‼ CVE-2020-28577 ‼

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal server hostname and db names.

📖 Read

via "National Vulnerability Database".

❌ Android Messenger App Still Leaking Photos, Videos ❌

The GO SMS Pro app has been downloaded 100 million times; now, underground forums are actively sharing images stolen from GO SMS servers.

📖 Read

via "Threat Post".

❌ Misconfigured Docker Servers Under Attack by Xanthe Malware ❌

The never-before-seen Xanthe cryptomining botnet has been targeting misconfigured Docker APIs.

📖 Read

via "Threat Post".

🕴 SASE 101: Why All the Buzz? 🕴

Wide area networking and network security services unite to provide secure, cloud-based connectivity for enterprises' remote employees -- and these days that means billions of workers.

📖 Read

via "Dark Reading".

🦿 How to protect your personal data from being sold on the Dark Web 🦿

Cybercriminals can use stolen information for extortion, scams and phishing schemes, and the direct theft of money, says Kaspersky.

📖 Read

via "Tech Republic".

🕴 Malicious or Vulnerable Docker Images Widespread, Firm Says 🕴



📖 Read

via "Dark Reading".

🕴 Inside North Korea's Rapid Evolution to Cyber Superpower 🕴

Researchers examine North Korea's rapid evolution from destructive campaigns to complex and efficient cyber operations.

📖 Read

via "Dark Reading".

‼ CVE-2020-26250 ‼

OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authenticator.allowed_users` with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration has not been set. If this is the only mechanism of authorization restriction (i.e. no group or team restrictions in configuration) then all authenticated users will be allowed. Provider-based restrictions, including deprecated values such as `GitHubOAuthenticator.org_whitelist` are **not** affected. All users of OAuthenticator 0.12.0 and 0.12.1 with JupyterHub 1.2 (JupyterHub Helm chart 0.10.0-0.10.5) who use the `admin.whitelist.users` configuration in the jupyterhub helm chart or the `c.Authenticator.whitelist` configuration directly. Users of other deprecated configuration, e.g. `c.GitHubOAuthenticator.team_whitelist` are **not** affected. If you see a log line like this and expect a specific list of allowed usernames: "[I 2020-11-27 16:51:54.528 JupyterHub app:1717] Not using allowed_users. Any authenticated user will be allowed." you are likely affected. Updating oauthenticator to 0.12.2 is recommended. A workaround is to replace the deprecated `c.Authenticator.whitelist = ...` with `c.Authenticator.allowed_users = ...`. If any users have been authorized during this time who should not have been, they must be deleted via the API or admin interface, per the referenced documentation.

📖 Read

via "National Vulnerability Database".

🕴 Unmanaged Devices Heighten Risks for School Networks 🕴

Gaming consoles, Wi-Fi Pineapples, and building management systems are among many devices Armis says it discovered on K-12 school networks.

📖 Read

via "Dark Reading".

‼ CVE-2020-29458 ‼

Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem.

📖 Read

via "National Vulnerability Database".

‼ CVE-2020-29456 ‼

Multiple cross-site scripting (XSS) vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in Papermerge, a malicious document can be sent by email and is automatically uploaded into the Papermerge web application. Therefore, no authentication is required to exploit XSS if email consumption is configured. Otherwise authentication is required.

📖 Read

via "National Vulnerability Database".

🕴 Free Mobile App Measures Your Personal Cyber Risk 🕴

New app for Android and Apple iOS uses an algorithm co-developed with MIT to gauge security posture on an ongoing basis.

📖 Read

via "Dark Reading".

❌ DNS Filtering: A Top Battle Front Against Malware and Phishing ❌

Peter Lowe with DNSFilter discusses the science behind domain name system (DNS) filtering and how this method is effective in blocking out phishing and malware.

📖 Read

via "Threat Post".

‎
⚫️🔴⚫️🔴⚫️🔴⚫️🔴⚫️🔴⚫️
🔴
⚫️ 🤪 Incredible pack of books from €1 in Humble Bundle! 🤭
🔴
⚫️🔴⚫️🔴⚫️🔴⚫️🔴⚫️🔴⚫️
‎

▪️ Hacking: The Art of Exploitation.
▪️ The Car Hacker's Handbook: A Guide for the Penetration Tester.
▪️ Metasploit: A Penetration Tester's Guide.
▪️ Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software.
▪️ Penetration Testing: A Hands-On Introduction to Hacking.
▪️ Attacking Network Protocols: A Hacker's Guide to Capture, Analysis, and Exploitation.
▪️ Practical Packet Analysis, 3rd Edition: Using Wireshark to Solve Real-World Network Problems.
▪️ Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly.
▪️ Malware Data Science: Attack Detection and Attribution.
▪️ Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali.
▪️ The Linux Command Line, 2nd Edition: A Complete Introduction.
▪️ Serious Cryptography: A Practical Introduction to Modern Encryption.
▪️ Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats.
▪️ Black Hat Go: Go Programming For Hackers and Pentesters.
▪️ The Hardware Hacker: Adventures in Making and Breaking Hardware.
▪️ Web Security for Developers: Real Threats, Practical Defense.
▪️ Foundations of Information Security: A Straightforward Introduction.


🔻🔻🔻🔻

‎

🔴 PACK OF BOOKS FROM €1 IN HUMBLE BUNDLE ‼️

---------
▪️ Hacking: The Art of Exploitation.
▪️ The Car Hacker's Handbook: A Guide for the Penetration Tester.
▪️ Metasploit: A Penetration Tester's Guide.
▪️ Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software.
▪️ Penetration Testing: A Hands-On Introduction to Hacking.
▪️ Attacking Network Protocols: A Hacker's Guide to Capture, Analysis, and Exploitation.
▪️ Practical Packet Analysis, 3rd Edition: Using Wireshark to Solve Real-World Network Problems.
▪️ Etc., Etc., Etc.

🕴 Why I'd Take Good IT Hygiene Over Security's Latest Silver Bullet 🕴

Bells and whistles are great, but you can stay safer by focusing on correct configurations, posture management, visibility, and patching.

📖 Read

via "Dark Reading".

🦿 Productivity Score: Microsoft limits features of new tool following 'workplace surveillance' concerns 🦿

Productivity Score will no longer identify how individual users interact with Microsoft 365 apps.

📖 Read

via "Tech Republic".

❌ Microsoft Revamps ‘Invasive’ M365 Feature After Privacy Backlash ❌

The Microsoft 365 tool that tracked employee usage of applications like Outlook, Skype and Teams was widely condemned by privacy experts.

📖 Read

via "Threat Post".

🦿 Sales of CEO email accounts may give cyber criminals access to the "crown jewels" of a company 🦿

Multiple security professionals said stolen credentials on Exploit.in were part of a tidal wave of business email compromise attacks.

📖 Read

via "Tech Republic".

❌ Healthcare 2021: Cyberattacks to Center on COVID-19 Spying, Patient Data ❌

The post-COVID-19 surge in the criticality level of medical infrastructure, coupled with across-the-board digitalization, will be big drivers for medical-sector cyberattacks next year.

📖 Read

via "Threat Post".

⚠ How to steal photos off someone’s iPhone from across the street ⚠

The bug at the heart of this is already patched - but there's a lot to learn from this story anyway.

📖 Read

via "Naked Security".