TechRepublic's Karen Roby discusses the findings of a recent FileCloud study concerning enterprise cloud and data issues.
Apple has now patched the patch that Google said didn't patch the hole it was supposed to.
SophosLabs researchers discovered at least 15 apps with millions of downloads charging extraordinary prices right under Google's nose.
Most companies have too many tools, causing increased costs and security issues.
The epic theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to includes/download.php.
The May 4 incident exposed data belonging to users on the platform on or before April 5, 2018.
In total, Microsoft has now blocked 142 file extensions that it deems as at risk or that are typically sent as malicious attachments in emails.
This data-harvesting tool is perfect for the deep well of low-skilled adversaries looking to make their cybercrime mark.
Lawsuit alleges Dunkin' Donuts failed to act fast enough to notify and protect customers and is in violation of New York State data breach notification laws.
Vulnerable webcams, news on DHS' FISMA ratings, and a bug in vBulletin - catch up on the week's news with the Friday Five!
Swiss technology non-profit group joins others, such as the Obama-era President's Commission, in recommending that certain classes of technology products be tested.
The malware harvests data, steals cryptocurrency and drops additional malware, while masquerading as a Fortnite aimbot and more.
Updates address two separate issues in Apple's desktop and mobile operating systems.
A new BootROM exploit - which is unpatchable - potentially opens the door to jailbreaks, a researcher said.
A flaw in the OnApp cloud management platform could let an attacker compromise a private cloud with access to a single server.
Looking for a user-friendly encryption tool? Look no further than the open source Cryptomator.
Recent breaches in Americans' smart home systems have raised the level of concern with IoT devices.
Is it rude to ask someone to shut off their Alexa? Ask the family who's written the book on etiquette for nearly 100 years -- the descendants of Emily Post herself.
From the fleeceware apps ripping off consumers to Microsoft's emergency IE patch - and everything in between. It's weekly roundup time.
Instagram's testing a program to hide the Likes that have created a toxic cyberbullying environment. Now, Facebook is as well.
Outlook on the web bans a further 38 file types
A Bitglass survey said 52% of the world's most profitable companies do not have any language on their websites about how they protect the data of customers.
Researchers say 'cyber troops' in 70 countries are using it to automate suppression, mount smear campaigns, or spread disinformation.
Don't fall victim to these common mistakes on the path to developing better security boundaries and limiting the blast radius of security incidents.
Stockpiles of stolen information sitting in foreign databases are ready to be exposed the minute there's a working quantum computer in five to ten years. The time to act is now.
A fix has been issued for a critical Exim flaw that could lead to servers crashing or remote code execution attacks being launched.
People are taking different tacks to get around Apple's tightly controlled phone rules.
The same attacker was reportedly behind the Collection #1 and Collection #2 data dumps earlier this year.
New legislation has been approved by the U.S. senate aimed at protecting local cities and schools from ransomware attacks.
Flaw in National Security Agency's Ghidra reverse-engineering tools allows hackers to execute code in vulnerable systems.
In a new lawsuit, a U.S. based battery company is alleging one of its former employees brazenly took its trade secrets and infringed its patents.
City lost key data in a ransomware attack earlier this year that's already cost more than $18.2 million in recovery and related expenses.
Watch out for suspicious Google Calendar invites and learn how to prevent them from making their way to your calendar.
Transport Layer Security (TLS) can be critical for security, but it must be deployed in a current version. Microsoft now provides a mechanism for administrators to guarantee the right version in their network.
Police overcame not only digital defenses of the "bulletproof" provider CyberBunker but also barbed wire fences and surveillance cams.
The 'super camera' can identify people dozens of meters away using facial recognition.
The eGobbler threat actor is back with a new malvertising campaign that has hijacked more than 1 billion sessions.
That's how Senator Wyden described the results of DefCon's Voting Village, where all 100 voting systems were easily picked apart by hackers.
CrowdStrike threat hunting data shows major increase in targeted financially motivated attacks in the first six months of 2019.
Everything about IT has changed, but our security measures are still built around how we used to design software and systems. Where does security need to catch up with digital transformation...and how?
A cybersecurity expert with the US Navy believes military personnel understand operational risk and should be appointed to corporate boards.
As promised in April, Cloudflare has finally launched Warp, a consumer mobile privacy app that looks a lot like a VPN without actually being one.
How machine learning and artificial intelligence are changing the game of acting on large volumes of network data in near real time.
A total of 172 malicious apps were detected on Google Play in September, with more than 330 million installations.
Details from a campaign tracked over the past five months shows how cybercriminals are continuing to refine their strategies and attempting to adjust to victims' resolve to not pay ransoms.
You can now register to attend Black Hat Europe at a discounted rate but move quickly: the early bird discount period ends this Friday, October 4th!
Researchers report businesses with an internal SOC suffer half the average financial damage.
IT security budgets now average $18.9 million, up from $8.9 million, with savings credited to internal cybersecurity, according to new Kaspersky report.
Malware laced OpenDocument files target Microsoft Office, OpenOffice and LibreOffice users.
The single most important thing you can do is to start building the relationships and political capital you'll need to run your security program. Here's how.
James Jackson, a 58-year-old Memphis resident, used the identities of deceased individuals to steal money from banks and the estates of the dead.
To kick off this year's National Cybersecurity Awareness Month we asked our VP of Cybersecurity what organizations can do to find and retain skilled cybersecurity talent.
Ransomware attacks have crippled hospitals worldwide, forcing them to turn away patients and cancel surgeries.
Attackers are using an obfuscated version of Adwind Remote Access Trojan for stealing data, Netskope says.
Ransomware continues to present a real cybersecurity threat. Tom Merritt offers five ways you can prevent it from affecting your business.
The "Prying-Eye" vulnerability could let intruders scan for unprotected meeting IDs and snoop on conference calls.
tcpdump allows you to dump the traffic on a network. It can be used to print out the headers and/or contents of packets on a network interface that matches a given expression. You can use this tool to track down network problems, to detect many attacks, or to monitor the network activities.
sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL statements, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via a Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack, and more.
haveged is a daemon that feeds the /dev/random pool on Linux using an adaptation of the HArdware Volatile Entropy Gathering and Expansion algorithm invented at IRISA. The algorithm is self-tuning on machines with cpuid support, and has been tested in both 32-bit and 64-bit environments. The tarball uses the GNU build mechanism, and includes self test targets and a spec file for those who want to build an RPM.
PDFex can bypass encryption and password protection in most PDF readers and online validation services
Everyone in your company needs a password manager -- and there are lots of great options. But two cross-platform tools rise above the rest, thanks to their excellent support for enterprise networks.
Reyes Daniel Ruiz went after younger women's accounts, including those of his personal friends and work colleagues, he admitted.
Celebrate Cybersecurity Awareness Month by turning on two-factor authentication and replacing your "fido123" password.
Attack simulation tool will be integrated into ReliaQuest's GreyMatter platform.
Akamai security architect Marc Pardee tells the story of cutting his security teeth as an NSA intern and why all cybersecurity professionals can benefit from learning how to break things.
Some 36% of companies who haven't suffered a breach said it is likely they are unknowingly experiencing one now.
The serial hacker GnosticPlayers is claiming to have ransacked Zynga's user data - including names, emails and passwords.
This malicious O.MG Lightning cable has come a long way, with extensive work on the kinds of payload it can deliver.
This latest Exim flaw could lead to at least a denial of service crash in the software but also the possibility of remote code execution.
The focus on digital transformation and compressing development release cycles is appealing, but that means security can be left behind. How should security practitioners address this challenge?
A new botnet known as MasterMana shows a high level of sophistication with a low cost to execute, according to a report from cybersecurity firm Prevailion.
Google's new password checkup tool joins other similar services including Have I Been Pwned and Mozilla's Firefox Monitor.
This week, a former Yahoo employee pleaded guilty to hacking into the email accounts of more than 6,000 users, looking for porn. Companies need to protect themselves from similar security breaches. Here's what to do.
Lure possible attackers into a trap with a Kali Linux honeypot.
Think twice before posting about ... grits.
For less than $200, attackers were able to infect thousands of systems, stealing user credentials, cryptocurrency wallets, and web histories, an analysis finds.
Multiyear campaigns stretching back to at least 2014 have been seen using zero-days in region-specific software.
The feature will check the strength of saved passwords and alert users when they're compromised in a breach.
Bad OpSec led to the botnet's discovery -- revealing 800,000 victims in Russia.
Quantum computing is real and it's evolving fast. Is the security industry up to the challenge?
An employee - since terminated - at the financial services corporation is being investigated for fraud after accessing and stealing cardholder data.
Cybergang Silent Starling is taking BEC to the next level by targeting suppliers and going after their customers.
The West African cybergang has successfully infiltrated more than 500 companies using a tactic dubbed 'vendor email compromise.'
FDA, DHS issue fresh warnings on easily exploitable URGENT/11 flaws in medical, SCADA systems, industrial controllers, and other devices.
pdfgrab is a python script that analyzes pdf files to extract their metadata. You can direct it to analyze a single file, a directory of pdfs, provide it a url, or have it leverage googlesearch to get pdfs at a target site.
Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command-line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software.
A flaw was found in Undertow, all versions under 2.0.20, in the DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain users' credentials from the log files.
Zendesk says access occurred in 2016 and that only a small percentage of customers were impacted.
Stalkerware is being installed on more and more victims' devices, and the trend is only accelerating, according to a new report.
New attacks on the perennially besieged sector have crippled hospitals in the US and Australia and caused one health clinic to shut down.
A new mobile app makes a cybersecurity threat lab available to more small businesses in Los Angeles.
Google has taken the next step in its strategy to secure users' passwords. The search giant has taken a password-checking feature released in February as an extension to its Chrome browser and embedded it directly into its password manager service.
Feeling creative? Submit your caption in the comments, and our panel of experts will reward the winner with a $25 Amazon gift card.
Researchers have discovered weaknesses in PDF encryption which could be exploited to reveal the plaintext contents of a file to an attacker.
Without one, the companies that collect our data will likely face compliance with California's take-no-prisoners law, in effect 1 January 2020.
A double-free bug could allow an attacker to achieve remote code execution; users are encouraged to update to a patched version of the messaging app.
Federal guidelines can help all organizations pragmatically and meaningfully improve their firmware security.
An unprotected Elasticsearch cluster contained personally identifiable information on Russian citizens from 2009 to 2016.
Eight high-severity vulnerabilities exist in the Foxit Reader tool for editing PDF files.
Black Hat's Network Operations team members discuss looking for the "bad within the bad." Also, RSA's CTO talks about managing risks to prevent an individual problem from becoming a societal problem.
Whether intentionally or unintentionally, employees can pose a significant security risk to company data, according to a new report from data protection firm Code42.
On top of the forthcoming California Consumer Privacy Act, a new ballot initiative seeks to tamp down data privacy even further in the state.
The SMB parser in tcpdump before 4.9.3 has stack exhaustion in smbutil.c:smb_fdata() via recursion.
The SMB parser in tcpdump before 4.9.3 has buffer over-reads in print-smb.c:print_trans() for \MAILSLOT\BROWSE and \PIPE\LANMAN.
libpcap, as used in tcpdump before 4.9.3, has a buffer overflow and/or over-read.
The BGP parser in tcpdump before 4.9.3 allows stack consumption in print-bgp.c:bgp_attr_print() because of unlimited recursion.
The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print-bgp.c:bgp_attr_print() (MP_REACH_NLRI).
The DCCP parser in tcpdump before 4.9.3 has a buffer over-read in print-dccp.c:dccp_print_option().
The HNCP parser in tcpdump before 4.9.3 has a buffer over-read in print-hncp.c:print_prefix().
The IEEE 802.11 parser in tcpdump before 4.9.3 has a buffer over-read in print-802_11.c for the Mesh Flags subfield.
The ICMPv6 parser in tcpdump before 4.9.3 has a buffer over-read in print-icmp6.c.
The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print-bgp.c:bgp_capabilities_print() (BGP_CAPCODE_RESTART).
The OSPFv3 parser in tcpdump before 4.9.3 has a buffer over-read in print-ospf6.c:ospf6_print_lshdr().
The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file().
The Babel parser in tcpdump before 4.9.3 has a buffer over-read in print-babel.c:babel_print_v2().
The IKEv1 parser in tcpdump before 4.9.3 has a buffer over-read in print-isakmp.c:ikev1_n_print().
The FRF.16 parser in tcpdump before 4.9.3 has a buffer over-read in print-fr.c:mfr_print().
The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print-bgp.c:bgp_capabilities_print() (BGP_CAPCODE_MP).
The Rx parser in tcpdump before 4.9.3 has a buffer over-read in print-rx.c:rx_cache_find() and rx_cache_insert().
The RSVP parser in tcpdump before 4.9.3 has a buffer over-read in print-rsvp.c:rsvp_obj_print().
The LMP parser in tcpdump before 4.9.3 has a buffer over-read in print-lmp.c:lmp_print_data_link_subobjs().
The VRRP parser in tcpdump before 4.9.3 has a buffer over-read in print-vrrp.c:vrrp_print().
The ICMP parser in tcpdump before 4.9.3 has a buffer over-read in print-icmp.c:icmp_print().
The LDP parser in tcpdump before 4.9.3 has a buffer over-read in print-ldp.c:ldp_tlv_print().
tcpdump before 4.9.3 mishandles the printing of SMB data (issue 2 of 2).
tcpdump before 4.9.3 mishandles the printing of SMB data (issue 1 of 2).
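Every tcpdump entry above is fixed in 4.9.3, so the first thing a practitioner wants is a check of what is actually installed. The following is an added example, not code from the tcpdump project: it parses the banner that `tcpdump --version` prints and compares it against the fix version. The banner text in the test inputs is constructed. Note that tcpdump 4.9.x writes the banner to stderr while later releases write it to stdout, so both streams are captured.

```python
import re
import subprocess
from typing import Optional, Tuple

# All of the parsers listed above were fixed in this release.
FIXED_TCPDUMP = (4, 9, 3)


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract the tcpdump version from a '--version' banner as a 3-tuple.

    Returns None if no 'tcpdump version X.Y[.Z]' line is present.
    Missing components are padded with 0 so that '4.9' compares as (4, 9, 0).
    """
    m = re.search(r"tcpdump version (\d+(?:\.\d+)*)", banner)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_vulnerable(banner: str) -> bool:
    """True if the banner reports a tcpdump older than 4.9.3.

    Tuple comparison is numeric per component, so 4.99.1 is correctly newer
    than 4.9.3 even though a plain string comparison would say otherwise.
    """
    version = parse_version(banner)
    if version is None:
        raise ValueError("no tcpdump version line in banner")
    return version < FIXED_TCPDUMP


def installed_banner(binary: str = "tcpdump") -> Optional[str]:
    """Run '<binary> --version' and return stdout and stderr joined.

    Older tcpdump prints the banner on stderr, newer on stdout; we read both.
    Returns None if the binary is not on PATH.
    """
    try:
        proc = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return None
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    banner = installed_banner()
    if banner is None:
        print("tcpdump not found on PATH")
    else:
        print(banner.strip())
        print("upstream version predates 4.9.3:", is_vulnerable(banner))
```

The comparison is against the upstream version string only. Distribution packages (Debian, RHEL and derivatives) frequently backport the fixes while keeping an older version number, so a "vulnerable" result here means "check the package changelog", not "confirmed exposed".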
The ex-employee accessed cardholder personal information in an apparent attempt to commit fraud.
The ex-employee accessed names, Social Security numbers, card numbers, and more in an attempt to commit fraud.
Their findings demonstrate how Group 4 is likely conducting server-side skimming in addition to client-side activity.
Find out how to create and export a GPG keypair from the macOS command line.
Bug gives attackers a way to use GIF images to steal data from Android devices running the message app.
Dubbed Reductor, this malware can manipulate HTTPS traffic by tweaking a browser's random numbers generator.
There are dozens of known groups, hundreds of C2 servers and millions of victim websites.
It's good, but also a perfect opportunity for us to remember that Incognito mode doesn't translate to "I'm invisible!"
"You misguidedly tried to help your son" by moving his cryptocurrency, but it "didn't help him at all," a judge said.
Officials say they are concerned about their ability to fight crime and protect citizens, while privacy advocates remain critical of government interference
The winning captions for September's cartoon contest are nothing to yawn about.
A UK class action lawsuit against Google, that represents around 5 million iPhone users, can go ahead, according to the UK Court of Appeal.
A researcher has released details of a WhatsApp flaw that could be used to compromise the app and the mobile device the app is running on.
From lengthy email signatures to employees' social media posts, we look at the many ways organizations make it easier for attackers to break in.
Listen to the latest episode of our podcast now.
Cybersecurity incidents expected to rise by nearly 70% and cost $5 trillion annually by 2024.
Getting the basics right gives you a lot of protection. Here's how.
An attacker whose motives are unclear compromised an Asterisk server in a highly targeted campaign.
As ransomware attacks surge against school systems, an analysis of 1,200 K-12 institutions in North America shows complex environments and conflicting security controls.
The local privilege escalation vulnerability affects Pixel, Samsung, Huawei, Xiaomi, and other devices.
Flaw impacts 18 Android models including Google's flagship Pixel handset as well as phones made by Samsung, Huawei and Xiaomi.
News on new vulnerabilities - both in the PDF format and a network protocol, and why fighting cyber crime is a focal point of the U.S. Secret Service.
In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.
A group tried to access West Virginia's mobile voting app in 2018; now, the FBI is looking into what actually happened.
In a market that favors the job seeker, what are some alternatives to resume-sifting that will identify the talent you need?
Microsoft detected the so-called Phosphorus nation-state gang attacking 241 user accounts associated with a US presidential campaign, current and former US government officials, journalists, others.
WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Zeek's user community includes major universities, research labs, supercomputing centers, and open-science communities.
From the hacker's folks who whisked away his stolen crypto to the O.MG! evil lightning cable - and all the top security stories in between.
Police could set up transceivers outside a building and compare spectrograms of suspects walking vs. crime scene footage.
The EU's top court ruled that platforms like Facebook can be ordered to proactively seek out and delete all copies of illegal content.
The US, UK and Australian governments last week officially urged Facebook to halt its plans for end-to-end encryption.
Android smartphones have recently become vulnerable to a zero-day vulnerability that Google thought it had patched for good two years ago.
A group called Phosphorous has been trying to access Microsoft-based email accounts of people associated with the campaign.
Facing a system and organization controls audit doesn't have to be stressful for small and midsize businesses if they follow these guidelines.
According to cybersecurity company Optiv, hackers are now impersonating each other to hide their true goals.
Nevada's new privacy law requires websites to post a privacy notice and allow consumers to opt out of the sale of their personal data.
A trio of Alabama hospitals have decided to pay for a decryption key.
As the internet begins to split into different versions in different countries, the laws that govern data are changing. Tom Merritt explains five things you need to know about the splinternet.
Researchers say supply chain attacks are responsible for the most significant spikes in Magecart detections.
CVE-2019-16920 allows remote unauthenticated attackers to execute code on a target device.
The unappreciated core of your enterprise IT network needs your security team's TLC. Here are a few ways to give Active Directory the security love it needs.
Hackers are taking advantage of vulnerabilities in the Drupal CMS platform by using malicious code disguised as gifs.
Millions of iOS users could be vulnerable to man-in-the-middle attacks that trace back to flawed Twitter code used in popular iPhone apps.
A pair of laws provides recourse for victims of deepfake technology.
A new wave of attacks has been discovered on Drupal-based content management systems that weren't patched for the older flaw.
New ISACA data emphasizes a gap between men and women who share their opinions on underrepresentation of women and equal pay in the tech industry.
PayPal abruptly announced that it was leaving the Libra Association.
It's coming next month, in spite of a lawsuit and the data regulator's protests about lack of consent, data security and privacy.
Girlfriend found it, girlfriend popped it onto a city bus, gadget got found, multiyear investigation got launched, 20 got indicted.
Remember the FaceTime bug that allowed a caller to eavesdrop on your phone? Researchers just discovered another - this time in Signal.
Political parties and election systems will be heavily targeted in the months leading up to the 2020 general elections, some security experts say.
U.S. and U.K. agencies warn consumers to update technologies from Fortinet, Pulse Secure and Palo Alto Networks to mitigate attacks that are likely coming from China
The orbisius-child-theme-creator plugin before 1.2.8 for WordPress has incorrect access control for file modification via the wp-admin/admin-ajax.php?action=orbisius_ctc_theme_editor_ajax&sub_cmd=save_file theme_1, theme_1_file, or theme_1_file_contents parameter.
The buddypress-activity-plus plugin before 1.6.2 for WordPress has CSRF with resultant directory traversal via the wp-admin/admin-ajax.php bpfb_photos[] parameter in a bpfb_remove_temp_images action.
The smooth-slider plugin before 2.7 for WordPress has SQL Injection via the wp-admin/admin.php?page=smooth-slider-admin current_slider_id parameter.
The broken-link-manager plugin before 0.6.0 for WordPress has XSS via the HTTP Referer or User-Agent header to a URL that does not exist.
The nex-forms-express-wp-form-builder plugin before 4.6.1 for WordPress has SQL injection via the wp-admin/admin.php?page=nex-forms-main nex_forms_Id parameter.
The plugmatter-optin-feature-box-lite plugin before 2.0.14 for WordPress has SQL injection via the wp-admin/admin-ajax.php?action=pmfb_mailchimp pmfb_tid parameter.
The plugmatter-optin-feature-box-lite plugin before 2.0.14 for WordPress has SQL injection via the wp-admin/admin-ajax.php?action=pmfb_cc pmfb_tid parameter.
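The WordPress plugin entries directly above, together with the epic theme arbitrary-download entry earlier on this page, all describe parameters that an attacker has to put into a request. That makes them easy to hunt for in web server access logs. The following is an added example, not code from WordPress or from any of the plugins named: it parses combined-format access log lines and flags requests whose parameters match the vulnerable code paths (traversal in the epic theme `file` and `bpfb_photos[]` parameters, non-numeric IDs where the SQL injections live, any hit on the orbisius `save_file` theme editor command, and HTML in the Referer or User-Agent of a 404, which is where the broken-link-manager XSS lands). The log lines in `SAMPLE_LOG` are constructed for the example; the rule names are my own labels.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Path traversal or absolute paths into sensitive locations, after decoding.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|^/etc/|^/proc/)", re.I)
# Anything that starts an HTML tag in a header that should never contain one.
HTML_TAG = re.compile(r"<[a-z/!]", re.I)


def _first(params, key):
    # parse_qs already decodes once; decode again so double-encoded
    # traversal (%252e%252e) still matches the patterns above.
    return unquote(params.get(key, [""])[0])


def classify(line):
    """Return a list of (rule, detail) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    path, q = url.path, parse_qs(url.query, keep_blank_values=True)
    findings = []

    # Epic theme: includes/download.php?file=<anything> served the file as-is.
    if path.endswith("/includes/download.php") and TRAVERSAL.search(_first(q, "file")):
        findings.append(("epic-theme-file-download", _first(q, "file")))

    if path.endswith("/wp-admin/admin-ajax.php"):
        action = _first(q, "action")
        # orbisius-child-theme-creator: file write reachable without proper access control.
        if action == "orbisius_ctc_theme_editor_ajax" and _first(q, "sub_cmd") == "save_file":
            findings.append(("orbisius-theme-file-write", _first(q, "theme_1_file")))
        # buddypress-activity-plus: CSRF leading to traversal in bpfb_photos[].
        if action == "bpfb_remove_temp_images" and TRAVERSAL.search(_first(q, "bpfb_photos[]")):
            findings.append(("bpfb-temp-image-traversal", _first(q, "bpfb_photos[]")))
        # plugmatter-optin-feature-box-lite: pmfb_tid goes into SQL unescaped.
        tid = _first(q, "pmfb_tid")
        if action in ("pmfb_mailchimp", "pmfb_cc") and tid and not tid.isdigit():
            findings.append(("plugmatter-sqli", tid))

    if path.endswith("/wp-admin/admin.php"):
        page = _first(q, "page")
        sid = _first(q, "current_slider_id")
        if page == "smooth-slider-admin" and sid and not sid.isdigit():
            findings.append(("smooth-slider-sqli", sid))
        fid = _first(q, "nex_forms_Id")
        if page == "nex-forms-main" and fid and not fid.isdigit():
            findings.append(("nex-forms-sqli", fid))

    # broken-link-manager: Referer/User-Agent of a request to a missing URL
    # are stored and rendered, so HTML in either header on a 404 is the tell.
    if m["status"] == "404" and (HTML_TAG.search(m["referer"]) or HTML_TAG.search(m["ua"])):
        findings.append(("broken-link-manager-header-xss", m["referer"] or m["ua"]))
    return findings


def scan(lines):
    """Flatten findings across a log, tagging each with the client IP."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        for rule, detail in classify(line):
            out.append((m["ip"], rule, detail))
    return out


# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2019:12:00:01 +0000] "GET /wp-content/themes/epic/includes/download.php?file=../../../../wp-config.php HTTP/1.1" 200 2910 "-" "curl/7.64.0"',
    '203.0.113.5 - - [10/Oct/2019:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=pmfb_cc&pmfb_tid=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.3"',
    '198.51.100.9 - - [10/Oct/2019:12:00:03 +0000] "GET /wp-admin/admin.php?page=smooth-slider-admin&current_slider_id=3 HTTP/1.1" 200 8192 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2019:12:00:04 +0000] "GET /does-not-exist HTTP/1.1" 404 221 "<script>alert(1)</script>" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2019:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=bpfb_remove_temp_images&bpfb_photos%5B%5D=..%2F..%2Fwp-config.php HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, rule, detail in scan(SAMPLE_LOG):
        print(f"{ip}\t{rule}\t{detail}")
```

Only GET parameters appear in access logs, so the orbisius and plugmatter rules will miss the same attacks sent as POST bodies; those need a WAF or application log that records the body. The third sample line is a legitimate admin request with a numeric slider ID and produces no finding, which is the false-positive case the numeric-ID rules are built to avoid.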
We're seeing a dramatic rise in targeted attacks, but following these guidelines can help your enterprise stay safe.
The curl package can be built to include SFTP support. Find out how easy this is to do.
Over three quarters of US businesses have faced cyberattacks in the past 12 months, with 86% of US firms experiencing attacks feeling let down by their antivirus.
The majority of workers worldwide think the tech industry needs more regulation, but the US in particular is falling behind.
Computerized auto dialers deliver pre-recorded phone calls with 60 billion expected in 2019 alone. Here's how to handle robocalls.
Here's what to think through as you prepare your organization for standards compliance.
Google's October security update fixed several critical and high-severity vulnerabilities.
This new cybersecurity defense mechanism proactively protects organizations and prevents attacks.
The goal is to predict incidents in advance by tracing it back to the actual hijackers.
Users still have to juggle far too many passwords, which leads to password sharing, reuse, and other bad habits, according to a new report from password manager LastPass.
A new Mimecast report finds a significant uptick in BEC attacks, malware attachments, and spam landing in target inboxes.
More companies than ever are adopting new email security methods, like DMARC, but few actually put them to full use.
A new campaign is evading secure email gateways that rely on identifying word patterns in order to filter out spam.
A cyber attack on the company's website in August prompted an investigation that uncovered additional attacks dating back to 2016.
New audit finds that privacy policies on 70% of the sites have no limits on data sharing.
Apple released fixes for Catalina and patches for iCloud and iTunes for Windows software.
With the shortage of cybersecurity professionals in the US, UT's program aims to develop individuals who can mitigate security risks in healthcare.
Microsoft has released fixes for nine critical and 49 important vulnerabilities as part of Patch Tuesday.
The Girl Scouts Cyber Challenge event, later this month, pledges to give middle and high-school girls a realistic, and fun, look at cybersecurity careers.
Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.
Ponemon survey data shows that only a third of IT staff say they take a security-first approach to data storage in the cloud.
Vulnerabilities with Pulse Secure, Fortinet, and Palo Alto Networks VPNs are called out in the advisory.
More than half of utilities have suffered an outage or data loss in the last 12 months, but only a minority of organizations seem ready for an attack that could affect operations, a survey finds.
None of the total 59 patches were for previously known vulnerabilities nor are any under active attack, Microsoft reports.
TOMS seems like a really nice shoe company, and it just got hacked in a really nice way. But it's still a hack.
It's the time-saving technique employed by many coders - copy and paste code from crowd-sourcing 'Q&A' websites. But is it always secure?
Deepfake tech has push-button apps and service portals. Can code commodification do the same for detection, so women can actually afford it?
Data collected for two-factor authentication purposes 'inadvertently' matched users to targeted-advertising lists, the company admits.
Microsoft fixed 59 vulnerabilities in October's Patch Tuesday, including several critical remote code execution (RCE) flaws.
In a world where traditional network boundaries no longer exist, VPNs are showing their age.
This is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups.
Ignorance surrounding Pass the Hash attacks puts the majority of businesses at risk of compromised credentials.
Increasing concerns over unauthorized surveillance, integration with facial recognition and more are plaguing the doorbell-video camera company.
Email addresses and phone numbers provided to secure user accounts were accidentally shared with marketers.
A new study says financial services organizations experienced an average of 10 attacks a year and spent an average of $1.3 million to restore services after each DNS attack.
For many people, overly restrictive advice about passwords and other security practices is doing more harm than good. Here's why.
A European tech organization is encouraging the European Commission to reconsider its proposal for ePrivacy Regulation, a proposal that's set to regulate cookie usage.
Study participants fail to correctly identify core security concepts and tools to help them stay safe online.
While USB drives are frequent pieces of business hardware, a new report says that one-third of US businesses have no policy governing their use.
The Intel NUC and Nvidia Shield both are vulnerable to high-severity flaws, Intel and Nvidia warned in dual advisories.
How a new open source initiative for interoperable security tools and a wave of consolidation could finally provide some relief for overwhelmed security analysts and SOCs.
State has highest number of people in information security roles and the most current job openings, Comparitech study finds.
Most people nowadays are quite aware that hiring managers put their social media postings under a microscope, a new survey finds.
The bill was introduced by Phil Ting: one of 26 state lawmakers misidentified as suspects in an ACLU test of the technology.
Twitter may have "inadvertently" handed phone and email data from some users to advertisers as part of its Tailored Audiences system that targets users' feeds with ads.
Attackers exploit an "unquoted path" flaw in the Bonjour updater in iTunes for Windows to deliver ransomware.
An integrated approach is the best way to provide organizations with the tools they need to decrease the attack surface and use strong security controls.
The vulnerability stems from an issue with DLL loading in Open Source Hardware, used by tens of millions of computers, researchers say.
Apple has been called out by Chinese state-run media as protecting "rioters," while Blizzard bans a Hearthstone player for supporting Hong Kong.
GRR Rapid Response is an incident response framework focused on remote live forensics. The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely. GRR consists of 2 parts: client and server. The GRR client is deployed on systems that one might want to investigate. On every such system, once deployed, the GRR client periodically polls GRR frontend servers for work. "Work" means running a specific action: downloading a file, listing a directory, etc. The GRR server infrastructure consists of several components (frontends, workers, UI servers) and provides a web-based graphical user interface and an API endpoint that allows analysts to schedule actions on clients and view and process collected data.
Attackers compromised Volusion's Google Cloud environment to load malicious skimmer code onto more than 6,500 customer sites.
One in four malicious URLs employed a legitimate domain, making it more difficult for potential victims to spot possible dangers, a mid-year report finds.
The Attor malware targets government and diplomatic victims with unusual tactics.
IBM, McAfee and international consortium OASIS are coming together to offer the world a way to develop open source security technologies.
The case illustrates that the government agency could be doing a better job safeguarding tax payer data.
Black Hat Europe returns to the Excel in London December 2-5 bearing a cornucopia of intriguing cybersecurity tools in its Arsenal.
In the arms race of computer security, it's never been more important to develop an adversarial mindset that can identify assumptions and determine if and how they can be violated.
The ACF-Frontend-Display plugin through 2015-07-03 for WordPress has arbitrary file upload via an action=upload request to js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php.
prettyPhoto before 3.1.6 has js/jquery.prettyPhoto.js XSS.
The Vernissage theme 1.2.8 for WordPress has insufficient restrictions on option updates.
The Teardrop theme 1.8.1 for WordPress has insufficient restrictions on option updates.
The Pont theme 1.5 for WordPress has insufficient restrictions on option updates.
The Simpolio theme 1.3.2 for WordPress has insufficient restrictions on option updates.
The estrutura-basica theme through 2015-09-13 for WordPress has directory traversal via the scripts/download.php arquivo parameter.
The incoming-links plugin before 0.9.10b for WordPress has referrers.php XSS via the Referer HTTP header.
The dzs-zoomsounds plugin through 2.0 for WordPress has admin/upload.php arbitrary file upload.
The history-collection plugin through 1.1.1 for WordPress has directory traversal via the download.php var parameter.
The content-grabber plugin 1.0 for WordPress has XSS via obj_field_name or obj_field_id.
The broken-link-manager plugin 0.4.5 for WordPress has XSS via the page parameter in a delURL action.
The broken-link-manager plugin before 0.5.0 for WordPress has wpslDelURL or wpslEditURL SQL injection via the url parameter.
The wti-like-post plugin before 1.4.3 for WordPress has WtiLikePostProcessVote SQL injection via the HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR, HTTP_X_FORWARDED, HTTP_FORWARDED_FOR, or HTTP_FORWARDED variable.
The yet-another-stars-rating plugin before 0.9.1 for WordPress has yasr_get_multi_set_values_and_field SQL injection via the set_id parameter.
The s3bubble-amazon-s3-html-5-video-with-adverts plugin 0.7 for WordPress has directory traversal via the adverts/assets/plugins/ultimate/content/downloader.php path parameter.
The s3bubble-amazon-s3-audio-streaming plugin 2.0 for WordPress has directory traversal via the adverts/assets/plugins/ultimate/content/downloader.php path parameter.
The awesome-filterable-portfolio plugin before 1.9 for WordPress has afp_get_new_category_page SQL injection via the cat_id parameter.
The awesome-filterable-portfolio plugin before 1.9 for WordPress has afp_get_new_portfolio_item_page SQL injection via the item_id parameter.
The booking-system plugin before 2.1 for WordPress has DOPBSPBackEndTranslation::display SQL injection via the language parameter.
The searchterms-tagging-2 plugin through 1.535 for WordPress has XSS via the wp-admin/options-general.php count parameter.
The searchterms-tagging-2 plugin through 1.535 for WordPress has SQL injection via the pk_stt2_db_get_popular_terms count parameter exploitable via CSRF.
The pretty-link plugin before 1.6.8 for WordPress has PrliLinksController::list_links SQL injection via the group parameter.
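The SQL injection entries above (wti-like-post, awesome-filterable-portfolio, booking-system, pretty-link and the others) share one root cause: a request value is concatenated into the SQL text. The wti-like-post case is the instructive one because the "value" is a client IP taken from X-Forwarded-For and similar headers, which any client can set. The following is an added example written for this page, not code from any of those plugins; the votes table, the "has this IP already voted" check and the request headers are constructed for the demo, and the database is an in-memory SQLite instance.

```python
"""Header-sourced SQL injection beside its parameterized fix (added example)."""
import sqlite3
from typing import Dict, Optional


def make_db() -> sqlite3.Connection:
    """In-memory votes table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE votes (post_id INTEGER, ip TEXT)")
    conn.executemany(
        "INSERT INTO votes VALUES (?, ?)",
        [(1, "10.0.0.5"), (1, "10.0.0.6"), (2, "10.0.0.5")],
    )
    return conn


def client_ip(headers: Dict[str, str], remote_addr: str,
              trusted_proxy: Optional[str] = None) -> str:
    """Pick the client IP. X-Forwarded-For is honoured only when the request
    actually arrived from the known proxy; otherwise the header is untrusted
    input and the socket peer address is used instead."""
    xff = headers.get("X-Forwarded-For")
    if xff and trusted_proxy and remote_addr == trusted_proxy:
        return xff.split(",")[0].strip()
    return remote_addr


def vulnerable_has_voted(conn: sqlite3.Connection, post_id: int, ip: str) -> bool:
    # The pattern behind the CVEs above: the header value becomes SQL text.
    sql = f"SELECT COUNT(*) FROM votes WHERE post_id = {int(post_id)} AND ip = '{ip}'"
    return conn.execute(sql).fetchone()[0] > 0


def safe_has_voted(conn: sqlite3.Connection, post_id: int, ip: str) -> bool:
    # Bound parameters: the driver never parses the value as SQL.
    sql = "SELECT COUNT(*) FROM votes WHERE post_id = ? AND ip = ?"
    return conn.execute(sql, (post_id, ip)).fetchone()[0] > 0


def demo() -> Dict[str, object]:
    """Run both checks against a constructed request with a hostile header."""
    conn = make_db()
    headers = {"X-Forwarded-For": "1.2.3.4' OR '1'='1"}  # attacker-controlled
    naive_ip = headers["X-Forwarded-For"]  # what a header-trusting plugin would use
    chosen_ip = client_ip(headers, remote_addr="203.0.113.9")  # no trusted proxy
    return {
        "naive_ip": naive_ip,
        "chosen_ip": chosen_ip,
        "vulnerable": vulnerable_has_voted(conn, 1, naive_ip),  # True: WHERE is always true
        "safe": safe_has_voted(conn, 1, naive_ip),              # False: no such ip string
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two fixes are needed, not one: parameterize the query, and stop treating forwarding headers as trustworthy unless the request came through a proxy you control. In WordPress specifically the parameterization is `$wpdb->prepare()`; the example uses SQLite placeholders to stay runnable offline.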
The Center for Long Term Cybersecurity recently awarded grants to six artists in a contest to come up with ideas for works with security themes and elements. Check 'em out.
The Israel-based ChameleonX aims to protect websites from cyberattacks targeting payment data.
An alleged fraudster built a vast web of AWS cloud accounts, becoming the platform's biggest consumer of data resources.
A hacker is selling the email addresses of 250,000 users of a Dutch sex-work forum -- data that researchers say could be used for blackmail.
The cloud security firm's CEO and CTO lay out the timeline of events and the steps customers should take to protect their accounts.
The ransomware operators targeted an "unquoted path" vulnerability in iTunes for Windows to evade detection and install BitPaymer.
Apple was under fire this week after banning an app that tracked the location of both police and protesters in Hong Kong on a live map.
According to a new report, its algorithmic labelling may expose minors to age-inappropriate, targeted advertising.
Some types of 2FA security can no longer be guaranteed to keep the bad guys out, the FBI warned US companies.
...and wouldn't know 2FA from a hole in the ground, according to Pew Research.
IceWarp Webclient before 10.2.1 has non-persistent XSS via the password parameter in an HTTP POST request to webmail/ (observed in 10.2.0).
IceWarp Webclient before 10.2.1 has non-persistent XSS via the _dlg[captcha][uid] parameter in an HTTP POST request to webmail/basic/ (observed in 10.1.3 and 10.2.0).
IceWarp Webclient before 10.2.1 has non-persistent XSS via the _dlg[captcha][action] parameter in an HTTP POST request to webmail/basic/ (observed in 10.1.3 and 10.2.0).
IceWarp Webclient before 10.2.1 has non-persistent XSS via the _dlg[captcha][controller] parameter in an HTTP POST request to webmail/basic/ (observed in 10.1.3 and 10.2.0).
IceWarp Webclient before 10.2.1 has persistent XSS via the username parameter in an HTTP POST request to admin/login.html (observed in 10.2.0).
IceWarp Webclient before 10.2.1 has a directory traversal vulnerability. This can result in loss of confidential data of IceWarp Mailserver and the operating system. Input passed via a certain parameter (script to basic/minimizer/index.php) is not properly sanitised and can therefore be exploited to browse the partition where IceWarp is installed (or the whole system) and read arbitrary files.
IceWarp Webclient before 10.2.1 has a directory traversal vulnerability. This can result in loss of confidential data of IceWarp Mailserver and the operating system. Input passed via a certain parameter (_c to basic/index.html) is not properly sanitised and can therefore be exploited to browse the partition where IceWarp is installed (or the whole system) and read arbitrary files.
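The IceWarp traversal entries above and the WordPress download.php / downloader.php entries earlier (estrutura-basica, history-collection, the two s3bubble plugins) describe the same defect: a request parameter is joined onto a base directory and the resulting file is read back without checking where it landed. The following is an added example written for this page, not code from IceWarp or any of the plugins. The vulnerable reader, the hardened reader and a small log-side detector are shown together; the directory layout (a downloads folder next to a wp-config.php) and the request values are constructed in a temporary directory so the block runs offline.

```python
"""Path traversal via a download parameter, the containment fix, and detection
(added example)."""
import os
import tempfile
from typing import Dict
from urllib.parse import unquote


def vulnerable_read(base_dir: str, requested: str) -> bytes:
    # Joins and opens whatever was asked for; "../" walks out of base_dir.
    with open(os.path.join(base_dir, requested), "rb") as fh:
        return fh.read()


def safe_path(base_dir: str, requested: str) -> str:
    """Resolve the final path and refuse anything outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # realpath follows symlinks too, so a link planted inside base_dir that
    # points outside it is rejected as well. An absolute `requested` makes
    # os.path.join discard base_dir, which this check also catches.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes download directory: {requested!r}")
    return target


def safe_read(base_dir: str, requested: str) -> bytes:
    with open(safe_path(base_dir, requested), "rb") as fh:
        return fh.read()


def is_traversal_attempt(param: str, max_decode: int = 3) -> bool:
    """Log-side heuristic: decode repeatedly (double encoding is common in
    scanner traffic), then look for a parent-directory component, an absolute
    POSIX path or a Windows drive prefix."""
    value = param
    for _ in range(max_decode):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    norm = value.replace("\\", "/")
    parts = norm.split("/")
    return ".." in parts or norm.startswith("/") or (len(norm) > 1 and norm[1] == ":")


def demo() -> Dict[str, object]:
    """Build the constructed layout and exercise both readers."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.mkdir(downloads)
    with open(os.path.join(downloads, "report.pdf"), "wb") as fh:
        fh.write(b"PDF")
    with open(os.path.join(root, "wp-config.php"), "wb") as fh:
        fh.write(b"DB_PASSWORD")

    results: Dict[str, object] = {}
    results["vulnerable_leak"] = vulnerable_read(downloads, "../wp-config.php")
    results["safe_ok"] = safe_read(downloads, "report.pdf")
    try:
        safe_read(downloads, "../wp-config.php")
        results["safe_blocked"] = False
    except PermissionError:
        results["safe_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
    for sample in ("report.pdf", "..%2F..%2Fwp-config.php", "%252e%252e%252fetc%252fpasswd"):
        print(sample, "->", is_traversal_attempt(sample))
```

The containment check compares resolved paths rather than stripping "../" from the input: stripping is bypassed by variants such as "....//" and by encoded forms, while a resolved-path comparison does not care how the escape was spelled. The detector is the complementary piece for the SOC side: run it over the `file`, `var`, `path`, `arquivo` or `_c` parameter values in web logs to find attempts against the endpoints named in these entries.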
A campaign first observed last year has ramped up its attack methods and appears to be linked to activity targeting President Trump's 2020 re-election campaign.
Four steps outlining how security teams can better understand their company's cyber-risk and demonstrate to company leadership what's being done to mitigate the resulting business risk.
Let's see a hacker figure out one of these.
Listen to the latest episode now!
Now's the time to start planning what to see and do at Black Hat Europe, which is jam-packed with relevant Briefings and Arsenal demos.
Learn how to enable SSH session recording in CentOS 8.
News on a new military cyber alert system, Twitter mishandles user data, and what to do with data if there's a no-deal Brexit. Catch up on the week's news with the Friday Five.
A new dropper and payload show that Fin7 isn't going anywhere despite a crackdown on the infamous group by law enforcement in 2018.
Poisoning can be used against network infrastructure and applications. Understanding how DNS cache poisoning, machine learning model poisoning and other attacks work can help you prepare the proper antidote.
Hackers were able to steal an AWS administrative API key housed in a compute instance left exposed to the public internet.
A recent Privacy Industry Notification points to two new hacker tools that can turn a victim's browser into a credential-stealing zombie.
After being notified on July 4, HP waited four months before releasing a security advisory.
Without naming Huawei, the EU warns on state-backed 5G suppliers.
With National Cybersecurity Awareness Month as a backdrop, industry leaders weigh in on how SMBs can more effectively protect themselves from cyberattacks.
Mail provider discovered customer data being used in spam messages.
From hackers bypassing 2FA to an Android zero day Google thought it had fixed - get yourself up to date with everything we've written in the last seven days. It's weekly roundup time.
Some points to consider before you break open your wallet.
In spite of prostitution being legal in the Netherlands, this could lead to the same kind of blackmail attempts and suicides seen after the Ashley Madison breach.
Old passwords never die... they just become easier to decode.
The tiny ATtiny85 chip doesn't look like the next big cyberthreat facing the world, but sneaking one on to a firewall motherboard would be bad news for security were it to happen.
The company acknowledged it's using "safe browsing" technology from Tencent, which has ties to the Chinese government.
A man confessed to stalking and attacking a young pop star by zooming in on the reflections in her eyes from selfies.
The FBI Cyber Task Force recently issued a Private Industry Notice on how businesses can deal with vulnerabilities tied to token and phone-based multi-factor authentication methods.
A company's security battle is not between that company and a specific fraudster; rather, it's between the company and connected cybercriminal ecosystem.
The California Attorney General's Office finally released draft regulations around the CCPA last week, outlining the requirements of businesses and consumers.
Journalists are increasingly concerned about what cloud providers may access or share with governments - and companies should worry as well.
The feature, designed to block unauthorized changes to security features, is now generally available.
The attack does not appear to have endangered customer data, but it has had an impact on orders for supplies and postage refills.
Beijing likely saved a lot of time and billions of dollars by copying components for its C919 plane from others, a new report from CrowdStrike says.
Sophos' board of directors plans to unanimously recommend the offer to the company's shareholders.
Organizers said 100 leads were generated every 10 minutes by contestants using OSINT - open-source intelligence such as online searches.
Apple was quick to allay user concerns this weekend after someone spotted that it was working with Chinese company Tencent to check its users' website requests for malicious URLs.
Gone: Mastercard, Visa, PayPal, eBay, Stripe, Mercado Pago. Of six payments firms first involved in Libra, just one, PayU, remains.
Deepfake technology is becoming easier to create, and that's opening the door for a new wave of malicious threats, from revenge porn to social-media misinformation.
The flaw is a rare "unquoted path class" described as "so thoroughly documented that you would expect programmers to be well aware..." But that's not the case.
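The "unquoted path" flaw mentioned here and in the two earlier iTunes/Bonjour items is the classic Windows service misconfiguration: when a service's ImagePath contains spaces and is not wrapped in quotes, Windows does not know where the executable name ends, so CreateProcess splits the string at each space and tries each prefix (with ".exe" appended) in turn until a file exists. An attacker who can write to one of the directories on that search path plants a binary there and it runs with the service's privileges. The block below is an added example written for this page, not the ransomware operators' tooling or Apple's code; the search order is Microsoft's documented CreateProcess behaviour, while the service list and the writable-directory list are constructed sample data.

```python
"""Enumerate the hijack candidates for an unquoted Windows service path
(added example; service entries below are constructed)."""
from typing import Dict, List

# Constructed sample of what `wmic service get name,pathname` might return.
SAMPLE_SERVICES: Dict[str, str] = {
    "Bonjour Service": r"C:\Program Files\Bonjour\mDNSResponder.exe",
    "Good Service": r'"C:\Program Files\Good Vendor\good.exe" -k netsvcs',
    "Vendor Agent": r"C:\Vendor Tools\Agent Core\agent.exe --service",
    "Short Path": r"C:\Windows\System32\svchost.exe -k LocalService",
}


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not quoted and the part up to the executable
    contains a space: the precondition for the hijack."""
    path = image_path.strip()
    if path.startswith('"'):
        return False
    # Arguments after ".exe" are handed to whichever candidate is found first,
    # so only the portion up to the executable matters for the check.
    exe_end = path.lower().find(".exe")
    head = path if exe_end == -1 else path[: exe_end + 4]
    return " " in head


def candidate_executables(image_path: str) -> List[str]:
    """Return, in lookup order, each executable Windows would try before
    (and including) the intended one. Each prefix ending at a space is a
    candidate; ".exe" is appended when the prefix has no such extension."""
    parts = image_path.strip().split(" ")
    candidates: List[str] = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        is_exe = prefix.lower().endswith(".exe")
        candidates.append(prefix if is_exe else prefix + ".exe")
        if is_exe:
            break  # the intended binary lives here; the search stops
    return candidates


def hijack_points(image_path: str, writable_dirs: List[str]) -> List[str]:
    """Candidates whose parent directory the attacker can write to."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    points: List[str] = []
    for cand in candidate_executables(image_path)[:-1]:  # skip the intended binary
        parent = cand.rsplit("\\", 1)[0].lower() if "\\" in cand else ""
        if parent in writable:
            points.append(cand)
    return points


def find_unquoted_services(services: Dict[str, str]) -> List[str]:
    return sorted(name for name, path in services.items() if is_unquoted_with_spaces(path))


if __name__ == "__main__":
    for name in find_unquoted_services(SAMPLE_SERVICES):
        print(name, "->", candidate_executables(SAMPLE_SERVICES[name]))
```

On a real host the input comes from `wmic service get name,pathname` or `Get-CimInstance Win32_Service | Select-Object Name, PathName`, and the writable-directory list from checking ACLs on each candidate's parent. By default a standard user cannot write to C:\ or C:\Program Files, so the realistic hijack points are vendor directories with lax permissions, which is why `hijack_points` is keyed on what is actually writable rather than on the mere presence of a space. The fix is to quote the path, for example `sc config "Bonjour Service" binPath= "\"C:\Program Files\Bonjour\mDNSResponder.exe\""`.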
The attack left customers unable to access key services for shipping and mailing, the company said.
If your privacy is more important than Facebook knowing exactly where you are at all times, you might want to disable location tracking.
Learn how to secure and protect your Apple Card, both the virtual card and the physical one.
In an industry where certifications can make or break a job candidacy, which ones have security pros been going after in 2019?
The bug allows users to bypass privilege restrictions to execute commands as root.
James Plouffe, cybersecurity consultant for "Mr. Robot" reveals how he helped make hacking a reality on the USA-Network drama series starring Rami Malek and Christian Slater.
A fake website purports to enable iPhone users to download an iOS jailbreak - but ultimately prompts them to download a gaming app and conducts click fraud.
Symantec Endpoint Security aims to deliver protection, detection, threat hunting, and response in a single tool.
Paying a ransom is strongly discouraged by experts. So, how do you protect your organization?
The data protection commission, one of the world's most vigilant, is disappointed in the government for its smaller-than-expected budget next year.
The number of attacks on IoT devices in 2019 is nine times greater than the number found in the first half of 2018.
New research finds it's now less than $10 for full credit details on a consumer, $100 for a distributed denial-of-service attack, and $50 for access to a US bank account.
New research shows attacks increased ninefold year-over-year, coming from more than a quarter-million unique IP addresses.
Criminals are becoming more sophisticated and targeted in going after enterprise organizations, a new Q2/Q3 report finds.
Unknown, vulnerable systems are present in nearly every ship environment that researchers have pen-tested.
Researchers create digital dossiers of mobile users scraped from Tor network traffic.
We recently showed you how crooks rip off social networking passwords - here's what they do with stolen accounts.
Users report bad accounts, got presented with a request to verify ID, couldn't upload said ID, and got frozen out.
Xbox gamers: fed up with seeing profanity in messages from other gamers? Microsoft has you covered.
Two more large organisations find themselves struggling after a ransomware attack...
Her accounts were drained in spite of 2FA: SIM swaps are the easiest way around what's still a good security tool.
A U.K. woman alleged that her husband was able to bypass her Samsung Galaxy S10 smartphone's fingerprint reader when the phone was encased by a third-party screen protector.
A report reveals data, services and toolkits available for cybercriminals are becoming more expensive and sophisticated.
For many security decision-makers, the real challenge is communicating the ongoing IR process to their management.
Threatpost talks to Digital Guardian's Tim Bandos about the top insider threats that enterprises are facing today.
Hundreds of fake domains have been set up against some of the presidential candidates through typosquatting, according to a report from digital risk company Digital Shadows.
Here's how federal CIOs can begin utilizing the security concept and avoid predictable obstacles.
If you need to password protect a zip file, look no farther than the zip command itself.
Basic and 'inept' worm managed to compromise Docker hosts by exploiting misconfigurations.
A worm with a randomized propagation method is spreading via the popular container technology.
The tool is designed to help identify misconfigurations and compliance violations in the Google Cloud Platform.
Three different loaders and two payloads are hiding in audio files.
Silent Librarian cyberattackers are switching up tactics in a phishing scheme bent on stealing student credentials.
The debate about whether Android or iOS is the more inherently secure platform misses the larger issues that both platforms are valuable targets and security today is no guarantee of security tomorrow.
Looking back at the last 10 years, what are the biggest and most notable incidents in cybersecurity history? We created an infographic that reflects on the decade and can educate users on how to prevent the next major incident.
TechRepublic's Karen Roby talks with a cryptocurrency expert about blockchain, bitcoin and IoT connected devices.
The $37.5 million acquisitions will boost SailPoint's portfolio across all cloud platforms.
Here are things you can do right now to shore up your defenses and help your recovery when you get hit.
Among the beloved entertainer's advice: "Double bag those passwords." Thanks, Betty.
In part one of this two-part series, we start with the basics - getting everyone to understand what's at stake - and then look at lessons from the trenches.
People who mistype the URL for their political candidate or party's website could end up on an opposing party or candidate's website, Digital Shadow's research shows.
Adobe patched a total of 82 vulnerabilities across a range of products on Tuesday, including 46 critical bugs.
They stole 26 million credit cards from the massive black market site, and now financial institutions are ensuring the cards can't be abused.
The system figured out how to overcome little hurdles, like being nudged by a stuffed giraffe when trying to do important robot work.
It had an Ethernet connection to the ship LAN but was also connected to a Windows console on the bridge which was so bright at night the crew had covered it up. The assumption had been that it was meant to be there.
This is the first time that a cryptojacking attack has been observed on Docker.
The business case for why companies that respect the privacy of individuals, and especially minors, will have a strong competitive advantage.
The flaws in the container technology, CVE-2019-16276 and CVE-2019-11253, are simple to exploit.
Cisco has issued patches for critical and high-severity vulnerabilities in its Aironet access point devices.
A misconfigured website development tool exposed hundreds of email servers to takeover, including President Donald Trump's official campaign website.
Suricata is a network intrusion detection and prevention engine developed by the Open Information Security Foundation and its supporting vendors. The engine is multi-threaded and has native IPv6 support. It's capable of loading existing Snort rules and signatures and supports the Barnyard and Barnyard2 tools.
The cyber-espionage group, linked to Russia and blamed for hacking the Democratic National Committee in 2016, has been using covert communications and other techniques to escape detection for at least two years.
Pending approval of the settlement, affected account holders may be eligible for a payout or two years of free credit monitoring.
The theft of 26 million card records from an underground site offers valuable intel for banks.
New research looks at 10 years of healthcare data breaches and breaks down the specific types of data exposed.
Mozilla is set to launch a Certificate Viewer. Find out why and how to open it.
Organizations of all sizes should include both human firewalls and virtual tools in their cybersecurity budgets.
The ThemeMakers Car Dealer / Auto Dealer Responsive theme through 2015-05-15 for WordPress allows remote attackers to obtain sensitive information (such as user_login, user_pass, and user_email values) via a direct request for the wp-content/uploads/tmm_db_migrate/wp_users.dat URI.
SMBs still perceive themselves at low risk from cyberthreats - in spite of attack statistics that paint a different picture.
Attackers make use of an old trick and evade detection by blocking users from viewing an embedded link when hovering over the URL.
Adding public SSH keys with Cockpit can easily be handled by a Cockpit admin.
A decade-old botnet is using infected computers to send out sextortion emails, in a wide-scale campaign with the potential to reach millions of victims.
The ThemeMakers Diplomat | Political theme through 2015-05-15 for WordPress allows remote attackers to obtain sensitive information (such as user_login, user_pass, and user_email values) via a direct request for the wp-content/uploads/tmm_db_migrate/wp_users.dat URI.
The vulnerability in first-generation Echoes and eight-generation Kindles lets an attacker wage man-in-the-middle attacks.
The problem is not with the tool itself but with how some developers and administrators are using it, Comparitech says.
The ThemeMakers Accio One Page Parallax Responsive theme through 2015-05-15 for WordPress allows remote attackers to obtain sensitive information (such as user_login, user_pass, and user_email values) via a direct request for the wp-content/uploads/tmm_db_migrate/wp_users.dat URI.
The ThemeMakers Invento Responsive Gallery/Architecture Template component through 2015-05-15 for WordPress allows remote attackers to obtain sensitive information (such as user_login, user_pass, and user_email values) via a direct request for the wp-content/uploads/tmm_db_migrate/wp_users.dat URI.
IT workers have been storing files on their computers' hard drives. One councilman's alleged response: "That can't be right? That's real?"
A special episode dedicated to social media culture!
The Darknet server running the site, "Welcome to Video", and the website's convicted admin were tracked down by a global police force.
SophosLabs has discovered 15 apps on Google Play that install without icons as a ploy to keep themselves on the user's device.
Lawyers will get $1.6 million in a settlement that stems from a breach that affected more than 24 million customers.
Applied Security Briefing lineup for this December event also includes expert looks at Google's ClusterFuzz and the art of breaking PDF encryption.
At what point will infiltrating companies via the "insider threat model" become less costly and difficult than using malware? Threatpost discusses with a SolarWind expert.
Social engineering, SOC analysts, and Sock puns. And the winners are:
Which sort of company is most likely to contact you via SMS? Why, your mobile phone provider, of course!
Glitching is difficult, complex, and dangerous. It's one of the reasons that physical security should be part of your cybersecurity planning, particularly as the IoT expands.
Customer names, addresses, email addresses, and phone numbers were left open on a MongoDB server for 10 months, researchers report.
A patch is currently under revision but has not yet been incorporated into the Linux kernel.
A cryptomining infection spread to half of the workstations at a major international airport.
A new bill that could put execs in jail for not taking privacy seriously, Singapore hires 500 data protection officers, and more - catch up on the news of the week with the Friday Five!
The bill is a direct shot at big tech companies like Facebook as senators try to reel in data-collection policies.
Find out what a Zero Day Vulnerability is and if there's anything you can do to protect yourself against them.
Experts examine the drivers pushing today's endpoint security market to consolidate as its many players compete to meet organizations' changing demands and transition to the cloud.
A years-long campaign targets users of Russian darknet markets with a modified install of a privacy-oriented browser.
Cloud migration is accelerating as companies face compliance, security, and control concerns.
Researchers can earn up to $15,000, depending on the severity of the bug found.
From mystery devices on ships to the stalker who found his victim through the reflections in her eyes - and everything in between.
US CEOs who lie about misusing consumers' data could face up to 20 years in prison under a new piece of legislation proposed last week.
Developer interfaces used by Security Research Labs researchers to turn digital home assistants into "Smart Spies".
The fingerprint reader on Samsung's flagship S10 and Note10 smartphones can be spoofed with a $3 screen protector.
There's a risk that someone might get hold of a device and unlock it by holding the screen to the face of its sleeping or unconscious owner.
Experts discuss why security teams are increasingly overwhelmed with alerts and share tactics for lightening the load.
There is no one road to security operations success, but these guidelines will smooth your path.
A bill introduced last week could threaten years of jail time for execs who lie to the FTC about protecting user data.
Avast said it believes that threat actors are again looking to target CCleaner in a supply chain attack.
The cloud security posture management startup was acquired for a reported $70 million.
The Russian-speaking APT stole the Neuron and Nautilus implants and accessed the Iranian APT's C2 infrastructure.
Eight Amazon Alexa and Google Home apps were approved for official app stores even though their actual purposes were eavesdropping and phishing.
3 out of 4 Americans check out other people's screens, and read unclaimed docs on office printer trays.
The travel reservation data, along with personal details, of hundreds of thousands was discovered in a database exposed online for all to see.
'Abiss' attackers used an older VPN profile to get into Avast's network and targeted its CCleaner utility.
Partnerships with Intel, Qualcomm, and AMD will bring a new layer of device security that alters the boot process to detect firmware compromise.
A host of new features have been added to the malware.
Gartner identified the top strategic technology trends likely to reach tipping points in the near future.
New advisory from the UK's NCSC and the NSA throws fresh light on activity first revealed by Symantec in June.
Rick Osterloh says he discloses smart speaker use when someone enters his home, and the products should probably do so themselves.
It's not a violation of her Fifth Amendment rights, the court said, because it's a "foregone conclusion" that she knows her phone passcode.
Most IT and security pros surveyed say they could afford some, but not all, of the minimum security needed to protect themselves.
A report by HP found that most people admit to looking at othersβ computer screens and documents in the workplace while still keeping their own privacy top of mind.
Among the takeaways from a Gartner Symposium/Xpo session: who should be accountable for data security, why security groups should stop thinking of themselves as protectors, and the consequence of locking down 'dumb' users.
By monitoring their environment, companies can be ready to take action if any weakness β usually a software vulnerability β is found.
A survey of nearly 300 Black Hat conference attendees this year showed strong agreement that service accounts are an attractive target.
New service searches for errant or vulnerable devices on the Internet.
Led by the University of Cincinnati, the new center will work with government and industry to conduct research on how to defend electronics and embedded systems from sabotage, hacking, and spying.
Now fixed, the Vatican's new fitness-and-prayer eRosary and its accompanying app, Click to Pray, were found to have a serious privacy bug.
A good security team helps the business help itself operate more securely -- soliciting input while adhering to a unified strategy, vision, goals, and priorities.
How much of our stuff is going to the cloud? Probably a lot more than you realize. Let's look at the risks and how to mitigate them.
The disks are part of the command centres that run the country's nuclear missile deterrent on behalf of SACCS.
The Magecart splinter group known for supply-chain attacks appears to be tied to advanced threat actors.
Biometric cards could make a strong dent against credit card fraud, but several myths surround the technology.
Karsten Nohl, who was behind this week's research that outlined new eavesdropping hacks for Alexa and Google Home, says that privacy for smart home assistants still has a ways to go.
An open Elasticsearch database exposed hundreds of thousands of hotel booking reservations, compromising data from full names to room numbers.
The VPN company said that one of its 3,000 servers in a third-party data center was open to exploitation through a misconfigured management tool.
A recent VA inspector general report discovered veterans' medical records among a cache of data left exposed on shared drives.
Information Leakage in PPPoE Packet Padding in AVM Fritz!Box 7490 with Firmware versions Fritz!OS 6.80 and 6.83 allows physically proximate attackers to view slices of previously transmitted packets or portions of memory via unspecified vectors.
In cybersecurity, the combination of men, women and machines can do what neither can do alone -- form a complementary team capable of upholding order and fighting the forces of evil.
The Qode Instagram Widget and Qode Twitter Feed both have bugs that could allow redirects to malicious sites.
The FTC has banned the sale of three apps - marketed to monitor children and employees - unless the developers can prove that the apps will be used for legitimate purposes.
The Nok Nok App SDK for Smart Watch is designed to let businesses implement FIDO-based authentication on smartwatches.
The Exquisite Ultimate Newspaper theme 1.3.3 for WordPress has XSS via the anchor identifier to assets/js/jquery.foundation.plugins.js.
The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive.
The wps-hide-login plugin before 1.1 for WordPress has CSRF that affects saving an option value.
The ad-inserter plugin before 1.5.3 for WordPress has CSRF with resultant XSS via wp-admin/options-general.php?page=ad-inserter.php.
The freshmail-newsletter plugin before 1.6 for WordPress has shortcode.php SQL Injection via the 'FM_form id=' substring.
The syndication-links plugin before 1.0.3 for WordPress has XSS via the genericons/example.html anchor identifier.
The indieweb-post-kinds plugin before 1.3.1.1 for WordPress has XSS via the genericons/example.html anchor identifier.
The my-wish-list plugin before 1.4.2 for WordPress has multiple XSS issues.
While mainly made up of vendors, the Operational Technology Cyber Security Alliance aims to offer security best practices for infrastructure operators and industrial partners.
In rush to fix newly discovered security issues, developers are neglecting to address older ones, Veracode study finds.
The Artificial Intelligence theme before 1.2.4 for WordPress has XSS because Genericons HTML files are unnecessarily placed under the web root.
A property management company owned by hotel chain Best Western has exposed 179 GB of sensitive travel information on thousands of travelers.
A fresh look at the penetration testing tool Metasploit reveals the 15-year old hacking tool still has some tricks up its sleeves, even against modern defenses.
It took down four foreign interference campaigns and announced initiatives to prevent foreign interference in US elections.
NordVPN has been forced to admit that a hacker stole an expired TLS certificate key used to securely connect customers to its web servers.
The researchers' "Smart Spies" apps showed how Amazon Alexa and Google Home users could be exposed to vishing and eavesdropping.
Mobile devices are a huge part of enterprise IT. Here's what to advise their users to do to keep their devices - and critical business data - best protected.
As cyberattacks intensify and the skills gap broadens, it's hard not to wonder how much more those in the industry can take before throwing in the towel.
Multiple critical memory safety bugs in Firefox 69 and Firefox ESR 68.1 in particular affect medium and large government entities and enterprises.
Nine out of 12 Democratic candidates have yet to enable DNSSEC, a simple set of extensions that stops most targeted domain-based attacks.
As a result of cybercrime, 69% of small organizations were forced offline for a limited time and 37% experienced financial loss.
With DoubleClick, Analytics and AdWords under its belt, Google continues dominating when it comes to global data collection for advertising, a new report found.
To combat the ongoing epidemic around IP theft, the U.S. Air Force recently announced plans to develop an internal group to better protect the USAF's "hard-won intellectual property."
If you start by focusing on users, data, access, and managed devices, you will make major strides toward achieving better security.
Two high-severity vulnerabilities in a Fujitsu wireless keyboard expose passwords and allow keystroke injection attacks.
The Easy Digital Downloads (EDD) htaccess Editor extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
The Easy Digital Downloads (EDD) Free Downloads extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
The Easy Digital Downloads (EDD) Favorites extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
The Easy Digital Downloads (EDD) CSV Manager extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
The Easy Digital Downloads (EDD) Conditional Success Redirects extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
The Easy Digital Downloads (EDD) Cross-sell Upsell extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
The Easy Digital Downloads (EDD) Content Restriction extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
The Easy Digital Downloads (EDD) Commissions extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
The Easy Digital Downloads (EDD) Attach Accounts to Orders extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
The Easy Digital Downloads (EDD) Amazon S3 extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
The Easy Digital Downloads (EDD) core component 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7 for WordPress has XSS because add_query_arg is misused.
The weeklynews theme before 2.2.9 for WordPress has XSS via the s parameter.
The Modern theme before 1.4.2 for WordPress has XSS via the genericons/example.html anchor identifier.
The Auberge theme before 1.4.5 for WordPress has XSS via the genericons/example.html anchor identifier.
A vulnerability in version 0.90 of the Open Floodlight SDN controller software could allow an attacker with access to the OpenFlow control network to selectively disconnect individual switches from the SDN controller, causing degradation and eventually denial of network access to all devices connected to the targeted switch.
TechRepublic's Karen Roby talks with futurist Brian Solis about the trends shaping digital transformation.
Princeton computer science professor Ed Felten says blockchain will enable smart contracts that provide trust to company systems in the future, but there are some myths and misconceptions.
An unsecured NFC tag opens a door to trivial exploitation of robots inside Japanese hotels.
State-sponsored groups take advantage of the lack of effective mobile malware solutions to target mobile users, according to a new report from BlackBerry.
RoboForm is more than a password manager--you can also use it as a tool for syncing your browser bookmarks.
IXP Filter Check gives Internet Exchange Points a way to verify whether they are properly filtering out incorrect and malicious routes.
If you could only protect one category of your organization's data, what would it be?
A vulnerability in version 0.90 of the Open Floodlight SDN controller software could result in a denial of service attack and crashing of the controller service. This effect is the result of a flaw in OpenFlow protocol processing, where specific malformed and mistimed FEATURES_REPLY messages cause the controller service to not delete switch and port data from its internal tracking structures.
Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.
Agency offers tips on how to detect and eradicate the spyware.
GlobalPlatform launches an initiative to help companies secure connected devices and services across markets.
How IBM works with clients in regulated industries to scale AI across public clouds and protect data.
Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers.
It's the first time we've gone after a stalking app, the FTC said. In this case, that would be a stalking app that got breached - twice.
At work, security pros have their fingers on some pretty cutting-edge technology. But are their homes souped up, too?
The everything-as-code revolution requires cybersecurity to increasingly enlist the help of developers to solve the industry's most pressing issues.
Is "quantum supremacy" the moment that the rarefied world of quantum computing finally enters popular consciousness? Probably not.
Researchers have uncovered malware in 17 iOS apps that were removed from Apple's official App Store.
Consumers don't vet apps well enough to mitigate mobile threat risk, according to the latest mobile-threat report from RiskIQ.
Next time you just might want to answer the phone.
When it comes to cybersecurity, the insurance industry is subject to a range of regulatory issues. Thanks to the wealth of sensitive data they handle, they're also popular targets of hackers. How can insurance firms best mitigate cybersecurity risks? We asked 20 experts.
The rising costs of breaches and regulatory fines are driving demand for better measurement and articulation of business impacts.
Japan's Henn na Hotel says it's "modified" the bots so pervs can't exploit the ability to run unsigned code and spy on future guests.
Researchers have found a flaw that could lead to denial of service attacks on content distribution networks around the world.
New episode available now!
The Naked Security team gives their top 5 cybersecurity tips.
Connected devices are increasingly being targeted by hackers and cybercriminals. Deloitte shares five tips on how companies can better protect their IoT devices.
Cybercriminals continue to seed app stores with malicious apps, advanced attackers successfully compromise mobile devices, and advertisers continue to track users, new reports show.
Samsung is reportedly rolling out fixes for a glitch that allowed anyone to dupe its Galaxy S10 fingerprint authentication sensor.
Scammers are targeting those hoping for #CashAppFriday "blessings."
Google Cloud Platform suffered issues around the same time as Amazon Web Services but claims they were not caused by DDoS.
Why Google and Mozilla are wrong about the benefits of Extended Validation certificates that aim to prevent fraud and protect user privacy.
A new information stealer is gaining rapid popularity with the cybercriminal community - leading to it infecting hundreds of millions of victims.
Malware was designed to carry out click-fraud, Wandera says.
I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.
IoT and software defined networking (SDN) are key components to help the enterprise move forward in a digital society.
Potential follow-on attacks on religious organizations could include credit-card theft via spearphishing, fraud and network intrusion.
The program offers resources and advice to help protect elections at every level within the US.
Symptoms of job dissatisfaction creep into an industry already plagued with gaps in diversity and work-life balance.
As 5G permeates the industry, Syniverse shows how major companies can prepare for the tech.
Blockchain isn't reserved for bitcoin. Here's how the telecommunications sector can benefit.
What were the phishers after? People's login details for Office 365.
He drained data from firms working on hot new technology, sneaking in with a fake access badge, planting hardware and software keyloggers.
Targeted ransomware, mobile malware and other attacks will surge, while companies will adopt AI, better cloud security and cyber insurance to help defend and protect against them.
Blockchain is a powerful security tool for mobile providers. Here's how to unlock its potential.
Mozilla has added another privacy tweak to Firefox version 70 - the ability to quickly see how often websites are tracking users.
With a little research and basic planning, small companies can make big strides against the cybersecurity threats they face. Here's how.
Avivah Litan, vice president and distinguished analyst for Gartner, explains how deepfake videos can be used to distort reality and how people can fight it through AI models and blockchain.
Hundreds of fake domains have been set up against some of the presidential candidates through typosquatting, according to a report from digital risk company Digital Shadows.
Attackers who broke into the city's network demand four Bitcoins in ransom or threaten to share stolen personal and financial data.
Turns out, a lot. Get people to fall in love with the security team, and you'll get them to care about security, CISOs say in part 2 of a two-part series about building security culture.
From hacking hotel room robots to crackdowns on stalkerware apps, Threatpost editors break down this week's top news stories.
A smart mobile-first phishing effort uses valid certificates to sign fake Office 365 pages, and logs keystrokes in real time.
Zend Framework before 2.2.10 and 2.3.x before 2.3.5 has Potential SQL injection in PostgreSQL Zend\Db adapter.
An open cloud database sets the stage for phishing attacks for users of the subscription service.
October is Cybersecurity Awareness Month, and the Identity Theft Resource Center is providing tips to keep consumers and companies safe.
The FBI warns about e-skimming, a VPN is hacked, and the best and worst states for online privacy. Catch up on the news of the week with the Friday Five!
Study the weaknesses of WPA-TKIP encryption and bone up on the most secure cryptographic APIs at Black Hat Europe.
D-Link DIR-865L has PHP File Inclusion in the router xml file.
D-Link DIR-865L has Information Disclosure.
D-Link DIR-865L has SMB Symlink Traversal due to misconfiguration in the SMB service allowing symbolic links to be created to locations outside of the Samba share.
TP-Link TL-WDR4300 version 3.13.31 has multiple CSRF vulnerabilities.
Linksys EA6500 has SMB Symlink Traversal allowing symbolic links to be created to locations outside of the Samba share.
An e-skimmer placed on the Procter & Gamble-owned First Aid Beauty site to steal payment card data went undetected for five months.
Senators penned a letter to the FTC urging it to investigate whether Amazon is to blame for the massive Capital One data breach disclosed earlier this year.
CVE-2017-11882 has been attackers' favorite malware delivery mechanism throughout the second and third quarters of 2019.
Bitfinex says the payment processor has $880M of the cryptocurrency exchange's "lost" funds. Polish authorities seized $390m of it.
Attacks are targeting international companies in the financial sector, demanding that victims pay ransom in Bitcoin.
A mirror copy of the BBC's international news website is now available to users on the so-called dark web.
US lawmakers asked intelligence to look into whether the app and others like it could pose a security threat or be used to influence opinion.
Johannesburg spent the weekend struggling to recover from its second malware attack this year as it took key services systems offline.
Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time.
Traditionally, the worlds of IT (the hoodie) and OT (the hard hat) have been separate. That must change.
A Magecart skimmer, discovered on the site of First Aid Beauty, was only just removed after being in place for five months.
Whether you're a leader of a large enterprise or a smaller business, part of your ongoing security, risk management, and compliance strategy will be sourcing the most effective solution. This guide, sponsored by Akamai, will help you determine what to look for.
Blockchain, cloud and IoT are just a few of the tools being used within the IBM Garage to help clients innovate. The New York Times is using the IBM Garage to combat fake news by using blockchain.
CVE-2019-11043 is trivial to exploit -- and a proof of concept is available.
pootle 2.0.5-0.2 has XSS via the 'match_names' parameter.
Tiki Wiki CMS Groupware 5.2 has CSRF.
Tiki Wiki CMS Groupware 5.2 has XSS.
Tiki Wiki CMS Groupware 5.2 has Local File Inclusion.
mailscanner can allow local users to prevent virus signatures from being updated.
pixelpost 1.7.1-5 has XSS.
pixelpost 1.7.1-5 has SQL injection.
Zoo 2.10-27 has Directory traversal.
Snoopy 2.0.0-1 has a security hole in exec cURL.
The database was open for approximately one week before the problem was discovered.
The DOJ says a former SEC examiner stole information from the government agency to help him land a chief compliance officer gig at a firm the SEC was investigating.
The popular video app has more than 110 million downloads in the United States and could give China access to users' personal data, they say.
White-hat hackers will now have the chance to win $20,000 for sniffing out remote code-execution flaws in industrial control systems.
Nielsen released predictions for the next decade at the Gartner IT Symposium/Xpo 2019 and CPG and retail supply chains will need automation, blockchain and enhanced analytics to improve security.
Python keyring lib before 0.10 created keyring files with world-readable permissions.
Adobe has become the latest company to be caught leaving an Elasticsearch database full of customer data exposed on the internet.
UniCredit was also hit with hacking incidents in September-October 2016 and June-July 2017.
A new report from IntSights details the many ways cybercriminals break into a new generation of highly digitized cars.
Security experts say voting by app adds another level of risk, as mobile-voting pilots expand for overseas military and voters with disabilities.
The Zero Day Initiative will bring its first ICS Pwn2Own competition to the S4x20 conference in January.
Stegano is a basic Python Steganography module. Stegano implements two methods of hiding: using the red portion of a pixel to hide ASCII messages, and using the Least Significant Bit (LSB) technique. It is possible to use a more advanced LSB method based on integers sets. The sets (Sieve of Eratosthenes, Fermat, Carmichael numbers, etc.) are used to select the pixels used to hide the information.
Alternative data allows businesses to discover trends and financial opportunities without compromising consumer privacy. Tom Merritt explains the five things you need to know about alternative data.
As companies reduce their vendor count, consolidation will likely continue to accelerate in the next year.
The technology - which Facebook won't use in its own apps - subtly distorts face images so they're still recognizable, but not to machines.
The PHP development team has fixed a bug that could allow remote code execution in some setups of the programming language.
The Kardashians love the Gradient app - but they're being paid to use it, whereas for you it's the other way round. Is it safe?
Overall, across all retail programs, more than 18 percent of all bug bounty submissions are critical in severity, a new Bugcrowd report found.
The attack on local web-hosting provider Pro-Service - likely politically motivated - took out 2,000 websites and the national television station.
The answer, in a word, is segmentation. But the inconvenient truth is that segmentation is hard.
As industrial enterprises face the disruptive forces of an increasingly connected world, these two cultures must learn to coexist.
The APT is once again targeting the sports world, Microsoft warns.
A new version of the typically platform-agnostic Adwind trojan has been spotted targeting Windows applications and systems and Chromium-based browsers.
The average company has seen its risk increase, with cybersecurity topping the list of business threats, followed by damage to reputation and financial risks, a report finds.
1.3 million stolen cards, mostly from India, could fetch $130 million for the cybercrooks.
The ServiceNow and Ponemon study found an average 24% increase in cybersecurity spending and a 17% rise in attacks.
This year's compilation features well-known ransomware, botnet, and cryptomining software.
Desktop devices that log into G Suite will have device management enabled by default, streamlining processes for IT admins.
Today's developers and the enterprises they work for must prioritize security in order to reap the speed and feature benefits these applications and new architectures provide.
Learn how to make specific folders and files on OneDrive more secure by using Personal Vault.
A man admitted he installed keyloggers at two companies and used them as a launching pad to steal data on emerging technology they were developing.
Is the C-suite really that bad at following security policy? Or is it a case of mixed messages and misunderstanding?
In a new lawsuit, WhatsApp owner Facebook says that NSO Group was behind the WhatsApp zero-day exploits earlier in 2019.
The Adwind remote access Trojan conceals malicious activity in Java commands to slip past threat intelligence tools and steal user data.
Hadoop 1.0.3 contains a symlink vulnerability.
Bitlbee does not drop extra group privileges correctly in unix.c.
mediawiki allows deleted text to be exposed.
gpw generates shorter passwords than required.
Cisco Video Communications Server (VCS) before X7.0.3 contains a command injection vulnerability which allows remote, authenticated attackers to execute arbitrary commands.
Cross Site Scripting (XSS) in ikiwiki before 3.20110122 could allow remote attackers to insert arbitrary JavaScript due to insufficient checking in comments.
Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-middle attack.
qtparted has insecure library loading which may allow arbitrary code execution.
paxtest handles temporary files insecurely.
ytnef has directory traversal.
asterisk allows calls on prohibited networks.
The proposal would require biometrics systems to verify age before allowing visits to adult sites.
SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user controlled input which allows remote attackers to execute arbitrary PHP code.
ikiwiki before 3.20110608 allows remote attackers to hijack root's tty and run symlink attacks.
Mapserver 5.2, 5.4 and 5.6 before 5.6.5-2 improperly validates symbol index values during Mapfile parsing.
rpcbind 0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /tmp/portmap.xdr and (2) /tmp/rpcbind.xdr.
rpcbind 0.2.0 does not properly validate (1) /tmp/portmap.xdr and (2) /tmp/rpcbind.xdr, which can be created by an attacker before the daemon is started.
The anonymized real-time location data the city's after can easily be associated with riders, thereby jeopardizing their privacy, Uber says.
Facebook is using trademark law to target the operators of sites that imitate or target Facebook and Instagram sites.
Sextortion scammers have started hijacking poorly managed or defunct blogs to expand an increasingly profitable business.
Calling Apple iPhone 5, iPhone 4s or early iPad owners - your device may be about to turn into a vintage technology paperweight.
A Shadow Kill Hackers attack that compromised the city's network and shut down key services was the second ransom-related attack on the city in months.
The source of infection behind an increasingly precarious mobile malware is causing researchers to scratch their heads.
MDR providers can provide a first-of-its-kind solution: Protection across the endpoints, user accounts and the network itself, in one solution.
A Zensar survey of 1,000 workers also found that 45% said a successful company should adopt new tech faster than anyone else.
The utility can identify insecure code in production from third-party packages as well as original code.
It's no longer true that society must choose to either weaken everybody's privacy or let criminals run rampant.
Should you find yourself at a loss for words ...
Find out how to better secure your chromebook with these easy tips.
The housewares giant disclosed a breach with few details, but security researchers have some theories.
Ansvif is "A Not So Very Intelligent Fuzzer". It feeds garbage arguments and data into programs trying to induce a fault.
Unpatched flaws continue to be a major security issue for many organizations.
Decentralized threat intel sharing, more public-private collaboration, and greater use of automated incident response are what's needed to combat phishing.
Of the 200 schools in the report, the University of Pittsburgh and Georgetown University received top marks, with their DMARC policy set to "reject."
Users of Microsoft, PayPal, DHL, and Dropbox are among the top targets of phishers, according to a new report from cloud service provider Akamai.
John Scott-Railton with Citizen Lab, who helped WhatsApp investigate the NSO Group over the alleged WhatsApp hack, said the subsequent lawsuit is a "certified big deal."
More than half of security practitioners surveyed say insider attack detection has grown more difficult since migrating to cloud.
The attack early in the morning of October 29 has taken all of the school district's systems offline.
Evidence suggests NSO Group used WhatsApp's servers to distribute mobile spyware to targeted devices.
The company received $3.6 million in cyber insurance - out of $71 million incurred in damages after a massive March cyberattack.
Jack Wallen offers up his best advice for avoiding malware on Android.
Don't miss all the promising enterprise security Briefings at Black Hat Europe in London this December.
Cybersecurity professionals often talk about the economic drivers of security. But should the conversation shift to include a moral component? At least one analyst says "yes."
Most phishing kits last less than 20 days, a sign defenders are keeping up in the race against cybercrime.
Authentication bypass vulnerability in the web interface in Hunt CCTV, Capture CCTV, Hachi CCTV, NoVus CCTV, and Well-Vision Inc DVR systems allows a remote attacker to retrieve the device configuration.
In xpdf, the xref table contains an infinite loop which allows remote attackers to cause a denial of service (application crash) in xpdf-based PDF viewers.
xpdf allows remote attackers to cause a denial of service (NULL pointer dereference and crash) in the way it processes JBIG2 PDF stream objects.
A cross-site scripting (XSS) vulnerability in ikiwiki before 3.20101112 allows remote attackers to inject arbitrary web script or HTML via a comment.
Transmission before 1.92 allows attackers to prevent download of a file by corrupted data during the endgame.
Transmission before 1.92 allows an attacker to cause a denial of service (crash) or possibly have other unspecified impact via a large number of tr arguments in a magnet link.
drbd8 allows local users to bypass intended restrictions for certain actions via netlink packets, similar to CVE-2009-3725.
The CLI in JBoss Operations Network before 2.3.1 does not properly check permissions, which allows JBoss ON users to perform management tasks and configuration changes with the privileges of the administrator user.
The init script in autokey before 0.61.3-2 allows local attackers to write to arbitrary files via a symlink attack.
Post-acquisition, Symantec DLP customers looking to reduce vendor uncertainty should take advantage of this exclusive offer.
WhatsApp has publicly attributed the attack on its users in May 2019 to the Israeli spyware makers, NSO Group.
The EU has fixed a flaw in the powerful yet complex eIDAS digital identification system that let people authenticate as someone else.
A US court shielded ISP account holders from a request for expedited discovery to see whose IP addresses were used to share pirated videos.
Servers hosting Valve Source Engine and popular games like Fortnite are targeted by a new variant of the Gafgyt botnet.
Executives at high-profile companies are being targeted by a fake voicemail campaign hunting for Office 365 credentials.
Mirror, mirror on the wall, which is the worst side-channel vulnerability of them all?
While it remains difficult to attack critical infrastructure successfully, adversaries aim to use past experience to launch more destructive future attacks, according to analysis.
Pull a Van Helsing on those sucking the lifeblood from your data and intellectual property.
More than half of cybersecurity professionals believe detecting insider attacks has become harder since the migration to the cloud.
Reported cyberattacks against K-12 schools in the US have hit 301 so far in 2019 compared to 124 in 2018 and 218 in 2017, according to a new report from security provider Barracuda Networks.
Sysdig falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think about falco as a mix between snort, ossec and strace.
Locating and blocking unwanted open ports in Linux should be a task every network admin knows how to do.
Chinese state-sponsored hackers are attacking telecom networks to sniff out SMS messages that contain keywords revolving around political dissidents.
These ex-employees copied trade secrets onto private storage devices then bragged that their new business would soon be competing with it.
A fake voice message lures victims to a fake Microsoft 365 login page that prompts them to enter credentials.
The CISO job isn't to protect the entire business from all threats for any budget. It's to spell out what level of protection executives can expect for a given budget.
Mumble: murmur-server has DoS due to malformed client query
burn allows file names to escape via mishandled quotation marks
python-docutils allows insecure usage of temporary files
overkill has buffer overflow via long player names that can corrupt data on the server machine
Felony charges against two employees tasked with testing the physical security of the Dallas County, Iowa, courthouse have been lessened, but that's not enough, CEO says.
Researchers believe the threat group is based in China.
APT41's new campaign is latest to highlight trend by Chinese threat groups to attack upstream service providers as a way to reach its intended targets, FireEye says.
Find out how to configure FreeRADIUS as an SSH authentication server on Ubuntu.
The end of life is near for Python 2, and there will be no rising from the grave this time. So why are some companies and developers risking a lack of security patches to stay with the old version of the programming language?
Researchers detect an updated Gafgyt variant that targets flaws in small office and home wireless routers from Zyxel, Huawei, and Realtek.
IcedTea6 before 1.7.4 allow unsigned apps to read and write arbitrary files, related to Extended JNLP Services.
IcedTea6 before 1.7.4 does not properly check property access, which allows unsigned apps to read and write arbitrary files.
The two men pointed to Uber's $100K hush-money payment when they tried to extort Linkedin-owned Lynda... that instead called the cops.
Interesting timing: Right before Facebook's earnings call, two weeks after Facebook said it won't pull political ads that spout lies.
The Ai.type app was removed from Google Play in June 2019 - but still remains on millions of Android devices and is still available from other Android marketplaces, researchers warn.
The Common Vulnerabilities and Exposures (CVE) system is 20 years old this week.
Training your people and building relationships outside of the security organization is the most significant investment a CISO can make.
TWiki allows arbitrary shell command execution via the Include function
A vocal minority of the committed Apple base has been quick to express dissatisfaction at the move to Catalina from macOS 10.14 Mojave.
Is it possible to configure SSH to listen for connections on both internal and external interfaces, using different ports? Jack Wallen says "yes."
Google warns exploits in the wild against a Use After Free vulnerability in Chrome's audio component.
As retailers head into the holiday rush, here's how they can protect their businesses from attackers and scammers hoping to wreak havoc during the most wonderful time of the year.
The latest episode of the Naked Security podcast is out now!
The fix addresses CVE-2019-13720, a high-severity, use-after-free vulnerability discovered by Kaspersky Lab researchers.
QNAP Systems says there is no known way to remove the Qsnatch malware infecting its NAS devices besides a full factory reset.
An elaborate fraudster ring stole PII then used DoD and VA benefits portals to steal payments and funds from bank accounts.
Find out how to work some SSH magic, by transferring a file from one machine to another from a third.
Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.
The March 5 DDoS attack interrupted communications between generating facilities and the electrical grid in three western states.
The hackers behind Uber's 2016 breach finally plead guilty, WhatsApp pushes back against NSO Group, and an army admin steals millions from veterans - catch up on the week's news with the Friday Five.
Threatpost editors discuss this week's biggest news - from a data breach of Bed Bath & Beyond, a tricky phishing attack and widespread APT activity.
Capture the Flag challenge encourages women to pursue cybersecurity careers and connects experts with newcomers
Mutt before 1.5.20 patch 7 allows an attacker to cause a denial of service via a series of requests to mutt temporary files.
Cross-site scripting (XSS) vulnerability in websieve v0.62 allows remote attackers to inject arbitrary web script or HTML code in the web user interface.
Nonprofit Defending Digital Campaigns (DDC) offers security services for email, user education, mobile, and encrypted communications, to federal election committees.
A simple attack on an unpatched server could have been catastrophic for the Utah-based utility.
Researchers warn XML macros embedded in SYLK files can sidestep Microsoft Office for Mac protections.
A race condition in temp files was found in gs-gpl before 8.56 addons scripts.
Roundup: From updating macOS Catalina and old i-devices, to the ransomware attack that took a city offline - and everything in between.
The exception: drones being used in emergencies, such as fighting wildfires, search and rescue, and dealing with natural disasters.
The first attacks that exploit the zero-day Windows vulnerability install cryptominers and scan for targets rather than a worm with WannaCry potential.
Together with her troll colleagues, she managed 200 fake social profiles, promoted clients' products, and trolled their competitors.
Phishing attacks require two things: a lure and a landing. This Akamai-sponsored report digs deep into how the phishing economy works and ways organizations can protect themselves from the ever-evolving threat.
As the specter of warrior robots looms large, the Pentagon has published a set of ethical guidelines for its use of artificial intelligence.
The new law compels the country's ISPs to forward all data arriving and departing from their networks through special gateway servers.
Multicloud environments change rapidly. Organizations need a security framework that is purpose-built for the cloud and that aligns with their digital transformation strategy.
With their lens into the human side of business, human resources can be an effective partner in the effort to train employees on awareness and keep an organization secure.
In September, a Nikkei America employee transferred $29 million to BEC scammers who were purporting to be a Nikkei executive.
The network configuration management utility has two unpatched critical remote code execution vulnerabilities.
Wake-on-LAN and ARP pinging have expanded Ryuk's reach into corporate LANs -- and its operators' monetization abilities.
Sumo Logic plans to integrate JASK's autonomous security operations center software into a new intelligence tool.
Crashing honeypots alerted the researcher who found the Bluekeep vulnerability.
Know any Apple developers? Make sure they're signed up to Apple's security advisories, and getting their developer updates.
Smart voice assistants can be hijacked by attackers using lasers to send them remote, inaudible commands.
There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.
Stealing payment-card data and PII from e-commerce sites has become so lucrative that some are being targeted by multiple groups at the same time.
New tools and updates aimed at addressing ongoing challenges with insider threats and sensitive data classification.
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.
Excel's handling of an old macro format gives unauthenticated remote attackers a way to take control of vulnerable systems, Carnegie Mellon's CERT/CC says.
A friend heard a couple arguing but couldn't make out what it was about. Police hope that Alexa might have a better idea.
Incident that exposed emails to a PayPal scam once again highlights the persistent nature of third-party security risk.
"Here's our new bank account number," the scammers said. When the real construction firm sent their invoice, payment was made to the crooks.
Google has patched an Android bug that could have allowed attackers to use NFC to send over a malicious file to the victim's phone
Web development is at much more risk than commonly perceived. As attackers eye the enterprise, third-party code provides an easy way in.
In 2019, 23 city governments in Texas experienced a coordinated ransomware attack. Tom Merritt explains how they defended themselves and ways you can protect your own business.
Cybercriminals are leveraging political names and figures for social engineering as the elections loom.
Still running Office 2011 on a Mac? If so, there are at least two reasons why that might not be a good idea.
The $225 million acquisition will help Proofpoint expand its data loss prevention capabilities with email, CASB, and data at rest.
Digital Guardian, through its integration with Microsoft Information Protection, helps enrich Microsoft's data loss prevention capabilities.
New study: 3 in 5 have experienced discrimination in the workplace
Cyberspace is the fifth domain of warfare, yet there is a critical shortage of security experts ready to combat cybercrime.
Phishing and ransomware top the list of security risks that organizations are not fully prepared to deal with.
A pair of experts pass along lessons learned while building out the team and processes necessary to support Starbucks' mobile app.
In the past, outing nation-state cyber espionage groups caused a few to close up shop, but nowadays actors are more likely to switch to new infrastructure and continue operations.
Feeling creative? Submit your caption in the comments, and our panel of experts will reward the winner with a $25 Amazon gift card.
OpenTitan is an open source collaboration among Google and technology companies to strengthen root-of-trust chip design.
The _ger_parse_control function in Red Hat Directory Server 8 and the 389 Directory Server allows attackers to cause a denial of service (NULL pointer dereference) via a crafted search query.
rpcbind 0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /tmp/portmap.xdr and (2) /tmp/rpcbind.xdr.
rpcbind 0.2.0 does not properly validate (1) /tmp/portmap.xdr and (2) /tmp/rpcbind.xdr, which can be created by an attacker before the daemon is started.
Nvu 0.99+1.0pre uses an old copy of Mozilla XPCOM which can result in multiple security issues.
Company introduces Falcon for AWS, Falcon Firewall Management, and third-party applications.
A hidden feature in some newer models of the vendor's programmable logic controllers leaves the devices open to attack. Siemens says it plans to fix it.
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-3947. Reason: This candidate is a reservation duplicate of CVE-2007-3947. Notes: All CVE users should reference CVE-2007-3947 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
There is a possible heap overflow in libclamav/fsg.c before 0.100.0.
archivemail 0.6.2 uses temporary files insecurely leading to a possible race condition.
linux vserver 2.6 before 2.6.17 suffers from privilege escalation in remount code.
termpkg 3.3 suffers from buffer overflow.
xlockmore 5.13 allows potential xlock bypass when FVWM switches to the same virtual desktop as a new Gaim window.
xlockmore 5.13 and 5.22 segfaults when using libpam-opensc and returns the underlying xsession. This allows unauthorized users access to the X session.
Invest in "binary options," they said, neglecting to mention the software set up to rig transactions so that customers lost the gamble.
A ransomware attack has ransacked at least two Spanish companies, leaving their employees without computer access.
Mozilla on Friday posted a letter urging Congress to take the broadband industry's lobbying against encrypted DNS within Firefox and Chrome with a grain of salt.
Researchers have discovered that some voice assistants will accept "signal injection" commands sent to them using pulses of laser light.
The 2020 Security Plan PPT template helps security professionals engage their organization's decision-makers and gets their backing for critical security decisions.
Web analytics help phishers hone their attacks -- but website defenders can also use these tactics to better detect the scope of attacks and mitigate their effects.
A new platform is being unveiled that is aimed at banks and their suppliers. The goal is to help them adhere to strict industry regulatory compliance, security and resiliency requirements.
Since Emotet came out of hibernation last month, researchers are seeing the banking trojan's authors take on a consistent trend of new evasion tactics and social engineering techniques.
Should you get an e-mail with the subject 'stinky cheese'...
Prioritizing alerts is foundational to security, but almost every organization struggles to manage this process efficiently. Here's what you can do about it.
Bluto is a dns reconnaissance, vulnerability checking, and enumeration tool.
AIEngine is a packet inspection engine with capabilities of learning without any human intervention. It helps network/security professionals to identify traffic and develop signatures for use on NIDS, firewalls, traffic classifiers and so on.
The group was exposed after a ShadowBrokers leak.
Facebook said that 100+ third-party app developers had access to restricted data for members of Groups, in its latest privacy snafu.
Federal agencies reportedly had improper access to Social Security data belonging to 3,200 license holders.
A report from security firm Akamai found that hackers were using analytics services to optimize their phishing efforts.
A report in the New York Times this week revealed how widespread the theft of biomedical secrets is at U.S. universities and research institutions.
Proactive defense and automation can help your company deal with scale and prioritize risks in order to more efficiently fight cyber espionage.
drupal6 version 6.16 has open redirection
Rbot Reaction plugin allows command execution
makepasswd 1.10 default settings generate insecure passwords
A recent US Commerce Department blacklist of several Chinese entities leaves a looming question: What happens if your products are now prohibited?
konversation before 1.2.3 allows attackers to cause a denial of service.
WebApp JSP Snoop page XSS in jetty through 6.1.21.
Cookie Dump Servlet stored XSS vulnerability in jetty through 6.1.20.
JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.
Dump Servlet information leak in jetty before 6.1.22.
burn allows file names to escape via mishandled quotation marks
python-docutils allows insecure usage of temporary files
Trend Micro customers whose data was sold are getting scam calls from criminals purporting to be support staff.
The industry partnership will scan apps for malware before they're published on the Google Play Store.
Yes, ransomware is plaguing businesses and government organizations, but impersonators inserting themselves into financial workflows - most often via e-mail - continue to enable big paydays.
A targeted campaign is delivering an information-stealing malware called Predator the Thief.
Tactics for when authorized users need to connect to network resources, or need to venture out to the web to complete important tasks.
This is a "game changer" when it comes to genetic privacy rights, experts say.
An email scam from earlier this year has resurfaced on Facebook - don't fall for it!
Security researcher Stanislas Lejay offers a preview of his upcoming Black Hat Europe talk on automotive engine computer management and hardware reverse engineering.
Threat actor was active between 2009 and 2017, targeting military, government, and private organizations.
It shut down that access in April 2018, or at least thought it did. At least 11 improperly accessed data in the last two months.
After years of unsuccessfully battling malware and bad apps in the Google Play store and on more than 2.5 billion Android devices, Google is finally doing something about it. The tech giant this week unveiled an alliance with three companies with specific expertise in endpoint security to help prevent the spread of malware on its [...]
We've all been there - faced with a button that is just begging to be pressed...
The bug is identified as CVE-2019-18408, a high-priority "use-after-free" bug when dealing with a failed archive.
Despite trillions of dollars in breach fine payouts, each year the number of compromised companies and individuals with private data exposed rise.
An old piece of malware is storming the WordPress community, enabling its perpetrators to take control of sites and inject code of their choosing.
Dangerous URL messages, the resurgence of Emotet, and banking trojans flood the cyberthreat landscape, Proofpoint found.
A member of IBM's X-Force Red team hacked two CBS reporters for three weeks. Find out what information she gathered, as well as what phishing entails.
Mission-critical systems can't just be switched off to apply security updates -- so patching can take weeks if not years.
There is no premium that will recover the millions of dollars your company spends on R&D if your intellectual property is hacked and stolen.
Travesty is a tool that can leverage a known directory traversal to assist in identifying interesting directories and files.
BlueKeep's back, ransomware batters Spain, and yet more sextortion - listen now!
Vulnerabilities in several PC gaming products offered by Nvidia can lead to escalation of privilege, denial of service and other malicious attacks.
Stephanie "Snow" Carruthers, Chief People Hacker at IBM, gives advice about protecting yourself online. She also explains how the robocalls and spoofing process works.
An IBM X-Force Red team member explains how her background in makeup and sales helps her social engineering career. Also, she demonstrates how cybercriminals can easily clone your work ID badge.
IBM's Chief People Hacker Stephanie "Snow" Carruthers describes how criminals use caller ID spoofing to get your private data.
Support for Windows 7 and Server 2008 is ending in January 2020. Here's how to protect your systems.
The skills gap will only be closed by attracting and retaining new talent. So don't limit your talent search to CISSPs, says the COO of the organization that issues the CISSP certification.
Several factors edged the world's most popular payment service into the top spot.
Flaws in Das U-Boot affect third-party hardware that uses the universal bootloader as an underlying component.
The bank is searching for a new chief information security officer months after its major data breach.
How tying and measuring security investments to business impacts can elevate executives' understanding and commitment to cyber-risk reduction.
Drupal 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack.
A vulnerability exists in kernel/time/clocksource.c in the Linux kernel before 2.6.33 where on non-GENERIC_TIME systems (GENERIC_TIME=n), accessing /sys/devices/system/clocksource/clocksource0/current_clocksource results in an OOPS.
The DoJ charges former Twitter employees for allegedly accessing thousands of accounts on behalf of Saudi Arabia.
The latest version of iOS offers some convenient ways to manage location tracking by apps.
Two breaches at healthcare providers in Maine recently led to the exposure of 52,000 patients' protected health information.
Smart prioritization, great staff and supportive tools are a good start.
Security operations must focus on three key areas: detection, response, and prediction.
Overall volumes of banking Trojans and RATs increased during the third quarter, when Emotet was suspiciously absent until mid-September.
viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option.
Mondo 2.24 has insecure handling of temporary files.
In Linux 2.6 before 2.6.23, the TRACE_IRQS_ON function in iret_exc calls a C function without ensuring that the segments are set properly. The kernel's %fs needs to be restored before the call in TRACE_IRQS_ON and before enabling interrupts, so that "current" references work. Without this, "current" used in the window between iret_exc and the middle of error_code where %fs is reset, would crash.
The companies are the latest on a long and growing list of organizations that have fallen victim to users with legitimate access to enterprise systems and data.
Andrew Conway, general manager for Microsoft 365 Security, discusses how to prevent credential theft by relying on biometric security.
Chris Bell, director of product management at Secureworks, describes the difficult balance to strike for presenting actionable information to security professionals without exhausting them with information overload.
Nitzan Miron, VP of application security services at Barracuda Networks, discusses the Azure-delivered WAF-as-a-Service product offering announced at Microsoft Ignite 2019
gri before 2.12.18 generates temporary files in an insecure way.
FireGPG before 0.6 handles the user's passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk, which may result in the compromise of secure communication or a user's private key.
In JON 2.1.x before 2.1.2 SP1, users can obtain unauthorized security information about private resources managed by JBoss ON.
frysk packages through 2008-08-05 as shipped in Red Hat Enterprise Linux 5 are built with an insecure RPATH set in the ELF header of multiple binaries in /usr/bin/f* (e.g. fcore, fcatch, fstack, fstep, ...) shipped in the package. A local attacker can exploit this vulnerability by running arbitrary code as another user.
clamav 0.91.2 suffers from a floating point exception when using ScanOLE2.
Bandits? Egg hurling?! Up to 92.5% visibility obscured??!! Don't share this turkey, but do let us know if you decide to test your wipers!
This week's bold rebrand of Facebook to FACEBOOK can't hide the growing sense that nobody is happy with the company right now.
An IT project manager has pleaded guilty to accessing the email account of a former client's CEO, said reports this week.
Attackers could access Wi-Fi credentials due to a problem in initial configuration of the smart doorbell device.
From voice assistant hacks to insider threats, Threatpost editors break down this week's biggest news.
The right password manager can help bring enterprise-class security to small businesses. Here are a half-dozen candidates to strengthen your access management.
This isn't a one-size-fits-all situation. Simplify as much as you can, as the saying goes, but no more than that.
A vulnerability in Amazon's Ring doorbell cameras would have allowed a local attacker to gain access to a target's entire wireless network.
The latest edition of the bi-annual hacking contest saw creative exploits in new device categories.
Breach remediation processes adversely impact timeliness in patient care and outcomes, a new study finds.
Unlike Elliot, real-world adversaries don't have lofty ideals nor do they suffer crises of conscience.
In all, bug hunters from around the world submitted over 6,500 vulnerabilities in October alone.
IR teams are under tremendous pressure, often working long hours and putting their needs aside amid a security crisis. Their care is just as important as policy and procedure.
Fallout from giants at the top is one of the largest drivers of cyber-impacts on everyday people and companies.
The company announced at VMworld 2019 Europe in Barcelona how it will integrate Carbon Black into its suite of tools.
Learn how to obfuscate SSH login with port knocking.
The trojan was observed as the final payload in a sophisticated and complex malware installation code set.
qpid-cpp 1.0 crashes when a large message is sent and the Digest-MD5 mechanism with a security layer is in use.
dtc-xen 0.5.x before 0.5.4 suffers from a race condition where an attacker could potentially get bash access as the xenXX user on the dom0, and then potentially reuse an already opened VPS console.
liboping 1.3.2 allows users to read arbitrary files on the local system.
In RHEV-M VDC 2.2.0, it was found that the SSL certificate was not verified when using the client-side Red Hat Enterprise Virtualization Manager interface (a Windows Presentation Foundation (WPF) XAML browser application) to connect to the Red Hat Enterprise Virtualization Manager. An attacker on the local network could use this flaw to conduct a man-in-the-middle attack, tricking the user into thinking they are viewing the Red Hat Enterprise Virtualization Manager when the content is actually attacker-controlled, or modifying actions a user requested Red Hat Enterprise Virtualization Manager to perform.
MantisBT 1.2.x before 1.2.2 insecurely handles attachments and MIME types. Arbitrary inline attachment rendering could lead to cross-domain scripting or other browser attacks.
alsa-utils 1.0.19 and later versions allows local users to overwrite arbitrary files via a symlink attack via the /usr/bin/alsa-info and /usr/bin/alsa-info.sh scripts.
From hackable voice assistants to ISPs allegedly lying about encrypted DNS, and everything in between. It's weekly roundup time.
Shuffling people into - surprise! - cobwebby rat traps has been a snap. Actual vetting may help, plus a new guarantee of 100% refunds.
Aventura allegedly imported cheap cameras and network-enabled security gear from China, then slapped US flag stickers on them.
The text-generating AI has only been released in neutered forms until now, for fear it would be used to mass-produce fake news and spam.
It can't be overstated: Web attacks and credential stuffing are real, long-term threats. This white paper, sponsored by Akamai, focuses on how they are impacting the high-tech, video media, and entertainment sectors.
Researchers noticed that the main app configuration file, ADBMobileConfig.json, contained settings that could lead to security problems.
Apple is investigating an issue raised by a Mac specialist discovered to be storing emails that are supposed to be S/MIME-encrypted as readable files.
Security needs to be a central element of due diligence if a merger or acquisition is to succeed
This engineer purportedly stole sensitive aerospace technology from his employer and emailed it his brother in the Iranian military.
SmarterASP.NET said that it is in the middle of recovering accounts downed by the ransomware attack.
With 5G comes a larger attack surface and more devices accessing the network. Companies must ramp up security strategies to stay protected, AT&T report finds.
Commentary: Open source is a tangled web of interdependencies. How can we do better to secure this web?
Microsoft has urged people to patch their Windows systems following the appearance of mass BlueKeep exploits just over a week ago.
When it comes to bouncing back, long-term impact to share prices from a data breach incident is significant on average for large companies.
Master new exploit techniques for Microsoft RDP, Java remote protocols at Black Hat Europe in London next month.
A new analysis advises security teams on what they should know about the underground payment card seller.
How to solve the cybersecurity skills gap by striking a balance with artificial intelligence.
Cheap labor, frequent data breaches, and better fraud detection technology are fueling frustrating changes in attackers' methods.
The acquisition was confirmed just six months after Carbonite bought Webroot.
Cloud APIs' accessibility over the Internet opens a new window for adversaries to gain highly privileged access to cloud assets.
The specific type of TCP attack used in the recent spate of DDoS efforts was the TCP SYN-ACK reflection attack.
An annual Verizon report looks at how complete compliance to credit-card payment-regulations can boost business, save time and money, and maintain safe cybersecurity.
With more than 440,000 customers, SmarterASP.NET is said to be one of the most popular ASP.NET hosting providers.
The SIM-swap victim knew he was in trouble when he got a 3:30 a.m. message about his phone service being cut off.
The move takes a broader stand to protect user data and support the requirements of CCPA nationwide.
The update fixes 11 mainly high-severity security flaws in Windows and GeForce graphics card drivers, including three in the program used to update them.
Apple may care about your privacy but that doesn't mean it gets it right all the time, especially when it comes to training its Siri AI assistant.
Organizations realize the scale of cyber-risk but lack counter-actions to build resilience.
An overabundance of confidence can lead to blind spots, but a Nominet report finds widespread doubt in organizations' security posture.
A majority of IT staffers polled by firewall management service FireMon said they still use manual processes to manage changes.
Cybercriminals tried to take the Labour Party's digital platforms offline weeks before the election on December 12.
The ubiquitous Caller ID hasn't changed much over the years, but the technology to exploit it has exploded. That may be about to change.
Adobe's monthly patch load is low for November, with only three critical bugs fixed and eight important.
The platform is a favorite target for the Magecart collective of card-skimming threat groups.
The issue is in an Intel chip used for remote management.
A member of IBM's X-Force Red team hacked two CBS reporters for three weeks. Find out what information she gathered, as well as what phishing entails.
MonsterCloud CEO says RYUK attacks can be fatal for businesses that can't afford to pay the ransom or to get help from experts.
In wake of a massive breach, a U.S. Senator is pressing the U.S. Department of Health and Human Services to explain how it oversees medical imaging security.
Hospitals are reluctant to disclose attacks, and regulations don't offer clear advice about what to tell patients.
Attackers could take advantage of simple design flaws in widely distributed drivers to gain control over Windows systems.
Organizations without MFA are wide open to attack when employees fall for phishing scams or share passwords. What's holding them back?
IIoT-generated data (calibrations, measurements and other parameters) still needs to be stored, managed and shared securely.
Attackers over the past month have been using a rarely seen approach to disrupt services at large organizations in several countries.
Microsoft tackles 74 bugs as part of its November Patch Tuesday security bulletin.
Rogue employees -- not just external threat groups -- pose a formidable threat to incident response teams.
The November Patch Tuesday update fixed 13 critical flaws, including a zero-day bug in Internet Explorer.
Stability of PCI DSS helps companies cope and create more mature security programs, but some parts of the Payment Card Industry's Data Secure Standard continue to cause headaches.
makepasswd 1.10 default settings generate insecure passwords
A new Nominet survey shows a familiar disconnect between business and security teams on the matter of cyber preparedness.
Or your small/new channel, or to shut you down if you use an ad blocker, though a clause in its new ToS is leading people to fear the worst.
Microsoft said CCPA is good news, given the failure of Congress to pass a comprehensive privacy protection law at the federal level.
U.S. Customs agents now must have reasonable cause and suspicion to search traveler devices at points of entry.
Medtronic's latest problem is in its Valleylab electrosurgical generators, used by surgeons for things like cauterisation during operations.
Apple has yanked an app from its iTunes App Store that allowed Instagram users to follow their friends' activities on the social network.