<img src="https://secure.ruth8badb.com/159098.png" alt="" style="display:none;">

IT Security Newsletter

Get the latest headlines, summaries, and security news!

IT Security Newsletter - 3/5/2020

Top News

Verisign, Amazon patch zero-day vulnerability that utilized homoglyph characters

Verisign has fixed an issue that could have allowed attackers to register bogus domains by using homoglyphs in place of more common characters, due to research from California-based security firm Soluble. Matt Hamilton, principal security researcher at Soluble, discovered the flaw when he attempted to register an Amazon Web Services S3 bucket with Unicode emoji characters. READ MORE...

Breaches

Carnival Cruise Line Operator Discloses Potential Data Breach

The world's largest cruise ship operator Carnival Corporation & plc announced a potential data breach affecting some of its customers after hackers accessed employee email accounts. Carnival Corporation is included in both the S&P 500 and the FTSE 100 indices, and it owns nine cruise line brands and a travel tour company. READ MORE...


Zynga faces class action suit over massive Words With Friends hack

Zynga - maker of addictive (and crook-tempting) online social games such as FarmVille, Mafia Wars, Café World and Zynga Poker - is facing a potential class action lawsuit over the September 2019 breach in which hackers got access to more than 218 million Words with Friends accounts. Zynga's Draw Something was also targeted in the September breach. READ MORE...

Hacking

J.Crew Disables User Accounts After Credential Stuffing Attack

US clothing retailer J.Crew announced that it was the victim of a credential stuffing attack around April 2019 that led to some of its customers' accounts and information being accessed by hackers. Credentials stuffing is a type of attack where hackers use large collections of username/password combinations bought from underground markets and leaked after previous security breaches and use them to gain access to user accounts on other online platforms. READ MORE...

Exploits/Vulnerabilities

Fake alerts about outdated security certificates lead to malware

Cyber criminals have been trying out a new approach for delivering malware: fake alerts about outdated security certificates, complete with an "Install (Recommended)" button pointing to the malware. The malware peddlers behind this scheme are obviously counting on users not knowing exactly what a security certificate is and that they are not responsible for keeping it updated, as well as exploiting users' desire to keep themselves safe online. READ MORE...


'Unfixable' boot ROM security flaw in millions of Intel chips could spell 'utter chaos' for DRM, file encryption, etc

A slit in Intel's security - a tiny window of opportunity - has been discovered, and it's claimed the momentary weakness could be one day exploited to wreak "utter chaos." It is a fascinating vulnerability, though non-trivial to abuse in a practical sense. It cannot be fixed without replacing the silicon, only mitigated, it is claimed: the design flaw is baked into millions of Intel processor chipsets. The problem revolves around cryptographic keys that, if obtained, can be used to break the root of trust in a system. READ MORE...


Critical Netgear Bug Impacts Flagship Nighthawk Router

Netgear is warning users of a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk (R7800) hardware running firmware versions prior to 1.0.2.68. The warnings, posted Tuesday, also include two high-severity bugs impacting Nighthawk routers, 21 medium-severity flaws and one rated low. READ MORE...