IT Security Newsletter

IT Security Newsletter - 09/03/2020

Hacking

WordPress Websites Attacked via File Manager Plugin Vulnerability

Hackers are exploiting a critical vulnerability that may be affecting hundreds of thousands of websites running WordPress. The vulnerability lies in versions of the popular third-party plugin WordPress File Manager, which has been installed on over 700,000 websites. WordPress File Manager bills itself as a tool to make it simple for webmasters to upload, edit, archive, and delete files and folders on their website's backend. READ MORE...


Most IoT Hardware Dangerously Easy to Crack

Manufacturers need to invest more effort into protecting root-level access to connected devices, security researcher says. A vast majority of IoT hardware in homes and offices is vulnerable to attacks that allow devices to be easily taken over and manipulated for malicious purposes. Few device manufacturers or security researchers are paying nearly as much attention to this issue as they are to software vulnerabilities, according to Marc Rogers, white hat hacker and executive director of cybersecurity at Okta. READ MORE...


AlphaBay dark web marketplace moderator gets 11 years in prison

Bryan Connor Herrell, a 25-year-old from Colorado, was sentenced to 11 years of prison time for acting as a moderator on the dark web marketplace AlphaBay. According to court documents, between May 2016 and July 2017, Herrell acted as a marketplace moderator and a scam watcher known under the 'Penissmith' and 'Botah' nicknames. During this time, he settled more than 20,000 disputes between AlphaBay vendors and buyers, while being paid by the marketplace owners in Bitcoin. READ MORE...

Malware

Government Backed 'MDBR' Service Blocks Connections to Malicious Domains

A new Malicious Domain Blocking and Reporting (MDBR) service will help organizations improve security by preventing IT systems from connecting to malicious domains. Launched through a partnership between the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), Center for Internet Security (CIS), and Akamai Technologies, the MDBR service adds another layer of Domain Name System (DNS) security to help organizations protect applications. READ MORE...

Information Security

U.S. Agencies Must Adopt Vulnerability-Disclosure Policies by March 2021

U.S. agencies must implement vulnerability-disclosure policies by March 2021, according to a new CISA mandate. The U.S. government's cybersecurity agency is now requiring federal agencies to implement vulnerability-disclosure policies (VDPs), which would give ethical hackers clear guidelines for submitting bugs found in government systems, by next March. Currently, most federal agencies lack a formal mechanism to receive information from white-hat hackers about potential security. READ MORE...


BEC Wire Transfers Average $80K Per Attack

The average wire-transfer loss from business email compromise (BEC) attacks is significantly on the rise: In the second quarter of 2020 the average was $80,183, up from $54,000 in the first quarter. That's according to the recently released Anti-Phishing Working Group (APWG)'s Phishing Activity Trends Report [PDF], which pointed out that the rise in dollar amounts could be driven largely by one Russian BEC operation, which has been targeting companies for an average of $1.27 million per effort. READ MORE...


Which cybersecurity failures cost companies the most and which defenses have the highest ROI?

Massachusetts Institute of Technology (MIT) scientists have created a cryptographic platform that allows companies to securely share data on cyber attacks they suffered and the monetary cost of their cybersecurity failures without worrying about revealing sensitive information to their competitors or damaging their own reputation. The SCRAM platform allows defenders to learn from past attacks and provides insight into which cyber-risk control areas require additional scrutiny or investment. READ MORE...

Exploits/Vulnerabilities

Router vendor has patched some zero-days, but leaves others wide open

In April, security researcher Rich Mirch got a text from a friend who had just switched to a new wireless router and was raving about its high-speed internet. You have to try it, the friend told Mirch. Curious, Mirch downloaded the router's firmware and started picking it apart. He found that the device, made by an obscure Canada-based company called MoFi Network, had multiple password-related vulnerabilities packed into its code. But Mirch wanted to delve deeper. READ MORE...


Why Kubernetes Clusters Are Intrinsically Insecure (& What to Do About Them)

Teams new to Kubernetes often deploy clusters in an insecure way by default because they don't know what they don't know. Unless you've got a team of battle-hardened Kubernetes experts, you're bound to run into trouble. For example, it's not always obvious when a Kubernetes deployment is overpermissioned, and often the easiest way to get something working is to give it root access or cluster-admin permissions. But just because the site is working doesn't mean your job is done. READ MORE...

Science & Culture

How to keep K-12 distance learners cybersecure this school year

With the pandemic still in full swing, educational institutions across the US are kicking off the 2020-2021 school year in widely different ways, from re-opening classrooms to full-time distance learning. Sadly, as schools embracing virtual instruction struggle with compounding IT challenges on top of an already brittle infrastructure, they are nowhere near closing the K-12 cybersecurity gap. Kids have no choice but to continue their studies within the current social and health climate. READ MORE...


The Joys of Owning an 'OG' Email Account

When you own a short email address at a popular email provider, you are bound to get gobs of spam, and more than a few alerts about random people trying to seize control over the account. If your account name is short and desirable enough, this kind of activity can make the account less reliable for day-to-day communications because it tends to bury emails you do want to receive. But there is also a puzzling side to all this noise: Random people tend to use your account as if it were theirs. READ MORE...

On This Date

  • ...in 1838, future abolitionist Frederick Douglass escapes from slavery by boarding a northbound train from Maryland.
  • ...in 1969, film director Noah Baumbach ("Marriage Story", "The Squid and the Whale") is born in New York City.
  • ...in 1976, the Viking 2 spacecraft lands at Utopia Planitia on Mars.
  • ...in 1986, American snowboarder and three-time Olympic gold medalist Shaun White is born in San Diego, CA.