Cross-site scripting (XSS) vulnerability in cgi-bin/scrut_fa_exclusions.cgi in Plixer International Scrutinizer NetFlow and sFlow Analyzer 8.6.2.16204 and other versions before 9.0.1.19899 allows remote attackers to inject arbitrary web script or HTML via the standalone parameter.Cross-site scripting (XSS) vulnerability in cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allows remote attackers to inject arbitrary web script or HTML via the newUser parameter. NOTE: this might not be a vulnerability, since an administrator might already have the privileges to create arbitrary script.Multiple SQL injection vulnerabilities in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allow remote attackers to execute arbitrary SQL commands via the (1) addip parameter to cgi-bin/scrut_fa_exclusions.cgi, (2) getPermissionsAndPreferences parameter to cgi-bin/login.cgi, or (3) possibly certain parameters to d4d/alarms.php as demonstrated by the search_str parameter.cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer before 9.0.1.19899 does not validate user permissions, which allow remote attackers to add user accounts with administrator privileges via the newuser, pwd, and selectedUserGroup parameters.At CES 2020, Patriot One Technologies explained its Patscan platform, which can detect hidden weapons and more without the perpetrator even knowing they've been scanned.Researchers found unremovable malware preinstalled in the Unimax U686CL, a budget Android device sold by Assurance Wireless.Cross-site scripting (XSS) vulnerability in the Smiley module 6.x-1.x versions prior to 6.x-1.1 and Smileys module 6.x-1.x versions prior to 6.x-1.1 for Drupal allows remote authenticated users with the "administer smiley" permission to inject arbitrary web script or HTML via a smiley acronym.fwknop before 2.0.3 allow remote authenticated users to cause a denial of service (server crash) or possibly execute arbitrary code.Samsung Kies before 2.5.0.12094_27_11 has registry modification.Samsung Kies before 2.5.0.12094_27_11 has arbitrary directory modification.Samsung Kies before 2.5.0.12094_27_11 has arbitrary file modification.Samsung Kies before 2.5.0.12094_27_11 has arbitrary file execution.Samsung Kies before 2.5.0.12094_27_11 contains a NULL pointer dereference vulnerability which could allow remote attackers to perform a denial of service.The (1) my_popenv_impl and (2) my_spawnv functions in src/condor_utils/my_popen.cpp and the (3) systemCommand function in condor_vm-gahp/vmgahp_common.cpp in Condor 7.6.x before 7.6.10 and 7.8.x before 7.8.4 does not properly check the return value of setuid calls, which might cause a subprocess to be created with root privileges and allow remote attackers to gain privileges via unspecified vectors.Gateway Geomatics MapServer for Windows before 3.0.6 contains a Local File Include Vulnerability which allows remote attackers to execute local PHP code and obtain sensitive information.PHP code injection in TinyWebGallery before 1.8.8 allows remote authenticated users with admin privileges to inject arbitrary code into the .htusers.php file.Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file.The error function in Error.cc in poppler before 0.21.4 allows remote attackers to execute arbitrary commands via a PDF containing an escape sequence for a terminal emulator.EllisLab CodeIgniter 2.1.2 allows remote attackers to bypass the xss_clean() Filter and perform XSS attacks.389 Directory Server before 1.2.7.1 (aka Red Hat Directory Server 8.2) and HP-UX Directory Server before B.08.10.03, when audit logging is enabled, logs the Directory Manager password (nsslapd-rootpw) in cleartext when changing cn=config:nsslapd-rootpw, which might allow local users to obtain sensitive information by reading the log.Electric utilities continue to be a target of nation-state attackers, even before the latest tensions between Iran and the United States, says a critical-infrastructure security firm.After a poke from the UK's watchdog, the companies promised to beef up filters to strain out those who write, buy and sell fluffy nonsense.We'll have one serving of whatever Las Vegas is eating and wish Pittsburg Unified School District good luck with getting unstuck.Attackers are using a serious bug in Citrix products to scan the internet for weaknesses, according to experts.Researchers say that physically disruptive attacks aren't imminent, but an increased focus on U.S. electrical-grid operators doesn't bode well.Despite ranking at the top of respondents' concerns, organizations still show gaps in acting on cybersecurity, Society for Information Management (SIM) report finds.Attackers are creating phishing sites from Sway, an effective approach as links for the domain are typically trusted, says security firm Avanan.The carpentry maxim 'measure twice, cut once' underscores the importance of timely, accurate, and regular metrics to inform security leaders' risk decisions.Possible Iranian retaliation may include cyberattacks, laboratory testing company recieves lawsuit after data breach, and another school district hit with ransomware - catch up on the week's news with the Friday Five.Pretty-Link WordPress plugin 1.5.2 has XSSAt CES 2020, Patriot One Technologies explained its PATSCAN platform, which can detect hidden weapons and more without the perpetrator even knowing they've been scanned.The India-based call centers scammed US victims out of millions of dollars between 2013 and 2016.One way to patch the millennium bug was to move it, rather than actually to fix it... are we looking at Y2.02K?A Virgin Mobile-branded phone distributed by Assurance Wireless to low-income U.S. citizens has a trojan pre-installed that can download additional malware.Cisco patched two high-severity flaws this week, in its Webex and IOS XE Software products.You might not find these measurements on a standard cybersecurity department checklist. But they can help evaluate risks you haven't even considered yet.The new features come from a partnership with security firm Avira, but they won't be free: They're part of a new package called HomeCare Pro.Read insights from industry experts on how artificial intelligence and machine learning will help prevent cybersecurity breaches.In Arial Campaign Enterprise before 11.0.551, multiple pages are accessible without authentication or authorization.Arial Campaign Enterprise before 11.0.551 stores passwords in clear text and these may be retrieved.Arial Campaign Enterprise before 11.0.551 has unauthorized access to the User-Edit.asp page, which allows remote attackers to enumerate users' credentials.The approach allowed researchers to use machine learning on encrypted data without first decrypting it.An SQL Injection vulnerability exists in the ID parameter in Online TV Database 2011.Tinfoil Security's dynamic application and API security testing capabilities will be added to Synopsys Software Integrity Group.CES was more exciting than ever this year. Key topics included 5G, AI, IoT, robotics, Wi-Fi 6, edge computing, automation, blockchain, quantum computing, privacy, AR, and VR.From analytics and AI to 5G and Wi-Fi 6, here's all the enterprise tech that took center stage at CES 2020.At CES 2020, Sleep Number debuted its latest smart beds, which feature climate-controlled technology that gathers data while you snooze.A Westworld-themed experience gave CES attendees a creepy glimpse into tech consequences of the future.From a Firefox zero-day to a military ban on TikTok - and everything in between. It's the weekly security roundup.If that bill passes, you can say bye-bye to YouTube, says one content creator.A letter sent to the Google CEO by Privacy International claims bloatware has allowed a privacy and security hole to open almost unnoticed.Relax: Nic Cage deepfakes aren't going anywhere. It's only "maliciously misleading" impersonations that are now verboten.Looks like the Snake ransomware was created especially for network-wide attacks.New research has heightened an already urgent call to abandon SHA-1, a cryptographic algorithm still used in many popular online services.From analytics and AI to 5G and Wi-Fi 6, here's all the enterprise tech that took center stage at CES 2020.Threat actors will continue to grow enterprise-style businesses that evolve just like their legitimate counterparts.Over 25,000 servers globally are vulnerable to the critical Citrix remote code execution vulnerability.The issue lies in underlying reference software used by multiple cable-modem manufacturers to create device firmware.Mozilla Firefox before 3.6 is vulnerable to XSS via the rendering of Cascading Style SheetsThe Manor Independent School District is investigating a phishing email scam that led to three separate fraudulent transactions.Wondering how this guy could be so clumsy? So is he.A Westworld-themed experience gave attendees a creepy glimpse into tech consequences of the future.Virginia appears to be following in the footsteps of California with a new legislation, the Virginia Privacy Act, that would strengthen the data privacy rights of Virginians.CES wiz-bang surveillance tech gives privacy advocates the willies.Check Point's December 2019 Index finds Emotet as lead malware for the third month in a row, spreading email spam, some which alleged support of the teen activist.Google has removed 17,000 Joker-infested apps from the Play store to date.The wide-scale phishing scam reportedly started in early November and continued through December, before it was discovered by the Texas school district.Windows 7 and Server 2008 will continue to work after Jan. 14, 2020, but will no longer receive security updates.If you can answer these six questions, you'll be off to a great start.Organizations need to apply mitigations for vulnerability in Citrix Application Delivery Controller and Citrix Gateway ASAP, security researchers say.The attack may have compromised donors' payment information.Your best bet is to finish a migration to Windows 10 ASAP, but there are other options in the interim, says content delivery company Kollective.A former contractor in Beijing: βIt sounds a bit crazy now [...] that they gave me the URL, a username and password sent over email.βWe don't care how little you made from your crimes, the judge said. We care that you went after an outfit that gives a ton to charities.Google is testing out a feature to make Android's built-in password manager safer.A fortnight in to 2020 and we have the first security flaw to be given its own name: Cable Haunt - complete with eye-catching logo.Refusal to unlock the phones of a Florida shooter could set up another legal battle between Apple and the Feds over data privacy in the case of criminal investigations.It's the end of support this week for Windows 7 and Server 2008. But what if you truly can't migrate off software, even after security updates stop coming?How some ICS product functions can be weaponized by altering their configurations.Meltdown, Spectre exploits will likely lead to customers making tradeoffs between performance and security of applications, especially virtual and cloud-based appsKoala Framework before 2011-11-21 has XSS via the request_uri parameter.For nearly six months, an attack group linked to Iran reportedly had access to the network of Bahrain's national oil company, Bapco, before it executed a destructive payload.Overall Adobe patched nine flaws in Illustrator CC and Experience Manager.The apps itself isn't malicious - the treachery lies in the payment model.A letter to 25 companies says Consumer Reports will change ratings to reflect stronger security and privacy standards.PacketFence is a network access control (NAC) system. It is actively maintained and has been deployed in numerous large-scale institutions. It can be used to effectively secure networks, from small to very large heterogeneous networks. PacketFence provides NAC-oriented features such as registration of new network devices, detection of abnormal network activities including from remote snort sensors, isolation of problematic devices, remediation through a captive portal, and registration-based and scheduled vulnerability scans.Today's the day. The balloon goes up. The ship goes down. The patches fall behind. The crooks pull ahead.The cloud-focused program will pay out $10,000 as its top reward.Google says it has a two-year timeline for phasing out support for third-party cookies in its Chrome web browser.How prepared is the energy sector for an escalating attack surface in the operating technology environment? Here are five trends to watch.Network intruders are staying undetected for an average of 95 days, enabling them to target critical systems and more completely disrupt business.With no bug fixes or patches available for Windows 7 after Jan. 14, Veritas CIO John Abel offers tips to safeguard the PCs in your organization.CISA, the DHS agency that oversees cybersecurity matters in the US, is urging organizations to patch Pulse Secure VPN servers in the wake of news that they're being used to spread ransomware.It's "not about blocking" but removing them altogether, the company said.The oil & gas company is at the heart of the ongoing US presidential impeachment case.January Patch Tuesday tackles 50 bugs, with eight rated critical, all as it pushes out its last regular Windows 7 patches.Magecart groups using automated infection scans infected the site, which was running outdated Magento software.The flaw, in Intel VTune Profiler, could enable privilege escalation.A Code Execution vulnerability exists the attachment parameter to index.php in Jcow CMS 4.x to 4.2 and 5.2 to 5.2.Meltdown, Spectre exploits will likely lead to customers making tradeoffs between performance and security of applications, especially virtual and cloud-based appsIt's a big one. Don't wait around, get your updates right now!A Cross-Site Scripting (XSS) vulnerability exists in the g parameter to index.php in Jcow CMS 4.2 and earlier.A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier.A Cross Site Request Forgery (CSRF) vulnerability exists in the administrator functions in WebsiteBaker 2.8.1 and earlier due to inadequate confirmation for sensitive transactions.An Arbitrary File Upload vulnerability exists in admin/media/upload.php in WebsiteBaker 2.8.1 and earlier due to a failure to restrict uploaded files with .htaccess, .php4, .php5, and .phtl extensions.An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display.A Cross-Site Scripting (XSS) vulnerability exists in the reorder administrator functions in sNews 1.71.The software giant patched 300+ bugs in its quarterly update.Many companies are struggling to get a handle on risk exposure because of visibility issues, Radware survey shows.The National Security Agency is publicly acknowledged for its finding and reporting of CVE-2020-0601, marking the start of what it says is a new approach to security.Attorney General Barr and President Trump are demanding Apple unlock the mass shooter's iPhone. Apple replies: You can't break just 1 phone.No need to wait until you've gurgled out of your mother's womb to experience the joys of having your privacy breached.The malware is new and in the early stages of its development -- but packs a sophisticated punch.Criminals have been caught trying to sneak a malicious package on to the popular Node.js platform npm (Node Package Manager).Here are the most serious bugs from Microsoft's Patch Tuesday - Including CryptoAPI and RCE flaws in Windows Remote Desktop Gateway.A new report recommends that corporate boards answer four key questions on a regular basis to guide cybersecurity governance.Enterprises currently consider the technology a best practice because of its flexibility, scalability, performance, and agility.Designed to exploit a vulnerability in Windows 10 and Windows Server 2016 and 2019, the bug could allow an attacker to remotely access and control an infected computer.Joomla! before 2.5.3 allows Admin Account Creation.Joomla! core before 2.5.3 allows unauthorized password change.Cisco IronPort Web Security Appliance up to and including 7.5 does not validate the basic constraints of the certificate authority which could lead to MITM attacksCisco IronPort Web Security Appliance does not check for certificate revocation which could lead to MITM attackswhoopsie-daisy before 0.1.26: Root user can remove arbitrary filesCisco IronPort Web Security Appliance AsyncOS software prior to 7.5 has a SSL Certificate Caching vulnerability which could allow man-in-the-middle attacksspamdyke prior to 4.2.1: STARTTLS reveals plaintextJoomla! 1.5x through 1.5.12: Missing JEXEC CheckTiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.Legal battle pitting Feds against the tech giant over data privacy and device security in criminal cases seems inevitable.You'll be surprised at how many devices, apps, and services are associated with your Firefox cloud account. Find out how to remove them.Google is aiming to phase out third-party cookies in Chrome in two years, but that will have to prove palatable to users, publishers, and advertisers.Together, the Travel & Hospitality ISAC and the Retail & Hospitality ISAC intend to improve communications and collaboration about the evolving threat landscape.Honeypots are crucial tools for security researchers and security teams. Understanding what they are and what they can do can be critical for making them safe and useful for your organization.Common and evolving strategies include the use of zero-font attacks, homograph attacks, and new tactics for fake attachments.Class members have until Jan. 22, next week, to claim benefits.Written off multiple times as obsolete, firewalls continue to elude demise by adding features and ensuring that VPNs keep humming.A concerted, targeted phishing campaign took aim at 600 different staffers and officials, using Norway as a lure.Snare for Linux before 1.7.0 has CSRF in the web interface.EMC RepliStor Server Service before ESA-09-003 has a DoASOCommand Remote Code Execution Vulnerability. The flaw exists within the DoRcvRpcCall RPC function -exposed via the rep_srv.exe process- where the vulnerability is caused by an error when the rep_srv.exe handles a specially crafted packet sent by an unauthenticated attacker.The Linux kernel before 2.4.36-rc1 has a race condition. It was possible to bypass systrace policies by flooding the ptraced process with SIGCONT signals, which can can wake up a PTRACED process.Systrace before 1.6.0 has insufficient escape policy enforcement.Simple Machine Forum (SMF) versions 1.0.4 and earlier have an SQL injection vulnerability that allows remote attackers to inject arbitrary SQL statements.The employees allegedly stole confidential information belonging to the company, including batch production control records for drug manufacturing, according to reports.Many organizations underestimate the value of their data to skilled and organized cybercriminals, said security provider eSentire.Threatpost talks to Venafi about the recently-disclosed Microsoft vulnerability and whether the hype around the flaw was warranted.Imperva SecureSphere Web Application Firewall (WAF) before 12-august-2010 allows SQL injection filter bypass.The iPhone can now be used in lieu of a physical security key as a means of protecting Google accounts.There are five different pillars to implement when moving to a modern, zero-trust security model.Authentication bypass bugs in WordPress plugins InfiniteWP Client and WP Time Capsule leave hundreds of thousands of sites open to attack.Company agrees to set aside a minimum of $380.5 million as breach compensation and spend another $1 billion on transforming its information security over the next five years. The 147 million US consumers affected by the breach have one week from today to file a claim.There is a file disclosure vulnerability in SMF (Simple Machines Forum) affecting versions through v2.0.3. On some configurations a SMF deployment is shared by several "co-admins" that are not trusted beyond the SMF deployment. This vulnerability allows them to read arbitrary files on the filesystem and therefore gain new privileges by reading the settings.php with the database passwords.A backdoor (aka BMSA-2009-07) was found in PyForum v1.0.3 where an attacker who knows a valid user email could force a password reset on behalf of that user.python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XSS) issues.Fight for the Future is building on its success in pressuring concert promoters to back off of plans to use the technology at festivals.Google doesn't want to block third-party cookies in Chrome right now. It has promised to make them obsolete later, though. Wait - what?Apps like Grindr, Tinder and Happn are (over-)sharing data about sexuality, religion, and location with a shadowy network of data brokers. And it's not just dating apps that are doing it...Researchers have discovered bad authentication bypass vulnerabilities affecting two WordPress plugins which should be patched as soon as possible.New research shows apps that dupe users into being charged excessively with little reward persist on the Android app store.AD is still the single point of authentication for most companies that use Windows. But it has some shortcomings that should be addressed.Two proof-of-concept exploits were publicly released for the major Microsoft crypto-spoofing vulnerability.New episode - listen now!Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers.A "pre-mortem analysis" sheds light on the potential destruction of a cyberattack against major US banks.We said, "Assume that someone will find out how to do it pretty soon," and that's exactly what happened.The only Democratic campaign known to have a CISO loses Mick Baccio due to a "fundamental philosophical difference with campaign management."Now that you have the Observium network monitoring platform installed, it's time to add a host.A hellish mix of features shows the 5ss5c ransomware to be the son of Satan.Cisco Unified Personal Communicator 7.0 (1.13056) does not free allocated memory for received data and does not perform validation if memory allocation is successful, causing a remote denial of service condition.Cybercriminals are evolving their tactics, and the security community anticipates voice and video fraud to play a role in one of the next big data breaches -- so start protecting your business now.The work by security researcher Saleem Rashid shows that the bug could be exploited in the real world to spoof security certificates on machines without Microsoft's patch.The most successful email lures don't promise riches, but issue imminent cybersecurity warnings or urgent office messages, a report reveals.The U.S. HHS released a draft of its federal health IT plan for 2020-2025 and health and privacy are top of mind.iPhone users can now use Bluetooth to secure their Google accounts.The flaws affect a key tool for managing its network platform and switches.Malware described by the DHS as among the worst ever continues to evolve and grow, researchers from Cisco Talos, Cofense, and Check Point Software say.Risks of nation-state attacks go beyond Iran, and the need for awareness and security don't stop at any national border.Recommendations cover areas including security and privacy while listing alternatives to free online services that slurp your users' data."People think they're going to put on a cute filter and have puppy dog ears, and not realize that that data's being collected."Google has updated its Smart Lock to let iOS users security-dongle-ize their iPhones.The January 2020 update featured a joint record of 334 patches, matching an identical number released in July 2018.As more troops are deployed to the Middle East, the U.S. military fears OPSEC failures, an app exposed the sensitive data of babies, and a site helping Australian bushfire victims becomes a victim itself - catch up on the week's news with the Friday Five.By inserting themselves into business emails among employees, cybercriminals can trick victims into wiring money or sharing payment information, says security firm Barracuda Networks.Fraudulent emails tell recipients their W-2 forms are ready and prompt them to click malicious links.You'll get the best results when you're clear on what you want to accomplish from a pen test.The agency changed its policy to provide more timely and actionable information to state and local election officials in the case of a cybersecurity breach to election infrastructure.Following a year that saw the fewest number of vulnerabilities reported since 2015, Oracle's latest quarterly patch fixes nearly 200 new vulnerabilities.The website, WeLeakData.com, claimed to have more than 12 billion records gathered from over 10,000 breaches.A new report from Check Point recaps the cybercrime trends, statistics, and vulnerabilities that defined the security landscape in 2019.Our tips will help you boost your resistance to phishing, even when the crooks make a determined effort to reel you in.Are publicly-released PoC exploits good or bad? Why is the Joker malware giving Google a headache? The Threatpost team discusses all this and more in this week's news wrap.CES 2020: A "hacked" robot was on display to demonstrate how SigmaDots serverless architecture is poised to fend off IoT security threats.Are publicly released proof-of-concept exploits more helpful for system defenders -- or bad actors?IoT security is becoming a top-of-mind priority in the personal care industry. Essence group believes it has the solution and had it on display at CES 2020.Weak challenge questions by customer service reps make it easy for fraudsters to hijack a phone line and bypass 2FA to breach accounts.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1382. Reason: This candidate is a reservation duplicate of CVE-2008-1382. Notes: All CVE users should reference CVE-2008-1382 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.The WeLeakInfo "data breach notification" domain is no more.Researchers say that JhoneRAT has various anti-detection techniques - including making use of Google Drive, Google Forms and Twitter.Commentary: As more workloads move to the cloud, developers need help with security. Find out how the startup Cyral is helping to improve data security in the cloud.From nasty snakes to rickrolling the NSA, get up to date with everything we've written in the last seven days - it's weekly roundup time.The Spinner personalises βsubconscious influencingβ for a specific target.Molly Russell's grieving father has backed a psychiatrists' report, saying that tech companies must be forced to hand over anonymized data.The FBI has announced that it will tell local election officials when hackers try to infiltrate their systems.The FBI has seized the domain for WeLeakInfo.com, a site that sold breached data records, after a multinational effort by law enforcement.There are many ways to improve your organization's cybersecurity practices, but the most important principle is to start from the top.Maavi is a fuzzing tool that scans for vulnerabilities with obfuscated payloads. Has proxy support, records full history of actions, and has various bells and whistles.A new bill in California would amend the CCPA and further health data exemptions - namely data that's been de-identified in the eyes of HIPAA.There are many ways to improve your organization's cybersecurity practices, but the most important principle is to start from the top.With 2FA enabled on your Docker Hub account, you'll find you cannot access it with your user password from within the CLI. Jack Wallen shows you how to make this work.A researcher has discovered thousands of Tinder users' images publicly available for free online.NULL is assigned to local instance of audio device pointer after free instead of global static pointer and can lead to use after free issue in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8053, MDM9206, MDM9207C, MDM9607, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8998, Nicobar, QCS605, Rennell, SA6155P, SDM630, SDM636, SDM660, SDM670, SDM710, SDM845, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR2130Buffer over-read can occur while playing the video clip which is not standard in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCS605, QM215, Rennell, SA6155P, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130Null pointer dereference can occur while parsing the clip which is nonstandard in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCS605, QM215, Rennell, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130Improper initialization of local variables which are parameters to sfs api may cause invalid pointer dereference and leads to denial of service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9206, MDM9607, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8998, QM215, SDA660, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660While transferring data from APPS to DSP, Out of bound in FastRPC HLOS Driver due to the data buffer which can be controlled by DSP in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCN7605, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SDX55, SM6150, SM8150, SM8250, SXR1130, SXR2130While trying to obtain datad ipc handle during DPL initialization, Heap use-after-free issue can occur if modem SSR occurs at same time in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Wearables in APQ8009, APQ8053, APQ8096AU, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCS605, QM215, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SXR1130Null-pointer dereference issue can occur while calculating string length when source string length is zero in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996, Nicobar, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDX20, SM6150, SM8150, SM8250, SXR1130, SXR2130Most of the US and China's requests had to do with investigations into fraud, suspected account access and phishing.Looking to switch things up but not sure how to do it? Security experts share their advice for switching career paths in the industry.Citrix has issued its first set of patches fixing a nasty vulnerability that's been hanging over some of its biggest products.Bad actor obtained passwords for servers, home routers, and smart devices by scanning internet for devices open to the Telnet port.A fictitious industrial company with phony employees personas, website, and PLCs sitting on a simulated factory network fooled malicious hackers - and raised alarms for at least one white-hat researcher who stumbled upon it.Commentary: Users tend to stick with their preferred browser even when it works poorly for them.A security key is a good option to use for two-factor authentication when logging into certain websites.Among 60,000 large companies analyzed by security ratings company BitSight, almost 90% still have Windows 7 PCs in their environment.Traditional data-leak prevention is not enough for businesses facing today's dynamic threat landscape.CVE-2020-0674 is a critical flaw for most Internet Explorer versions, allowing remote code execution and complete takeover.New versions of the ransomware now sniff out saved credentials for Internet Explorer, Mozilla Firefox, Mozilla Thunderbird, Google Chrome and Microsoft Outlook.We all make assumptions. They rarely turn out well. A new/old date problem offers a lesson in why that's so.Managing multiple devices can be a full-time job. With a few tools in your arsenal, you can optimize mobile devices for zero-touch management.Citrix has issued the first of several updates fixing a critical vulnerability in various versions of its Citrix Application Delivery Controller (ADC) and Citrix Gateway products.More businesses think SD-WAN will reduce WAN costs, but only 37% think SD-WANs will help defend against malware and other threats.The latest version of the FTCode ransomware can steal credentials from five popular browsers and email clients.Prizm Content Connect 5.1 has an Arbitrary File Upload VulnerabilitymIRC prior to 7.22 has a message leak because chopping of outbound messages is mishandled.Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.websitebaker prior to and including 2.8.1 has an authentication error in backup module.Jara 1.6 has an XSS vulnerabilityJara 1.6 has a SQL injection vulnerability.Mozilla Firefox prior to 3.6 has a DoS vulnerability due to an issue in the validation of certificates.Mozilla Firefox through 1.5.0.3 has a vulnerability in processing the content-length headerA new report recommends that corporate boards answer four key questions on a regular basis to guide cybersecurity governance.While doing good for the user is the theoretical ideal, the threat of fiscal repercussions should drive organizations to take privacy seriously. That means security and data privacy teams must work more closely.Simple Machine Forum (SMF) versions 1.0.4 and earlier have an SQL injection vulnerability that allows remote attackers to inject arbitrary SQL statements.A new report that aggregates post-GDPR data breach statistics in Europe suggests new, higher fines are to come in 2020.WebSploit is an advanced man-in-the-middle framework.This application, known as the SolarWinds n-Central Dumpster Diver, utilizes the nCentral agent dot net libraries to simulate the agent registration and pull the agent/appliance configuration settings. This information can contain plain text active directory domain credentials. This was reported to SolarWinds PSIRT(psirt@solarwinds.com) on 10/10/2019. In most cases the agent download URL is not secured allowing anyone without authorization and known customer id to download the agent software. Once you have a customer id you can self register and pull the config. Application will test availability of customer id via agent download URL. If successful it will then pull the config. We do not attempt to just pull the config because timing out on the operation takes to long. Removing the initial check, could produce more results as the agent download could be being blocked where as agent communication would not be. Harmony is only used to block the nCentral libraries from saving and creating a config directory that is not needed.The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. This is the cross platform package.Personal data on over 8,100 individuals and confidential business information likely exposed in June 2019 incident.The purchase is intended to bring new cloud capabilities to the FireEye Helix security platform.Researchers have discovered how ransomware can take advantage of the Windows Encrypting File System, prompting security vendors to release patches.Software firm is "aware of limited targeted attacks" exploiting a scripting issue vulnerability in Internet Explorer 9, 10, and 11 that previously has not been disclosed.A sophisticated malware-as-a-service phishing kit includes full customer service and anti-detection technologies.Commentary: There's a lot of hype about bug bounties, but here's some truth.Our unique dancing style can be used by a machine-learning model to ID us, regardless of musical genre. Unless it's Metal. We all headbang.Another company has ended up accidentally spilling sensitive data from business collaboration tool Trello.How do you ensure you're compliant with privacy regulations? NIST has released a Privacy Framework to help you get your house in order.The network of sites and services run by the alleged operators target the Rainbow Six Siege game, selling attacks to cheating players.More than half of security experts think that the good outweighs the bad when it comes to proof-of-concept exploits, according to a recent Threatpost poll.Palo Alto Networksβ Unit 42 researchers observed a variant of the wormlike botnet that adds scanner technology to brute-force Web authentication.They're especially relevant regarding several issues we face now, including biometrics, secure data management, and human error with passwords.ImpressPages CMS v1.0.12 has Unspecified Remote Code Execution (fixed in v1.0.13)The cybercriminals behind the powerful banking malware have turned their attention to government targets like Sen. Cory Booker.The trove of information is potentially a scammer's bonanza.The newest version of the sLoad malware dropper comes equipped with infection tracking capabilities and an anti-analysis trick.Logwatch analyzes and reports on unix system logs. It is a customizable and pluggable log monitoring system which will go through the logs for a given period of time and make a customizable report. It should work right out of the package on most systems.The company today disclosed an approach to data security designed to protect against modern threats at a lower cost than complex network tools.A Cross-site Scripting (XSS) vulnerability exists in the Serendipity freetag plugin before 3.30 in the tagcloud parameter to plugins/serendipity_event_freetag/tagcloud.swf.Multiple Cross-site Scripting (XSS) vulnerabilities exist in Joomla! through 1.7.0 in index.php in the search word, extension, asset, and author parameters.A Cross-site Request Forgery (CSRF) vulnerability exists in Advanced Electron Forums (AEF) through 1.0.9 due to inadequate confirmation for sensitive transactions in the administrator functions.Microsoft has today announced a data breach that affected one of its customer databases.New guidelines show how the agency will coordinate with state officials in the event of a cyberattack on election infrastructure.Exactly who is king of the castle here?Recent data protection laws mean that the data protection officer and CISO must work in tandem to make sure users' data is protected.Some the records, found on five identically configured servers, might have contained data in clear text.NIST released new guidance last week, its Privacy Framework, that can be used by organizations as a risk management tool, to answer questions about its privacy posture, or establish its own program.A reverse proxy issue exists in FluxBB before 1.4.7 when FORUM_BEHIND_REVERSE_PROXY is enabled.An Access Control vulnerability exists in the Facebook, Twitter, and Embedded plugins in Vanilla Forums before 2.0.17.9.An issue exists in Vanilla Forums before 2.0.17.9 due to the way cookies are handled.Cross-Site Request Forgery (CSRF) vulnerability exists in panel.php in UseBB before 1.0.12.A File Inclusion vulnerability exists in act parameter to admin.php in UseBB before 1.0.12.An attack chain of vulnerabilities in ConnectWise's software for MSPs has similarities to some of the details of the August attack on Texas local and state agencies.Organizations are moving toward next-generation cybersecurity solutions this year, but security fragmentation is a looming threat.You'll be surprised at how many devices, apps, and services are associated with your Firefox cloud account. Find out how to remove them.A Cross-Site Scripting (XSS) vulnerability exists in the admin login screen in Phorum before 5.2.18.For all the cautions against doing so, one-third of organizations in a Proofpoint survey said they paid their attackers after getting infected with ransomware.A newly discovered threat actor named Vivin is raking in Monero from cryptomining malware, showing that this type of attack isn't going away anytime soon.New research finds security operations centers suffer high turnover and yield mediocre results for the investment they require.The competition targets the systems that run critical infrastructure and more.Companies should realize that any user could be a target and use threat data to build a security awareness training program, says Proofpoint.Whatβs the difference between a real job and a fake one found on the internet? The fake ones are suspiciously easy to get interviews for.Stopping software updates for legacy kit is nothing new, but it's the way the company has done it that has Sonos customers' hackles up.Sources told Reuters that Apple may have been convinced by arguments made during the legal fight over cracking the San Bernardino iPhone.Digital forensic evidence points to the phone's massive, months-long data egress having likely been triggered by Pegasus mobile spyware.New research outlines vulnerabilities in Safariβs Intelligent Tracking Protection that can reveal user browsing behavior to third parties.Is there some good news hidden in the story of the CVE-2020-0601 crypto vulnerability?A general approach to privacy, no matter the regulation, is the only way companies can avoid a data protection disaster in 2020 and beyond.Attackers 'weaponized' Active Directory to spread the ransomware.The critical flaw exists in Cisco's administrative management tool, used with network security solutions like firewalls.Budget limitations and a lack of knowledge or training are two major factors hurting many SMBs, according to a survey from Untangle.Sysdig falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think about falco as a mix between snort, ossec and strace.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.mIRC before 6.35 allows attackers to cause a denial of service (crash) via a long nickname.Server-side request forgery (SSRF) vulnerability in feed-proxy.php in extjs 5.0.0.CISA has released an advisory for six high-severity CVEs for GE Carescape patient monitors, Apex Pro, and Clinical Information Center systems.Expect cache attacks to get worse before they get better. The problem is that we don't yet have a good solution.The malware uses thousands of partner websites to spread malvertising code.The malicious email campaign included a never-before-seen malware downloader called Carrotball, and may be linked to the Konni Group APT.CISA is spreading new guidance to ensure admins can properly defend against Emotet malware attacks, which the agency claims are on the rise.The Feds have warned on six vulnerabilities in GE medical equipment that could affect patient monitor alarms and more.A new document separates cloud vulnerabilities into four classes and offers mitigations to help businesses protect cloud resources.Emotet is considered one of the most damaging banking Trojans, primarily through its ability to carry other malware into an organization.TechRepublic's Karen Roby talks with Radware exec Mike O'Malley about the growing security risks that accompany 5G for providers, smart cities, and the enterpriseTechRepublic's Karen Roby talks with Radware exec Mike O'Malley about the growing security risks that accompany 5G for providers, smart cities, and the enterprise.Learn how to secure Firefox tabs from mischief with the Don't Touch My Tabs add-on.In two years, the adware-dropping Shlayer Trojan has spread to infect one in 10 MacOS systems, Kaspersky says.A new, comprehensive code will compel online services to put children's health and safety before data-collecting profits.How Sergey Denisoff described his early ad-buying ventures: buying BS popup traffic and reselling it to buyers demanding BS traffic.The street outside ICAAN's offices in Playa Vista, California, is likely a little more crowded than normal.The honeypot demonstrates the various security concerns plaguing vulnerable industrial control systems.Looking to change jobs? Watch out for fraudsters who use legitimate job services, slick websites, and an interview process to convince applicants to part with sensitive personal details.You'll need to add resume tactician to your skill set in order to climb up the next rung on the security job ladder. Here's how.Learn how to avoid saving your Docker login credentials in plain text by creating an encrypted credential storage.Now that you have the Observium network monitoring platform installed, it's time to add a host.Appleβs much-vaunted Intelligent Tracking Prevention (ITP) could leave users exposed to a raft of privacy issues, including - ironically - being tracked.testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws, and much more. It is written in (pure) bash, makes only use of standard Unix utilities, openssl and last but not least bash sockets.The newly-introduced bill targets the Patriot Act's Section 215, previously used by the U.S. government to collect telephone data from millions of Americans.Cybercriminals created a homemade RAT that uses multiple cloud services and targets countries like Saudi Arabia, Iraq, Egypt, Libya, Algeria, and Morocco.Job performance details of over 900 employees left exposed online, a new ransomware family targets Windows 10 users, and more - catch up on the week's news with the Friday Five.The flaw could allow a remote, unauthenticated attacker to enter a password-protected video conference meeting.Russian national faced multiple charges in connection with operating the marketplace for stolen credit-card credentials, and a forum for VIP criminals to offer their services.Ransomware actors are turning their sights on larger enterprises, making both average cost and downtime inflicted from attacks skyrocket.There are important steps security teams should take to be ready for the evolving security threats to the IoT in 2020.The DEF CON Social Engineering Capture the Flag contest inspired a new event aimed at teaching both security and non-security professionals on the fine art of hacking human behavior.Lulzbuster is a very fast and smart web directory and file enumeration tool written in C.From a big Microsoft data breach to the seizing of a stolen-creds site by the FBI - and everything in between. It's weekly roundup time.One of the proposed bills would set up a $5m fund to help small towns upgrade their systems and bolster their security.Instagram CEO Adam Mosseri's houses were surrounded by SWAT teams after hoax phone calls claimed hostages were being held there.It's both a genius move to protect from assault and fraud and a personal data grab.The new U.K. law mandates that manufacturers apply several security controls to their connected devices.Cardplanet offered refunds on invalid card data, along with a card checking service that ensured a stolen card was still valid.Take this quick, multiple choice survey and tell us about your company's cybersecurity strategies for the upcoming year.Privacy-mature companies complete sales more quickly, have fewer and less serious breaches, and recover from incidents faster, according to Cisco's annual survey.Tiki 8.2 and earlier allows remote administrators to execute arbitrary PHP code via crafted input to the regexres and regex parameters.NetworkManager 0.9.x does not pin a certificate's subject to an ESSID when 802.11X authentication is used.State senators have issued proposals they say would encourage municipalities to upgrade their cyber-postures.The employee accessed information, including names, addresses, and social security numbers, from Feb. 2017 to Oct. 2019.Researchers wonder if a recent "amateur spam" campaign by the once-prevalant malware distribution botnet is a sign of trojans looking to other infection paths.After discovering a wide pattern of potentially malicious behavior in browser extensions, the two search giants are cracking down.Learn how to secure Firefox tabs from mischief with the Don't Touch My Tabs add-on.The risk management field is growing more challenging as threats evolve. How will these changing threats affect your organization in 2020?aircrack-ng is a set of tools for auditing wireless networks. It's an enhanced/reborn version of aircrack. It consists of airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), airdecap (decrypts WEP/WPA capture files), and some tools to handle capture files (merge, convert, etc.).Ransomware attackers collected an average of around $84,000 from victim organizations, up from $41,000 in Q3 of 2018, Coveware says.Okta's annual study shows companies investing in apps and tools focused on security, data, and app development; favorites include GitHub and Zoom.Mozillaβs policy is unambiguous - add-ons must be self-contained and not load remote code, which opens up the user to all sorts of risks.Cisco has patched bugs in Webex and in Firepower Management Centre, the device that controls its security products.A potential class action says Clearview AI is breaking biometrics privacy law by ransacking social media so police can match photos with IDs.The government has flip-flopped, most recently proposing rules that would transfer regulation out of the hands of the State Department.Zoom has patched a flaw that could have allowed attackers to guess a meeting ID and enter a meeting.New research from IOActive has found that βblindlyβ trusting the encryption of the widely adopted device protocol can lead to DDoS, sending of false data and other cyber attacks.A newly discovered Zoom vulnerability would have enabled an attacker to join active meetings and access audio, video, and documents shared.While there are dozens of metrics available to determine success, there are two key cybersecurity performance indicators every organization should monitor.Learn how to avoid saving your Docker login credentials in plain text by creating an encrypted credential storage.Here are 5 things you can start doing today for your own and for everyone else's online good!Here are 10 important tasks security administrators should perform to keep devices protected and secure.An Access Control vulnerability exists in the Facebook, Twitter, and Embedded plugins in Vanilla Forums before 2.0.17.9.An issue exists in Vanilla Forums before 2.0.17.9 due to the way cookies are handled.Many executives either don't know what their company's cyber defense is, lack budget, or spend too much time analyzing rather than taking action.The Amazon-owned video doorbell uses third-party trackers to serve up rich data to marketers without meaningfully notifying users.Finally, some good news about CCPA: If you've built your security infrastructure to PCI DSS standards, you may be already covered by California's new data protection rulesIntel has promised a third patch to remediate the Zombieload speculative execution vulnerability.In a criminal trial, prosecutors for the now defunct fitness tracking company Jawbone are alleging the ex-employee stole studies the company considered its βcrown jewels" before joining Fitbit.The pair, based in Fort Lauderdale, Fla., were running a sophisticated credit card fraud factory.Begin with one application, then give your tech team some time to learn.Threat actors leveraging social media for hacks and misinformation are growing more coordinated.Researchers have release a new proof-of-concept attack targeting a new Intel Speculative-type bug called CacheOut present in most Intel CPUs.In the past few years, social media has transformed from a communications gold mine to a minefield of disinformation campaigns.The root keys used to protect communication on LoRaWAN infrastructure can be easily obtained, IOActive says.Hackers claiming to be from the hacktivist group OurMine temporarily took over Twitter accounts of the NFL and several teams in the league."We are here to show people that everything is hackable," says hacking group OurMine, back to spread its unwelcome spiel on hacked accounts.Hefty collection of U.S. and international payment cards from the incident revealed in December found up for sale on dark-web marketplace Jokerβs Stash.Google Chrome extension developers have been left high and dry for weeks as the company struggles to cope with a spike in fraud on the Chrome Web Store.β¦ with a clumsily worded proposed bill that wouldn't protect researchers.Marking yesterday's 14th anniversary of Europe's first data protection day reminds us how far we still have to go.Threat hunting is a sophisticated, advanced technique that should be reserved for specific instances and be conducted only by trained professionals.Attacks against endpoints have become more costly, up more than $2 million since 2018.Threat hunting is a sophisticated, advanced technique that should be reserved for specific instances and be conducted only by trained professionals.Just how much will that Β£1000 "free" gift card cost? We took a look so you don't have to...Forget the infamous Meltdown and Spectre chip flaws from 2018, the problem thatβs tying down Intelβs patching team these days is a more recent class of side channel vulnerabilities known collectively as ZombieLoad.While the California Consumer Privacy Act will force companies to provide a modicum of meaningful privacy, World Privacy Day still mainly celebrates data security.A software identity-based approach should become a standard security measure for protecting workloads in all enterprise networks.Maya Horowitz with Check Point Research discussed recently-disclosed Zoom vulnerabilities that could have opened up web conferencing meetings to hackers.Admins are encouraged to update their websites to stave off attacks from Magecart card-skimmers and others.The Joker's Stash underground marketplace is offering stolen payment card data from Wawa's recently disclosed data breach.Dokeos 2.1.1 has multiple XSS issues involving "extra_" parameters in main/auth/profile.php.contao prior to 2.11.4 has a sql injection vulnerabilityGet them now before the crooks figure out what to do with the holes.Common elements to highly effective security champion programs that take DevSecOps to the next levelThe root keys used to protect communication on LoRaWAN infrastructure can be easily obtained, IOActive says.Data privacy is an increasing concern for companies and individuals. Learn more about what's on the landscape for 2020.Common elements to highly effective security champion programs that take DevSecOps to the next level.Hershey is suing a former exec who it claims took valuable trade secrets before leaving his job for a snack bar maker.After a year of big changes, white hats reaped more from Google's programs than ever before.Is a Linux SSH GUI in your future? Jack Wallen believes once you try Snowflake, there's no going back.Is a Linux SSH GUI in your future? Jack Wallen believes once you try Snowflake, there's no going back.The latest version of the BitWarden Android client supports facial recognition. Find out how to enable it.The latest version of the BitWarden Android client supports facial recognition. Find out how to enable it.BabyGekko before 1.2.4 has SQL injection.The team sheds light on how their organization works and what they're watching in the threat landscape.Songs by Ariana Grande, Taylor Swift, and Post Malone are the most popular places.Appleβs iOS 13.3.1 update includes a host of security patches and a way to turn off U1 Ultra Wideband tracking.Servers worldwide that were used to control malware-infected systems jumped more than 71% compared to 2018, Spamhaus says.Pwn2Own Miami could help spur more research on and attention to the security of industrial control system products, experts say.The manufacturers have issued BIOS updates to address the issues, but researchers warn DMA attacks are likely possible against a range of laptops and desktops.eSurv execs have been charged with fraud, unauthorized access to a computer system, illicit interception and illicit data processing.The settlement in a case over the social networkβs Tag Suggestions feature is the latest financial blow the company has taken over its handling of user privacy.The US state wants to make sure employers don't "overstep their bounds" by imposing mandatory employee microchipping.Hershey is suing a former exec who it claims took valuable trade secrets before leaving his job for a snack bar maker.Reportedly, the bug wasn't patched, leading to a data breach in July.Facebook's new Off-Facebook Activity feature is part of the company's effort to appear more privacy-friendly to its users.Too many states and municipalities still rely on aging systems; it's time they upped their game and treated election technology like they would any other security project.A surprising number of users seem to be setting Trello boards, and their often highly sensitive content, to βpublicβ.New episode available now.Most laptops, workstations, and servers are still vulnerable to physical attacks via direct memory access, despite mitigations often being available, report says.Vulnerabilities allow unauthenticated remote attackers to access sensitive device information and launch denial of service attacks.The recently disclosed Jeff Bezos phone hack and other incidents show that mobile devices are being increasingly targeted by sophisticated nation-state attackers.A remote code execution flaw enabled a breach of UN offices in Geneva and Vienna, as well as the Office of the High Commissioner for Human Rights.The ongoing global spread of the disease precipitates malware infections.The U.N. confirmed the incident but there are conflicting reports whether or not data was exfiltrated as a result.For businesses planning to adopt 5G, the sheer number of IoT devices creates a much larger attack surface.An investigation of airport cybersecurity found glaring gaps in security for web and mobile applications, misconfigured public clouds, Dark Web exposure and code repositories leaks.SMBs need action, not just insight.SMBs need action, not just insight.Given the tech industry's poor track record of protecting users data and controlling its environmental impact, regulators around the globe are stepping into the void.Developers behind WordPress plugin Code Snippets have issued a patch for the high-severity flaw.Implementing basic strategies can ensure your remote team's work will be secure, data will be protected, and you'll be far less exposed to security risks.Competitions for users are a long-time tradition on underground cybercrime forums for members looking for money - and cred with major criminal syndicates.Some 93% of all mobile transactions across 20 countries were blocked as fraudulent, Upstream says.Researchers detail the process of finding two flaws in the Azure Stack architecture and Azure App Service, both of which have been patched.How an organization handles a breach can be just as critical as protecting against one, according to Security.org.A class-action lawsuit against Facebook for the use of its tag suggestions feature looks like it's finally done churning through the courts.Program is the latest the tech giant has launched that pay users and security researchers to find vulnerabilities in its numerous products.They use it to offer things like budgeting apps. It puts passwords and privacy at risk, but some say they can't afford to build APIs instead.The DOI has doubled down on a previous order, keeping the agencyβs drones grounded for another 30 days for a more in-depth security review.UN staffers: the "entire domain" was probably compromised by an attacker who was lurking on the UN's networks.Larger winnings for underground skills competitions are attracting sophisticated crime groups.Falling prey to a hacker because it neglected to properly patch its systems, the United Nations also failed to publicly disclose the hack. Here's how your organization can avoid the same mistakes.Lulzbuster is a very fast and smart web directory and file enumeration tool written in C.Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.Microsoft OS flaws, out-of-bounds reads, ICS gear and a record number of high-severity bugs marked 2019 for the ZDI program.Learn how to secure your iOS 13 devices and protect your privacy by tweaking the default settings.Patch now before you receive a message that's more than just bad news!According to new Dark Reading research, some respondents have even left behind commercial off-the-shelf software and migrated to open-source or in-house homegrown applications. Click image to read more.The state of New York may ban ransomware payments, NFL Twitter accounts get hacked, and Facebook releases a new data privacy tool for users - catch up on the week's news with the Friday Five.The Batch::BatchRun module 1.03 for Perl does not properly handle temporary files._is_safe in the File::Temp module for Perl does not properly handle symlinks.Parallel::ForkManager module before 1.0.0 for Perl does not properly handle temporary files.ABRT might allow attackers to obtain sensitive information from crash reports.The recent attack messages use new techniques to extort Bitcoin payments from Ashley Madison users hit in massive 2015 data breach.APT34 has been spotted in a malware campaign targeting customers and employees of a company that works closely with U.S. federal agencies, and state and local governments.A new study of stolen passwords reflects the consequences of password overload.Jony Fischbein shares the concerns and practices that are top-of-mind in his daily work leading security at Check Point Software.Five-year old data from the site's breach is at the center of a new cryptocurrency ransom campaign, and it may be the beginning of a new trend.Researchers have observed the cybercrime group back in action, now using a new tactic for distributing malware.Agent Tesla and LokiBot are common payloads in the botnet-driven spam effort.High-tech security features will help keep 49ers and Chiefs fans safe during Super Bowl weekend in Miami.Cybercriminals are using global fears about the virus to spread the Emotet trojan.From exposing private data on Trello to critical iPhone bugs - and everything in between. It's weekly roundup time.OpenSK is a piece of firmware that you can install on a USB dongle of your own, turning it into a usable FIDO or U2F key.Scammers got away with a $3.1m BEC heist, art dealer and museum blame each other, and ownership of a valuable landscape is up in the air.The tricky trojan evolves yet again, remaining one of the most advanced vehicles for delivering malware.It put 19 internet-calling companies on notice that helping illegal robocalls is illegal. It has sued before, and it can do it again.Apple thinks it's come up with a simple way to make SMS two-factor authentication (2FA) one-time codes less susceptible to phishing attacks.While device-aware two-factor authentication is no panacea, it is more secure than conventional SMS-based 2FA. Here's why.A new extortion attack has targeted hundreds of users affected by the Ashley Madison breach over the past week.sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.The Gone Phishing Tournament tested how susceptible people are to opening fraudulent emails and entering their login information.The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.Cybercriminals capitalize on fears of a global health emergency with phishing emails claiming to offer advice for protecting against coronavirus.Researchers were able to fool popular autopilot systems into perceiving projected images as real - causing the cars to brake or veer into oncoming traffic lanes.A UN aviation agency uses GIS software to track transmission lines while 20 US airports set up screening centers.The settlement, one of the highest in US history, is a testament to robust privacy legislation.Popular trojan is sneaking its way onto PCs via malspam campaign that uses three levels of encryption to sneak past cyber defenses.There's been a sharp increase in scans for vulnerable Nortek Linear Emerge E3 systems, SonicWall says.Shenzhen Hawk Internet Co. is identified as the parent company behind five app developers seeking excessive permissions in Android apps.One CTO tells us about his belated pursuit of a foundational infosecurity certification -- why he wanted it and what it took.Although the ransomware is unsophisticated, the malware does show that some crypto-attackers are targeting certain industrial control products.Microsoft allowed a certificate to expire, knocking the Office 365 version of Teams offline for almost an entire day.Microsoft allowed a certificate to expire, knocking the Office 365 version of Teams offline for almost an entire day.Google's Super Bowl ad featured an elderly man's voice as he asked Google Assistant to help him remember details about his late wife.Twitter admitted it broke the rules when it handed over control of the student's account to college administrators.Criminals have found to their cost that reducing a device to a pile of rubble means nothing if the internal chips are still in working order.Get ready for consolidation risk, microbreaches, and other cybersecurity hazards, warn experts from Mimecast, the Cyber Resilience Think Tank.State-sponsored actors may have been behind the social media abuse, said Twitter.Predictions are a dime a dozen. Here are six trends that you won't be hearing about anytime soon.ZPanel 10.0.1 has insufficient entropy for its password reset process.Ushahidi before 2.6.1 has insufficient entropy for forgot-password tokens.Joomla! 1.7.1 has core information disclosure due to inadequate error checking.Joomla! com_mailto 1.5.x through 1.5.13 has an automated mail timeout bypass.Joomla! core 1.7.1 allows information disclosure due to weak encryptionA Shmoocon presentation points out several weaknesses built in to Kubernetes configurations and how a researcher can exploit them.The company believes state-sponsored actors may also be involved.Here's what small and midsize businesses should consider when they decide it's time to up their website security.The medical device giant has issued fixes for bugs first disclosed in 2018 and 2019.As part of its February bug fixes, Google is patching a critical severity remote code execution vulnerability and an information disclosure bug.For cities, states and towns, paying up is short-sighted and only makes the problem worse.In the healthcare sector, concerns about the spreading coronavirus outbreak have reignited the discussion around HIPAA, protected health information, and when it's legal for healthcare providers to disclose patient records.Almost half of security professionals don't know where or how to use Zero Trust policies in a hybrid IT environment, says a survey commissioned by security provider Pulse Secure.Mozilla offers users a service that will send alerts for account breaches associated with email addresses. Find out how to use Firefox Monitor.Mozilla offers users a service that will send alerts for account breaches associated with email addresses. Find out how to use Firefox Monitor.HR experts and tech leaders say organizations that skip training during a tech transition almost always pay a high price.Customers took to Twitter to air their grievances after some of the transportation giant's operations were downed.Various APT groups are successfully using Web shell attacks on a more frequent basis.Red Kite said that domain-spoofing and convincing scam emails claiming to be from suppliers were the cause.Thousands of servers could be exposed to SharePoint vulnerability CVE-2019-0604, recently used in cyberattacks against Middle East government targets.Six of them were the same as from the previous year, according to new Recorded Future analysis.Almost three-quarters of enterprises plan to have a zero-trust access model by the end of the year, but nearly half of cybersecurity professionals lack the knowledge to implement the right technologies, experts say.Most of the targets in 2019 were in the gaming and gambling industries, says security company Imperva.Infrastructure as code offers advantages in automating your data center management but also carries certain risks, says Unit 42, the global threat intelligence team at Palo Alto Networks.The Gamaredon advanced persistent threat (APT) group has been supercharging its operations lately, improving its toolset and ramping up attacks on Ukrainian national security targets. Vitali Kremez, head of SentinelLabs, said in research released on Wednesday that he has been tracking an uptick in Gamaredon cyberattacks on Ukrainian military and security institutions that started in [β¦]It relates to Twitterβs contact upload feature, which allows users to find others via contact info such as email or phone number.Google has patched Android bugs that include a couple of critical flaws that could let hackers run their own code on the mobile operating system.It's revamping Messenger Kids with new parental controls and updated information on its childrenβs data policy.As the well-worn internet saying goes - there is no cloud, itβs just someone elseβs computer.Though the fourth quarter of 2019 saw a decrease in malicious activity, threats such as the Emotet malware continued to thrive, says Nuspire.Cybersecurity needs unconventional hires to help lead the next phase of development and innovation, coupled with salaries that aren't insultingMany Philips Hue smart light bulbs have a firmware flaw that leads hackers into an entire network, Check Point Research found.Cisco has released patches to address the five vulnerabilities, which could lead to remote code-execution and denial of service.The researcher behind the five critical Cisco flaws, collectively called CDPwn, talks about why Layer 2 protocols are under-researched when it comes to security vulnerabilities.A high-severity vulnerability could allow cybercriminals to push malware or remotely execute code, using seemingly innocuous messages.IBM InfoSphere Information Server 8.1, 8.5, 8.7, 9.1 has a Session Fixation VulnerabilityText messages may be old hat - but SMS is still a handy tool for crooks out to find more about you.Sadly, cybercrooks love a crisis, because it gives them a believable reason to contact you with a phishing scam. Take care out there!Malware campaign targets global manufacturers that are still dependent on Windows 7 subsystems to run fleets of IoT endpoints.As the regulatory landscape transforms, it's still smart to stay strategically focused on protecting your data.This python script is a fuzzer for the ISO-8385 financial protocol. It is compatible with sulley and bofuzz and is now part of the official bofuzz release.nfstream is a Python package providing fast, flexible, and expressive data structures designed to make working with online or offline network data both easy and intuitive. It aims to be the fundamental high-level building block for doing practical, real world network data analysis in Python. Additionally, it has the broader goal of becoming a common network data processing framework for researchers providing data reproducibility across experiments.Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command-line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software.Data loss prevention is one of eight key practices outlined by the SEC last week to enhance cybersecurity preparedness and operational resiliency.The private videos of some Google Photos users were accidentally shared with other people. Here's how to secure online files to protect them from exposure.The malware is back in targeted attacks against Brazilian banking customers, this time using a new technique that involves mobile app authorization.Ask the Experts -- about a technological game of keep-away that protects the most precious resources from the greatest dangers.Malicious emails in a new attack campaign contain links and attachments claiming to lead victims to W-9 forms.Apple Bonjour before 2011 allows a crash via a crafted multicast DNS packet.A NULL pointer dereference flaw was found in the way LibVNCServer before 0.9.9 handled certain ClientCutText message. A remote attacker could use this flaw to crash the VNC server by sending a specially crafted ClientCutText message from a VNC client.Coppermine gallery before 1.4.26 has an input validation vulnerability that allows for code execution.PmWiki before 2.2.21 has XSS.The infection uses Lemon_Duck PowerShell malware variant to exploit vulnerabilities in embedded devices at manufacturing sites.The decoys and lures will help redirect attacks away from devices that can't be protected through traditional means.Joomla! 1.6.0 is vulnerable to SQL Injection via the filter_order and filer_order_Dir parameters.bbPress through 1.0.2 has XSS in /bb-login.php url via the re parameter.PHPShop through 0.8.1 has XSS.Vanilla Forums 2.0.17.1 through 2.0.17.5 has XSS in /vanilla/index.php via the p parameter.Batavi before 1.0 has CSRF.Attacks turned to cheaper, shorter attacks to try and disrupt targets, Imperva analysis shows.Paul Vixie says emerging encryption protocols for endpoints could 'break' security in enterprise - and even home - networks.OpenVAS Manager v2.0.3 allows plugin remote code execution.SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() function. By sending a specially-crafted packet, an attacker could exploit this vulnerability to cause the application to crash.The malware-infected apps used to harvest data and sign users up to premium services have been downloaded more than 382 million times.The file-sharing service also disclosed details of past notable bugs for the first time.APT group poses as a former Wall Street Journal journalist to launch phishing campaigns and steal victim email account details.Version 80 of the Chrome browser is out with some new features designed to save your security and your sanity.The 10 finalists will each have three minutes to make their case for being the most innovative, promising young security company of the year.Twitter isn't interested in how the βsynthetic or manipulatedβ media is created, but if it has the potential to cause harm it'll be removed.Data exposure is one of the biggest threats from attacks on IoT devices. A new report recommends a shift to perimeter-less security strategies.In Iowa this week, a smartphone app for reporting presidential caucus results debuted. It did not go well.Cross-site scripting (XSS) vulnerability in the administrative interface in Atmail Webmail Server 6.4 allows remote attackers to inject arbitrary web script or HTML via the Date field of an email.Google Chrome before 3.0 does not properly handle XML documents, which allows remote attackers to obtain sensitive information via a crafted web site.The flaw affecting WhatsApp's desktop client when it's paired with the iPhone app allowed attackers access to local file systems.The 10 finalists will each have three minutes to make their case for being the most innovative, promising young security company of the year.New episode available now.Joker was the hottest film among cybercriminals with 304 malicious files named after Batman's arch-nemesis, says security firm Kaspersky.Whatβs trending in cybersecurity? This yearβs session submissions tell us.University researchers show that changing the brightness of monitor pixels can communicates data from air-gapped systems in a way not visible to human eyes.Quality control and standard software dev process could have prevented extended delays in reporting the results of the 2020 Iowa Caucus.Has working in the cybersecurity industry affected your ability to trust? Take the poll now.The powerful Minebridge backdoor gives cyberattackers full run of a victim's machine.The malware uses a tactic to force victims to retype passwords into their systems - which it tracks via a keylogger.Brand impersonators favor Facebook, Yahoo, Network, and PayPal in phishing attempts to steal credentials from victims.Extreme delays in reporting results shows "move fast and break things" is the wrong approach for election infrastructure, developers and business leaders say.Two years ago, Symantec and McAfee were both primed for a comeback. Today, both face big questions about their future.The deal, valued at $1.9 billion, is expected to close next quarter.An Authentication vulnerability exists in NETGEAR WGR614 v7 and v9 due to a hardcoded credential used for serial programming, a related issue to CVE-2006-1002.A vulnerability exists in Arctic Torrent 1.4 via unspecified vectors in .torrent file handling, which could let a malicious user cause a Denial of Service.A vulnerability exists in JPEGsnoop 1.5.2 due to an unspecified issue in JPEG file handling, which could let a malicious user execute arbitrary codeA vulnerability exists in HCView (aka Hardcoreview) 1.4 due to a write access violation with a GIF file.Command Injection vulnerability exists via a CSRF in DD-WRT 24-sp2 from specially crafted configuration values containing shell meta-characters, which could let a remote malicious user cause a Denial of Service.What makes these scams so completely obvious in the physical form?Businesses receive $30,000 of 'free' CISO time as security leaders report job-related stress taking a toll on their health and relationships.New exploit builds on previous research involving Philips Hue Smart Bulbs.If you need strong command line encryption on Linux, look no further than 7zip.Ireland's Data Protection Commission has announced that it's looking into Google yet again - this time for the way it processes user location data and transparency.A recent slew of skimming attacks have been linked back to Magecart Group 12.Organizations were attacked for employees' data, including names, addresses and birthdates used to set up hundreds of bank accounts.Graphics tablet company Wacom can collect data unconnected to its products, such as which applications users open on their computers.It's my First Amendment right to scrape publicly available face images, its CEO says. Besides, we're just doing what Google Search does.Researchers have retrieved data from a disconnected computer by altering its LCD's pixel density just enough for a camera to pick it up.Ransomware takes a dangerous turn, a flaw in the Android Twitter app is exploited, and more - catch up on the week's news with the Friday Five.New attacks discovered by Cofense can perform keylogging, steal data and completely hijack a mobile device.Voting machinery needs hardware-level security. The stakes are the ultimate, and the attackers among the world's most capable.LinuxMint as of 2012-03-19 has temporary file creation vulnerabilities in mintUpdate.LinuxMint as of 2012-03-19 has temporary file creation vulnerabilities in mintNanny.RCE and myriad other types of attacks could take aim at the 19 percent of vulnerable companies that haven't yet patched CVE-2019-19781.UFONet abuses OSI Layer 7-HTTP to create/manage 'zombies' and to conduct different attacks using GET/POST, multithreading, proxies, origin spoofing methods, cache evasion techniques, etc.Employees who create external accounts but use them internally pose a risk to your security, says password manager company 1Password.When you need a vulnerability to exploit, but there isn't one... why not simply bring your own, along with your malware?File downloads like images or executables may not be delivered over HTTPS - even if they are available from an HTTPS website.statusnet through 2010 allows attackers to spoof syslog messages via newline injection attacks.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-3792. Reason: This candidate is a duplicate of CVE-2008-3792. Notes: All CVE users should reference CVE-2008-3792 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Although radio frequency energy (RF) communications are increasingly essential to modern wireless networking and IoT, the security of RF is notoriously lax.Has working in the cybersecurity industry affected your ability to trust? Take the poll now.Cybercriminals are now using fears over the outbreak to steal email credentials, security officials say.Attackers deploy a legitimate, digitally signed hardware driver to delete security software from machines before encrypting files.If you need strong command line encryption on Linux, look no further than 7zip.Compliance with the new privacy rules doesn't always fall on data center managers, but when it does, it's more difficult than it may sound.The flaw was recently patched in Android's February Security Bulletin.A limited number of user videos were shared with others in a five-day incident from November.Wacom stated that its data collection is done only in aggregate -- but that doesn't fix the issues, according to security experts.Cross-site scripting (XSS) vulnerability in admin/system.html in Openfiler 2.3 allows remote attackers to inject arbitrary web script or HTML via the device parameter.CSRF vulnerability in Smoothwall Express 3.A cross-site scripting (XSS) vulnerability in Smoothwall Express 3.A survey of IT professionals finds AR and 5G bust for 2020, machine learning and DevOps on top.Learn how to keep your iOS devices--and your data--secure with these iOS 13 privacy settings and Apple resources.Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web script or HTML via the plugin configuration directive in a reference to an external domain plugin.MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an authentication plugin returns a false in the strict function, could allow remote attackers to use old passwords for non-existing accounts in an external authentication system via unspecified vectors.Cross-site scripting (XSS) vulnerability in main/dropbox/index.php in Chamilo LMS before 1.8.8.6 allows remote attackers to inject arbitrary web script or HTML via the category_name parameter in an addsentcategory action.From Google's OpenSK project to Apple's SMS 2FA proposal, and everything in between. Get up to date with the hot stories of the last week.If you visit the website of renowned Canadian novelist Patrick deWitt today, you'll see a surprising message. "THIS IS NOT PATRICK DEWITT", it says.Russia is still using social media in a sustained campaign to dabble in US affairs, according to FBI director Chris Wray.Child safety groups penned an open letter to Facebook, urging a delay on encrypted messaging until sufficient safeguards are in place.Google has announced a timetable for phasing out insecure file downloads in the Chrome browser starting with desktop version 81 due next month.A typical workday for a bot, from its own point of view.The new tactic used by Emotet allows the malware to infect nearby insecure Wi-Fi networks - and their devices - via brute force loops.Misconfigured Docker registries could leak confidential data, lead to a full-scale compromise and interrupt the business operations.βDevelopments that exacerbate the risk and complicate making Internet of Things devices more secure.The leaky repository belongs to JailCore, a cloud management and compliance platform used in several states' correctional facilities.BlackBerry PlayBook before 2.1 has an Information Disclosure Vulnerability via a Web browser component errorInfoSphere Guardium aix_ktap module: DoSHP Systems Insight Manager before 7.0 allows a remote user on adjacent network to access informationFeds have charged four members of the Chinese Peopleβs Liberation Army (PLA) in connection with the infamous 2017 Equifax breach.Hackers are using malicious emails about the coronavirus to trick people with a malware called AZORult.The leaky repository belongs to JailCore, a cloud management and compliance platform used in several states' correctional facilities.Scammers use dating sites to try to build relationships with people to get money or personal information. Here are 13 tips to protect yourself.DMARC can prevent spammers from using a trusted domain name to send junk mail, a useful tactic for the presidential campaigns and for your organization, according to security provider Valimail.Four members of China's People Liberation Army hacked the information broker, leading to the theft of sensitive data on approximately 145 million citizens.On Friday, with just under five months to go until CCPA is enforced, California's Attorney General released a modified version of draft regulations for implementing the law.Phishing emails have been uncovered that request a full rundown of personal data - even asking for photos of passports.The RobbinHood ransomware is using a deprecated Gigabyte driver as the tip of the spear for taking out antivirus products.Personal details of nearly 6.5 million Israelis were out in the open after the entire registry was uploaded to an notably insecure app.If you don't follow these Kubernetes deployments security best practices from Portshift, your containers, their underlying technologies, and your data could be at risk.Sanders and Trump campaigns lack proper DMARC security enforcement, study finds.Researchers learn how North Korea is expanding its Internet use in order to generate revenue and bypass international sanctions.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.In full glare of the world, Facebook admins have found themselves in an unseemly struggle to wrestle back control of the companyβs Twitter accounts.Attacks on industrial control systems are up and code for banking trojans and ransomware is evolving the fastest.Officials pointed to ongoing threats against US institutions, painting a dire picture of hacking efforts to support Chinese economic goals.Eric Eoin Marques has pleaded guilty to running what was once believed to be the largest child abuse hosting provider on the dark web.The uncontrolled search path vulnerability allows a local user to use DLLs to escalate privileges and affects Windows PCs.Facebook impersonations came in second place among phishing campaigns, followed by Microsoft, said email security firm Vade Secure.Security and compliance are key factors to consider when outsourcing your data center, according to a report from data center provider US Signal.Security automation will reshape hiring trends in both the US and the UK, according to a new report.Safer Internet Day - here's how to make your business better at cybersecurity, no matter how safe you are already!Why not make Safer Internet Day the excuse you need to do all those cybersecurity tweaks you've been putting off?Don't just report metrics -- analyze, understand, monitor, and adjust them. These 10 tips will show you how.Crypto AG made millions selling encryption devices to more than 120 countries, which unknowingly transmitted intel back to the CIA.GRR Rapid Response is an incident response framework focused on remote live forensics. The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely. GRR consists of 2 parts: client and server. GRR client is deployed on systems that one might want to investigate. On every such system, once deployed, GRR client periodically polls GRR frontend servers for work. "Work" means running a specific action: downloading file, listing a directory, etc. GRR server infrastructure consists of several components (frontends, workers, UI servers) and provides web-based graphical user interface and an API endpoint that allows analysts to schedule actions on clients and view and process collected data.Overall, Adobe patched flaws tied to 42 CVEs as part of its regularly scheduled updates.As an alternative to an on-site DNS server, this cloud-hosted DNS service lets you block, filter, and analyze activity across your network and devices.Assessing supply chains is one of the more challenging third-party risk management endeavors organizations can take on.The latest data from Malwarebytes show the average Mac sees almost twice as many bad apps as Windows systems, but actual malware continues to be scarce.Infection vectors were evenly divided among phishing, vulnerability exploitation, and unauthorized credential use in 2019.Middleware data was exposed, which can create a secondary path for malware through which applications and data can be compromised.As businesses' daily operations become more dependent on cloud services, ransomware authors will follow to maximize profits. The good news: Many of the best practices for physical servers also apply to the cloud.Zenphoto before 1.4.3.4 admin-news-articles.php date parameter XSS.The high-severity vulnerability could enable denial of service, privilege escalation and information disclosure.In charging four Chinese nationals with 2017's Equifax hack this week, the DOJ also said intellectual property - Equifax's own trade secrets - were stolen as part of the hack.This month's Patch Tuesday brings fixes for 99 CVEs, including one IE flaw seen exploited in the wild.Cross-site scripting (XSS) vulnerability in PrestaShop before 1.4.9 allows remote attackers to inject arbitrary web script or HTML via the index of the product[] parameter to ajax.php.Multiple cross-site scripting (XSS) vulnerabilities in pragmaMx 1.x before 1.12.2 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to modules.php or (2) img_url to includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6720 and CVE-2012-6721. Reason: this candidate was intended for one issue, but the description and references inadvertently combined multiple issues. Notes: All CVE users should consult CVE-2012-6720 and CVE-2012-6721 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage.SQL injection vulnerability in search.php in phxEventManager 2.0 beta 5 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter.Buffer overflow in the auerswald_probe function in the Auerswald Linux USB driver for the Linux kernel before 2.6.27 allows physically proximate attackers to execute arbitrary code, cause a denial of service via a crafted USB device, or take full control of the system.There are 12 critical and five previously disclosed bugs in the February 2020 Patch Tuesday Update.Researchers found the total cost far exceeded the amount of ransom paid to attackers.Multiple cross-site scripting (XSS) vulnerabilities in Ariadne 2.7.6 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO parameter to (1) index.php and (2) loader.php.A web-mapping project came across detainees' prescriptions and other PII that could be used by identity thieves to victimize prisoners.Finding what cloud services employees are using is only half the battle: integrating Microsoft Cloud App Security and Defender Advanced Threat Protection means you can track, block or audit cloud app usage.The indictment suggests the hack was part of a series of major data thefts organized by Chinese military and intelligence agencies.Cybercriminals double down on successful internet scams, with a focus on phishing, BEC and other defrauding schemes that have proven to work.Kate Moussouris sounds off on the challenges behind creating successful bug bounty programs.Make these mistakes and invaders might linger in your systems for years.The implications of chaos form the basis of a new approach to encryption that promises quantum-proof perfect secrecy.The int3 handler in the Linux kernel before 3.3 relies on a per-CPU debug stack, which allows local users to cause a denial of service (stack corruption and panic) via a crafted application that triggers certain lock contention.The SIP implementation on the Linksys SPA2102 phone adapter provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue.The SIP implementation on the Gizmo5 software phone provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue.From March, the Firefox, Chrome, Safari and Edge browsers will show warnings when users visit websites that only support TLS versions 1.0 or 1.1.The implications of chaos form the basis of a new approach to encryption that promises quantum-proof perfect secrecy. But first, your current crypto needs some tidying up.The Identity Theft Recource Center warns that businesses of all sizes should be vigilant about data security.Assessing supply chains is one of the more challenging third-party risk management endeavors organizations can take on.With 5G adoption, businesses will be able to power more IoT devices and perform tasks more quickly, but there will be security ramifications.Among other issues, the music platform didn't limit the number of login attempts someone could make.NTCrackPipe is a basic local Windows account cracking tool.Instead, try prioritizing with the aid of a thorough asset inventory.A Memory Corruption Vulnerability exists in NVIDIA Graphics Drivers 29549 due to an unknown function in the file proc/driver/nvidia/registry.A memory leak vulnerability exists in Cisco IOS before 15.2(1)T due to a memory leak in the HTTP PROXY Server process (aka CSCtu52820), when configured with Cisco ISR Web Security with Cisco ScanSafe and User Authenticaiton NTLM configured.The release of Firefox 73 fixed high-severity memory safety bugs that could cause arbitrary code execution and missing bounds check that could enable memory corruption.The National Counterintelligence and Security Center said this week it plans to double down on securing critical infrastructure, supply chain, the economy, democratic institutions, and cyber/technical operations.Shaman 1.0.9: Users can add the line askforpwd=false to his shaman.conf file, without entering the root password in shaman. The next time shaman is run, root privileges are granted despite the fact that the user never entered the root password.Android SQLite Journal before 4.0.1 has an information disclosure vulnerability.regcomp in the BSD implementation of libc is vulnerable to denial of service due to stack exhaustion.Mambo CMS through 4.6.5 has multiple XSS.The Bluetooth stack in Android before 2.3.6 allows a physically proximate attacker to obtain contact information via an AT phonebook transfer.BEC attacks comprised nearly half of cybercrime losses last year, which totaled $3.5 billion overall as Internet-enabled crimes ramped up.The software security maker is suspected of selling data about more than 100 million users to companies including Google, Microsoft, and Home Depot.TinyBrowser plugin for Joomla! before 1.5.13 allows arbitrary file upload via upload.php.Tiny browser in TinyMCE 3.0 editor in Joomla! before 1.5.13 allows file upload and arbitrary PHP code execution.Each breach exposed an average of 13 million records, Risk Based Security found.Nest users who aren't using 2FA or a Google account will be required to take an extra step by verifying their identity via email.The tech giant acknowledged some achievements in efforts to bolster mobile app security but recognized more needs to be done.The FBI's Internet Crime Report shows that business email comprise is the biggest money-maker for cybercriminals.Microsoft has finally patched the Internet Explorer (IE) zero-day flaw the company said in January was being used in βlimited targeted attacksβ.Users of Dell SupportAssist should patch their software immediately to fix a software bug that could lead to arbitrary code execution.No zero-day bugs, so by updating promptly you are keeping ahead of the crooks, not merely catching up!The Identity Theft Resource Center warns that businesses of all sizes should be vigilant about data security. The COO offers advice about passwords, cloud security, and patch management.A recent phishing scam targeted Puerto Ricoβs Industrial Development Company.Listen now!As we gear up for the voting season, let's put aside any links between foreign interference and voting machine security and focus on the actual risks threatening election security.Suricata is a network intrusion detection and prevention engine developed by the Open Information Security Foundation and its supporting vendors. The engine is multi-threaded and has native IPv6 support. It's capable of loading existing Snort rules and signatures and supports the Barnyard and Barnyard2 tools.Hackers are adopting organized crime tactics to make billions from victims all over the globe.New Accenture study says organizations need to think beyond securing just their own enterprises and take better steps to secure their vendor ecosystems.New legislation, introduced today, would give the agency authority to enforce data practices, launch investigations, and issue subpoenas.A new Data Protection Agency would overhaul federal regulation efforts around data privacy - but experts are skeptical that the U.S. government can get it right.A Positive Technologies study finds 82% of web application vulnerabilities lie in the source code.Mobile apps are used in nearly 80% of attacks targeting mobile devices, followed by network and operating system attacks.CEOs are generally from a finance/business track, rather than a technology one--why their traditional agenda and practices must change.There is no one-size-fits-all strategy for security, but a robust plan and the implementation of new technologies will help you and your IT team sleep better.Security pros need be on high alert from now until Tax Day on April 15. Here are seven ways to help keep your company safe.There are now billions of IoT devices in businesses across the world, prompting the need for increased security measures to protect them.XSS in Telligent Community 5.6.583.20496 via a flash file and related to the allowScriptAccess parameter.Stored XSS vulnerability in UpdateFieldJson.jspa in JIRA 4.4.3 and GreenHopper before 5.9.8 allows an attacker to inject arbitrary script code.Researchers are urging users of the GDPR Cookie Consent WordPress plugin to update as soon as possible.A new set of indictments adds conspiracy to violate RICO statutes to a list of existing charges against the Chinese telecommunications giant.With more than 80 different schemes for authenticating devices either proposed or implemented, best practices and reference architectures are sorely needed, experts say.Squirrelmail 4.0 uses the outdated MD5 hash algorithm for passwords.The new threat model hones in on ML security at the design state.Peer-to-peer botnets, TCP reflection attacks, and increased activity on Sundays are three DDoS attack trends from last quarter.Commentary: It takes hubris to tell Jimmy Wales, the founder of Wikipedia, how to store data.What happens when understaffed security teams at home and abroad are sequestered in physical quarantine zones?An old, dormant domain is going on sale - and the results could be catastrophic for enterprises with common Active Directory misconfigurations.Udacity Dataset 2, used to train thousands of engineers, contained thousands of unlabeled vehicles and hundreds of unlabeled pedestrians.The app's rollout in the EU has been delayed until Facebook can show privacy regulators its data protection workings.The US Court of Appeals ruled that he couldn't continue to be held for refusing to give up his passcodes.A popular GDPR compliance WordPress plugin vendor has patched a flaw that rendered both site visitors and admins vulnerable to XSS attacks.Flaws in the blockchain app some states plan to use in the 2020 election allow bad actors to alter or cancel someoneβs vote or expose their private info.When it comes to building buy-in from the business, all cybersecurity needs is love -- especially when it comes to communication.After running real-world tests of Android's facial recognition on a Pixel 4, Jack Wallen shares his theory of why some people are so concerned about facial recognition.EnumJavaLibs is a tool that can be used to discover which libraries are loaded (i.e. available on the classpath) by a remote Java application when it supports deserialization.The coronavirus, which has already led to the deaths of more than 1,000 people, is a topic that scammers are corrupting for their own purposes.Top stories of this week include a new Emotet Wi-Fi hack and Robbinhood ransomware operators using a "bring your own bug" technique.Hackers have expanded their exploitation of the outbreak fears with hundreds of scams and operations.Customers of RBC, HSBC, TD, Meridian, BNC and Chase are targeted in latest attack.More trouble in the Internet of Things - Bluetooth firmware code in many devices is found to have numerous bugs.Fraudulent dating and relationship apps and websites raise the risks for those seeking online romance on Valentine's Day.Informa Tech combines Ovum, Heavy Reading, Tractica, and IHS Markit research.A voting app ignites a security debate, the US brings new charges against Huawei, and how the DPO and CISO complement each other - catch up on the week's news with the Friday Five!The scam uses a range of themes, including tech-support scares and slot machines.Palm Beach County's elections supervisor does not believe the attack is linked to Russian hacking attempts targeting Florida.The for-profit company wants to make absentee voting easier for members of the military, people with disabilities, and older adults, but its biggest test included only 15,000 voters.Researchers say hackers can alter, stop, or expose how an individual user has voted through the Voatz app.The malicious Chrome extensions were secretly collecting users' browser data and redirecting them to malware-laced websites.Security experts say that 5G supply chain concerns should be taken seriously β whether itβs in the context of Huawei or not.Consumers in dozens of countries were targeted, Lookout says.Martin Hellman, co-creator of the Diffie-Hellman key exchange, and his wife of 53 years, Dorothie, talk about the current state of cryptography and what making peace at home taught them about making peace on Earth.Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time.The Ohio man is charged with running a Bitcoin mixer to launder over $300mβnow worth $3.6bβon behalf of Dark Net crooks trying to hide out.The US needs a data protection agency of its own, and Kirsten Gillibrand wants to be the one that makes it happen.A court has forced Google to reveal the details of an anonymous poster who published an unpalatable review of a dentist.Google has abruptly pulled over 500 Chrome extensions from its Web Store that researchers discovered were stealing browsing data and executing click fraud and malvertising.A File Inclusion vulnerability exists in Zabbix 2.0.6 due to inadequate sanitization of request strings in CGI scripts, which could let a remote malicious user execute arbitrary code.Microsoft can analyze dangerous emails to determine why those messages made it past your spam filters.This is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.A Denial of Service (infinite loop) exists in OpenSIPS before 1.10 in lookup.c.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-4531. Reason: This candidate is a duplicate of CVE-2012-4531. Notes: All CVE users should reference CVE-2012-4531 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.A lack of proper code-signing verification and authentication for firmware updates opens the door to information disclosure, remote code execution, denial of service and more.Researchers at VPN advisory company vpnMentor have found yet another online data exposure caused by a misconfigured cloud database.Popular cryptocurrency IOTA has temporarily shut down its entire network after a hacker stole funds from ten of its highest-value users.A small but determined group of Twitter users think it is a good idea to direct message (DM) pictures of male genitals to complete strangers.Ten days after a suspected ransomware attack, residents of the English borough of Redcar and Cleveland must be starting to wonder when their Councilβs IT systems will return.Interest in Kubernetes is increasing, and DevOps is losing steam, based on O'Reilly survey findings.Scam threatens to flood sites using Googleβs banner-ad program with bot and junk traffic if owners donβt pay $5K in bitcoin.When a user interacts with an enterprise system the result can be productivity or disaster. Here are 8 opportunities for the disaster side to win out over the productive.A humorous nod to the lack of gender equity in cybersecurity hiring was our judges' unanimous choice. And the winners are ...You could be making millions in just two years!HTTPS web encryption - blessing or curse? A new SophosLabs report looks at how much the crooks love TLS.You could be making millions in just two years!Network cards, video cameras, and graphics adapters are a few of the subsystems whose lack of security could allow attackers to turn them into spy implants.Cyberattacks on Mac endpoints nearly doubled over those on Windows for the first time, according to the 2020 State of Malware Report.Lulzbuster is a very fast and smart web directory and file enumeration tool written in C.OpenDNSSEC is software that manages the security of domain names on the Internet. The project intends to drive adoption of Domain Name System Security Extensions (DNSSEC) to further enhance Internet security.Mozilla Firefox before 25 allows modification of anonymous content of pluginProblem.xml bindingWordPress Portable phpMyAdmin Plugin 1.4.1 has Multiple Security Bypass VulnerabilitiesA vulnerability in the network of marketing contractor Computer Facilities led to a breach at the South African bank.Websites using a vulnerable version of the WordPress plugin, ThemeGrill Demo Importer, are being targeted by attackers.Cross-site request forgery (CSRF) vulnerability in the persona_xsrf_token function in persona.module in the Mozilla Persona module 7.x-1.x before 7.x-1.11 for Drupal allows remote attackers to hijack the authentication of aribitrary users via a security token that is not a string data type.Make cybersecurity your top priority, moving away from addressing individual problems with Band-Aids and toward attaining a long-term cyber-fitness plan.PrestaShop 1.5.5 vulnerable to privilege escalation via a Salesman account via upload moduleA Privilege Escalation Vulnerability exists in IBM Maximo Asset Management 7.5, 7.1, and 6.2, when WebSeal with Basic Authentication is used, due to a failure to invalidate the authentication session, which could let a malicious user obtain unauthorized access.Multiple cross-site scripting (XSS) vulnerabilities in Cisco Linksys E4200 router with firmware 1.0.05 build 7 allow remote attackers to inject arbitrary web script or HTML via the (1) log_type, (2) ping_ip, (3) ping_size, (4) submit_type, or (5) traceroute_ip parameter to apply.cgi or (6) new_workgroup or (7) submit_button parameter to storage/apply.cgi.IBM Tivoli Endpoint Manager 8 does not set the HttpOnly flag on cookies.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.Unsigned firmware in WiFi adapters, USB hubs, trackpads, and other devices can be compromised by hackers, says enterprise firmware security company Eclypsium in a new report.The new company will focus on giving customers earlier indications of network and server compromise.APT34/OilRig and APT33/Elfin have established a highly developed and persistent infrastructure that could be converted to distribute destructive wiper malware.Consumers and employees are finally becoming more sensitive to the privacy of their data. As technology leaders it's worth getting ahead of this trend.Ring outlined new security and data privacy measures, Tuesday, following backlash of the connected doorbell in the past year.Like other recent state data privacy laws, new legislation in Washington would require businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security practices.The OG access fields (visibility fields) implementation in Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscribe to, and read the content of arbitrary private groups via unspecified vectors.The Authenticated User Page Caching (Authcache) module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to cached pages, which allows remote attackers with the same role-combination as the superuser to obtain sensitive information via the cached pages of the superuser.Deal with private equity entity Symphony Technology Group revealed one week before the security industry's RSA Conference in San Francisco.OurMine took over the Spanish powerhouse soccer team's Twitter account.Insecure developer accounts, legacy software, and nonstandard naming schemes are major problems, Linux Foundation and Harvard study concludes.A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on the affected software. The vulnerabilities is due to improper input validation of certain parameters passed to the affected software. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.A vulnerability in the Cisco ASA that could allow a remote attacker to successfully authenticate using the Cisco AnyConnect VPN client if the Secondary Authentication type is LDAP and the password is left blank, providing the primary credentials are correct. The vulnerabilities is due to improper input validation of certain parameters passed to the affected software. An attacker must have the correct primary credentials in order to successfully exploit this vulnerability.OpenSSH version 8.2 is out and the big news is that the worldβs most popular remote management software now supports authentication using any FIDO (Fast Identity Online) U2F hardware token.A WordPress plugin with over 100,000 active installations had a bug that could have allowed unauthorised attackers to wipe its users' blogs clean, it emerged this week.Zuckerberg is in Brussels right in time for the European Commission's release of its manifesto on regulating AI.With no password required and no encryption in place, a burglar or ID thief could have seen your photos, your address and more.Traditional e-mail based scams are also in the mix this year, one in particular that uses the legitimate app TeamViewer to take over victimsβ systems.There's a new version of Microsoft Edge in town based on Chromium. Here's how to manage the browser's security and privacy settings.Cynet Free Threat Assessment spotlights critical, exposed attack surfaces and provides actionable knowledge of attacks that are currently alive and active.The voting experience should be the same whether the vote is in person, by mail, or over the Internet. Let's not allow one bad incident stop us from finding new ways to achieve this.One site registered in Russia offers a coronavirus cure for $300.Hackers are going after everyone this tax season, including the companies handling our most sensitive information.Report suggests IT leaders think breaches are inevitable and don't have adequate risk management in place.Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value.The STARTTLS implementation in MailMarshal before 7.2 allows plaintext command injection.The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages.The third catfish attempt in three years from the Palestinian militant group adds a few technical advances to the mix.A new Emotet campaign is spread via SMS messages pretending to be from banks and may have ties to the TrickBot trojan.An attack on a natural gas compression facility sent the operations offline for two days.Despite the growth of 5G and 4G, older network technologies beset with certain security flaws will be around for many more years, says enterprise security provider Positive Technologies.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.Nokogiri before 1.5.4 is vulnerable to XXE attacksD-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root access" via the BusyBox CLI, as demonstrated by overwriting the super user password.A cross-site scripting (XSS) vulnerability in Wolf CMS 0.75 and earlier allows remote attackers to inject arbitrary web script or HTML via the setting[admin_email] parameter to admin/setting.Amazon Web Services is a top source of cyberattacks, responsible for 94% of all Web attacks originating in the public cloud.Are you asking the right questions to determine how well your vendors will protect your data? Probably not.OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.Following an attack on a gas compression facility, CISA is urging organizations to take steps to safeguard their systems.More than 55 percent of medical imaging devices - including MRIs, XRays and ultrasound machines - are powered by outdated Windows versions, researchers warn.The attack took a gas compression facility offline for two days, disrupting the supply chain.Researchers spot gaps in users' and IT practitioners' security habits, and between security tools and user preferences.Researchers spot gaps in users' and IT practitioners' security habits, and between security tools and user preferences.McAfee researchers say they were able to get a Tesla to autonomously accelerate by tricking its camera platform into misreading a speed-limit sign.Multiple SQL injection vulnerabilities in BOINC allow remote attackers to execute arbitrary SQL commands via unspecified vectors.A new PwC report reveals what customers expect when it comes to expectations of privacy surrounding their data.Multiple stack-based buffer overflows in the __dn_expand function in network/dn_expand.c in musl libc 1.1x before 1.1.2 and 0.9.13 through 1.0.3 allow remote attackers to (1) have unspecified impact via an invalid name length in a DNS response or (2) cause a denial of service (crash) via an invalid name length in a DNS response, related to an infinite loop with no output.Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator account via an addnew action to admin/administrators_add.php; or (2) conduct cross-site scripting (XSS) attacks via the page_title parameter to admin/content_pages_edit.php; the (3) category_name[] parameter to admin/products_category.php; the (4) site_name, (5) seo_title, or (6) meta_keywords parameter to admin/settings_siteinfo.php; the (7) company_name, (8) address1, (9) address2, (10) city, (11) state, (12) country, (13) author_first_name, (14) author_last_name, (15) author_email, (16) contact_first_name, (17) contact_last_name, (18) contact_email, (19) general_email, (20) general_phone, (21) general_fax, (22) sales_email, (23) sales_phone, (24) support_email, or (25) support_phone parameter to admin/settings_company.php; or the (26) system_email, (27) sender_name, (28) smtp_server, (29) smtp_username, (30) smtp_password, or (31) order_notice_email parameter to admin/settings_email.php.The Linux kernel from v2.3.36 before v2.6.39 allows local unprivileged users to cause a denial of service (memory consumption) by triggering creation of PTE pages.Amazon is following Google's lead by forcing all users to use two-factor authentication when logging into their Ring accounts.Firefox version 73 has only been out for a week but already Mozilla has had to update it to v73.0.1 to fix a range of browser problems.This week a hacking forum posted data from the breachβwhich included personal and contact details for celebrities, tech CEOs, government officials and employees at large tech companies.Two critical Adobe vulnerabilities have been fixed in Adobe After Effects and Adobe Media Encoder.Almost half of connected hospital devices are still exposed to the wormable BlueKeep Windows flaw nearly a year after it was announced, according to a report released this week.A DivvyCloud report finds 196 data breaches exposed more than 33 billion records due to environments without appropriate security.In addition, more third parties are discovering the attacks rather than the companies themselves.CEOs today are prepared with better questions than 'Are we secure,' and chief information security officers had better be ready to answer.The attacker(s) infected both IT and operational networks with an unspecified ransomware strain, though the facility never lost control.With these fundamentals in mind, organizations can reduce their security and compliance risks as they reap the cloud's many benefits:Employees who create external accounts but use them internally pose a risk to your security, says password manager company 1Password.DMARC can prevent spammers from using a trusted domain name to send junk mail, a useful tactic for the presidential campaigns and for your organization, according to security provider Valimail.Exaggerated Lion, a newly discovered cybercrime group, uses new and unique tactics to target U.S. companies in BEC attacks.CYBERSECURITY 2020 by WILEY π
βοΈ Secure yourself a new bundle of cybersecurity ebooks! Get ebooks like Cryptography Engineering: Design Principles and Practical Applications, Reversing: Secrets of Reverse Engineering, Social Engineering: The Science of Human Hacking, and more.
βͺοΈ $959 Worth of awesome ebooks & videos βͺοΈ
β«οΈ Pay $1 or more β«οΈ
βͺοΈ DRM-Free βͺοΈ
β«οΈ Multi-format β«οΈ
Learn how to prevent Linux users from executing certain commands and confining them to their home directory by employing rbash.Mac users, check out these five antivirus software options, which includes one antimalware app that is ideal for SMBs.Learn how to prevent Linux users from executing certain commands and confining them to their home directory by employing rbash.New security tool from Bastille Networks can help security teams enforce no cell-phone zones.Data published on a hacking forum includes phone numbers and email addresses of travelers ranging from everyday tourists to celebrities and tech CEOs.A default password would let anyone access the Cisco Smart Software Manager On-Prem Base platform, even if it's not directly connected to the internet.The IPv6 implementation in Apple Mac OS X (unknown versions, year 2012 and earlier) allows remote attackers to cause a denial of service via a flood of ICMPv6 Router Advertisement packets containing multiple Routing entries.The IPv6 implementation in FreeBSD and NetBSD (unknown versions, year 2012 and earlier) allows remote attackers to cause a denial of service via a flood of ICMPv6 Router Advertisement packets containing multiple Routing entries.The IPv6 implementation in Microsoft Windows 7 and earlier allows remote attackers to cause a denial of service via a flood of ICMPv6 Router Advertisement packets containing multiple Routing entries.The IPv6 implementation in FreeBSD and NetBSD (unknown versions, year 2012 and earlier) allows remote attackers to cause a denial of service via a flood of ICMPv6 Neighbor Solicitation messages, a different vulnerability than CVE-2011-2393.The IPv6 implementation in Microsoft Windows 7 and earlier allows remote attackers to cause a denial of service via a flood of ICMPv6 Neighbor Solicitation messages, a different vulnerability than CVE-2010-4669.Today, in a room full of cybersecurity professionals, there are still more people called Steve than there are women.RSA 2020 is around the corner! Learn what Digital Guardian has planned at booth S935 and elsewhere for the week.Multiple cross-site scripting (XSS) vulnerabilities in LongTail Video JW Player through 5.10.2295 allow remote attackers to inject arbitrary web script or HTML via the (1) link, (2) logo.link, or (3) aboutlink parameter, or a nested URI scheme name for (4) javascript, (5) asfunction, or (6) vbscript.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-3835. Reason: This issue was MERGED into CVE-2012-3835 in accordance with CVE content decisions, because it is the same type of vulnerability and affects the same versions. Notes: All CVE users should reference CVE-2012-3835 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.fs/proc/base.c in the Linux kernel through 3.1 allows local users to obtain sensitive keystroke information via access to /proc/interrupts.Integer signedness error in the btrfs_ioctl_space_info function in the Linux kernel 2.6.37 allows local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted slot value.A new report shows the scale of ransomware's harm and the growth of that damage year-over-year -- an average of $141,000 per incident.Microsoft made several security announcements ahead of RSA Conference, including its decision to bring Microsoft Defender to iOS and Android.A global facilities company with half-a-million staff has shuttered most of its IT systems after a malware attack.nfstream is a Python package providing fast, flexible, and expressive data structures designed to make working with online or offline network data both easy and intuitive. It aims to be the fundamental high-level building block for doing practical, real world network data analysis in Python. Additionally, it has the broader goal of becoming a common network data processing framework for researchers providing data reproducibility across experiments.The Google Play apps violated the tech behemoth's disruptive advertising policies.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.Most iOS and Android apps that Cometdocs has published on Google and Apple app stores transmit entire documents - unencrypted.CYBERSECURITY 2020 by WILEY π
βοΈ Secure yourself a new bundle of cybersecurity ebooks! Get ebooks like Cryptography Engineering: Design Principles and Practical Applications, Reversing: Secrets of Reverse Engineering, Social Engineering: The Science of Human Hacking, and more.
βͺοΈ $959 Worth of awesome ebooks & videos βͺοΈ
β«οΈ Pay $1 or more β«οΈ
βͺοΈ DRM-Free βͺοΈ
β«οΈ Multi-format β«οΈ
RSA, MWC and Facebook are the latest tech trade shows impacted by the Novel Coronavirus (COVID-19). Here's what you need to know.The bill now goes to the House, which has a stiffer competing bill pending that would call for a 3.5 year moratorium.After fixing a pile of critical security flaws as part of last weekβs Patch Tuesday, Adobe has raised two more needing urgent attention.Eight apps - mostly camera utilities and children's games - were discovered spreading a new malware strain that steals data and signs victims up for expensive premium services.The data dump apparently included PII for Justin Bieber and Jack Dorsey.Readers of Security Now will join the Dark Reading community, gaining access to a wide range of cybersecurity content.The US and UK governments have both accused Russia of launching a cyber attack against the Georgian government last year.Larry Tesler, the computing pioneer who insisted that user interfaces should be both comfortable *and* consistent, has died aged 74.The incident cut off access to e-mail and shared IT services across customer sites of the multinational Denmark-based facility-management firm.New episode - listen now!These two groups have talked past each other for years, each hobbled by their own tunnel vision and misperceptions.A new release leverages machine learning to help companies reduce the search time they need to remain compliant in regulated industries.Managers and industry leaders are beginning to address mental health in the IT world - and here are symptoms to look for and solutions to try.Destructive attacks and disinformation will likely target the Summer Olympics in Tokyo, two groups of threat experts say.The organization, which sells patient administration tools to hospitals, could not confirm whether patient data was accessed.Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.21, 3.1.x before 3.1.17, and 3.2.x before 3.2.8 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7, and OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2.x before 3.2.5 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.Insecure plugin update mechanism in tucan through 0.3.10 could allow remote attackers to perform man-in-the-middle attacks and execute arbitrary code ith the permissions of the user running tucan.Scammers are posing as event organizers in a sophisticated fraud effort.From data privacy to industrial IoT cybersecurity concerns, Threatpost editors discuss the top stories they expect to see at this year's RSA Conference, which kicks off next week in San Francisco.When we followed the phishing trail, we found ourselves at a web page we weren't expecting...Chinese hackers breach online gambling sites, CISA warns of ransomware attacks across the critical infrastructure sector, and more - catch up on the week's news with the Friday Five.The distributed denial-of-service attacks took a congressional candidate's website offline for a total of 21 hours during the campaign for office.While the concerns are legitimate, Barracuda also wants IT professionals to know that practical solutions exist.Smartphone users don't want government encryption backdoors and would rather read "terms and conditions" than watch the movie "Cats."The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.Multiple unspecified vulnerabilities in Autonomy KeyView IDOL before 10.16, as used in Symantec Mail Security for Microsoft Exchange before 6.5.8, Symantec Mail Security for Domino before 8.1.1, Symantec Messaging Gateway before 10.0.1, Symantec Data Loss Prevention (DLP) before 11.6.1, IBM Notes 8.5.x, IBM Lotus Domino 8.5.x before 8.5.3 FP4, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, related to "a number of underlying issues" in which "some of these cases demonstrated memory corruption with attacker-controlled input and could be exploited to run arbitrary code."Information-disclosure vulnerability in Netsurf through 2.8 due to a world-readable cookie jar.Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xchat 2.8.6 on Maemo architecture could allow remote attackers to cause a denial of service (xchat client crash) or execute arbitrary code via a UTF-8 line from server containing characters outside of the Basic Multilingual Plane (BMP).Cybercriminals posted the information of more than 10 million customers on a hacker forum a year after the initial attack on a cloud server.When patched last week, the bug affected at least 1 million websites. Zero-day exploits were going on then.Based on years of pilot projects and proofs-of-concept, the Industrial Internet Consortium has detailed the best-practices organizations can use to ensure successful deployments.A new lawsuit alleges that Googleβs G Suite for Education program covertly collects data from students, violating both COPPA and other data privacy regulations.The init script in the Debian x11-common package before 1:7.6+12 is vulnerable to a symlink attack that can lead to a privilege escalation during package installation.A resurgence in Emotet malware may make it one of the most pervasive security threats of 2020.
Secure Access Service Edge is a new name for a known and growing architecture designed to strengthen security in cloud environments.Wapiti is a web application vulnerability scanner. It will scan the web pages of a deployed web application and will fuzz the URL parameters and forms to find common web vulnerabilities.From malware attacks to malicious browser extensions - and everything in between. It's your weekly security roundup.From 1 September 2020, Safari will no longer trust SSL/TLS certificates with more than a year on the clock.Security experts discuss the threats putting mobile devices at risk and how businesses can better defend against them.These apps plunk ads in front of us when we're trying to do something else, often leading to inadvertent ad clicks and much cursing.Cisco's 2020 CISO Benchmark Study links a robust patch policy and collaboration to smaller data breaches.Many security teams don't update response plans on a regular basis but complying with GDPR is getting easier.Security leaders need to connect their work to broader business goals and create a culture of learning to attract talent.The company left a server open and unprotected, regurgitating private data slurped from thousands of surveilled people, including children.A leak at the Defense Information Systems Agency exposed personal information of government employees, including social security numbers.What is cyber insurance? Get a definition, learn why it's important, how it works, best practices, and more in this week's Data Protection 101, our series on the fundamentals of information securityCheck out Dark Reading's updated, exclusive coverage of the news and security themes that are dominating RSA Conference 2020 in San Francisco.Criminals will exploit the confusion and hustle and bustle of the games to their advantage, according to security researcher.Trusting the cloud involves a change in mindset. You must be ready to use runtime encryption in the cloud.Nearly 60% of IT and security pros say deployment of business services in the cloud has rushed past their ability to secure them.Server-side request forgery is a dangerous attack method that is also becoming an issue for the cloud. Here are some of the basics to help keep your Web server from turning against you.But 73% of financial companies are moving applications off the cloud and back on premises.Google's reCAPTCHA Enterprise and Web Risk API get a general release; Chronicle Security gets boosts from new threat detection and timelining features.Hash collision attack vulnerability in Jenkins before 1.447, Jenkins LTS before 1.424.2, and Jenkins Enterprise by CloudBees 1.424.x before 1.424.2.1 and 1.400.x before 1.400.0.11 could allow remote attackers to cause a considerable CPU load, aka "the Hash DoS attack."A UN aviation agency uses GIS software to track transmission lines while 20 US airports set up screening centers.Software developer builds a malicious proof-of-concept iOS app that can read data temporarily saved to the deviceβs clipboard.CYBERSECURITY 2020 by WILEY π
βοΈ Secure yourself a new bundle of cybersecurity ebooks! Get ebooks like Cryptography Engineering: Design Principles and Practical Applications, Reversing: Secrets of Reverse Engineering, Social Engineering: The Science of Human Hacking, and more.
βͺοΈ $959 Worth of awesome ebooks & videos βͺοΈ
β«οΈ Pay $1 or more β«οΈ
βͺοΈ DRM-Free βͺοΈ
β«οΈ Multi-format β«οΈ
CISOs report increases in alert fatigue and the number of records breached, as well as the struggle to secure mobile devices in a new Cisco study.Security researchers and practitioners will be talking about a surge in SMS-based phishing attacks, the threat employees pose to data security, and how to improve health and wellness on security team members.Companies of all sizes are being hit by mobile attacks and feeling the effects for extended periods of time, according to the 2020 Verizon Mobile Security Index.Organizations lament a lack of qualified job candidates as they continue to struggle to hire and retain security teams, the new ISACA State of Cybersecurity 2020 report shows.Nonsense! says Google in response to a lawsuit filed by New Mexico's AG, which accuses Google of violating COPPA's child privacy laws.That smart home speaker isn't listening to everything you say, according to new research - but it is listening a lot more than it should.Fascinating research from SophosLabs into a wolf-in-sheep's-clothing malware sample.The Ultimate Security Prosβ Checklist fully maps the core duties of common security positions, from the core technical security aspect to team management and executive reporting.The Department of Homeland Security and two U.S. military branches already had discontinued use of the app based on concerns over Chinese data-security and censorship practices.Company plans to integrate Light Point Security's technology into the McAfee Secure Web Gateway and its Mvision UCE platform.There are far more ways to be helpful than adding to the noise of what a company probably did wrong.Ahead of her keynote at the RSA Conference, Cisco's head of advisory CISOs outlines to Dark Reading a unique paradigm that asks security teams to stop fighting their users, and start sharing control with them.The acquisition will allow McAfee to integrate browser isolation technology into its Secure Web Gateway product and MVISION Unified Cloud Edge platform.Sysdig falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think about falco as a mix between snort, ossec and strace.WhatWeb is a next-generation web scanner. WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each to recognize something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more. WhatWeb supports an aggression level to control the trade off between speed and reliability.The rise of regulations like GDPR have launched personal data security into the spotlight, and artificial intelligence is here to help.Digital Guardian is pleased to share that effective today, we've launched a new Managed Detection & Response (MDR) service to better help customers secure their most sensitive data.Private chat invites aren't meant to be unfindable, Facebook says, though a snippet of code eventually shielded them from Google indexing.Is Android finally about to get on top of the issue of apps that quietly suck up location data?In a RSA 2020 simulation, the Red Team compromised email accounts, deepfake videos, and disinformation on Election Day in Adversaria.The reality of the cybersecurity industry is starkly different than what's perceived by the rest of the world.Order out of chaos? The saga of Chronicle continues with new security features for the Google Cloud Platform.Take a comprehensive approach to better protect your organization. Security hygiene is a must, but also look at your risk posture through a data protection lens.Google patches zero-day bug tied to memory corruptions found inside the Chrome browser's open-source JavaScript and Web Assembly engine, called V8.Security professionals need to stop being snobs to solve the talent gap and improve problem-solving skills.The annual cryptographer's panel took on issues of privacy and how new crypto-technologies apply to it in today's digital world.NaCl in 2015 allowed the CLFLUSH instruction, making rowhammer attacks possible.When a bug's a zero-day that means it's being actively exploited. So don't delay, just patch today!Coinsource now offers ATMs that customers can use to manage their Bitcoin.