IT Security Newsletter

IT Security Newsletter - 09/04/2020

Written by Cadre | Fri, Sep 4, 2020

Warner Music Group finds hackers compromised its online stores

Warner Music Group (WMG), the third-largest global music recording company, has disclosed a data breach affecting customers' personal and financial information after several of its US-based e-commerce stores were hacked in April 2020 in what looks like a Magecart attack. With a history of over 200 years, WMG has more than 3,500 employees and it operates in over 70 countries via a network of subsidiaries, affiliates, and non-affiliated licensees. READ MORE...

Attackers Can Exploit Critical Cisco Jabber Flaw With One Message

An attacker can execute remote code with no user interaction, thanks to CVE-2020-3495. Researchers are warning of a critical remote code-execution (RCE) flaw in the Windows version of Cisco Jabber, the networking company's video-conferencing and instant-messaging application. Attackers can exploit the flaw merely by sending targets specially crafted messages - no user interaction required. The flaw (CVE-2020-3495) has a CVSS score of 9.9 out of 10, making it critical in severity. READ MORE...

5 Ways for Cybersecurity Teams to Work Smarter, Not Harder

Burnout is real and pervasive, but some common sense tools and techniques can help mitigate all that. A career in cybersecurity is extremely rewarding. It also comes with its challenges, including last-minute fire drills, understaffed teams, and overworked employees - all while protecting the company's most valuable assets, its intellectual property, employee, and customer data. These factors can generate immense stress for cybersecurity professionals, causing them to quit their job or completely leave the field. READ MORE...

Google rolls out Secure DNS support to Chrome for Android

Google is rolling out DNS-over-HTTPS (DoH) support to Chrome for Android, starting with devices where the web browser has been updated to version 85. DoH enables DNS resolution over encrypted HTTPS connections instead of using plain text DNS lookups, thus preventing attackers from seeing what sites are you browsing by monitoring your DNS traffic. The company has already included the DoH secure DNS protocol in the desktop browser with the release of Chrome 83 three months ago, in May 2020. READ MORE...

New Email-Based Malware Campaigns Target Businesses

Researchers who found "Salfram" say its campaigns use the same crypter to distribute payloads, including ZLoader, SmokeLoader, and AveMaria. A series of email-based malware distribution campaigns is targeting businesses with multiple malware payloads that include Gozi ISFB, ZLoader, SmokeLoader, and AveMaria, researchers say. The Cisco Talos team has been watching attackers launch these campaigns over the past several months and reports they employ several techniques designed to evade detection. READ MORE...

Facebook Announces Formal Vulnerability Disclosure Policy for Third-Party Bugs

The social media giant has also launched a new website for sharing information on WhatsApp security. Facebook today rolled out a formal policy for disclosing vulnerabilities in third-party products and also announced the creation of a new website for providing security updates and bug disclosures related to WhatsApp. Facebook's new Security Vulnerability Disclosure Policy formally codifies a set of practices the social media behemoth said it would follow in releasing information about any security issues. READ MORE...

India Blocks High-Profile Chinese Apps on Political, Privacy Concerns

Technology minister bans, Baidu, WeChat Work, AliPay and 115 others for capturing using data and transmitting it to servers outside of the country without authorization. India has blocked 118 more mobile apps in its continued crackdown on the use mobile apps from China, citing concerns that they transmit user data out of the country and threaten its "sovereignty and integrity" as political tensions between the two countries rise. Though not all of the apps banned by the Ministry of Electronics and Information Technology are from China. READ MORE...

WhatsApp Discloses 6 Bugs via Dedicated Security Site

The company committed to more transparency about app flaws, with an advisory page aimed at keeping the community better informed of security vulnerabilities. Facebook-owned WhatsApp has fixed six previously undisclosed vulnerabilities in its chat platform, revealing the move on a new dedicated security advisory site aimed at informing its more than 2 million users about bugs and keeping them updated on app security. READ MORE...

TikTok scrubs ads promoting diet pills, fake apps after Tenable report

Silly scammers, TikTok is for kids. The video-sharing app, which claims some 49 million daily active users in the U.S., said Thursday it removed an array of advertisements from its central #ForYou page that marketed suspicious diet pills, fake mobile apps and other inauthentic services. The removal came after researchers from the security firm Tenable alerted TikTok about an ecosystem of promotions that aim to defraud users out of money, trick them into downloading shady apps or collect their personally identifiable information. READ MORE...

Voatz urges Supreme Court to not protect ethical research from prosecution

If the mobile voting firm Voatz actually is interested in working with security researchers who can examine their technology, the company sure has an odd way of showing it. Massachusetts-based Voatz on Thursday filed an amicus brief to the Supreme Court, arguing that only security researchers with clear permission should be authorized to probe systems for vulnerabilities. The filing came as part of a Supreme Court case in which justices are poised to reconsider the Computer Fraud and Abuse Act. READ MORE...

The Hidden Costs of Losing Security Talent

Companies know that security talent costs money and good people are hard to find. But what they don't always consider are the hidden costs of losing an experienced security analyst. According to Simone Petrella, founder and CEO of online training firm CyberVista, an experienced security analyst commands an average annual salary of about $100,000. And when that analyst leaves a company, it typically takes eight months to replace that person and almost four months to train a replacement. READ MORE...

  • ...in 1888, George Eastman receives a patent for his roll film camera and registers the trademark "Kodak".
  • ...in 1957, The Ford Motor Company introduces the Edsel, which was touted as the car of the future, but ended up a commercial flop.
  • ...in 1972, CBS premieres "The Price Is Right", currently the longest running game show on American TV.
  • ...in 1998, Google is founded by two Stanford University students, Larry Page and Sergey Brin.