βΌ CVE-2020-29059 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. There is a default panger123 password for the suma123 account for certain old firmware.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29054 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. Attackers can use "show system infor" to discover cleartext TELNET credentials.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29063 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. A custom encryption algorithm is used to store encrypted passwords. This algorithm will XOR the password with the hardcoded *j7a(L#yZ98sSd5HfSgGjMj8;Ss;d)(*&^#@$a2s0i3g value.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29055 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. By default, the appliance can be managed remotely only with HTTP, telnet, and SNMP. It doesn't support SSL/TLS for HTTP or SSH. An attacker can intercept passwords sent in cleartext and conduct man-in-the-middle attacks on the management of the appliance.π Read
via "National Vulnerability Database".
βΌ CVE-2020-26235 βΌ
π Read
via "National Vulnerability Database".
In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time::OffsetDateTime::try_now_local. Non-Unix targets are unaffected. This includes Windows and wasm. The issue was introduced in version 0.2.7 and fixed in version 0.2.23.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29056 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. One can escape from a shell and acquire root privileges by leveraging the TFTP download configuration.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29061 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. There is a default root126 password for the root account.π Read
via "National Vulnerability Database".
βΌ CVE-2020-26241 βΌ
π Read
via "National Vulnerability Database".
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..04 with R as an argument, then overwrites R to Y, and finally invokes the RETURNDATACOPY opcode. When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y. This is fixed in version 1.9.17.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29071 βΌ
π Read
via "National Vulnerability Database".
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving sensitive information about encrypted e-mails, depending on the permissions of the target user.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29072 βΌ
π Read
via "National Vulnerability Database".
A Cross-Site Script Inclusion vulnerability was found on LiquidFiles before 3.3.19. This client-side attack requires user interaction (opening a link) and successful exploitation could lead to encrypted e-mail content leakage via messages/sent?format=js and popup?format=js.π Read
via "National Vulnerability Database".
βΌ CVE-2020-26242 βΌ
π Read
via "National Vulnerability Database".
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18.π Read
via "National Vulnerability Database".
βΌ CVE-2020-26240 βΌ
π Read
via "National Vulnerability Database".
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected. This issue is fixed as of 1.9.24π Read
via "National Vulnerability Database".
β S3 Ep8: A conversation with Katie Moussouris β
π Read
via "Naked Security".
Here's the latest Naked Security Podcast - listen now!π Read
via "Naked Security".
Naked Security
S3 Ep8: A conversation with Katie Moussouris [Podcast]
Hereβs the latest Naked Security Podcast β listen now!
β Light-Based Attacks Expand in the Digital Home β
π Read
via "Threat Post".
The team that hacked Amazon Echo and other smart speakers using a laser pointer continue to investigate why MEMS microphones respond to sound.π Read
via "Threat Post".
Threat Post
Laser-Based Hacking from Afar Goes Beyond Amazon Alexa
The team that hacked Amazon Echo and other smart speakers using a laser pointer continue to investigate why MEMS microphones respond to sound.
π΄ Why Security Awareness Training Should Be Backed by Security by Design π΄
π Read
via "Dark Reading".
Cybersecurity training needs an overhaul, though the training itself is only one small part of how security teams can influence user behavior.π Read
via "Dark Reading".
Dark Reading
Why Security Awareness Training Should Be Backed by Security by Design
Cybersecurity training needs an overhaul, though the training itself is only one small part of how security teams can influence user behavior.
π΄ Prevention Is Better Than the Cure When Securing Cloud-Native Deployments π΄
π Read
via "Dark Reading".
The "OODA loop" shows us how to secure cloud-native deployments and prevent breaches before they occur.π Read
via "Dark Reading".
Dark Reading
Prevention Is Better Than the Cure When Securing Cloud-Native Deployments
The OODA loop shows us how to secure cloud-native deployments and prevent breaches before they occur.
β How to Update Your Remote Access Policy β And Why You Should Now β
π Read
via "Threat Post".
Reducing the risks of remote work starts with updating the access policies of yesterday.π Read
via "Threat Post".
Threat Post
How to Update Your Remote Access Policy β And Why You Should Now
Amit Bareket of Perimeter 81 believes that reducing the risks of remote work starts with updating the access policies of yesterday.
π¦Ώ Banks looking to confidential computing for solutions to money laundering, theft, and fraud π¦Ώ
π Read
via "Tech Republic".
Tech companies are offering this emerging technology to help financial institutions secure data while it is being processed.π Read
via "Tech Republic".
TechRepublic
Banks looking to confidential computing for solutions to money laundering, theft, and fraud
Tech companies are offering this emerging technology to help financial institutions secure data while it is being processed.
π What is a Security Operations Center (SOC)? π
π Read
via "Digital Guardian".
Learn about how security operations centers work and why many organizations rely on SOCs as a valuable resource for security incident detection.π Read
via "Digital Guardian".
Digitalguardian
What is a Security Operations Center (SOC)?
Learn about how security operations centers work and why many organizations rely on SOCs as a valuable resource for security incident detection.
β Major BEC Phishing Ring Cracked Open with 3 Arrests β
π Read
via "Threat Post".
Some 50,000 targeted victims have been identified so far in a massive, global scam enterprise that involves 26 different malwares.π Read
via "Threat Post".
Threat Post
Major BEC Phishing Ring Cracked Open with 3 Arrests
Some 50,000 targeted victims have been identified so far in a massive, global scam enterprise that involves 26 different malwares.
β Critical MobileIron RCE Flaw Under Active Attack β
π Read
via "Threat Post".
Attackers are targeting the critical remote code-execution flaw to compromise systems in the healthcare, local government, logistics and legal sectors, among others.π Read
via "Threat Post".
Threat Post
Critical MobileIron RCE Flaw Under Active Attack
Attackers are targeting the critical remote code-execution flaw to compromise systems in the healthcare, local government, logistics and legal sectors, among others.