Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

Content tagged with Vulnerabilities / Threats posted in August 2020
Page 1 / 3   >   >>
Slack Patches Critical Desktop Vulnerability
News  |  8/31/2020  | 
The remote code execution flaw could allow a successful attacker to fully control the Slack desktop app on a target machine.
Malicious Android Apps Slip Through Google Play Protection
Quick Hits  |  8/31/2020  | 
Multiple Android apps were found spying on users and recruiting victims' devices into ad-fraud botnets.
UVA Researcher Charged with Computer Intrusion & Trade Secret Theft
Quick Hits  |  8/31/2020  | 
Chinese national Haizhou Hu was researching bio-mimics and fluid dynamics at the University of Virginia.
From Defense to Offense: Giving CISOs Their Due
Commentary  |  8/31/2020  | 
In today's unparalleled era of disruption, forward-thinking CISOs can become key to company transformation -- but this means resetting relationships with the board and C-suite.
Data Privacy Concerns, Lack of Trust Foil Automated Contact Tracing
News  |  8/28/2020  | 
Efforts to create a technology framework for alerting people to whether they have been exposed to an infectious disease have been hindered by a number of key issues.
DNC Warns Campaign Staffers of Dating App Dangers
Quick Hits  |  8/28/2020  | 
The Democratic National Committee advises against sharing too much work and personal information on popular dating apps.
TA542 Returns With Emotet: What's Different Now
Quick Hits  |  8/28/2020  | 
Researchers report the TA542 threat group has made code changes to its malware and started targeting new locations with Emotet.
Ransomware Red Flags: 7 Signs You're About to Get Hit
Slideshows  |  8/28/2020  | 
Caught off guard by a ransomware attack? Security experts say the warning signs were there all along.
Redefining What CISO Success Looks Like
Commentary  |  8/28/2020  | 
Key to this new definition is the principle that security programs are designed to minimize business risk, not to achieve 100% no-risk.
DDoS Attacks Halt NZ Exchange Trading for Third Day
Quick Hits  |  8/27/2020  | 
New Zealand Exchange officials say the motive for the attacks is unclear.
Vulnerability Volume Poised to Overwhelm Infosec Teams
News  |  8/27/2020  | 
The collision of Microsoft and Oracle patches on the same day has contributed to risk and stress for organizations.
The Inside Threat from Psychological Manipulators
Commentary  |  8/27/2020  | 
How internal manipulators can actually degrade your organization's cyber defense, and how to defend against them.
How CISOs Can Play a New Role in Defining the Future of Work
Commentary  |  8/27/2020  | 
Rather than just reacting to security issues in the COVID-19 era, CISOs are now in a position to be change agents alongside their C-suite peers.
Higher Education CISOs Share COVID-19 Response Stories
News  |  8/26/2020  | 
Security leaders from Stanford, Ohio State, and the University of Chicago share challenges and response tactics from the COVID-19 pandemic.
US Warns of Ongoing BeagleBoyz Bank-Theft Operations
Quick Hits  |  8/26/2020  | 
The North Korean operatives have attempted to steal more than $2 billion since 2015 in a series of ongoing campaigns.
6 Signs Your Supply Chain Risk Just Shot Up
Slideshows  |  8/26/2020  | 
Risk levels are not steady states. Here are six indications that the danger posed by your supply chain is headed in the wrong direction.
With More Use of Cloud, Passwords Become Even Weaker Link
News  |  8/26/2020  | 
Slow patching provides vulnerabilities to exploit. A lack of network segmentation allows unrestricted lateral movement. Yet a report surveying a year of penetration tests finds that passwords still top the list of what attackers use to compromise systems.
Deep Fake: Setting the Stage for Next-Gen Social Engineering
Commentary  |  8/26/2020  | 
Humans are susceptible to normalcy bias, which may leave us vulnerable to disinformation that reinforces our beliefs.
Phishing Attack Used Box to Land in Victim Inboxes
News  |  8/25/2020  | 
A phishing attack targeting government and security organizations used a legitimate Box page with Microsoft 365 branding to trick victims.
Online Business Fraud Down, Consumer Fraud Up
Quick Hits  |  8/25/2020  | 
Criminals are changing tactics to match changing business conditions in the coronavirus pandemic, according to a new report.
Three Easy Ways to Avoid Meow-like Database Attacks
Commentary  |  8/25/2020  | 
The largest problem facing database security today is the disconnect between security teams and DBAs beginning from the moment of configuration and continuing throughout the database lifecycle.
The Fatal Flaw in Data Security
Commentary  |  8/25/2020  | 
Simply stated: No matter how sophisticated your security software is, data cannot be simultaneously used and secured. But that may be changing soon.
CISA Releases 5G Security Guidelines
Quick Hits  |  8/24/2020  | 
The new document defines lines of effort for developing security for the growing 5G network.
Attackers Use Unicode & HTML to Bypass Email Security Tools
News  |  8/24/2020  | 
Researchers spot cybercriminals using new techniques to help malicious phishing emails slip past detection tools.
DeathStalker APT Targets SMBs with Cyber Espionage
Quick Hits  |  8/24/2020  | 
The hacker-for-hire group, operating since at least 2012, primarily targets financial firms.
Large Ad Network Collects Private Activity Data, Reroutes Clicks
News  |  8/24/2020  | 
A Chinese mobile advertising firm has modified code in the software development kit included in more than 1,200 apps, maliciously collecting user activity and performing ad fraud, says Snyk, a software security firm.
Dark Reading Launches New Section on Physical Security
Commentary  |  8/24/2020  | 
Partnership with IFSEC enables Dark Reading to cover new areas of security and expand its audience.
Average Cost of a Data Breach in 2020: $3.86M
Commentary  |  8/24/2020  | 
When companies defend themselves against cyberattacks, time is money.
University of Utah Pays in Cyber-Extortion Scheme
Quick Hits  |  8/21/2020  | 
Though a ransomware attempt was thwarted, the university paid to prevent the release of student PII.
74 Days From the Presidential Election, Security Worries Mount
News  |  8/21/2020  | 
With pandemic measures continuing and political divisions deepening, security experts express concern about the security and integrity of the November election.
'Next-Gen' Supply Chain Attacks Surge 430%
News  |  8/21/2020  | 
Attackers are increasingly seeding open source projects with compromised components.
Post-Pandemic Digitalization: Building a Human-Centric Cybersecurity Strategy
Commentary  |  8/21/2020  | 
COVID-19 won't be the last major disruption of its kind. Instead, it is a glimpse into what may be to come as digitalization continues to affect all aspects of our lives.
Cryptominer Found Embedded in AWS Community AMI
News  |  8/21/2020  | 
Researchers advise Amazon Web Services users running Community Amazon Machine Images to verify them for potentially malicious code.
Smart-Lock Hacks Point to Larger IoT Problems
News  |  8/20/2020  | 
Two recent reports on smart-locks vulnerabilities show that IoT vendors have a bigger job to do in ensuring their products are safely deployed and configured.
Twitter Hack: The Spotlight that Insider Threats Need
Commentary  |  8/20/2020  | 
The high profile attack should spur serious board-level conversations around the importance of insider threat prevention.
IBM Db2 Flaw Gives Attackers Read/Write Access to Shared Memory
Quick Hits  |  8/20/2020  | 
Researchers discover a lack of explicit memory protections around the shared memory used by the Db2 trace facility.
Banks and the New Abnormal
Commentary  |  8/20/2020  | 
Banks have hesitated to adopt many strong security practices, and for understandable reasons. But now is the time to be bold.
Fuzzing Services Help Push Technology into DevOps Pipeline
News  |  8/19/2020  | 
As part of a continuous testing approach, fuzzing has evolved to provide in-depth code checks for unknown vulnerabilities before deployment.
Sophisticated P2P Botnet Targeting SSH Servers
News  |  8/19/2020  | 
'FritzFrog' is fileless, uses its own proprietary P2P implementation, and has breached at least 500 servers so far, Guardicore says.
CISA Warns of New RAT Aimed at US Defense Contractors
Quick Hits  |  8/19/2020  | 
Hidden Cobra, an APT group associated with the government of North Korea, is thought to be behind the campaign.
Newly Patched Alexa Flaws a Red Flag for Home Workers
News  |  8/19/2020  | 
Alexa could serve as an entry point to home and corporate networks. Security experts point to the need for manufacturers to work closely with enterprise security teams to spot and shut down IoT device flaws.
ICS Vulnerability Reports Rapidly Rise
News  |  8/19/2020  | 
More scrutiny of products for industrial control systems is expected to expose even more weaknesses in devices that run critical infrastructure.
How to Control Security Costs During a Down Economy
Commentary  |  8/19/2020  | 
Three key areas security professionals should watch when managing their budgets.
Stolen Data: The Gift That Keeps on Giving
Commentary  |  8/19/2020  | 
Users regularly reuse logins and passwords, and data thieves are leveraging that reality to breach multiple accounts.
Canadian Government Issues Statement on Credential-Stuffing Attacks
Quick Hits  |  8/18/2020  | 
The government is responding to threats targeting the GCKey service and CRA accounts, which are used to access federal services.
New Campaign Combines Extortion, DDoS
Quick Hits  |  8/18/2020  | 
Latest attacks bank on the reputation of two prominent APT groups to increase the threat credibility.
Four Ways to Mitigate Supply Chain Security Risks From Ripple20
Commentary  |  8/18/2020  | 
Enterprises can significantly alleviate current and long-standing third-party risk by using tactical and strategic efforts to assess and manage them.
New 'Duri' Campaign Uses HTML Smuggling to Deliver Malware
News  |  8/18/2020  | 
Researchers who detected the attack explain what businesses should know about the HTML smuggling technique.
Why Quality & Security Both Matter in Software
Commentary  |  8/18/2020  | 
It's time to position quality and security as equals under the metric of software integrity.
Firms Still Struggle to Prioritize Security Vulnerabilities
News  |  8/17/2020  | 
Security debt continues to pile up, with 42% of organizations attributing remediation backlogs to a breach, a new study shows.
Page 1 / 3   >   >>


News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "Elon, I think our cover's been blown."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27400
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1
CVE-2021-29653
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.
CVE-2021-30476
PUBLISHED: 2021-04-22
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.
CVE-2021-22540
PUBLISHED: 2021-04-22
Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.
CVE-2021-27736
PUBLISHED: 2021-04-22
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.