Security Updates

Latest

3rd Party Risk Management

Aussie Bank Says Server Upgrade Led to Data Breach

Jeremy Kirk • January 17, 2020

P&N Bank in Perth, Australia, says a server upgrade gone wrong led to the breach of sensitive personal information in its customer relationship management system. The incident is another example how organizations can be imperilled by mistakes on the part of their suppliers.

Active Defense & Deception

Analysis: Huawei 5G Dilemma

Nick Holland • January 17, 2020

The latest edition of the ISMG Security Report discusses why Britain is struggling to determine whether to use China's Huawei technology in developing its 5G networks. Plus: An update on a mobile app exposing infant photos and videos online and an analyst's take on the future of deception technology.

Governance

Windows Vulnerability: Researchers Demonstrate Exploits

Scott Ferguson • January 16, 2020

A day after the NSA disclosed a significant vulnerability that could affect the cryptographic operations in some versions of Windows, security researchers started releasing "proof of concept" code designed to show how attackers potentially could exploit the flaw. This highlights the urgency of patching.

Critical Infrastructure Security

Senators Field Legislation to Build Huawei 5G Alternatives

Mathew J. Schwartz • January 16, 2020

One gaping hole in the U.S. government's push to counter Chinese-built 5G telecommunications gear remains the lack of alternatives. But a bipartisan group of senators is seeking to create a $1 billion fund to create trusted, Western-built options.

Cybercrime

'Wartime' Security Mentality Revisited

Tom Field • January 15, 2020

Five years ago, cybersecurity executive Dave Merkel called upon enterprises to shed their "peacetime" mindsets and adopt a "wartime" stance against persistent cybercriminals and nation-state actors. How have they risen to that challenge?

Cybercrime

Report: Russian Hackers Targeted Ukrainian Gas Firm Burisma

Ishita Chigilli Palli • January 14, 2020

Hackers with ties to the Russian government have targeted Ukrainian natural gas firm Burisma with phishing attacks designed to steal credentials, according to researchers at Area 1 Security. The company is at the center of the impeachment of President Donald Trump.

Breach Notification

Baby's First Data Breach: App Exposes Baby Photos, Videos

Jeremy Kirk • January 14, 2020

A baby photo and video-sharing app called Peekaboo Moments is exposing sensitive logs through an exposed Elasticsearch database, a researcher has found. The data includes baby photos and videos, birthdates, location data and device information.

Endpoint Security

'Cable Haunt' Modem Flaw Leaves 200 Million Devices at Risk

Mathew J. Schwartz • January 13, 2020

A flaw in a Broadcom chip built into many cable modems means hundreds of millions of the devices are vulnerable to a buffer overflow exploit, dubbed Cable Haunt, that attackers can use to take full control of a modem, researchers say. Only some ISPs have begun pushing firmware updates to fix the flaw.

Cybercrime

Severe Citrix Flaw: Proof-of-Concept Exploit Code Released

Jeremy Kirk • January 13, 2020

Proof-of-concept code has been released to exploit a severe Citrix vulnerability present in tens of thousands of enterprises. Citrix says it's developing permanent patches but that enterprises should use its mitigation guidance. In the meantime, attackers are hunting for vulnerable machines.

Cybercrime

Why Penetration Tests Are So Essential

Steve King • January 13, 2020

Corporate network security breaches, which can prove costly to remediate and expose a company to lawsuits, are frequently the result of vulnerabilities that could have been fixed for a relatively low cost. A a brute force penetration test is a critical first step in finding those vulnerabilities.

Governance

Facebook's FTC Privacy Settlement Challenged in Court

Scott Ferguson • January 10, 2020

Six months after Facebook agreed to a landmark privacy settlement with the U.S. Federal Trade Commission that resulted in a $5 billion fine, a federal judge is still considering objections from advocacy groups that claim the deal doesn't go far enough.

Critical Infrastructure Security

Hackers Increasingly Probe North American Power Grid

Mathew J. Schwartz • January 10, 2020

Hackers have been increasingly probing the North American power grid for weaknesses, but the industry - driven in part by regulators - is increasingly able to identify and repel attackers, industrial cybersecurity experts say.