The threat group also has a new subsidiary, Magecart Group 12.
Despite the existence of patches, the proliferation of unpatched installations makes them enticing targets for malicious actors, according to a WhiteHat report.
Signs of the attack first showed up two months before it was identified as a cyberattack, but they were mistaken for a pure equipment failure by Schneider Electric, security expert reveals at S4x19.
A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Leaky Fortnite single sign-on mechanism could have allowed hackers to access game accounts.
With the right tools and trained staff, any organization should be able to deal with threats before information is compromised.
The two were able to hack into the SEC's computer systems due to phishing attacks that stole credentials and spread malware.
Managed Security Service Providers can alleviate many of the headaches suffered by in-house security, but they need to remain nimble and focused to retain their edge.
Bugs in Epic Games' platform could let intruders take over players' accounts, view personal data, and/or buy in-game currency.
MailEnable before 8.60 allows XXE via an XML document in the request.aspx Options parameter.
MailEnable before 8.60 allows Stored XSS via malformed use of "<img/src" with no ">" character in the body of an e-mail message.
MailEnable before 8.60 allows Privilege Escalation because admin accounts could be created as a consequence of %0A mishandling in AUTH.TAB after a password-change request.
MailEnable before 8.60 allows Directory Traversal for reading the messages of other users, uploading files, and deleting files because "/../" and "/.. /" are mishandled.
SmarterTools SmarterMail before 13.3.5535 was vulnerable to stored XSS by bypassing the anti-XSS mechanisms. It was possible to run JavaScript code when a victim user opens or replies to the attacker's email, which contained a malicious payload. Therefore, users' passwords could be reset by using an XSS attack, as the password reset page did not need the current password.
Insufficient data validation on image data in PDFium in Google Chrome prior to 51.0.2704.63 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file.
Criminals are increasingly trying to defraud businesses by diverting payrolls of CEOs, other senior executives, Agari says.
When it comes to acceptable circumstances for government disclosure of zero-days, the new Vulnerabilities Equity Process might be the accountability practice security advocates have been waiting for.
The storage server was left open for about a week and exposed everything from sensitive FBI investigations to data related to patients with AIDS.
Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order. Affects BIND 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1, and 9.9.9-S8.
A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Affects BIND 9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8.
Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1.
Bodhi 2.9.0 and lower is vulnerable to cross-site scripting resulting in code injection caused by incorrect validation of bug titles.
An error in handling certain queries can cause an assertion failure when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service. A vulnerable server could be intentionally stopped by an attacker if it was using a configuration that met the criteria for the vulnerability and if the attacker could cause it to accept a query that possessed the required attributes. Please note: This vulnerability affects the "nxdomain-redirect" feature, which is one of two methods of handling NXDOMAIN redirection, and is only available in certain versions of BIND. Redirection using zones of type "redirect" is not affected by this vulnerability. Affects BIND 9.9.8-S1 -> 9.9.8-S3, 9.9.9-S1 -> 9.9.9-S6, 9.11.0 -> 9.11.0-P1.
The Oklahoma Securities Commission accidentally leaked 3 TB of information, including data on years of FBI investigations.
Our reader poll showed overwhelming support for 2FA even in the wake of a bypass tool being released -- although lingering concerns remain.
Researchers dig into vulnerabilities in popular building automation systems, devices.
Logon Manager in SAS Web Infrastructure Platform before 9.4M3 allows reflected XSS on the Timeout page.
They're charged with phishing and inflicting malware to get into the EDGAR filing system, stealing thousands of filings, and selling access.
A researcher has discovered an exposed database containing gigabytes of call logs, SMS data, and internal system credentials belonging to US Voice-over-IP (VoIP) service provider VOIPo.com.
In a case that could be straight out of a legal TV drama, a computing font has cost a couple two houses in a Canadian bankruptcy case.
New samples of cryptomining malware perform a never-before-seen function: uninstalling cloud security products.
She sent her bank account details three times, she said. Unfortunately, they wound up in crooks' hands, and her money wound up in their pockets.
A skilled attacker can get inside your company by abusing common email applications. Here are three strategies to block them.
Thousands of individual breaches make up the database, one of the largest troves of stolen credentials ever seen.
Refined malware payloads from Chinese threat actor Rocke Group are sidestepping security tools to install cryptocurrency miners on cloud systems.
In iOS before 11.2, exchange rates were retrieved from HTTP rather than HTTPS. This was addressed by enabling HTTPS for exchange rates.
In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan, a logic error existed in the validation of credentials. This was addressed with improved credential validation.
In iOS before 11.2, a type confusion issue was addressed with improved memory handling.
In iOS before 9.3.3, a memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.
New global survey shows businesses are valuing IoT security more highly, but they are still challenged by IoT data visibility and privacy.
In iOS before 11.2, an inconsistent user interface issue was addressed through improved state management.
In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, proxy authentication incorrectly reported HTTP proxies received credentials securely. This issue was addressed through improved warnings.
Data privacy is no longer a nice-to-have security commodity, but a must-have commodity.
If your network doesn't allow connections into the default VNC port 5901, you can tunnel it through SSH.
In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a downgrade issue existed with HTTP authentication credentials saved in Keychain. This issue was addressed by storing the authentication types with the credentials.
An 87GB dump of email addresses and passwords containing almost 773 million unique addresses and just under 22 million unique passwords has been found.
The network no longer provides an air gap against external threats, but access devices can take up the slack.
Get up close and personal with the latest tools and techniques for testing (and breaking) everything from HTTPS to deep neural networks to Microsoft Office!
Apple CEO Tim Cook has called on the government to double down on data privacy regulation in 2019.
Without a formal plan or policy, wearables may introduce your company to a security breach.
Multiple threat actors are using relatively simple techniques to take advantage of the vulnerability, launching cryptominers, skimmers, and other malware payloads.
In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a validation issue existed in the parsing of 407 responses. This issue was addressed through improved response validation.
A new program will pay bounties of up to $20,000 for new critical bugs in the company's Azure DevOps systems and services.
Facebook says the accounts and pages were part of two unrelated disinformation operations aimed at targets outside the US.
Microsoft is offering rewards of up to $20,000 for flaws in its Azure DevOps online services and the latest release of the Azure DevOps server.
Data appears to be from multiple breaches over past few years, says researcher who discovered it.
The platform can't keep us from driving while blindfolded, but at least it can remove videos that glorify our more brainless moments.
Here's the latest Naked Security podcast - enjoy!
...or that they can edit the (often inaccurate) pigeon-holes Facebook likes to put us in, a study found.
Android apps that want access to your call and SMS data now have to pass muster with Google's team of reviewers.
Have I Been Pwned? (HIBP) has revealed a huge cache of breached email addresses and passwords, which it has named Collection #1.
The Redmond giant is keenly interested in remote code execution and privilege escalation flaws.
Cloud security experts weigh in with the practices and tools they prefer to monitor and measure security metrics in the cloud.
Blockchain may finally be ready to move from hype to reality, with continued IoT integrations and tokenization, according to KPMG.
Twitter has fixed the issue, which has been ongoing since 2014.
For medical entities, simply following HIPAA cloud service provider guidelines is no longer enough to ensure that your practice is protected from cyber threats, government investigations, and fines.
The PCI Software Security Framework will eventually replace PCI PA-DSS when it expires in 2022.
One common criticism of bug bounty programs is that very few hackers actually make money. Not only is this untrue, but it misses the point.
A default configuration allows full admin access to unauthenticated attackers.
Threatpost editors break down the top headlines from the week ended Jan. 18.
An Austrian non-profit, led by privacy activist and attorney Max Schrems, has filed suit against 8 tech giants for non-compliance with the EU General Data Protection Regulation.
The Fallout EK has added the latest Flash vulnerability to its bag of tricks, among other tune-ups.
Two apps on Google Play were infecting devices with the Anubis mobile banking trojan.
But rate of funding appears unsustainable, according to Strategic Cyber Ventures.
The most common vulnerabilities seen last year run the gamut from cross-site scripting to issues with CMS platforms.
Here's a fascinating history of cryptography that has plenty to teach you - and you don't need a degree in mathematics to follow along!
Security keys are logged when any WCDMA call is configured or reconfigured in snapdragon automobile, snapdragon mobile and snapdragon wear in versions MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDA660, SDX20, SXR1130
Improper access control on secure display buffers in snapdragon automobile, snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9650, MSM8996AU, SD 210/SD 212/SD 205, SD 820, SD 820A, SD 835, SDA660
AGPS session failure in GNSS module because cipher suites are hardcoded and need a manual update every time, in snapdragon mobile and snapdragon wear in versions MDM9635M, MDM9645, MDM9650, MDM9655, MSM8909W, SD 835, SD 845, SD 850
From WhatsApps that aren't meant for you to the highly promising USB-C authentication, and everything in between. It's weekly roundup time.
The Apple CEO wants the FTC to set up a data-broker clearinghouse so people can see the data that companies have collected on them.
Oklahoma's Department of Securities (ODS) exposed 3TB of files in plain text containing sensitive data on the public internet this month.
A Chilean Senator has taken to Twitter with alarming news - the company running the country's ATM network suffered a serious cyberattack.
The latest privacy glitch, which went unnoticed for over four years, may trigger yet another EU privacy probe.
Organizations must strengthen their security posture in cloud environments. That means considering five critical elements about their infrastructure, especially when it operates as an IaaS.
In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.
WhatsApp has capped the number of people you can forward messages to, after India was seized by rumour-inspired mob lynchings.
The Democratic National Committee has filed a civil complaint accusing Russia of trying to hack its computers as recently as November 2018.
Location data extracted from the athletic hitman's Garmin GPS watch and TomTom sat nav led to his conviction in two gangland murders.
A researcher has found that websites can use some extensions to bypass security policies, execute code, and even install other extensions.
When addressing security vulnerabilities, enterprises should focus on those with publicly available exploit code, according to a Kenna Security report.
The patches are part of Adobe's second unscheduled update this month.
By using a combination of new cryptocurrencies and peer-to-peer marketplaces, cybercriminals are laundering up to an estimated $200 billion in ill-gotten gains a year. And that's just the beginning.
Selling personal information and compromised accounts of popular Instagram users has become more lucrative than ransomware and cryptojacking campaigns.
The French Data Protection Authority (DPA) found a lack of transparency when it comes to how Google harvests and uses personal data for ad-targeting purposes.
In Drupal 8.x prior to 8.3.7, when creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.
In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56, private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.
The fine represents the first major penalty for a US technology company under the new European regulations.
Researchers show how rogue web applications can be used to attack vulnerable browser extensions in a hack that gives adversaries access to private user data.
New side-channel attacks are getting lots of attention, but other more serious threats should top your list of threats.
The approach's promise continues to entice cryptographers and academics. But don't expect it to help in the real world anytime soon.
IT and cybersecurity positions continue to rank near the top of the salary ranges paid to IT professionals, according to a new survey.
An intruder thought to be a former employee used a backdoor into the WPML website to skim email addresses and send a mass email blast.
Adversaries took advantage of the large attack surface of large communications networks to spread small volumes of junk traffic across hundreds of IP prefixes in Q3 2018, Nexusguard says.
A hacked Nest camera broadcast the fake warning about incoming North Korean missiles, sending a family into "five minutes of sheer terror."
In a landmark ruling, France's data protection commissioner has fined Google 50 million Euros (around $57m) for violating Europe's privacy laws.
The RogueRobin uses a mix of novel techniques.
0patch released the fix for the remote code execution vulnerability in Windows, which has a CVSS score of 7.8.
Last week hackers allegedly compromised an admin's Steam account and used it to spawn planes, tanks, and whales in Atlas.
Online gamblers lose their private data as yet another unsecured Elasticsearch database is discovered.
Here's the latest Naked Security podcast. Enjoy!
Old school but effective, hackers are shifting away from in-your-face ransomware to attacks that are much more subtle.
Find yourself some of the latest and most exciting cybersecurity tools at the Arsenal, where you can meet and chat with their creators.
A new report on the state of malware shows a spike in B2B malware, with former banking Trojans Emotet and TrickBot topping the list.
Phishers often spoof major tech brands in their efforts to gain payments from individuals and businesses, according to a Vade Secure report.
An emergency directive from the Department of Homeland Security provides "required actions" for U.S. government agencies to prevent widespread DNS hijacking attacks.
If you've ever wanted to authenticate a Linux desktop to an OpenLDAP server, here's how it's done.
With OpenLDAP, you can manage users on a centralized directory server and then configure each desktop to authenticate to that server.
Why stockpiling cryptocurrency or paying cybercriminals is not the best response.
Research shows that better corporate security has resulted in some hackers shifting their sights to the estates and businesses of wealthy families.
More than 70% of tech professionals said security spending has increased in the past year, according to a Ping Identity report.
The attack makes use of previously disclosed critical vulnerabilities in the Apple Safari web browser and iOS.
Jack Wallen shows you how to lock out users after failed login attempts in CentOS 7.
Here are six tips to put threat hunters in the driver's seat so they can outsmart their adversaries.
The new malware is being propagated on P2P networks, and demands a ransom equivalent to $725 USD, according to McAfee Labs.
Google Alphabet incubator Jigsaw says knowing how to spot a phish plus two-factor authentication are the best defenses against falling for a phishing email.
Illicit Monero-mining malware accounts for more than 4 percent of the XMR in circulation, and has created $57 million in profits for the bad guys.
In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to Airflow, whether via XSS or by leaving a machine unlocked, can exfiltrate all credentials from the system.
In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow.
In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.
Researchers detected 191,970 bad ads and estimate that around 1 million users were impacted.
When criminals use technology to propagate social engineering attacks, securing your organization can become complicated. Here's what you need to know about phishing and spearphishing.
The banking trojan hides its misdeeds with a rotating set of tactics.
Mac admins or users savvy around Terminal can easily reset a password and have the affected account back to work within minutes.
Age is an issue with application languages and frameworks, too.
Modular design, ability to infect network shares make the malware dangerous, McAfee says.
All government domain owners are instructed to take immediate steps to strengthen the security of their DNS servers following a successful hacking campaign.
A vulnerability in the Admin portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain confidential information for privileged accounts. The vulnerability is due to the improper handling of confidential information. An attacker could exploit this vulnerability by logging into the web interface on a vulnerable system. An exploit could allow an attacker to obtain confidential information for privileged accounts. This information could then be used to impersonate or negatively impact the privileged account on the affected system.
Hanging up on the fact-checkers probably isn't the best way for a news outlet to assure them that it's trustworthy.
Apple has issued its January security updates fixing a list of mostly shared CVE flaws affecting iOS and macOS with a smattering for Safari, watchOS, tvOS, and iCloud for Windows.
With the CISO at the table, organizations must focus on products, processes, and people to stay secure, according to the executive director of the National Cyber Security Alliance.
Did you see the story about the US family whose Nest camera "warned" them of an impending nuclear attack? Here's how to keep hackers out...
The decision means Yelp, and other platforms, are still protected from liability for user-submitted content under the CDA's Section 230.
A bomb threat spam campaign that hit North America last month may have been engineered using a flaw in GoDaddy's domain management process, it was revealed this week.
Come to Black Hat Asia in March for an expert look at what's happening in the world of Internet of Things, and what you can do to secure it.
These apps will help keep your enterprise safe from malware and other cybersecurity threats.
Perpetrators are using smaller, bit-and-piece methods to inject junk into legitimate traffic, causing attacks to bypass detection rather than sounding alarms with large, obvious attack spikes.
Security updates for the lifespan of a given device are critical to protecting your connected device against hackers, according to a Barracuda report.
Multicloud is much more popular than hybrid cloud, with only 33% of professionals using a hybrid model, according to a Kentik report.
Credential compromise emerged the main target for phishing campaigns in 2018 - rather than infecting victims' devices with malware.
The most common attacks involved software vulnerabilities, stolen credentials, Web applications, and IoT devices.
Using Google App Engine to mask the destination of links is a staggeringly easy way to conduct a phishing campaign, but Google claims it is not their problem.
Attack threatens victims with three "deadly malware" infestations if they don't give up critical email account credentials.
Make using SSH key authentication a snap with the new ssh-agent feature found in KeePassXC.
You can call it collateral damage. You can call it trickledown cyberwarfare. Either way, foreign hacker armies are targeting civilian enterprises - as a means of attacking rival government targets.
Breach latest example of how misconfigurations, human errors undermine security in a big way, experts say.
A new wave of attacks abuses the Google Cloud Platform URL redirection in PDF decoys, sending users to a malicious link.
A look at API attack trends such as the current (and failing) architectural designs for addressing security of these API transactions.
Many organizations find that getting their data privacy house in order is paying off.
PostGIS 2.x before 2.3.3, as used with PostgreSQL, allows remote attackers to cause a denial of service via crafted ST_AsX3D function input, as demonstrated by an abnormal server termination for "SELECT ST_AsX3D('LINESTRING EMPTY');" because empty geometries are mishandled.
Adverts on Facebook featuring fake celebrity endorsements scam people out of their savings, and Facebook is now doing something about it.
A man has been arrested a year after stealing €10m ($15m) of the IoT-focused cryptocurrency IOTA using bogus software that tricked users.
Your likes, interests and personality can be gleaned from as few as 8-9 friends on social media, whether you're on the platform or not.
The US Department of Homeland Security (DHS) has issued an emergency directive tightening DNS security after a recent wave of domain hijacking attacks targeting government websites.
Emotet is a moving, shape-shifting target for admins and their security software. Here's what we've learned from dealing with outbreaks.
Interest in bug bounty programs is exploding, as companies look to crowdsourcing to combat hackers. But several misconceptions remain.
In cybersecurity, as in history, security leaders who forget the lessons of the past will be doomed to repeat them.
Recent statistics show just how much credential stealing has become a staple in the attacker playbook.
The malware targets victims in multiple, sneaky ways as they move around the web.
In a talk at the World Economic Forum, Microsoft's CEO voiced support for GDPR and expressed hope the United States creates a similar approach to privacy.
The nation suspects Russia's hand in the attacks, which seem aimed at disrupting the upcoming presidential election.
A spate of phishing emails with Word attachments deliver both the Gandcrab ransomware and Ursnif executable.
Popular application ES File Explorer for Android has a significant vulnerability, putting your data at risk. Learn what's involved and how to remediate the threat.
From a massive GDPR fine on a big tech company, to an emergency government security alert, here are the top security stories of the week.
There are several actions companies can take to improve overall employee awareness about security. View the top five below.
LabKey Server version 18.3.0-61806.763, released on January 16, patches all three issues, so users should update as soon as possible.
Security pros know all too well that following basic privacy guidelines can cut down on human errors that can lead to serious security breaches.
From the US gov's emergency directive to the 10 Year Challenge, and everything in between. It's weekly roundup time.
YouTube personality Philip DeFranco warned that the messages pretending to be from him and other top influencers are scams.
Of all the calamities that befall email users, few are more dreaded than the "reply all" storm.
"Hi there," said the polite (and fake) help desk, leading to a back-and-forth between a lying scammer and a lying security analyst.
An experiment to make the internet safer ended up breaking parts of it last week.
Today is Data Privacy Day. We asked around at Sophos for some tips from people that live security day in and day out.
After years of embarrassment, I'm finally ready to admit how and why my Instagram account got hacked.
The development team of the vulnerable Total Donations plugin appears to have abandoned it, and did not respond to inquiries from researchers.
The best way to conform to the EU's new privacy regulation is to assume that you don't need to hold on to personal data, versus the opposite.
Cyberattackers are targeting a pair of just-patched vulnerabilities that allow remote unauthenticated information disclosure leading to remote code-execution.
Jack Wallen shows you how you can use SSH to proxy through a jump host from one machine to another.
The YouTube competitor said that it was hopeful that it's containing the damage.
Ahead of the 2020 Tokyo Olympic Games, the Japanese government is planning to access unsecured Internet of Things devices to identify users and request they change their passwords.
Forward-thinking predictions for the year ahead from some of the cybersecurity industry's wisest minds.
A new campaign will see government employees hacking into personal IoT devices to identify those at highest security risk.
At its peak, xDedic listed over 70,000 owned servers that buyers could purchase for prices starting as low as $6 each.
Tom Merritt shares five ways companies can request data from their consumers--and actually get it.
Newly found bug reportedly allows callers to spy on you -- even if you don't pick up.
Various resources in Atlassian Crowd before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories by examining the responses to requests for these resources.
Dailymotion is resetting the account passwords of an unknown number of users after being hit by a "large-scale" credential stuffing attack.
DIY giant B&Q reportedly suffered an Elasticsearch database breach this week that gave up information on around 70,000 shoplifters.
Apple is scrambling to fix an embarrassingly dangerous "snooping" bug in its popular FaceTime app.
Should we cheer for WhatsApp-esque, end-to-end encryption everywhere, or tremble at creeping Facebookism?
Japan will hack citizens' IoT devices to mop up cyber security before the Olympics. Don't like the notion? Here's how to lock 'em down!
Implementing modern systems could have a sinister side-effect for enterprise companies.
The bug allows iPhone users to FaceTime other iOS users and eavesdrop on their conversations - even when the other end of the line doesn't pick up.
Despite the wide-ranging effects of the Facebook data privacy scandal, only one-fifth of people are concerned over privacy issues related to social media use, according to a Yubico study.
A report found that a dozen connected devices are open to several security and privacy issues.
People are the biggest weakness to security breaches; people can also be your organization's biggest defense.
Apple iPhone users discovered a serious FaceTime bug that lets you hear audio from another iPhone or even view live video without the recipient's knowledge.
Firefox 65 rolls out new redesigned privacy controls as part of Mozilla's anti-tracking promise.
Meanwhile, authorities are aggressively going after former users of the Webstresser DDoS-for-hire service.
Today's releases include more advanced EDR tools, a new managed EDR service, and protection and hardening for Symantec's endpoint portfolio.
Part two of RSA's Conference Advisory Board look into the future tackles how approaches to cybersecurity must evolve to meet new emerging challenges.
Where security really matters, the enterprise is only as secure as the endpoints it allows to access its sensitive core systems.
Japan will carry out a "survey" of 200 million deployed IoT devices, with white-hats trying to log into internet-discoverable devices using default credentials.
A new survey shows more Americans are more concerned about their computer's security than the US border's.
Anyone with access to an Exchange mailbox can take control of domain, security researcher says.
They're putting up fake accounts to bilk the tender-hearted for donations, using the images of a real 5-year-old with real cerebral palsy.
Cops from 14 countries are seeking to inflict a bit of distributed denial-of-freedom to whoever's behind 6 million around-the-globe attacks.
Firefox has introduced a new set of controls to make it easier for privacy-conscious users to protect themselves from online ad trackers.
A researcher has discovered an alarming way that an attacker controlling a Microsoft Exchange mailbox account could potentially elevate their privileges to become a Domain Administrator.
The Facebook Research app pays teenagers $20 for extensive access to their phone and web activity.
There's a new version of Sophos Home out today, and it comes with a whole host of new features.
The malware middle ground is full of journeymen, wallflowers and also-rans that'll bite you hard, if you let them.
The potency of DDoS attacks lies in the number of packets being sent rather than the relative bandwidth involved in the attack.
MSSPs provide flexibility, expertise, and efficiencies in scale. Learn about more advantages below.
If machine learning can be demonstrated to solve particular use cases in an open forum, more analysts will be willing to adopt the technology in their workflows.
Build them carefully and maintain them rigorously, and ACLs will remain a productive piece of your security infrastructure for generations of hardware to come.
before adding them to the toolbox.
Another one of Facebook's apps has been banned from Apple's ecosystem due to the level of data that it collects and how it was distributed.
VMware host servers require advanced software to manage them en masse. Admins can restrict access using AD services to authenticate and manage user account security.
A spam injector hides in plain sight within WordPress theme files.
The credit card company reports Discover's card systems were not involved in the breach, discovered in August 2018.
Here's the latest Naked Security podcast - enjoy!
Facebook allegedly violated Apple's developer policy by operating a "focus group" paying users $20/month to agree to activity monitoring, and is now paying the price.
Before you start calling users stupid, remember that behind every stupid user is a stupider security professional.
A severe flaw exposes sensitive information for 35,000 kids and 20,000 individual accounts.
January 10 torrent involved nearly four times as many packets as last year's huge attack on GitHub, says Imperva.
A server security mishap exposed vast stores of data belonging to clients of Rubrik, a security and cloud management firm.
US officials disrupt North Korea's Joanap attack infrastructure.
In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates.
It was paying people, including teens, up to $20 to install an app that got root access for "nearly limitless access," encryption or no.
A US court has sentenced a man to over five years for his part in a massive telecommunications fraud involving stolen cellphone accounts and reprogrammed phones.
Singapore's Ministry of Health said the HIV status of 14,200 people, plus confidential data of 2,400 of their contacts, is in the possession of somebody who's not authorized to have it and who's published it online.
Google and Mozilla are tidying up security features and patching vulnerabilities in Chrome and Firefox for Mac, Windows, and Linux.
A newly discovered malware steals cookies, credentials and more to break into victims' cryptocurrency exchange accounts.
A day after Facebook was dinged for shady iOS distribution techniques of its data-collecting research app, Google was discovered using the same methods for its own app.
The CookieMiner malware attempts to extract credentials for cryptocurrency wallets and exchanges, as well as stored password and credit card information.
Four key questions to consider as you plan out your next winning security strategy.
Cyberattacks are increasing, and your organization may be making itself a high-profile target for attackers, according to a Radware report.
The Department of Justice is looking to dismantle the Joanap botnet, which has been built and controlled by North Korea-linked hackers since 2009.
A cyberattack lifts employee data at the French aerospace giant as news hits of "Collections 2-5" being passed around the underground.
So far, 2019 shows no signs of a decline in data incidents.
Few details as yet on a cyberattack that hit Airbus' commercial aircraft business.
Dell SafeGuard and Response is geared toward businesses, governments, and schools that may lack resources they need to detect and remediate sophisticated threats.
The last thing any business needs is a swarm of myths and misunderstandings seeding common and frequent errors organizations of all sizes make in safeguarding data and infrastructure.
Swarm technology may be a game changer for the bad guys if organizations don't change their tactics.
From counterfeit tickets to live streaming deals--Super Bowl 53 can generate a slew of cybersecurity risks. Learn how to protect yourself.
A new module allows it to be rented to other malicious actors -- and it's likely other new capabilities are coming down the pike.
Facebook is continuing to crack down on misinformation, political meddling, and "coordinated inauthentic behavior" on its platform.
The research around a recent vulnerability shows how researchers follow leads and find unexpected results.
It was using the same Apple enterprise back door as Facebook to get its market research done, but it owned up and backed off.
Users of Microsoft's Azure system lost database records as part of a mass outage on Tuesday. A combination of DNS problems and automated scripts were to blame, said reports.
Yet another family unnerved by yet another voice coming from a nursery webcam serves as yet another argument against password reuse.
In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis.
How many user credentials have fallen into the hands of criminals during a decade of data breaches? Billions, according to two recent discoveries.
Staying up to date on Spectre and Meltdown can be challenging. This guide includes in-depth explanations about these uniquely dangerous security vulnerabilities and the best mitigation solutions.
Whether you want an in-depth look at one of the biggest data breaches in recent memory or some advanced data forensics training, Black Hat Asia is the place to be.
A pair of bugs in a very widely used Linux system tool called systemd have just been "weaponised" - check you're patched!
The combination of simple, straightforward, and methodical ingredients are the keys to developing a balanced and well-rounded security program.
Scams, infrastructure attacks, data harvesting and attacks on streamers are all in the offing.
Open-source, industry standard specifications are available to protect your business, but real-world deployment is still lower than optimal.
From Facebook's research app being pulled from iOS devices to a new-found dump of compromised credentials, here are the top news of the week.
In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure.
In this week's Naked Security Live video: what to do about microphone-equipped devices in your home?
If you run NGINX and want to use free certificates, it's possible with Let's Encrypt.
A Chicago-area family's smart home controls were compromised in a hack that has left them feeling vulnerable in their own home.
Path Traversal vulnerability in Photo Station versions: 5.7.2 and earlier in QTS 4.3.4, 5.4.4 and earlier in QTS 4.3.3, 5.2.8 and earlier in QTS 4.2.6 could allow remote attackers to access sensitive information on the device.
The Remexi spyware has been improved and retooled.
Learn about these uniquely dangerous vulnerabilities as TechRepublic's James Sanders discusses up-to-date info on the latest variants and best mitigation strategies to minimize performance impact.
The decorating website said that account usernames, passwords and more have been compromised as part of a breach.
You can easily prevent unwanted users and attacks from gaining access to your CentOS 7 server.
From the DNS outage that deleted users' Azure data to the Nest security cam hijacker, and everything in between. It's weekly roundup time.
A groundbreaking settlement in New York finds that selling fake likes and followers is illegal.
The FBI revealed that it joined the Joanap botnet and started chewing it up from the inside.
Chrome now checks for misspellings of popular URLs and will display a link to the site that it thinks the user might have wanted to visit.
Researchers have discovered security holes in 5G, 4G and 3G telephony protocols, which can expose a user's location.
Armed with an impressive bag of exploits and other tricks for propagation, researchers believe the new trojan could be the catalyst for an upcoming, major cyber-offensive.
The unique threat landscape requires a novel security approach based on the latest advances in network and AI security.
Despite several threat actors stating they are behind a massive 773M credential dump, researchers believe they have found the real distributor.
State-sponsored groups are leveraging weaknesses in IoT devices to build botnets, and attacking private industry and public infrastructure in attacks, according to a Booz Allen report.
Facebook's privacy disclosures "are quite vague" and should have been made more prominent, a federal judge argued.
Referencing the Dalai Lama, the spam campaign is targeting recipients of a mailing list run by the Central Tibetan Administration.
Team from University of Missouri take wraps off Dolus, a system 'defense using pretense' which they say will help defend software-defined networking (SDN) cloud infrastructure.
If you absolutely have to have Amazon Alexa or Google Assistant in your home, heed the following advice.
Audacity version 2.1.2 is vulnerable to DLL Hijack: it tries to load avformat-55.dll without supplying the absolute path, thus relying upon the presence of such a DLL in the system directory. This behavior results in an exploitable DLL Hijack vulnerability, even if the SafeDllSearchMode flag is enabled.
Joomla extension DT Register version before 3.1.12 (Joomla 3.x) / 2.8.18 (Joomla 2.5) contains an SQL injection in "/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events". This attack appears to be exploitable if the attacker can reach the web server.
Cayosin brings together multiple strands of botnet tech and hacker behavior for a disturbing new threat.
The number of data breaches dropped overall, but the amount of sensitive records exposed jumped to 446.5 million last year, according to the ITRC.
Anyone could have accessed the entire database, including a child's location, on Gator watches and other models that share its back end.
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.
The only person who knew the password is dead, leaving customers unable to access around $190million in fiat and virtual currency.
How do advanced persistent threat groups such as Double Secret Octopus and Anchor Panda get their ridiculous names?
Half of the apps used to control a range of Internet of Things devices are insecure in a variety of ways, researchers found.
FamilyTreeDNA has disclosed that it's opened up more than 1m DNA profiles to the FBI to help find suspects of violent crime.
Several flaws in both open-source RDP clients and in Microsoft's own proprietary client make it possible for a malicious RDP server to infect a client computer - which could then allow for an intrusion into the IT network as a whole.
Led by top infosec talent, these cutting-edge courses are an efficient way to get practical, hands-on training in everything from blockchain security to machine learning.
The children's smartwatch allows bad actors to track their location and communicate with them, according to the alert.
The industry has long needed an open, industry-standard testing framework. NetSecOPEN is working to make that happen.
Eleven critical bugs will be patched as part of the February Android Security Bulletin.
The US government will not be able to mitigate a cyber-enabled economic warfare attack without help from the private sector, according to a report from FDD and the Chertoff Group.
Here's the latest Naked Security podcast - give it a listen!
IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 123677.
IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) does not validate, or incorrectly validates, a certificate. This weakness might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host. IBM X-Force ID: 123675.
IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 123673.
IBM BigFix Compliance 1.7 through 1.9.91 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 123429.
Haraka version 2.8.8 and earlier comes with a plugin for processing attachments for zip files. Versions 2.8.8 and earlier can be vulnerable to command injection.
That's the conclusion of a classified postmortem report sent to the White House yesterday by Acting Attorney General and DHS Secretary.
In addition, 91 reported fines have been imposed since the regulation went into effect last May.
While containers can create more secure application development environments, they also introduce new security challenges that affect security and compliance.
Criminals are taking advantage of Gmail's 'dots don't matter' feature to set up multiple fraudulent accounts on websites, using variations of the same email address, Agari says.
Flaws in this connected smart scale might give the diet-challenged a legitimate reason to be nervous about using this vulnerable IoT device.
New attack uses a repurposed version of the Trojan that spreads using Internet Relay Chat.
One thing the world doesn't need: hackers who can broadcast to billboards of any size, be they PC monitor- or Godzilla-sized.
Chainalysis found that two groups, which it calls Alpha and Beta, are responsible for stealing around $1 billion in funds from exchanges.
From Firefox 66 for desktop and Android, due in March, media autoplay of video or audio will be blocked by default.
A clear and present danger: Anyone with a web browser who knows where to look can access Jack'd users' photos, be they private or public.
The key? Rather than getting bogged down in the technical details, focus on how a security program is addressing business risk.
Today's financial cyber-rings have corporate insider and management roles -- cybercrime is not just for hackers and coders anymore.
Most people still lack an understanding of best practices for passwords and other security measures, Google found.
One in three companies is still unprepared for many potential cybersecurity threats, according to an eSecurityPlanet.com report.
The elevated privilege flaw exists in Microsoft Exchange and would allow a remote attacker to impersonate an administrator.
How much do companies really gain from offloading security duties to the cloud? Let's do the math.
After a data breach, 57% of consumers blame companies above everyone else, even hackers, for the event, according to an RSA Security report.
Hackers don't always steal data. Sometimes the goal is to manipulate the data to intentionally trigger external events that can be capitalized on.
Google's Confidential Computing Challenge aims to make it easier to achieve end-to-end encryption of data in the cloud.
A tricky two-stage phishing scam is targeting Facebook and Google credentials using a landing page that hides behind Google's translate feature.
A pragmatic, risk-based approach can help CISOs plan for an efficient, effective, and economically sound implementation of AI for cybersecurity.
New RSA Security survey shows a generation gap in concerns over cybersecurity and privacy.
The Pie Chart Panel plugin through 2019-01-02 for Grafana is vulnerable to XSS via legend data or tooltip data. When a chart is included in a Grafana dashboard, this vulnerability could allow an attacker to gain remote unauthenticated access to the dashboard.
Several airlines send unencrypted links to passengers for flight check-in that could be intercepted by attackers to view passenger and other data, researchers found.
Tensorflow, Google's open-source machine learning framework, has been used to block 100 million spam messages.
Acquisition will enable it to provide threat detection, pen testing, and other security tools to customers.
A researcher who discovered a flaw letting him steal passwords in MacOS is not sharing his findings with Apple without a macOS bug bounty program.
Yet few engineers feel empowered to do anything about them, a survey shows.
A Google/Harris Poll finds nearly two-thirds of users surveyed reuse passwords on multiple accounts.
Privacy-focused cryptocurrency Zcash has fixed a flaw that would have allowed anyone with knowledge of it to produce counterfeit currency.
Google's released a Chrome extension, Password Checkup, that's designed to warn users when they enter a username and password the company has detected in a data breach.
It still works, you know. And there are photos and videos on it.
The researcher says it works without root or administrator privileges and without password prompts. But he's not revealing how it works to Apple because there's no money for him in its invite-only/iOS-only bounties.
In cybersecurity it pays to stay on top of the latest exploits, and there's no better place to do that than Black Hat Asia in Singapore next month.
Barrett Lyon is co-founder of Netography, which emerged today with $2.6M in seed funding from Andreessen Horowitz.
When there's a DDoS attack against your voice network, are you ready to fight against it?
Up to eight airlines do not encrypt e-ticketing booking systems - leaving personal customer data open for the taking.
Traditional computers work with binary digits, or bits as they are called for short, that are either zero or one. Typically, zero and one are represented by some traditional physical property - a hole punched in a tape, or no hole; a metal disc tilted left or right by an electric current; an electronic capacitor [...]
The end of 2018 saw a spike in malicious attachments which businesses need to be wary of, according to a Proofpoint report.
Lifesize is issuing a hotfix to address vulnerabilities in its enterprise collaboration devices, which could give hackers a gateway into target organizations.
Visa's chief risk officer anticipates some healthy changes ahead.
Trends in DDoS attacks show an evolution beyond Mirai code and point to next-gen botnets that are better hidden and have a greater level of persistence on devices - making them "far more dangerous."
Apple's iOS 12.1.4 fixes a FaceTime bug that made headlines last week.
Teenaged Fortnite player gets credit for finding the bug.
The purchase will add WebRoot's cloud-based security to the cloud-based data backup and recovery platform of Carbonite.
Vulnerable plugin for a remote management tool gave attackers a way to encrypt systems belonging to all customers of a US-based MSP.
So much for creating a three-headed Cerberus marketing-happy chat dog! Also, we'll soon see the who-what-huh? behind the ads we're shown.
Waze users are helping intoxicated drivers to evade checkpoints and could thus be "engaging in criminal conduct," say police.
A university employee accidentally emailed a spreadsheet containing personal information on every one of the college's 4,557 students.
Enterprises need to start preparing for a future without traditional passwords, according to LoginRadius.
For the second time in a year, illegal child abuse images have been spotted inside a blockchain. According to a post by web blockchain payments system Money Button, on 30 January its service was abused to place "illegal content" inside the Bitcoin Satoshi Vision (BSV) ledger, a recent cryptocurrency hard fork from Bitcoin Cash [BCH]. [...]
Absent from privacy policies, the tracking came to light after a breach with Air Canada's mobile app, then password slurping from Mixpanel.
iOS app developers have been capturing how users interact with screens without gaining user consent.
Officials believe a nation-state is to blame for the incident, which took place Thursday night into Friday morning.
A vulnerability in FireOS, the Amazon Fire Tablet's operating system, has been patched.
Security has become a stand-alone part of the corporate IT organization. That must stop, and transparency is the way forward.
A trio of bugs could have opened Android 7, 8 and 9 to remote attackers wielding booby-trapped image files. Here's what you need to know...
What do a telephony protocol, butt-sniffing, and multifactor authentication have in common? A John Klossner cartoon! And the winners are ...
While the number of DDoS attacks have declined, they have become much more sophisticated, according to a Kaspersky Lab report.
Researchers theorize how Bezos' very personal pictures may have been allegedly hacked.
A newly discovered malware campaign uses steganography to hide GandCrab in a seemingly innocent Mario image.
Encryption can be critical to data security, but it's not a universal panacea.
Citrix issues update for encryption weakness dogging the popular security protocol.
Twelve members of 20-person group extradited to US to face charges related to theft of millions via fake ads other scams.
Google's Adiantum boosts encryption for low-end devices with processors that do not have hardware support for AES.
What VPN would you recommend for an Android user who uses public WiFi quite often and wants to buff up their security?
An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. There is a default password of meinsm for the admin account.
From the FBI-supporting DNA kit company, to the privacy bug in gay dating app Jack'd, and everything in between. It's weekly roundup time.
Data shows that young people are most at risk of this type of fraud, in which they're talked into handing over their bank details.
According to DARPA, air gapping computers and data is a security idea that has run its course and urgently needs to be replaced.
They posed as military needing to offload cars before deployment, allegedly posting bogus ads on Craigslist, eBay, and AutoTrader.
At least two users of the McDonalds mobile app aren't lovin' it after thieves hijacked their accounts and ordered hundreds of dollars of food for themselves.
Facebook Messenger has made available the ability to unsend, or in their words "remove for everyone" your mis-sent messages.
Make your networks more secure by using an SSH to proxy through a jump host from one machine to another.
Cybercriminals are modifying wallet IDs copied to the clipboard in hopes that users will accidentally transfer funds to the wrong account.
Blockchain technology is critical to business security, according to a Globant report. Here are the important blockchain terms to get accustomed with.
As lawmakers face a Friday deadline to prevent the federal government from closing a second time, we examine the cost to the digital domain, both public and private.
Can scientists out-perform sports stars, musicians and politicians in recognition and influence? You bet they can!
It's futile to try to put the data genie back in the bottle. Next best thing is whole-enterprise data visibility.
A fake MetaMask app is the first instance of this new type of cryptocurrency stealer appearing outside of shady third-party app stores.
Three major websites are making data-breach news this week.
But it can't operate in a bubble, a new Washington Post study indicates.
The zero-day flaw in Adobe Reader DC could allow bad actors to steal victims' NTLM hashes.
Wyden and Rubio are eyeing VPN services they say could be instruments of espionage for Russia and China.
From spyware to leaky apps, mobile devices are facing a heightened level of threats. Are we prepared to secure them?
Users on the dating website report hackers breaking into their accounts, changing email addresses, and resetting passwords.
Adiantum, developed by Google, brings communication encryption to bear on storage security.
New data from the credit reporting firm shows the sheer scale of online activity in the US also has made businesses and consumers there prime targets.
A new DNS cache poisoning attack is developed as part of the research toward a dissertation.
Concealed Online, the third biggest "political advertiser" on Facebook, touts the Virginia loophole, granting concealed weapons permits.
Brave is playing down fears after the revelation of what looked like a whitelist in its code allowing it to communicate with Facebook.
A UK children's charity has found that children as young as eight are being sexually exploited online via social media.
Time is money, baby: Jay Brodsky claims that Apple's 2FA "intermeddling" takes minutes out of his day, causing "economic loss."
Russia's major ISPs plan to temporarily disconnect servers from the internet, effectively cutting the country off from the outside world.
Cybersecurity and IT risk budgets continue to grow. Here's how they'll be spent.
Don't overlook these promising Business Hall Sessions in Singapore next month. They're short, sweet, and open to all Black Hat Asia 2019 passholders.
Crooks could take over your network thanks to a critical bug in a popular Linux containerisation toolkit... here's what you need to know.
Overall, Adobe patched 75 important and critical vulnerabilities - including a flaw that could allow bad actors to steal victims' hashed password values.
Your organization is almost certainly on the lookout for threats from outside the company. But are you ready to address threats from within?
Luminate Security, which specializes in software-defined perimeter technology, will extend Symantec's integrated defense platform.
Researchers from DigiCert, Utimaco, and Microsoft Research gives thumbs-up to a new algorithm for implementing quantum hacking-proof digital certificates.
Apple is facing a lawsuit from a user claiming that two-factor authentication is a "waste of their personal time." Here's why businesses shouldn't ignore the security measure.
Hackers up to 100 meters away could take over Xiaomi M365 scooters to brake or accelerate them.
A fundamental component of container technologies like Docker, cri-o, containerd and Kubernetes contains an important vulnerability that could cause cascading attacks.
"Every file server is lost, every backup server is lost."
Users of the popular plugin, Simple Social Buttons, are encouraged to update to version 2.0.22.
All data belonging to US users, including backup copies, have been deleted in catastrophe, VMEmail says.
In its February Patch Tuesday bulletin Microsoft patches four public bugs and one that is under active attack.
Dunkin' Donuts may have just launched its first double-filled doughnut, but another doubling up is not quite as tasty. The chain has suffered its second credential-stuffing attack in three months. Like the first incident, the attack targeted pastry aficionados that have DD Perks accounts, which is Dunkin's loyalty program. Names, email addresses, 16-digit DD Perks [...]
With their regularly scheduled Patch Tuesday updates, both companies issued fixes for scores of vulnerabilities in their widely used software.
Australian property valuation firm Landmark White exposed files containing personal data and property valuation details.
The affected SICAM 230 process control system is used as an integrated energy system for utility companies, and as a monitoring system for smart-grid applications.
Denial of Service attack in airMAX < 8.3.2, airMAX < 6.0.7 and EdgeMAX < 1.9.7 allows attackers to use the Discovery Protocol in amplification attacks.
Adobe has patched a flaw that enabled attackers to slurp a user's network authentication details - but not before someone else patched it first.
Some of the breaches are new, while some were reported last year. The sites include MyFitnessPal, MyHeritage, Whitepages and more.
Only one in three organizations say they are confident they can prevent data breaches, according to Balbix.
Here's the latest Naked Security podcast - enjoy!
Apple has less of an iron grip over iOS than first thought, as organizations are using the Developer Enterprise Program for apps that would not be allowed in the App Store.
There are no permission dialogues for apps in certain folders for macOS Mojave, which allows a malicious app to spy on browsing histories.
The issue affects default installations of Ubuntu Server and Desktop and is likely included in many Ubuntu-like Linux distributions.
... and enables de-authentication attacks that could knock targeted systems off the Wi-Fi and onto one of these nefarious cables.
Ever since Apple announced enhanced privacy protection for macOS Mojave 10.14 last September, a dedicated band of researchers has been poking away at it looking for security flaws. Here's another.
Information security is a corporate posture and must be managed at all levels: systems, software, personnel, and all the key processes.
Speed, simplicity, and security underscore their desire, a new study shows.
The Brave browser offers built-in protection against ad trackers, third-party cookies, and other potential threats to your privacy. Here's how to use it and tweak it.
Creating a do-it-yourself VPN that you manage and access on your own terms is not as difficult as you might think.
OpenAM (Open Source Edition) 13.0 and later does not properly manage sessions, which allows remote authenticated attackers to change the security questions and reset the login password via unspecified vectors.
The Secure SLC Standard improves business efficiency for payment application vendors but could also stand as new security benchmark for other industries to follow.
Online dating profiles and social media accounts add to the rich data sources that allow criminals to tailor attacks.
An ongoing study investigating security bugs in Microsoft Office has so far led to two security patches.
There was at least one health data breach a day and 503 health data breaches overall in 2018 according to analysis released this week.
Banking trojans, led by the ever-changing Emotet, dominated the email-borne threat landscape in Q4, according to Proofpoint.
Monica Witt, former Air Force and counterintel agent, has been indicted for conspiracy activities with Iranian government, hackers.
Researchers have identified multiple security issues with this Lenovo smartwatch.
A new strain of MacOS malware hides inside a Windows executable to avoid detection.
Hacking by external actors caused most breaches, but Web intrusions and exposures compromised more records, according to Risk Based Security.
Our top tips for Valentine's Day and beyond - all in just 5 minutes. Enjoy!
Increasing pressure, hefty workloads, and budgetary deficits have significant negative effects on CISOs worldwide, according to a Nominet report.
Internet Explorer (IE) may have launched way back in 1995 but nearly a quarter of a century later it's still creating work for Microsoft and Windows users.
317 researchers from 78 countries turned 2018 into a worldwide bug-crunching spree.
The apps, which violate content policies, got in there via the same Enterprise Certificate program that Facebook and Google exploited.
The flaw is only one of many romance-related security issues as bad actors take advantage of Valentine's Day.
Bleeping Computer learned of a strange phishing campaign which uses an unusually long URL - but why?
There's no better place to brush up on the latest malware than Black Hat Asia in Singapore next month with a cornucopia of practical Trainings, Briefings, and Arsenal tool demos.
Security practitioners reveal what's causing them the most frustration in their roles.
Following revelations that Facebook, Google, Amazon, as well as purveyors of illicit content are abusing the Developer Enterprise Program, new reports show pirates are as well. Who's left?
When each member of your security team is focused on one narrow slice of the pie, it's easy for adversaries to enter through the cracks. Here are five ways to stop them.
Google Play said that app suspensions increased by 66 percent in 2018 on its platform.
A recent attack on a US hospital gives us a colourful picture of both how a targeted ransomware attack happens, and how it can be stopped.
The dating site said users' names and email addresses that were added to the system prior to May 2018 may be impacted.
A Threatpost poll found that 52 percent don't feel prepared to prevent a mobile security incident from happening. The results reflect a challenging mobile security landscape.
It has added the technique of using malicious XML files as its delivery method.
A panel of data security experts discuss the top considerations for choosing a Managed Detection & Response provider, including scale, technology, experience, and cost.
Meet five female security experts who are helping to move our industry further than ever before.
The (ISC)2 announces a new institute for working cybersecurity professionals to continue their education.
The dating app says users' account data may have been obtained by an unauthorized party.
In the weeks leading up to Valentine's Day 2019, researchers notice a new form of Gandcrab appearing in romance-themed emails.
Keep local administrative accounts from being a malicious user's target by creating an invisible account.
Carmaker's open source car-hacking tool platform soon will be available to the research community.
A wireless device resembling an Apple USB-Lightning cable that can exploit any system via keyboard interface highlights risks associated with hardware Trojans and insecure supply chains.
New initiative offers five principles for greater IoT security.
Photography website 500px has become the latest site to admit suffering a serious data breach.
A company operating a facial recognition system in China has exposed millions of residents' personal information online.
A trio of reports from ICS security firm Dragos point out what was learned in 2018 and give industrial security teams some tips for making 2019 less dangerous.
Despite a slight dip in the total number of breaches, it was still a banner year for hackers focused on stealing data from websites, according to a Risk Based Security report.
Don't spend that 30 cents all in one place!
The Feds tried, and failed, to force Facebook to break its encryption so investigators could listen in on suspected MS-13 gang conversations.
Are you an Apple developer? Care about security? Using 2FA? You will be soon...
Researchers warn that the phishing campaign looks "deceptively realistic."
These programs are now an essential strategy in keeping the digital desperados at bay.
The banking trojan is consistently evolving in hopes of boosting its efficacy.
The industry needs to keep in mind the realities of hardware limits and transitional growing pains, according to Microsoft and Utimaco researchers.
With attackers operating more aggressively and stealthily, some industrial network operators are working to get a jump on the threats.
Learn how two decades of data was destroyed, how doctors snooped on patient records, and how Netflix honors GDPR requests - all in this week's Friday Five.
Despite a welcome and needed DNS revamp, preventable abuse continues.
If you're worried about privacy on your personal or company-issued mobile device, these 10 apps can help protect your data.
The eight apps were secretly stealing victims' CPU power to mine for Monero.
A "very realistic-looking" login prompt is designed to capture users' Facebook credentials, researchers report.
Businesses don't have sufficient staff to find vulnerabilities or protect against their exploit, according to a new report by Ponemon Institute.
IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 134177.
In the old days, you just had redundant everything, and disaster recovery meant switching over. Not so in the world of cloud computing, security nightmares, and virtual everything.
Data-exposure "lowlights" for the week ending Feb. 15, 2019.
Vulnerability in Easy2map-photos WordPress Plugin v1.09 MapPinImageUpload.php and MapPinIconSave.php allows path traversal when specifying file names, creating files outside of the upload directory.
Vulnerability in Easy2map-photos WordPress Plugin v1.09 allows SQL Injection via unsanitized mapTemplateName, mapName, mapSettingsXML, parentCSSXML, photoCSSXML, mapCSSXML, mapHTML and mapID variables.
Vulnerability in YingZhi Python Programming Language v1.9 allows arbitrary anonymous uploads to the phone's storage.
A vulnerability in Mambo CMS v4.6.5 where the scripts thumbs.php, editorFrame.php, editor.php, images.php and manager.php disclose the root path of the webserver.
Command injection vulnerability in the Ruby gem FileUtils <= v0.7 via a user-supplied url variable that is passed to the shell.
Threat-hunters say the breached data from the massive Equifax incident is nowhere to be found, indicating a spy job.
Zabbix before 2.2.21rc1, 3.x before 3.0.13rc1, 3.1.x and 3.2.x before 3.2.10rc1, and 3.3.x and 3.4.x before 3.4.4rc1 allows open redirect via the request parameter.
From McDonald's hamburglars to 1000-character phishing URLs, and everything between. It's weekly roundup time.
Articles 11 and 13 live on, with the dreaded 'link tax', 'meme killer', 'censorship machine' and all.
When it appears in the next few weeks, the next version of Opera ("Reborn 3" or "R3") for Windows, Mac and Linux will become the first mainstream desktop browser to integrate a cryptocurrency wallet.
Sounds like the crooks who tried to sell more than 600 million records last week are back with nearly 100 million more...
No longer can privacy be an isolated function managed by legal or compliance departments with little or no connection to the organization's underlying security technology.
It seems that someone from a company called Swift Recovery Ltd. is impersonating me -- at least on Telegram. The person is using a photo of me, and is using details of my life available on Wikipedia to convince people that they are me.
They are not.
If anyone has any more information -- stories, screen shots of chats, etc. -- please forward them to me.
Physical security goes hand in hand with cyberdefense. What happens when, as we see all too often, the physical side is overlooked?
OpenAI has created what amounts to a text version of a deepfake - and it's too scared for humanity to release the full version.
Facebook considers itself to be "ahead of and beyond the law," UK lawmakers said in a report about "disinformation and 'fake news.'"
They're never deleted, just erased from the UI. You can still see archived messages if you download your data.
Six years after it was introduced, it looks as if Android's Advertising ID (AAID) might no longer be the privacy forcefield Google claimed it would be.
Ever wondered what happens to helpline calls recorded "to ensure you get the service you deserve"? It can all go terribly wrong...
RoboForm is an effective tool for creating and managing your website passwords. Learn how to use this password management tool.
Security leaders set the tone for their organizations, and there are many places where the process can go wrong. Second in a six-part series.
This marks Palo Alto Networks' latest acquisition and its first of 2019.
Here are some practical ways to ensure your company's safety as Uncle Sam comes calling.
The CSRF bypass flaw has now been fixed, and the researcher who discovered it has netted $25,000.
A wide variety of data was visible through the vulnerability.
The WinPot malware takes its cues from slot machines.
This is the third update to the prolific GandCrab malware within the past year.
There are severe and unsolved problems in our industry that justify a sustained effort and substantial investment. It's worth picking one.
New data from CrowdStrike's incident investigations in 2018 uncover just how quickly nation-state hackers from Russia, North Korea, China, and Iran pivot from patient zero in a target organization.
Russia-linked actors need just 18 minutes to go from compromise to lateral movement.
Windows 7 and Windows Server 2008 users are being asked to upgrade their encryption support.
Chip makers' focus on performance has left microprocessors open to numerous side-channel attacks that cannot be fixed by software updates - only by hard choices.
In an unusual development, the group known for its attacks against companies in countries viewed as geopolitical foes is now going after companies in a country considered an ally, Check Point Software says.
Cybercriminals see formjacking as a simple opportunity to take advantage of online retailers - and all they need is a small piece of JavaScript.
Google Chrome's Incognito mode hasn't been an impenetrable privacy shield: For years, it's been a snap for web developers to detect when Chrome users are browsing in private mode and to block site visitors who use it. Now it looks like Google plans to close that loophole.
Is it ok to launch a benign proof of concept that you know will go wide, to bring a flaw to people's attention, or should you stay quiet?
Threat makers are sometimes geolocated to determine how credible their threats are, as in, are they near enough to really attack?
Here's the latest Naked Security podcast... enjoy!
Don't miss out on some of the world-class Briefings and Trainings on offer for cybersecurity professionals concerned about the most pressing threats of 2019.
Some 90% of CISOs are confused about their role in securing a SaaS environment, according to an Oracle and KPMG report.
A security engineer breaks down how easy it is for unskilled attackers to trick an unsuspecting user to submit credentials to a phishing site.
As hundreds of millions of Europeans prepare to go to the polls in May, Fancy Bear ramps up cyber-espionage and disinformation efforts.
A recent wave of cybercrime has targeted organizations with employees in Belgium, France, Germany, Poland, Romania, and Serbia.
GitHub is offering unlimited rewards for critical vulnerabilities - and has added "safe harbor" terms to its bug bounty program.
1Password, Dashlane, KeePass and LastPass each downplay what researchers say is a flaw in how the utilities manage memory.
How the first documented nation-state cyberattack is changing security today.
Prosecutors say that as part of a conspiracy to steal trade secrets, the Chinese-born scientist stole data related to bisphenol-A-free food packaging worth $120M.
The music-recognition app that Apple bought for $400 million is removing Facebook Ads, DoubleClick, Facebook Analytics and more.
More than 120 restaurants were affected by an incident that exposed customer credit card information.
An ongoing phishing campaign is targeting hundreds of businesses to steal their email and browser credentials using simple but effective malware.
A new toolkit developed by the Global Cybersecurity Alliance aims to give small businesses a cookbook for better cybersecurity.
Maritime transport still contributes in an important way to the world's economy, with on-time shipments influencing everything from commodities availability and spot pricing to the stability of small countries. Unfortunately, capsizing a ship with a cyberattack is a relatively low-skill enterprise, according to an analysis from Pen Test Partners. With so many previously outlined ways […]
Establishing sufficient cloud security is a complex challenge. Learn where your attention is best directed to achieve the best results.
Companies think their data is safer in the public cloud than in on-prem data centers, but the transition is driving security issues.
A viral post suggests (wrongly) that card skimmers always use Bluetooth. Anyway, just looking at nearby Bluetooth names doesn't help much...
Companies covered under the EU mandate can get policies for up to $10 million for fines, penalties, and other costs.
A vulnerability in the cluster service manager of Cisco HyperFlex Software could allow an unauthenticated, adjacent attacker to execute commands as the root user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by connecting to the cluster service manager and injecting commands into the bound process. A successful exploit could allow the attacker to run commands on the affected host as the root user. This vulnerability affects Cisco HyperFlex Software releases prior to 3.5(2a).
Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
It's been off by default, Google says - not much consolation to those who don't cotton to the notion of a "secret" listening gadget.
Hacker Lauri Love has failed to get his computers back six years after the UK's National Crime Agency took them as part of a criminal investigation.
Some 83% of US security professionals said employees have accidentally exposed sensitive customer information, according to an Egress survey.
Users of the popular file-compression tool are urged to immediately update after a serious code-execution flaw was found in WinRAR.
Several popular password managers appear to do a weak job at scrubbing passwords from memory once they are no longer being used.
SOC security analysts shoulder the largest cybersecurity burden. Automation is the way to circumvent the unavoidable human factor. Third in a six-part series.
Admins should update immediately to fix a remote code-execution vulnerability.
Regenerating certificates may securely resolve authentication traffic, which is not being properly encrypted.
If you work with a service outside of its standard behavior, you may need to change its AppArmor profile mode.
Adobe has issued yet another patch for a critical vulnerability in its Acrobat Reader - a week after the original fix.
Extortion scams capitalize on compromised credentials, sensitive data, and technical vulnerabilities on Internet-facing applications to pressure victims to pay up.
CRXcavator scans extensions in real time based on factors including permissions, external calls, and third-party libraries.
Premium-access credentials to porn sites are hot in the cyber-underground, as credential-harvesting malware proliferates.
Top higher education institutions around the world are offering cybersecurity degrees and research programs for information security professionals looking to further their careers. The following are 82 of the top degree and research programs for cybersecurity studies.
The constant stresses from advanced malware to zero-day vulnerabilities can easily turn into employee overload with potentially dangerous consequences. Here's how to turn down the pressure.
In 98% of the assessments conducted for its research, Dtex found employees exposed proprietary company information on the Web - a 20% jump from 2018.
It's like polymorphic behavior - only the changes are in the email lures themselves, with randomized changes to headers, subject lines, and body content.
Can your phone reliably detect card skimmers using Bluetooth alone? Find out in the latest Naked Security Live video...
Facebook announced it's tweaking its Android version, which was tracking your location even when the app wasn't in use.
Weigh in on password managers with our Threatpost poll.
Until this month, the Edge browser could bypass its own warnings about Flash content on 58 websites, thanks to a hidden list.
Overzealous use of HTTP/2 flow control settings in IIS could have brought servers to their knees.
Can YouTube ever keep video comments under control, or is it time to kill off comments altogether?
When it comes to cloud security, know the difference between a great--or just okay--cloud vendor.
There's no better place to bone up on the ins and outs of web security than Black Hat Asia in Singapore next month.
Preventative technologies are only part of the picture and often come at the expense of the humans behind them.
This bill requires businesses to notify consumers of compromised passport numbers and biometric data.
From password manager vulnerabilities to 19-year-old flaws, the Threatpost team broke down this week's biggest news stories.
The DHS plots a move to the cloud, China embraces data protection, and ATM hacking - catch up with the week's top infosec stories with this roundup!
VPNs are critical for information security. But simply having these cozy security tunnels in the toolkit isn't enough to keep an organization's data safe.
U.S. and subcontinent consumers were the most affected by this week's exposure revelations.
Threatpost talks to HackerOne CEO Marten Mickos on the EU's funding of open source bug bounty programs, how a company can start a program, and the next generation of bounty hunters.
Despite the openness of the Android platform, Google has managed to keep its Play store mainly free of malware and malicious apps. Outside of the marketplace is a different matter.
LinkedIn profiles provide a persistent, patient threat actor with the information required to craft spear-phishing messages.
There was a shocking turn of events in crypto-world.
Phishing emails target a bank's users with malware - and make their landing page look more legitimate with fake Google reCAPTCHAs.
In Vembu StoreGrid 4.4.x, the front page of the server web interface leaks the private IP address in the "ipaddress" hidden form value of the HTML source code, which is disclosed because of incorrect processing of an index.php/ trailing slash.
Vembu StoreGrid 4.4.x has XSS in interface/registercustomer/onlineregsuccess.php, interface/registerreseller/onlineregfailure.php, interface/registerclient/onlineregfailure.php, and interface/registercustomer/onlineregfailure.php.
Have you ever needed to boot a shoe that was a brick? Owners of Nike's $350 "self-lacing" trainers say they have.
Jack Wallen shows you how to combine Enpass and Dropbox into a perfect, cloud-ready password manager.
Although Linux is a very secure operating system, there are steps you can take to make it even more secure. One simple step is password protecting the GRUB bootloader. Jack Wallen shows you h
SSH has a lot of tricks up its sleeve, one of which is the ability to copy files between two remote servers. Jack Wallen shows you how.
If you can't remember a password for a website you know you've had Chrome save, Jack Wallen shows you how you can view it.
Jack Wallen walks you through the process of installing the open source security audit tool, OpenVAS, on the Ubuntu Server platform.
From leaky password managers to nearly 100 million new stolen data records, and everything in between. It's weekly roundup time.
Adobe has issued a new fix addressing a vulnerability in Reader it thought it had fixed on 12 February as part of Patch Tuesday.
Unsealed court documents show that Facebook referred to big-spending kids as "whales" - a term borrowed from the casino industry.
Tampa's mayor was trying to regain control of his Twitter account this week after it was used to post bomb threats and child sex abuse images.
SSH has a lot of tricks up its sleeve, including the ability to copy files between two remote servers.
Google has announced FIDO2 certification for devices running on Android 7 and above - meaning that users can use biometrics, fingerprint login or PINs instead of passwords.
FIDO2 certification is paving the way for passwordless mobile security.
Backdoors, cryptomining, fake apps, and banking Trojans increased substantially in the past year, according to McAfee. Here's how to protect your business.
The enterprise must do its part in deploying and maintaining secure systems so that end users stand a chance against attackers.
The attack threatens users with location-tracking, DoS, fake notifications and more.
Learn why the Zero Trust model may be more secure than traditional networks security in this week's Data Protection 101.
Officials report an unauthorized party obtained tax return data by using credentials obtained from an outside source.
The hacker ran a botnet that spread 'NeverQuest' malware for three years and collected millions of banking credentials.
A Threatpost reader poll examined risk, vulnerabilities, 2FA, the human element, attitudes on spreadsheets and more when it comes to password managers.
Usage entries beyond the limit are not tracked and the information is lost, causing the content to lose continuity in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in versions MSM8996AU, QCS605, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130.
Improper input validation in wireless service messaging module for data received from broadcast messages can lead to heap overflow in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in versions MDM9150, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, Snapdragon_High_Med_2016, SXR1130.
Improper input validation for argument received from HLOS can lead to buffer overflows and unexpected behavior in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in versions IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCA8081, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130.
Improper input validation might result in an incorrect app id being returned to the caller instead of returning failure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in versions MDM9607, MDM9650, MDM9655, MSM8996AU, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 615/16/SD 415, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM630, SDM660, SXR1130.
Improper input validation can lead to RW access to the secure subsystem from HLOS in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in versions MDM9650, MDM9655, MSM8996AU, QCS605, SD 410/12, SD 615/16/SD 415, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SXR1130.
Improper access to HLOS is possible while transferring memory to CPZ in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in versions MDM9150, MDM9206, MDM9607, MDM9650, MSM8996AU, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130.
Bytes can be written to fuses from Secure region which can be read later by HLOS in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in versions IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8996AU, QCA8081, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130.
Usage of non-time-constant comparison functions can lead to information leakage through side channel analysis in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in versions MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8996AU, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130.
Use of non-time constant memcmp function creates side channel that leaks information and leads to cryptographic issues in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in versions IPQ8074, MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MDM9655, MSM8996AU, QCA8081, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 800, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130.
Data truncation during higher-to-lower type conversion, which causes less memory allocation than desired, can lead to a buffer overflow in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in versions IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8996AU, QCA8081, QCS605, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130.
A three-tier certification regimen shows adherence to the Platform Security Architecture.
In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.
Android's now on board with saying goodbye to passwords: more than a billion devices now support FIDO2.
New York governor Andrew Cuomo has ordered an investigation into how Facebook is still allowing blabby apps to violate its privacy policies.
How features such as infotainment and driver-assist can give others a leg up on car owners.
Mozilla has told the Australian government that its anti-encryption laws could turn its own employees into insider threats.
Security practitioners are most likely to stay at organizations that offer career development. Here are eight tips to consider as you plan your course of action.
DNS security is under serious threat from cyberattackers and domain overseer ICANN wants internet companies to do something about it.
Whether you're looking to perfect your AWS auditing skills or practice the latest cloud exploitation techniques, next month's Black Hat Asia can help you achieve your goals.
The spam campaign is being used to spread a malicious .exe file, taking advantage of a vulnerability in WinRAR which was patched in January.
As more organizations move to the public cloud and to DevOps and DevSecOps processes, the open source alternative for host-based intrusion detection is finding new uses.
Officials report an unauthorized party obtained tax return data by using credentials obtained from an outside source.
SHAREit has fixed two flaws in its app that allowed bad actors to authenticate their devices and steal files from a victim's device.
From WannaCry and phishing to credential stuffing and cryptomining, attackers relied on many oldie-but-goodie attacks in 2018, according to a pair of new security threat reports.
IT security and application development are disparate processes that are increasingly coming together. Here's a look at how that's happening.
The pairing brings Sonatype data on open source components to the Kenna Security platform.
A known vulnerability combined with a weakness in bare-metal server reclamation opens the door to powerful, high-impact attacks.
Firmware vulnerabilities provide direct access to server hardware, enabling attackers to install malware that can pass from customer to customer.
Learn how to combine Enpass and Dropbox into a perfect, cloud-ready password manager.
AI and ML are often touted as silver bullets, but real-world applications for the technology seem thin on the ground.
Botnets continue to spread to places never dreamed of a few years ago. But you can fight them off, and these tips can help.
Because many organizations tend to overlook or underestimate the threat, social media sites, including Facebook, Twitter, and Instagram, are a huge blind spot in enterprise defenses.
Ruslan Stoyanov gets 14 years in Russian prison.
HTML5 used to build persistent malware on victims' computers.
With insight from stakeholders, the politician hopes to develop a strategy to improve the healthcare industry's cybersecurity posture.
Plain-text, unencrypted passwords were sent instead of having users reset them. There was no breach, the firm claims, but how would it know?
Police allege that he updated radios with fraudulent software from a radio enthusiast who allegedly hacked encrypted radios for drug cartels.
Researchers have discovered a flaw in some PDF document viewers that allows new content to be added to documents without breaking the electronic signatures.
Chip maker Nvidia has released a security update, fixing eight CVE flaws in its Windows and Linux graphics display drivers.
The China-linked threat group has returned in 2018 using updated RATs to launch its attacks, including ZxShell, Gh0st RAT, and SysUpdate malware.
A major data breach would likely shut down half of SMBs permanently, according to an AppRiver report.
Here's the latest Naked Security podcast - enjoy!
In the cyber threat climate of the 21st century, sticking with DevOps is no longer an option.
Many machines, including almost all Apple laptops and desktops produced since 2011, are vulnerable to data exfiltration via weaponized peripherals.
SentinelOne and Intel announced a new method to detect cryptomining and cryptojacking attacks using hardware-based detection technology.
Third time's hopefully a charm for Cisco, which has patched a high-severity flaw once again in its Webex video conferencing platform.
Researchers are urging Ring users to update to the latest version of the smart doorbell after a serious flaw triggered privacy concerns.
The campaign is marked by a significant level of customization, with an "individualized yet very consistent approach" to every compromise.
Researchers investigate malicious apps designed to intercept calls to legitimate numbers, making voice phishing attacks harder to detect.
Learn about what GLBA means for data protection and how to achieve GLBA compliance in Data Protection 101, our series on the fundamentals of information security.
Operating a database of software vulnerabilities is a challenging undertaking, according to private vulnerability database operator Risk Based Security.
Although human oversight is required, advanced technologies built on AI will become pivotal in building safer financial markets and a safer world.
Vishwanath Akuthota has been accused of using a 'USB killer device' to destroy dozens of computers, officials report.
CQTools suite includes both exploit kits and information-extraction functions, its developers say.
Illinois man offered "DDoS for hire" services that hit millions of victims.
The new Intel SGX Card is intended to extend application memory security using Intel SGX in existing data center infrastructure.
A study of the Bronze Union group (also known as APT27 or Emissary Panda) underscores how most advanced persistent threat (APT) groups now use administrative tools or slight variants of well-known tools.
As in previous years, input validation vulnerabilities accounted for a substantial proportion of the total, a Risk Based Security report shows.
A pair of reports reach similar conclusions about some of the threats growing in cyberspace and the industries likely to be most affected.
The US blocked internet access to Russian trolls who, they say, were trying to spread FUD.
A steady stream of hair-raising revelations about the treatment of users' data by Facebook, et al. is pushing Congress to do *something.*
Researchers have revealed how malicious Thunderbolt and PCI Express (PCIe) peripherals could be used to compromise computers running macOS, Windows, Linux and FreeBSD.
From data exfiltration over FM radio to open-source cybersecurity training suites, Black Hat Asia's Arsenal offers live demos of the latest security tools.
Cisco said that CVE-2019-1663, which has a CVSS score of 9.8, allows unauthenticated, remote attackers to execute arbitrary code.
The practice today is so pervasive that cryptojacking scripts are said to be running on an estimated 3% of all sites that users visit.
The controversial cryptomining service is shutting down.
Bots now account for 39.9% of all ticketing traffic, mostly originating in North America.
New services, which are both available in preview, arrive at a time when two major trends are converging on security.
The Watchlist, which contained the identities of government officials, politicians, and people of political interest, is used to identify risk when researching someone.
The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This manifests when sub-resources are loaded as part of "Save Page As..." functionality. For example, a malicious page could recover a visitor's Windows username and NTLM hash by including resources otherwise unreachable to the malicious page, if they can convince the visitor to save the complete web page. Similarly, SameSite cookies are sent on cross-origin requests when the "Save Page As..." menu item is selected to save a page, which can result in saving the wrong version of resources based on those cookies. This vulnerability affects Firefox < 63.
Some special resource URIs will cause a non-exploitable crash if loaded with optional parameters following a '?' in the parsed string. This could lead to denial of service (DOS) attacks. This vulnerability affects Firefox < 63.
In private browsing mode on Firefox for Android, favicons are cached in the cache/icons folder as they are in non-private mode. This allows information leakage of sites visited during private browsing sessions. *Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected.* This vulnerability affects Firefox < 63.
When a new protocol handler is registered, the API accepts a title argument which can be used to mislead users about which domain is registering the new protocol. This may result in the user approving a protocol handler that they otherwise would not have. This vulnerability affects Firefox < 63.
By using the reflected URL in some special resource URIs, such as chrome:, it is possible to inject stylesheets and bypass Content Security Policy (CSP). This vulnerability affects Firefox < 63.
A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.
A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. This allows for potential privilege escalation by the WebExtension on sites where content scripts should not be run. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.
By rewriting the Host: request headers using the webRequest API, a WebExtension can bypass domain restrictions through domain fronting. This would allow access to domains that share a host that are otherwise restricted. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.
A potential vulnerability was found in 32-bit builds where an integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for the conversion. This leads to a possible out-of-bounds write. *Note: 64-bit builds are not vulnerable to this issue.* This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.
When manipulating user events in nested loops while opening a document through script, it is possible to trigger a potentially exploitable crash due to poor event handling. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.
During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to access. *Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected.* This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.
Mozilla developers and community members reported memory safety bugs present in Firefox 62 and Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.
Mozilla developers and community members reported memory safety bugs present in Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.3 and Thunderbird < 60.3.
Mozilla developers and community members reported memory safety bugs present in Firefox 62. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 63.
To effectively defend against today's risks and threats, organizations must examine their failings as well as their successes.
In some cases, attackers have demanded ransom or nude photos/videos of victims in exchange for the stolen account, Trend Micro says.
What's the real deal with the "Momo challenge"?
Office 365, Microsoft 365 and the Security Graph are coming together at last.
A company with access to the Dow Jones Watchlist of risky people and businesses left it on a public AWS server without a password.
Warith Al Maawali is blaming wallet vendor Coinomi for the loss of $65,000 in bitcoin. Coinomi countered by blaming him for blackmail.
At $100, the old-gen iPhone encryption-cracking tools are a bargain to hackers looking to pick up leftover forensics or police Wi-Fi data.
Researchers have spotted an unusual "trackware" attack triggered by viewing a PDF inside the Chrome browser.
The same encryption that secures private enterprise data also provides security to malware authors and criminal networks.
Oftentimes, responsibility for securing the cloud falls to IT instead of the security organization, researchers report.
A DEFINITION OF SOX COMPLIANCE
IT professionals have the know-how and requisite privileges to deploy Bitcoin miners, and to cover their tracks. Could your organization be at risk?
Ransomware attacks in 2018 used Remote Desktop Protocol (RDP) as a main attack vector, according to a Webroot report.
CISOs: Stop abdicating responsibility for problems with users - it's part of your job.
Using an on-again, off-again strategy of C2 communication helps it hide from researchers.
Why you shouldn't worry about the Momo Challenge, and what we can learn from it.
News on a new data privacy bill, the FTC's latest $5.7M fine, and hacking Instagram profiles - catch up on the week's infosec news with this roundup!
The Threatpost team talks about the biggest cybersecurity stories, trends and research we'll see at RSA this year.
Adobe has hurried out a patch for a critical arbitrary code execution vulnerability in its ColdFusion product.
What does the age of near-ubiquitous data breaches, deep fakes, and fallible biometric authentication mean for enterprise security?
New look at server data behind a previously-identified espionage campaign shows that it has exceeded researchers' expectations in complexity, scope and breadth.
From the Momo Challenge to Mozilla's potential insider threats from Aussie staff, and everything in between - it's weekly roundup time.
Student researchers working with IBM X-Force Red team find security holes in five leading visitor management systems.
As many ponder the big ethical questions around cyber, some are proposing public interest technologist as a solution.
A security company was able to track command and control traffic generated by hacking groups thanks to an anomaly in a pen-testing tool.
Facebook, Signal and Telegram are all planning cryptocurrencies. But why these companies, why now, and will they be successful?
It's been a predator's playground, where children's photos have been public by default and trolling adults could message them.
After big brands pulled ads, YouTube banned millions of comments, closed hundreds of accounts, and sped up development of a predator filter.
A proof-of-concept hack allows adversaries to tweak old exploits, have code jump containers and attack underlying infrastructure.
The workforce and skills gap in cybersecurity continues to plague organizations.
Training and certification offerings are becoming less effective in helping organizations retain security employees, according to an ISACA report.
Despite initial apprehension, security pros immediately began to notice some benefits.
Prioritizing risk under a deluge of vulnerabilities is stretching IT security professionals too thin, while the C-suite fails to provide adequate support, according to a Deloitte report.
Google Project Zero researchers detailed a new high-severity macOS flaw after Apple failed to patch it by the 90-day disclosure deadline.
Nearly 75% of CEOs say their companies are affected by geopolitical cyber attacks, but only 15% feel resilient, according to a PwC report.
A rash of security flaws in the Outdoor Tech CHIPS smart headphones, which fit in ski helmets, allow bad actors to collect data like emails, passwords, GPS location - and even listen to conversations in real time.
NetApp SnapCenter Server prior to 4.0 is susceptible to a cross-site scripting vulnerability that could allow a privileged user to inject arbitrary scripts into the custom secondary policy label field.
He is also the all-time top-ranked hacker on HackerOne's leaderboard, out of more than 330,000 hackers competing for the top spot.
Company aims to replace usernames and passwords by combining GPS location, biometrics, and keys issued through a blockchain-based network.
Falcon for Mobile offers detection and response capabilities for mobile platforms.
Consolidating technology and breaking down functional silos can bring solid financial results, a new study finds.
Organizations signed up with the vulnerability disclosure platform shelled out a record $19 million for bug discoveries in their systems.
Google spinoff Alphabet rolls out a new cloud-based security data platform that ultimately could displace some security tools in organizations.
Users of Logitech's Harmony Hub get long-awaited answers about the critical bugs that left their home networks wide open to attack.
While mobile security risks have skyrocketed, 85% of organizations say they aren't doing enough to stay protected, according to a Verizon report.
An Argentinian has garnered $1m in bug bounties, while a German researcher has given up on getting any bounty at all from Apple.
Researchers say that Microsoft won't issue a patch for the issue.
Microsoft's IoT version of Windows is vulnerable to an exploit that could give an attacker complete control of the system.
At least 463,546 malicious URLs contained in the 28.4 million analyzed emails made it through to corporate in-boxes in Q4 of 2018.
Raoul Strackx, one of the researchers who discovered the Foreshadow speculative execution vulnerability, talks at RSA about the Catch-22 issue when it comes to fixing speculative execution flaws.
Adobe has issued an urgent patch for a critical flaw in the ColdFusion web development platform it says is being exploited in the wild.
It didn't require an account PIN to switch carriers. Everybody uses 0000, it said, making it easier for customers... and phone hijackers.
Data shows organizations neglect to review and update breach response plans as employees and processes change, putting data at risk.
Consumer confidence in companies keeping their data safe is at an all-time low, but password hygiene and not reading EULAs and app permissions remain big problems.
But by the time they became aware, attackers had been on their networks for more than six months, new 2018 data shows.
The Jmail Breaker attack leverages an old vulnerability in Joomla! along with a newly found flaw in the mail module.
Judges award top honor to new company solving an old, unsolved problem: asset discovery and management.
IT managers are flying blind in the battle to protect their companies from cyber attacks, according to a new Sophos survey.
More than half (51%) of respondents said their security teams spend more time on manual processes than handling vulnerabilities, according to a Tenable and Ponemon report.
Is it possible that the combination of AI, facial recognition, and the coalescence of global mass-hack data could lead us toward a Skynet-like future?
Here are six questions to keep in mind when you walk into the showroom to buy a networked car.
Untrained insiders and foreign governments create huge cybersecurity risks in government agencies, according to a SolarWinds report.
UltraVNC revision 1198 has a buffer underflow vulnerability in VNC client code, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. This vulnerability has been fixed in revision 1199.
A scammer ring dubbed Scarlet Widow has targeted nonprofits, schools and universities with an array of business email compromise (BEC) attacks over the past few months.
A widespread attack against companies and government agencies has been linked to the North Korean Lazarus group, underscoring that the country's hackers are becoming more brazen.
You can turn to your trusty Apple Watch to log into websites that use your Microsoft Account. Here's how.
Six simple steps to mitigate the grunt work and keep your organization safe.
The incident stems from an employee at a vendor working with the medical center improperly disclosing patient data.
Tuesday's keynotes kicking off RSA tackled both light and dark visions of the future, the imperative to become obsessed with trust, IoT and AI, and they even featured Helen Mirren and a flash mob.
Deceptive and inappropriate tactics are prevalent in free gaming apps, according to a new report to be released at the RSA Conference.
Facebook admits it's using numbers supplied for 2FA for more than security, and you can't turn it off.
Neither machines nor humans might be entirely trustworthy, but the cooperation of the two might be the answer to issues of misinformation, deep fake videos, and other issues of trust, say security leaders.
When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, and 1.7.0 might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
Problem lies in the manner in which Word handles integer overflow errors in OLE file format, Mimecast says.
People claim to value data privacy and don't trust businesses to protect them - but most fail to protect themselves.
Here's the latest episode of the Naked Security podcast - listen now!
The certificates are often paired with ancillary products, like Google-indexed "aged" domains, after-sale support, web design services and even integration with a range of payment processors.
Two models of Android TVs showed a stream of strangers' Google accounts, along with profile pics, though not the actual photos.
Public policy honchos for the tech giants discussed what they would like to see in sweeping GDPR-like federal data privacy legislation.
Chips 2.0 speakers are the perfect accessory for any on-trend skier. There's just one problem: Everyone else can listen in too.
Organizations can change employee security behaviors by creating a strategic plan, according to SANS Security Awareness.
At RSA 2019, Paula Januszkiewicz of CQURE explained common infrastructure shortcuts that open the door to hacking.
Google's Project Zero researchers have revealed a "high severity" macOS security flaw nicknamed "BuggyCow" which Apple appears to be in no rush to patch.
A new report outlines the cyberattacks and threats that financial firms are facing.
Panelists react to missing noted cryptographer Adi Shamir who was denied a visa to enter the US to attend the RSAC.
By fine-tuning security system algorithms, analysts can make alerts intelligent and useful, not merely generators of noise.
When a security expert on the Chrome team says, "update your Chrome installs... like right this minute" - well, here's how to check!
To get the most from a vendor management program you must trust, then verify. These six best practices are a good place to begin.
Offensive cyber attack chains are accelerating rapidly thanks to a combination of artificial intelligence, machine learning and a broadening threat landscape.
Satellites are spotted with vulnerabilities and design flaws - and hackers are taking note, researchers report at the RSA Conference.
Verizon's Insider Threat Report breaks down five categories of inside threat actors and outlines 11 steps to reduce risk and defend against malicious insiders.
A grassroots movement is emerging to train high-risk groups and underrepresented communities in cybersecurity protection and skills - all for the public good.
Whitefly is exploiting DLL hijacking with considerable success against organizations since at least 2017, Symantec says.
IBM DOORS Next Generation (DNG/RRC) 6.0.2 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152736.
IBM DOORS Next Generation (DNG/RRC) 5.0 through 5.0.2 and 6.0 through 6.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152735.
BleedingBit's impact continues to spread across various devices, researchers at RSA Conference 2019 said.
If you're looking for an easy to use password manager that doesn't save your data to a third-party server, Jack Wallen believes Myki might be what you're looking for.
Data loss protection helps companies get more proactive than data loss prevention and will help customers in an era of Big Data, says Vijay Ramanathan of Code 42. Data loss protection helps with both time to awareness and time to response; its reliance on automation also means greater volumes of data can be managed.
Risk management and compliance technologies emerge from the intersection of technology, security, and regulation; continuous security management helps professionals from multiple departments and disciplines access the info they need, when they need it, according to Sam Abadir of Lockpath.
New technology can help cybersecurity bridge the talent gap, but tech won't do much without people to operate it.
Application security is always important to infosec professionals, and as Ravi Iyer of Synopsys points out, software development trends like Agile, DevOps and CI/CD push app security to the forefront. Polaris, the new software integrity platform from Synopsys, can help with early detection of software vulnerabilities.
With digital transformation in full swing and Big Data accumulating, end-user organizations have their hands full to manage, store and protect all their data, according to Todd Moore of Gemalto. While end-users have access to cloud-based encryption and other security services, Moore warns that the bad guys have access to them too.
With a record number of cyber-attacks recorded in 2018 and even more expected this year, integrating multiple security sub-systems is essential for enterprises, says Anomali's Hugh Njemanze. He also encourages companies to operationalize their threat intelligence and to get better at sharing threat intel data.
Not all security data that's publicly shared gets analyzed or vetted, but Forrester's recent independent analysis of MITRE ATT&CK evaluation offers up useful insights to infosec pros and can guide their procurement and security strategy, according to Mike Nichols of Endgame. These reports can help with intelligent evaluation of detection and response versus prevention approaches.
Deep learning, as a subset of machine learning (which is itself a subset of artificial intelligence), can help transform a company's security posture, says Deep Instinct's Guy Caspi. Deep learning's predictive capabilities also change the security management equation from reactive to proactive, an important breakthrough in forecasting and risk management.
Vulnerability rates in application software remain as high as they were 15 years ago, according to Jeff Williams, CTO of Contrast Security. But by injecting intelligent agents into code, app software gets instrumented with thousands of smart, agile sensors that detect and correct vulnerabilities before deployment, and protect apps in operation.
SOAR, or Security Orchestration, Automation and Response, helps customers ensure the sanctity of their infrastructure, data and end-users, according to Sanjay Ramnath, vice president, product marketing, of AT&T Cybersecurity. Integrating analytics, automation and threat intelligence helps customers eliminate the seams where the bad guys get in.
Does your organization need NIST, CSC, ISO, or FAIR frameworks? Here's how to start making sense of security frameworks.
The Privacy Framework is being developed to be risk-based/outcome-based and non-prescriptive, unlike the GDPR.
Tapping the flexibility and reach of the cloud makes good sense for customers, according to Jon Check, senior director, cyber protection solutions for Raytheon Intelligence, Information and Services. Cybersecurity as a Service (CYaaS) ensures both data resilience and cyber resilience by integrating analytics and automation features into the mix.
WhiteHat Security will continue to operate as an independent subsidiary of NTT Security following the deal.
CEO Mark Zuckerberg published a lengthy post detailing the company's shift from open platform to privacy-focused communications.
Email continues to be the largest area of exposure for most organizations, and phishing emails lead the charge, according to Stu Sjouwerman, founder and CEO of KnowBe4. And while AI and machine learning can make a difference, these same tools are used by the bad guys, Sjouwerman adds. Regular, monthly trainings help reduce phishing click rates.
macOS is perfectly capable of working with SSH keys, for more secure remote connections. Jack Wallen shows you how to generate the necessary keys and copy them to a server.
Hacker groups in Asia have weaponized the networking and pentesting tools in a series of attacks first identified in March 2018, as well as the high-profile SingHealth attack.
In pfSense 2.4.4_1, blocking of source IP addresses on the basis of failed HTTPS authentication is inconsistent with blocking of source IP addresses on the basis of failed SSH authentication (the behavior does not match the sshguard documentation), which might make it easier for attackers to bypass intended access restrictions.
Collaboration applications make users and IT teams more efficient. But they come with an added cost: security.
Researchers have uncovered a network of GitHub accounts containing backdoored versions of legitimate software.
By integrating endpoint security with network security, end-users can reduce their risk and greatly improve their overall security, says Ashley Fidler of eSentire. For managed detection to deliver an orchestrated response, they must tap a reliable framework for decision-making and management, she adds.
A recently-disclosed vulnerability in the Docker containerisation platform is being exploited by cybercriminals to mine the Monero (XMR) cryptocurrency on hundreds of servers.
Password protecting the GRUB boot loader protects against unwanted rebooting and logging into your system, and stops unwanted users from gaining access to single user mode.
We've heard this tale before. This time, it was mentioned by a congressional aide. Also, the NSA released Ghidra, a free reverse-engineering tool.
When it comes to domestic abuse, smart products around the house are turning into new threats, a panel of experts said at RSA.
She didn't create it, but she allegedly shared it. That's enough to get in trouble in Japan, with its history of being tough on cyber crime.
The campaign, which counts oil, gas, and heavy machinery manufacturers among its victims, has been responsible for millions of dollars in lost productivity and data.
Learn how to install Auditd on CentOS 7 and how to add a new rule to watch for file system changes.
The sslheaders plugin extracts information from the client certificate and sets headers in the request based on the configuration of the plugin. The plugin doesn't strip the headers from the request in some scenarios. This problem was discovered in versions 6.0.0 to 6.0.3, 7.0.0 to 7.1.5, and 8.0.0 to 8.0.1.
Dan Patterson discusses how 5G will enable IoT, AR, VR, 3D renderings, and more. He also talks about the numerous cybersecurity concerns with 5G.
Yes! You can predict the chance of a mechanical failure or security breach before it happens. Here's how.
In a proof-of-concept hack, researchers penetrated an ultrasound and were able to download and manipulate patient files, then execute ransomware.
IoT is growing more popular in the home - and so too are the attacks that target these devices featuring valuable data, researchers said at RSA 2019.
Read about the saga of Facebook's failures in ensuring privacy for user data, including how it relates to Cambridge Analytica, the GDPR, the Brexit campaign, and the 2016 US presidential election.
Dan Patterson spoke with the deputy CTO for the NYC mayor's office about taking a community-centered approach to digital transformation and cybersecurity, as well as its Moonshot Challenge.
Researchers break down the differences in how China and Russia use social media to manipulate American audiences.
RSA panelists address the delicate technical challenges of combating information warfare online without causing First Amendment freedoms to take collateral damage.
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows configuring the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.
The repository component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a persistent cross-site scripting vulnerability. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.
The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability that theoretically allows unauthenticated users to bypass authorization checks for portions of the HTTP interface to the JasperReports Server. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.
The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0, TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21, TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.
The domain management component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a race-condition vulnerability that may allow any users with domain save privileges to gain superuser privileges. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.
Social engineering scams continued to be the preferred attack vector last year, but attackers were forced to adapt and change.
As more enterprise work takes place on mobile devices, more companies are feeling insecure about the security of their mobile fleet, according to a new Verizon report.
The deputy CTO for the New York City mayor's office explains why a people-centered approach is key to smart cities, STEM programs, and any technology, and ultimately to a better society.
At RSA 2019, Richard Bird of Ping Identity discussed identity-related security issues and solutions for enterprises.
At RSA 2019, Charles Henderson of IBM X-Force Red explained the cybersecurity challenges involved in bringing blockchain to the enterprise.
At RSA 2019, Emily Mossburg of Deloitte explained the challenges companies face when it comes to cybersecurity.
EmpireCMS 7.5 allows CSRF for adding a user account via an enews=AddUser action to e/admin/user/ListUser.php, a similar issue to CVE-2018-16339.
LayerBB 1.1.1 has SQL Injection via the search.php search_query parameter.
/console/account/manage.php?type=action&action=add in JTBC v3.0(C) has CSRF for adding an administrator account.
WUZHI CMS 4.1.0 has stored XSS via the "Extension module" "SMS in station" field under the index.php?m=core URI.
WUZHI CMS 4.1.0 has stored XSS via the "Membership Center" "I want to ask" "detailed description" field under the index.php?m=member URI.
dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter.
An issue was discovered in ZrLog 2.0.3. There is stored XSS in the file upload area via a crafted attached/file/ pathname.
An issue was discovered in ZrLog 2.0.3. There is a SQL injection vulnerability in the article management search box via the keywords parameter.
An issue was discovered in setTA in scan_rr.go in the Miek Gieben DNS library before 1.0.10 for Go. A dns.ParseZone() parsing error causes a segmentation violation, leading to denial of service.
Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable.
A SQL injection vulnerability exists in zzcms v8.3 via the /admin/adclass.php bigclassid parameter.
zzcms V8.3 has a SQL injection in /user/zs_elite.php via the id parameter.
zzcms v8.3 has a SQL injection in /user/jobmanage.php via the bigclass parameter.
XSS exists in zzcms v8.3 via the /uploadimg_form.php noshuiyin parameter.
zzcms v8.3 contains a SQL Injection vulnerability in /user/logincheck.php via an X-Forwarded-For HTTP header.
An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit.
An issue was discovered in Dolibarr through 7.0.0. There is Stored XSS in expensereport/card.php in the expense reports plugin via the comments parameter, or a public or private note.
An issue was discovered in UCMS 1.4.6. There is XSS in the title bar, as demonstrated by a do=list request.
An issue was found in HYBBS through 2016-03-08. There is an XSS vulnerability via an article title to post.html.
get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.
The aout_32_swap_std_reloc_out function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils before 2.31, allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted file, as demonstrated by objcopy.
GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder.
Simple Machines Forum (SMF) 2.0.4 allows PHP Code Injection via the index.php?action=admin;area=languages;sa=editlang dictionary parameter.
Simple Machines Forum (SMF) 2.0.4 allows XSS via the index.php?action=pm;sa=settings;save sa parameter.
Simple Machines Forum (SMF) 2.0.4 allows local file inclusion, with resultant remote code execution, in install.php via ../ directory traversal in the db_type parameter if install.php remains present after installation.
The prototype iPhones are slipping out of Apple's supply chain with disabled security, to the delight of researchers and jailbreakers.
Can the combined power of the world's developers possibly improve the iconic Windows Calculator app? Microsoft seems to think so.
Facebook's planning a new, highly integrated platform and talking a lot about encrypted messaging.
Enterprises must build a security strategy that is aligned with business needs.
Letterboxing comes straight from the Tor browser, and will help Firefox users avoid advertisers that follow them around the web.
From privacy to patches, Threatpost editors discuss the biggest infosec news and trends that they saw this week at RSA Conference 2019.
As smart devices permeate our lives, Google sends up a red flag and shows how the underlying systems can be attacked.
The password 'ji32k7au4a83' looks pretty random and feels as though it should be unique - read this article to find out why it's neither!
At RSA 2019, Jason Escaravage from Booz Allen Hamilton explained why organizations need to have an incident response plan in place.
At RSA 2019, Jeff Reed of Cisco discussed the company's 2019 CISO Benchmark Study and the top threats enterprises face.
The NSA open sources a reverse engineering tool, Chinese hackers hit US universities, and a Chrome zero day - catch up on the week's news with this roundup!
At RSA 2019, Emily Heath of United Airlines explained the gender and diversity gap in cybersecurity and offered advice for women and companies in how to close it.
At RSA 2019, Emily Heath of United Airlines explained the top security challenges businesses face.
Check Point researchers investigate security risks and point to implications for medical IoT devices.
RAT activity in Latin America and Asia ramped up at the end of 2018, indicating widespread coordinated targeting by threat actors.
These multi-day Trainings provide excellent hands-on technical skill-building opportunities, but you have to act fast -- many are almost sold out.
At RSA 2019, Elena Elkina of Women in Security and Privacy discussed how businesses can seek out female and minority candidates for cybersecurity jobs.
At RSA 2019, Dana Simberkoff of AvePoint discussed how companies can reevaluate privacy policies.
The subtext to a panel discussion during RSA is that risks to national infrastructure are fraught with political considerations.
International cybercriminals likely exploited weak passwords on an internal network, the FBI said.
Can you guess whom we chose for our #IWD2019 technoheroes? There are hints in the image...
Between operational technology and open source, the supply chain is rapidly expanding - and companies that can't keep up will be the next security targets, said experts at RSA Conference 2019.
FBI informed Citrix this week of a data breach that appears to have begun with a 'password spraying' attack to steal weak credentials to access the company's network.
Card-present fraud is down, but attackers continue to find new strategies, and consumers are paying the price.
This year's RSA Conference concluded with actress Tina Fey and program chair Hugh Thompson chatting about teambuilding, diversity, and improv.
Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.
Hacking into smart homes is becoming increasingly easy and a great way to steal victims' personal information, Trend Micro said at RSA 2019.
The biggest problem of targeting open source software to find security issues relates to IT.
Education, monitoring and response tools, and training about the dark web are essential to protecting your small business from cybercriminals.
Find out why data privacy breaches and scandals (think Facebook, Marriott, and Yahoo), artificial intelligence, and analytics have implications for how your business manages cybersecurity.
Beyond Patch Tuesday: understanding the different monthly security and quality updates for Windows, and how they're getting more efficient.
From a serious Chrome zero-day to Comcast's security nightmare, and everything in between - it's weekly roundup time.
The real Social Security people will never call to threaten your benefits or tell you to wire money, send cash, or put money on gift cards.
Bon appétit, Dave. Google's table-booking Duplex AI needs to pass the creepy test.
The US Army has been forced to clarify its intentions for killer robots after unveiling a new program to build AI-powered targeting systems last month.
Industrial Ethernet switches from Moxa were found to lack basic security measures, making it possible to brute-force access to the switch management console, according to Positive Technologies.
IT security administrators and their teams are responsible for evaluating an organization's security tools and technologies, but are they armed with the proper tools, considerations, and budget to do so? Fourth in a six-part series.
Facebook is suing two Ukrainian men who were able to scrape data from 63,000 users' profiles by enticing users to download a malicious browser extension.
The ransomware campaign started March 1 and shut down most of Jackson County's IT systems.
Coinhive is at the top of the global threat index for the 15th consecutive month, according to a Check Point report.
At RSA 2019, John Prisco of Quantum Xchange discussed what solutions organizations should consider to protect against quantum threats.
At RSA 2019, Steve Martino of Cisco discussed the top cybersecurity threats businesses are facing, and how to help employees improve their security posture.
At RSA 2019, Alicia Jessip of TEKsystems explained why it's important for security teams to include women and underrepresented minorities.
At RSA 2019, Brian Roddy of Cisco discussed what CISOs should include in a cloud security plan.
Learn how to install the open source security audit tool, OpenVAS, on the Ubuntu Server platform.
A Data Protection Authority said last week that when websites use cookie walls in exchange for access to a site, they're failing to comply with the GDPR.
In this video, Josh Zelonis, senior analyst at Forrester Research, discusses the next great security threats to enterprises.
More than 900 colleges and universities use Slate, owned by Technolutions, to collect and manage information on applicants.
If you're searching for an easy-to-use password manager that doesn't save your data to a third-party server, give Myki a try.
In all, Google reported 45 bugs in its March update with 11 ranked critical and 33 rated high.
IRIDIUM is an APT that uses proprietary techniques to bypass two-factor authentication for critical applications, according to security firm Resecurity.
Dark Reading caught up with RSA Security president Rohit Ghai at the RSA Conference to discuss critical areas where CISOs and their teams are spinning their wheels.
Industry leaders debate how government and businesses can work together on key cybersecurity issues.
Coinhive has remained on top of Check Point Software's global threat index for 15 straight months.
MongoDB once again used by database admin who opens unencrypted database to the whole world.
Learn what experts at a Wall Street Journal forum suggest businesses should do to improve their cybersecurity stance.
The Last Week Tonight host launched an anti-robocalling robocalling campaign to force the FCC to put a stop to the pervasive, irritating calls.
The number of records exposed online by Verification.io email list-cleaning service may be far higher than originally anticipated.
On Friday, software giant Citrix issued a short statement admitting that hackers recently managed to get inside its internal network. According to a statement by chief information security officer Stan Black, the company was told of the attack by the FBI on 6 March, since when it had established that attackers had taken "business documents" […]
A recent study shows that if you aren't prepared to ask or pay for security, you probably won't get it.
Some 11% of US business computers are at risk of malware infection, compared to 20% of home PCs, according to an Avast report.
Downloaded by 63K users, the quizzes promised answers to questions such as "What kind of dog are you according to your zodiac sign?"
Smaller organizations are more agile at patching vulnerabilities, and vendor support goes a long way in easing patching, according to a report from Kenna Security and the Cyentia Institute.
A new guide from the Cloud Security Alliance offers mitigations, best practices, and a comparison between traditional applications and their serverless counterparts.
Adobe fixed two arbitrary code execution flaws in its Photoshop and Digital Edition products.
Microsoft won't be patching the bug, but a proof of concept shows the potential for successful malware implantation.
As the number of breaches increased 424% in 2018, the average breach size shrank 4.7 times as attackers aimed for smaller, more vulnerable targets.
On certain Lexmark devices that communicate with an LDAP or SMTP server, a malicious administrator can discover LDAP or SMTP credentials by changing that server's hostname to one that they control, and then capturing the credentials that are sent there. This occurs because stored credentials are not automatically deleted upon that type of hostname change.
Nearly 100 companies were exposing sensitive data, including raw CAD files and Social Security Numbers, on misconfigured Box accounts.