Security daily (08-09-2020)

Hartford Public Schools delay reopening amid ransomware attack

U.S. school administrators have spent months mapping out how the coronavirus would disrupt the start of the school year. But officials in Hartford, Conn., are dealing with another, unexpected challenge now that a ransomware attack has forced the city’s public schools to postpone classes. The file-locking malware “caused an outage of critical systems and the restoration of those systems [is] not complete,” Hartford Public School officials said in a statement. “This includes the system that communicates our transportation routes to our bus company and it is preventing our ability to operate schools on Tuesday.” “Everyone at Hartford Public Schools was ready to welcome back our beautiful and capable students in person and remotely,” the statement said. Schools and universities were already facing a barrage of ransomware threats before the COVD-19 pandemic forced administrators to shift classes online, potentially opening up new avenues for attack. An incident in April shut down computer servers at a community college in […] The post Hartford Public Schools delay reopening amid ransomware attack appeared first on CyberScoop. (CyberScoop)

Chinese cyber power is neck-and-neck with US, Harvard research finds

As conventional wisdom goes, experts tend to rank the U.S ahead of China, U.K., Iran, North Korea, Russia, in terms of how strong it is when it comes to cyberspace. But a new study from Harvard University’s Belfer Center shows that China has closed the gap on the U.S. in three key categories: surveillance, cyber defense, and its efforts to build up its commercial cyber sector. “A lot of people, Americans in particular, will think that the U.S., the U.K., France, Israel are more advanced than China when it comes to cyber power,” Eric Rosenbach, the Co-Director of Harvard’s Belfer Center, told CyberScoop. “Our study shows it’s just not the case and that China is very sophisticated and almost at a peer level with the U.S.” Overall, China’s cyber power is only second to the U.S., according to the research, which was shared exclusively with CyberScoop. But the study also found […] The post Chinese cyber power is neck-and-neck with US, Harvard research finds appeared first on CyberScoop. (CyberScoop)

How the government is keeping hackers from disrupting coronavirus vaccine research

Six months ago, as professional sports were postponed indefinitely, schools were shuttering, Tom Hanks was the poster boy for COVID-19, and President Donald Trump addressed a nervous nation, people at the highest levels of the U.S. government became laser-focused on one idea: Coronavirus vaccine research needed to be defended from hacking attempts. Soon after the World Health Organization declared a pandemic, the Pentagon’s Defense Digital Service and the National Security Agency got to work on a behind-the-scenes protection mission for “Operation Warp Speed,” the U.S. government program responsible for producing 300 million coronavirus vaccine doses by January 2021. Known as the Security and Assurance portion of Operation Warp Speed, the mission is no small effort. Consisting of people from DDS, NSA, FBI, the Department of Homeland Security and the Department of Health and Human Services, it has been running behind the scenes for months, and is being detailed here for the first time. […] The post How the government is keeping hackers from disrupting coronavirus vaccine research appeared first on CyberScoop. (CyberScoop)

Beijing floats a plan to protect Chinese companies from American cyber 'bullying'

If Chinese technology companies are going to lose global market share amid concerns about their ties to the Communist government, Beijing isn’t going to let that happen quietly. In a speech Tuesday, Chinese State Councillor Wang Yi proposed a set of international rules intended to increase trust and refute the Trump administration’s strategy to limit the reach of Chinese-made technologies. Wang said the “Global Initiative on Data Security” is a recognition that data protection techniques are increasingly politicized at a moment when “individual countries” are “bullying” others, sometimes “hunting” foreign-based companies. The speech coincided with an ongoing effort in Washington to limit what officials have described as a national security threat from China-based corporations including TikTok and Huawei. While the U.S. has provided few specific examples of the apparent threat, intelligence officials have consistently warned that Chinese national security laws require Chinese companies to provide data at the government’s request. Chinese […] The post Beijing floats a plan to protect Chinese companies from American cyber 'bullying' appeared first on CyberScoop. (CyberScoop)

Cryptobugs Found In Numerous Google Play Store Apps

(News ≈ Packet Storm)

China Pushes New Global Data Security Initiative

(News ≈ Packet Storm)

Critical Adobe Flaws Allow Attackers To Run JavaScript In Browsers

(News ≈ Packet Storm)

Microsoft September 2020 Patch Tuesday Fixes 129 Vulnerabilities

(News ≈ Packet Storm)

Researcher Reveals Google Maps XSS Bug, Patch Bypass

(News ≈ Packet Storm)

Online Voting Vendor Voatz Urges Supreme Court To Limit Security Research

(News ≈ Packet Storm)

Reflected XSS in WordPress Plugin Admin Pages

The administrative dashboard in WordPress is a pretty safe place: Only elevated users can access it. Exploiting a plugin’s admin panel would serve very little purpose here — an administrator already has the required permissions to do all of the actions a vulnerability could cause. While this is usually true, there are a number of techniques bad actors are using to trick an administrator into performing actions they would not expect, such as Cross Site Request Forgery (CSRF) or Clickjacking attacks. Continue reading Reflected XSS in WordPress Plugin Admin Pages at Sucuri Blog. (Sucuri Blog)

Microsoft Releases September 2020 Security Patches For 129 Flaws

As part of this month's Patch Tuesday, Microsoft today released a fresh batch of security updates to fix a total of 129 newly discovered security vulnerabilities affecting various versions of its Windows operating systems and related software.

Of the 129 bugs spanning its various products — Microsoft Windows, Edge browser, Internet Explorer, ChakraCore, SQL Server, Exchange Server, Office, (The Hacker News)

Japan, France, New Zealand Warn of Sudden Uptick in Emotet Trojan Attacks

Cybersecurity agencies across Asia and Europe have issued multiple security alerts regarding the resurgence of email-based Emotet malware attacks targeting businesses in France, Japan, and New Zealand.

"The emails contain malicious attachments or links that the receiver is encouraged to download," New Zealand's Computer Emergency Response Team (CERT) said. "These links and attachments may (The Hacker News)

Microsoft’s Patch Tuesday Packed with Critical RCE Bugs

The most concerning of the disclosed bugs would allow an attacker to take over Microsoft Exchange just by sending an email. (Threatpost)

Critical Intel Active Management Technology Flaw Allows Privilege Escalation

The critical Intel vulnerability could allow unauthenticated attackers gain escalated privileges on Intel vPro corporate systems. (Threatpost)

Critical Adobe Flaws Allow Attackers to Run JavaScript in Browsers

Five critical cross-site scripting flaws were fixed by Adobe in Experience Manager as part of its regularly scheduled patches. (Threatpost)

Cryptobugs Found in Numerous Google Play Store Apps

A new dynamic tool developed by Columbia University researchers flagged cryptography mistakes made in more than 300 popular Android apps. (Threatpost)

Bug in Google Maps Opened Door to Cross-Site Scripting Attacks

A researcher discovered a cross-site scripting flaw in Google Map's export function, which earned him $10,000 in bug bounty rewards. (Threatpost)


/security-daily/ 09-09-2020 23:44:21