The COVID-19 pandemic is creating an urgent need for technical solutions to assist in the critical process of digital contact tracing. Apple has now released iOS 13.5 to the general public, including the exposure notification API framework it developed with Google. In this blog, I’m going to take a deeper look at how these solutions work from a technical perspective and the potential security considerations.
Yes, there’s really a World Password Day. Celebrated on the first Thursday of May, the event was started by Intel in 2013 to raise awareness of the need for secure passwords. As a security professional, I must admit that 7 years later, I question the need to continue to observe this event. Do we, in the year 2020, really still need to be told that passwords are important? Sadly, yes. We still need a reminder that secure passwords are incredibly important. While I imagine most people would say they know that, it’s one thing to know it and quite another to put it into practice. In 2020, issues associated with passwords still abound.
Digital contact tracing is an emerging technology in response to the COVID-19 pandemic. While innovative, intriguing and necessary, it raises some interesting privacy and employment law concerns. My co-author Dan Schwartz and I share our initial thoughts on this evolving issue.
Reports of a bug being actively exploited affecting the Apple Mail iOS application are making news. This bug may have been leveraged in the wild as early as January of 2018, according to sources. Apple has not confirmed that they have seen this attack being exploited against customers. However, it has confirmed that the bug isn’t happening in the beta of the latest (unreleased) iOS. Other security researchers have confirmed the “likelihood” of the legitimacy of this attack being used in the wild. If the vulnerability is truly being exploited, the risks are very real.
A new type of attack, called “Zoombombing” or “Zoomraiding” specifically targets the over 200 million daily Zoom meeting participants that now rely on the video conferencing solution for remote work, remote education and social connection.
On March 22nd, 2020, the remaining provisions of the New York SHIELD Act went into effect (the sections associated with data breach notifications went live in October of 2019). This law dictates the responsibilities organizations have for protecting the personal information data of residents of the State of New York. You may be thinking “our business isn’t based in New York State, so we’re good, right?” You would be wrong.
Even in times like these, the need for proper security never stops. If anything, we are seeing dramatic increases in security threats as bad actors try to capitalize on the chaos and people’s quest for any information on COVID-19. That, along with the nature of our work being different now put us in a spot where organizations need to re-evaluate their security.
Microsoft recently identified a new critical security vulnerability in its Internet Explorer (IE) web browser. Microsoft has confirmed that the vulnerability is being targeted and exploited in the wild, so it is critical that IE users are aware of the issue and how to mitigate it. This vulnerability (CVE-2020-0674) can be exploited by an attacker hosting a crafted website, and grants access to the system with the same privileges as the current user.
Cisco issued guidance on how to identify and remediate the effects of five vulnerabilities in the Cisco Discovery Protocol implementation on some Cisco NX-OS devices. The vulnerabilities could, in certain situations, enable an attacker to trigger a memory overflow and gain control of a vulnerable device or cause it to shut down or reload.
“Patch Tuesday” is the day when Microsoft typically announces and releases all of the security updates for their software products. While every Patch Tuesday can be impactful from a workload standpoint, some announcements from Microsoft carry more weight than others. On Tuesday, January 14th, 2020, we saw another example of that.