CVE-2020-26250
via "National Vulnerability Database".
OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in JupyterHub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authenticator.allowed_users` with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration had not been set. If this is the only mechanism of authorization restriction (i.e. no group or team restrictions in configuration), then all authenticated users will be allowed. Provider-based restrictions, including deprecated values such as `GitHubOAuthenticator.org_whitelist`, are **not** affected. Affected are all users of OAuthenticator 0.12.0 and 0.12.1 with JupyterHub 1.2 (JupyterHub Helm chart 0.10.0-0.10.5) who use the `admin.whitelist.users` configuration in the JupyterHub Helm chart or the `c.Authenticator.whitelist` configuration directly. Users of other deprecated configuration, e.g. `c.GitHubOAuthenticator.team_whitelist`, are **not** affected. If you see a log line like this and expect a specific list of allowed usernames: "[I 2020-11-27 16:51:54.528 JupyterHub app:1717] Not using allowed_users. Any authenticated user will be allowed." you are likely affected. Updating oauthenticator to 0.12.2 is recommended. A workaround is to replace the deprecated `c.Authenticator.whitelist = ...` with `c.Authenticator.allowed_users = ...`. If any users have been authorized during this time who should not have been, they must be deleted via the API or admin interface, per the referenced documentation.
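As an added example (not part of the NVD entry or the OAuthenticator project), a Python check that scans a jupyterhub_config.py for the deprecated key, applies the advisory's rename workaround, and matches the log line quoted above; the sample config and the version-check helper are constructed assumptions.

```python
import re

# Constructed sample jupyterhub_config.py fragment (not from any real deployment).
# The base-class key is the one OAuthenticator 0.12.0/0.12.1 silently ignores;
# the provider key org_whitelist is, per the advisory, not affected and must not be flagged.
VULNERABLE_CONFIG = """
c.JupyterHub.authenticator_class = 'oauthenticator.github.GitHubOAuthenticator'
c.Authenticator.whitelist = {'alice', 'bob'}
c.GitHubOAuthenticator.org_whitelist = {'example-org'}
c.Authenticator.admin_users = {'alice'}
"""

# Log line quoted in the advisory: seeing it while expecting a user list means
# the restriction is not being applied.
AFFECTED_LOG_MARKER = "Not using allowed_users. Any authenticated user will be allowed."

# Matches only the base-class key, leaving provider-specific *_whitelist keys alone.
DEPRECATED_RE = re.compile(r"^(\s*c\.Authenticator\.)whitelist(\s*=)", re.MULTILINE)


def version_affected(version):
    """True for oauthenticator versions in the affected range 0.12.0 <= v < 0.12.2 (assumed helper)."""
    parts = tuple(int(p) for p in version.split("."))
    return (0, 12, 0) <= parts < (0, 12, 2)


def find_deprecated_whitelist(config_text):
    """Return the config lines that set the deprecated c.Authenticator.whitelist key."""
    return [line for line in config_text.splitlines() if DEPRECATED_RE.match(line)]


def migrate_config(config_text):
    """Apply the advisory's workaround: rename the key to allowed_users, keeping the value."""
    return DEPRECATED_RE.sub(r"\1allowed_users\2", config_text)


def log_shows_open_access(log_lines):
    """True if any hub log line carries the 'any authenticated user' marker."""
    return any(AFFECTED_LOG_MARKER in line for line in log_lines)


if __name__ == "__main__":
    for hit in find_deprecated_whitelist(VULNERABLE_CONFIG):
        print("deprecated and ignored by OAuthenticator:", hit)
    print(migrate_config(VULNERABLE_CONFIG))
```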
Unmanaged Devices Heighten Risks for School Networks
via "Dark Reading".
Gaming consoles, Wi-Fi Pineapples, and building management systems are among many devices Armis says it discovered on K-12 school networks.
CVE-2020-29458
via "National Vulnerability Database".
Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem.
CVE-2020-29456
via "National Vulnerability Database".
Multiple cross-site scripting (XSS) vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in Papermerge, a malicious document can be sent by email and is automatically uploaded into the Papermerge web application. Therefore, no authentication is required to exploit XSS if email consumption is configured. Otherwise authentication is required.
Free Mobile App Measures Your Personal Cyber Risk
via "Dark Reading".
New app for Android and Apple iOS uses an algorithm co-developed with MIT to gauge security posture on an ongoing basis.
DNS Filtering: A Top Battle Front Against Malware and Phishing
via "Threat Post".
Peter Lowe with DNSFilter discusses the science behind domain name system (DNS) filtering and how this method is effective in blocking out phishing and malware.
Incredible pack of books from €1 in Humble Bundle!
- Hacking: The Art of Exploitation.
- The Car Hacker's Handbook: A Guide for the Penetration Tester.
- Metasploit: A Penetration Tester's Guide.
- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software.
- Penetration Testing: A Hands-On Introduction to Hacking.
- Attacking Network Protocols: A Hacker's Guide to Capture, Analysis, and Exploitation.
- Practical Packet Analysis, 3rd Edition: Using Wireshark to Solve Real-World Network Problems.
- Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly.
- Malware Data Science: Attack Detection and Attribution.
- Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali.
- The Linux Command Line, 2nd Edition: A Complete Introduction.
- Serious Cryptography: A Practical Introduction to Modern Encryption.
- Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats.
- Black Hat Go: Go Programming For Hackers and Pentesters.
- The Hardware Hacker: Adventures in Making and Breaking Hardware.
- Web Security for Developers: Real Threats, Practical Defense.
- Foundations of Information Security: A Straightforward Introduction.
Why I'd Take Good IT Hygiene Over Security's Latest Silver Bullet
via "Dark Reading".
Bells and whistles are great, but you can stay safer by focusing on correct configurations, posture management, visibility, and patching.
Productivity Score: Microsoft limits features of new tool following 'workplace surveillance' concerns
via "Tech Republic".
Productivity Score will no longer identify how individual users interact with Microsoft 365 apps.
Microsoft Revamps 'Invasive' M365 Feature After Privacy Backlash
via "Threat Post".
The Microsoft 365 tool that tracked employee usage of applications like Outlook, Skype and Teams was widely condemned by privacy experts.
Sales of CEO email accounts may give cyber criminals access to the "crown jewels" of a company
via "Tech Republic".
Multiple security professionals said stolen credentials on Exploit.in were part of a tidal wave of business email compromise attacks.
Healthcare 2021: Cyberattacks to Center on COVID-19 Spying, Patient Data
via "Threat Post".
The post-COVID-19 surge in the criticality level of medical infrastructure, coupled with across-the-board digitalization, will be big drivers for medical-sector cyberattacks next year.
How to steal photos off someone's iPhone from across the street
via "Naked Security".
The bug at the heart of this is already patched, but there's a lot to learn from this story anyway.
CVE-2020-28273
via "National Vulnerability Database".
Prototype pollution vulnerability in 'set-in' versions 1.0.0 through 2.0.0 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2020-25638
via "National Vulnerability Database".
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CVE-2020-28272
via "National Vulnerability Database".
Prototype pollution vulnerability in 'keyget' versions 1.0.0 through 2.2.0 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2020-14369
via "National Vulnerability Database".
This release fixes a Cross Site Request Forgery vulnerability that was found in Red Hat CloudForms, which forces end users to execute unwanted actions on a web application in which the user is currently authenticated. An attacker can make a forged HTTP request to the server by crafting a custom Flash file, which can force the user to perform state-changing requests like provisioning VMs, running Ansible playbooks and so forth.
CVE-2020-12524
via "National Vulnerability Database".
Uncontrolled Resource Consumption can be exploited to cause the Phoenix Contact HMIs BTP 2043W, BTP 2070W and BTP 2102W in all versions to become unresponsive and not accurately update the display content (Denial of Service).
Turla's 'Crutch' Backdoor Leverages Dropbox in Espionage Attacks
via "Threat Post".
In a recent cyberattack against an E.U. country's Ministry of Foreign Affairs, the Crutch backdoor leveraged Dropbox to exfiltrate sensitive documents.
FINRA Warns of Yet Another Phishing Attack Targeting Finance Industry
via "Digital Guardian".
Emails from an ongoing campaign are not connected to FINRA and should be deleted, the organization warns.