This week was full of vulnerabilities, scams and breaches. Not everything is gloomy though, as Zoom announced some new security measures for their platform. Let us go and see what happened.
1. A researcher has publicly disclosed technical details and proof-of-concept code for four unpatched zero-day vulnerabilities affecting IBM's enterprise security software. Interestingly, the researcher went public because IBM refused to acknowledge the existence of the vulnerabilities after they were responsibly disclosed. Three of the vulnerabilities are rated critical, while the remaining one is a high-impact bug. According to IBM, they are working on mitigation steps that they will issue at a later date.
2. COVID-19 continues to be a headache for the cybersecurity community. Israeli researchers report that hackers are trying to scam people with fake websites that claim to register applicants for the government's COVID-19 financial aid. This scam is another example of how malicious actors exploit the fear and uncertainty people feel, for financial and personal profit. We urge all users to be very careful: always check the validity of the email address that contacted you, and only use legitimate government websites if you want to register for financial aid.
3. Another week, another data breach, as a hacker managed to compromise the personal data of 23 million players of the online children's game Webkinz World. The hacker gained access to the 1GB file containing the data through an SQL injection in one of the website's web forms. The company has since patched the entry point, a little too late.
4. More Zoom news, positive this time, as the company announced that the next version will add some security measures. The measures consist of stronger encryption for the data sent between participants in a meeting and the ability for administrators to choose which parts of the world their data is routed through. This update comes a bit too late, since many government and private organizations have already banned Zoom from their video conferences, including Google, India and Taiwan.
5. KrebsOnSecurity just posted a rather impressive scam that will remind every security-conscious person that even they can fall victim to a phone-based phishing scam. The fraud involved the victim taking a call from a malicious actor posing as his bank, informing him of fraudulent activity detected on his account. What followed is very interesting, and I urge you to go and read the article to learn how even a veteran cybersecurity professional can be tricked into losing $10,000 to a phone scam.