IT Security Newsletter - 10/15/2020
Barnes & Noble warns customers it has been hacked, customer data may have been accessed
American bookselling giant Barnes & Noble is contacting customers via email, warning them that its network was breached by hackers, and that sensitive information about shoppers may have been accessed. In the email to customers, Barnes & Noble says that it became aware that it had fallen victim to a cybersecurity attack on Saturday, October 10th. However, although payment information might be considered at risk, the bookseller says that there was personal information stored on the compromised servers. READ MORE...
The online proctoring service ProctorTrack has disabled access to its service after its parent company was hacked.
The online proctoring service ProctorTrack has disabled access to its service after its parent company was hacked. With many schools and colleges performing remote learning, including tests, online proctoring services are increasingly being used to prevent students from cheating. ProctorTrack is one such solution by Verificient that is used by numerous universities, including Rutgers, University of Western Ontario, Ohio University, Illinois State University, Purdue University, and MIT. READ MORE...
Iran Acknowledges Cyberattacks on Government Departments
Iran's cybersecurity authority acknowledged cyberattacks on two governmental departments this week, state media reported Thursday. The cyberattacks occurred Tuesday and Wednesday and were under investigation, the state-owned IRAN daily newspaper said. While the report did not say which government departments were targeted, it called the attacks "important" and said some other departments temporarily took down their online services as a precaution against further attacks. READ MORE...
Microsoft fixes critical Outlook bug exploitable via preview pane
Microsoft has released the October 2020 Office security updates with a total of 24 security updates and 5 cumulative updates for 7 different products, fixing 13 vulnerabilities that could enable remote attackers to execute arbitrary code on vulnerable systems. The highlight of this month's Microsoft Office security updates is without a doubt CVE-2020-16947, a vulnerability that allows remote code execution when previewing or opening maliciously crafted emails. READ MORE...
Microsoft fixes Windows certificate spoofing bug abusing CAT files
Microsoft's October 2020 Patch Tuesday fixed 87 security bugs, one of which is an "Important" Windows Spoofing Vulnerability that abuses CAT files. The vulnerability enables attackers to create "polyglot malware," which merges different file types, to spoof digital signatures. To guarantee that an executable is legitimate and unaltered, software manufacturers add digital signatures to their releases before shipping them - a process also known as code signing. Signature spoofing flaws enable attackers to pass inauthentic, READ MORE...
Beware COVID-19 Charity Fraudsters, Warns the FBI
Scammers have no qualms about exploiting the pandemic to steal from the unwary. Don't just look out for yourself, warn vulnerable friends and family of scams too. From the as-if-you-didn't-have-enough-to-worry-about-in-2020 department, the FBI has warned that scammers are attempting to defraud the public by exploiting the COVID-19 pandemic. Scams can, of course, arrive via all manner of routes - face-to-face on the doorstep, via phone calls or text message, but it's even easier for fraudsters to target a larger pool of victims. READ MORE...
SAP Patches Critical Vulnerability in CA Introscope Enterprise Manager
The updates released by SAP for October 2020 include 15 Security Notes, including one that addresses a critical vulnerability. Six previously released Patch Day Security Notes were updated. Featuring a CVSS score of 10, the critical flaw is an OS command injection vulnerability that affects CA Introscope Enterprise Manager version 10.7.0.304 or lower (impacted products include Solution Manager and Focused Run). The bug is tracked as CVE-2020-6364. An attacker able to exploit the vulnerability could inject OS commands and gain full control. READ MORE...
TikTok unveils bug bounty program, scraps with US government in court over looming ban
TikTok announced a global bug bounty program Thursday amid an ongoing court battle to continue operating in the U.S. The program, a partnership with HackerOne, is an expansion of a more limited vulnerability disclosure program for the popular video-sharing app. "This partnership will help us to gain insight from the world's top security researchers, academic scholars and independent experts to better uncover potential threats and make our security defenses even stronger," TikTok wrote in a blog post. READ MORE...
Zoom rolls out end-to-end encryption (E2EE) next week
Zoom announced today that it will roll out end-to-end encryption (E2EE) for all users starting next week, as part of a 30-day technical preview. To start using E2EE when joining new meetings during this roll out phase, meeting participants will have to join using the Zoom desktop client, mobile app, or from Zoom Rooms. Users will know if their meeting uses E2EE if a green shield logo with a padlock is displayed in the upper left corner of the window. "We're excited to announce that starting[...]" READ MORE...
- ...in 1878, Thomas A. Edison founds the Edison Electric Light Co.
- ...in 1938, musician and activist Fela Kuti, who was an ambassador for Pan-African music and the Afrobeat genre, is born in Abeokuta, Nigeria.
- ...in 1969, rallies against the war in Vietnam draw over 2 million demonstrators across the US, a quarter million of them in the nation's capital.
- ...in 2003, China launches its first manned space mission, Shenzhou 5.