Round Up of Major Breaches and Scams
TikTok has been collecting unique identifiers from millions of Android devices without their users’ knowledge, using a tactic Google had previously prohibited because it violated people’s privacy, new research has found. The app concealed the practice, which can track users online without their consent, behind an added layer of encryption, according to an analysis and a report in the Wall Street Journal (WSJ). TikTok, owned by Beijing-based parent company ByteDance Ltd., appears to have stopped the practice in November, according to the report.
Rights groups are celebrating after the Court of Appeal ruled that South Wales Police’s use of automated facial recognition (AFR) technology is unlawful, although the ruling may not stop the force from running future pilots. The case was brought by Liberty and activist Ed Bridges, 37, from Cardiff, whose image had been captured twice, in 2017 and 2018, as police scanned crowds to match faces against suspects’ headshots in their database.
Round Up of Major Malware and Ransomware Incidents
Earlier this year, two ESET researchers disclosed a flaw in the chips powering over 1 billion Wi-Fi and Internet of Things (IoT) devices that would make it easy for attackers to snoop on encrypted traffic. Last week at Black Hat, the researchers explained that the attack surface for this kind of flaw is broader than they initially thought, and that the weakness is present in several other popular chipsets, which could put even more IoT and Wi-Fi devices at risk.
Around a third (33%) of UK universities have been targeted with ransomware, freedom of information (FOI) requests submitted by the agency TopLine Comms have revealed. Of the 134 universities the requests were sent to, 105 responded. Of these, 35 (33%) revealed they had been subjected to attack while 25 (24%) said they hadn’t. The remaining 43 (45%) refused to answer, with the main concern being that admission of attack could lead to further targeting.
Scammers are relying on fabricated news articles about the COVID-19 pandemic in an attempt to trick readers into signing up for bogus coronavirus cures. A network of content farm websites, the kind of sites that typically publish false hyperpartisan articles, is masquerading as legitimate news outlets in an attempt to scam Americans, according to research published Wednesday by RiskIQ. By posting what appear to be inflammatory news articles with headlines like “One Mom Has Found a Solution to Fight Back Coronavirus,” the fraudsters aim to lure would-be victims to their website.
Round Up of Major Vulnerabilities and Patches
Microsoft earlier today released its August 2020 batch of software security updates for all supported versions of its Windows operating systems and other products. This month’s Patch Tuesday updates address a total of 120 newly discovered software vulnerabilities, of which 17 are rated critical and the rest important in severity. But don’t worry, you don’t need to stop using your computer, with or without Windows on it; just install the updates.
If you haven’t recently updated your Chrome, Opera, or Edge web browser to the latest available version, it would be an excellent idea to do so as quickly as possible, The Hacker News advises. Cybersecurity researchers on Monday disclosed details about a zero-day flaw in Chromium-based web browsers for Windows, Mac and Android, present since Chrome 73, that could have allowed attackers to entirely bypass Content Security Policy (CSP) rules on a page.
The most important of SAP’s fixes this month is a cross-site scripting (XSS) flaw in the Knowledge Management component of NetWeaver. Tracked as CVE-2020-6284 and carrying Hot News priority, the issue has a CVSS score of 9.0. A default component of all SAP Enterprise Portal installations, Knowledge Management allows users to manage data sources in multiple formats, to create and modify content and folders, and to upload files.
Among the Chrome fixes is CVE-2020-6542, a high-severity use-after-free bug in ANGLE (Almost Native Graphics Layer Engine), the Chrome component responsible for translating OpenGL ES API calls into the graphics APIs the operating system actually supports (such as Vulkan, OpenGL, and Direct3D). Discovered by Piotr Bania of Cisco Talos, the remote code execution vulnerability is easy to exploit: the attacker only needs to host a website containing the triggering code and get the user to visit it.
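The two items above are two halves of the same defence: an XSS flaw like the NetWeaver one injects script into a page, and CSP is the browser-side control meant to stop injected script from running even when the server slips up; a CSP bypass like the Chrome one removes that second line. The snippet below is an added illustration, not code from SAP, Google or the original roundup: it shows a reflected XSS sink of the kind a folder-name page might have, the escaped fix, and a nonce-based CSP header, then audits the rendered HTML the way a CSP-enforcing browser would decide which scripts to run. The folder page, the payload and all function names are constructed for the example and do not describe the actual SAP or Chrome bugs.

```python
import html
import secrets
from html.parser import HTMLParser

# Constructed sample input: a folder name a malicious user might submit to a
# web app that echoes names back into the page (hypothetical, not SAP's code).
XSS_PAYLOAD = '<script>alert(document.cookie)</script>'


def render_unsafe(folder_name: str) -> str:
    """Reflected-XSS sink: untrusted input concatenated straight into HTML."""
    return f"<h1>Folder: {folder_name}</h1>"


def new_nonce() -> str:
    """Per-response CSP nonce; must be unpredictable and never reused."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value: only same-origin or nonce-bearing scripts run."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'"
    )


def render_safe(folder_name: str, nonce: str) -> str:
    """Fixed sink: HTML-escape the input and nonce the page's own script."""
    escaped = html.escape(folder_name, quote=True)
    return (
        f"<h1>Folder: {escaped}</h1>\n"
        f'<script nonce="{nonce}">initFolderView();</script>'
    )


class _ScriptAudit(HTMLParser):
    """Counts <script> elements, split by whether they carry the expected nonce."""

    def __init__(self, nonce: str) -> None:
        super().__init__()
        self.nonce = nonce
        self.allowed = 0   # scripts a CSP-enforcing browser would execute
        self.blocked = 0   # scripts it would refuse (no / wrong nonce)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        if dict(attrs).get("nonce") == self.nonce:
            self.allowed += 1
        else:
            self.blocked += 1


def audit_scripts(page: str, nonce: str) -> tuple:
    """Return (allowed, blocked) script counts for a page under csp_header(nonce)."""
    auditor = _ScriptAudit(nonce)
    auditor.feed(page)
    auditor.close()
    return auditor.allowed, auditor.blocked


if __name__ == "__main__":
    nonce = new_nonce()
    # Unsafe render: the injected script is a real element and would run
    # wherever CSP is absent or bypassed.
    print("unsafe :", audit_scripts(render_unsafe(XSS_PAYLOAD), nonce))
    # Safe render: the payload is inert text; only the nonced script is allowed.
    print("safe   :", audit_scripts(render_safe(XSS_PAYLOAD, nonce), nonce))
    print("header :", csp_header(nonce))
```

Escaping is the actual fix; the nonce policy is defence in depth, and it is only as good as the browser's enforcement of it, which is exactly why a CSP bypass in the browser is treated as a serious bug even though it is not itself an injection.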
New research has disclosed a string of severe security vulnerabilities in ‘Find My Mobile’, an Android app that comes pre-installed on most Samsung smartphones, that could have allowed remote attackers to track victims’ real-time location, monitor phone calls and messages, and even delete data stored on the phone. Portugal-based cybersecurity services provider Char49 revealed its findings on Samsung’s Find My Mobile Android app at the DEF CON conference last week and shared details with The Hacker News.
Adobe’s latest security update has tackled a set of critical and important bugs in Acrobat and Reader. On Tuesday, the company issued its standard monthly round of fixes, the majority of which relate to the popular PDF viewing and editing software. In total, 26 vulnerabilities have been resolved, 11 of which are deemed critical and could lead to remote code execution. The patches cover Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat/Reader 2017, and Acrobat/Reader 2015 on Windows and macOS.
There is no doubt technology has made our lives easier, but it has also made us more exposed to cyber-attacks. The Bitdefender IoT vulnerability research team has discovered a vulnerability (CVE-2019-17098) in the August Smart Lock Pro + Connect that, if exploited, can give attackers full access to the victim’s Wi-Fi network. Packed with innovative features, the August Smart Lock Pro + Connect allows users to control their home’s main door, or any other door it is fitted to.