Roundup Congratulations to all. We made it through April. Here is a handy roundup of security news bits and bytes beyond what we covered at The Reg.
Xiaomi phones at the center of tracking brouhaha
A Forbes report last week described how some Xiaomi Android phones track their owners’ web browsing and online activities.
It was claimed the handsets collect things like browsing history, search queries and news feed activity, and send the data to servers in China even when using the private mode of the supplied Xiaomi browser.
Xiaomi, in response, claimed that it anonymized the data collected for performance monitoring, even though it admitted that this “aggregated data collection” included URLs, even in incognito mode.
“The privacy of our users and internet security are of the highest priority at Xiaomi,” added the phone maker. “We are confident that we strictly follow and fully comply with local laws and regulations.”
Both sides have had a bit of a barney over what’s going on exactly. Xiaomi claimed it was not doing anything sneaky. Infosec bods said the data is anonymized using unique user identification numbers that don’t change frequently, which isn’t particularly bright.
Andrew Tierney, one of the researchers involved in the investigation, tore into Xiaomi, stating that its answer was unclear, and added: “There is no doubt that [Xiaomi] Mint Browser sends search terms and URLs in incognito mode.”
Today, the phone provider released an update for its Mi browsers, Mi Browser Pro on Google Play and Mint Browser on Google Play, to “include an option in incognito mode for all users of both browsers to enable / disable aggregated data collection.” That should, in theory, when disabled, stop Xiaomi from retrieving URLs and other items even in private mode.
PerSwaysion attacks threaten Microsoft 365 customers
Group-IB said a gang of hackers active since last year infected targeted victims by luring them to phishing servers imitating Microsoft 365.
Known as PerSwaysion, the crew compromised more than 150 executives and leaders of organizations in the financial, legal, consulting and manufacturing sectors, we are told. In addition to devoting a considerable amount of work to configuring machines that impersonate Microsoft services, the criminals also rely heavily on Redmond’s Sway file sharing service.
“The PerSwaysion campaign is a collection of small, targeted phishing attacks by multiple cybercriminals, attacking small and medium-sized financial services firms, law firms and real estate groups,” said Group-IB.
LabCorp faces lawsuit for data breach
Medical testing giant LabCorp is still grappling with fallout from last year’s network intrusion at one of its sub-contracted invoice collectors.
A group of investors launched a derivative lawsuit against LabCorp and its management team. The lawsuit, filed in Delaware, United States, claims that LabCorp executives have not done enough to secure their patient records, and as a result, the American company and its investors have suffered a financial blow.
White House says foreign grid equipment is out
President Donald Trump issued an executive order prohibiting the purchase of any equipment manufactured abroad for use in the American electrical grid.
The order, which applies to “bulk” back-end electrical equipment, is based on the belief that a significant national security risk is created when US power companies purchase and install network-connected devices that could be diverted or otherwise compromised to hack the American power grid.
Magento gets patched
Adobe Magento Commerce Suite administrators will want to make sure they are fully up to date: the release fixes more than a dozen security vulnerabilities.
The update includes fixes for six arbitrary code execution holes considered to be critical security risks. Other vulnerabilities allow bypassing permissions, escalating privileges, and disclosing information.
Distance learning materials may contain bugs
Infosec bods have cracked open WordPress plugins used by schools for distance education, and say that some of the tools could be exploited by criminals to manipulate grades.
A report from Check Point details three WordPress plugins popular with schools for distance learning that contain potentially serious bugs.
In some cases, these are basic things like SQL injection attacks or arbitrary file replacement bugs that would alter the back-end of the site. In other cases, however, they found privilege escalation flaws. In the case of a classroom, this would mean a student elevating themselves to obtain the teacher’s credentials.
Ferris Bueller would be so proud …
Scammers caught selling fake passes in Moscow
The Group-IB team said they had broken up a network of more than 100 sites that claimed to allow Russian citizens to bypass the nation’s lockdown orders.
The sites were selling fake street passes – credentials that allow people to drive to Moscow, St. Petersburg and other major cities that limited their travel during the coronavirus pandemic. These passes were of course fake and, in addition to losing their money and angering the police, the victims also risked having their payment information stolen.
Moscow police were able to locate two of the operators and have already arrested them.
Microsoft Releases Edge Chromium Update
Users and administrators running the Chromium version of Edge will want to get an update for two CVE-listed security vulnerabilities. The bugs (CVE-2020-6461, CVE-2020-6462) describe a pair of use-after-free vulnerabilities discovered by researcher Zhe Jin.
But don’t go calling it an out-of-band update from Microsoft. One of the changes to come with Microsoft’s move to the Chrome engine for its Edge browser is a new update schedule. As Google maintains its own calendar for releasing updates, Redmond also finds itself dropping browser updates on days other than Patch Tuesday. ®