β Microsoft Revamps βInvasiveβ M365 Feature After Privacy Backlash β
π Read
via "Threat Post".
The Microsoft 365 tool that tracked employee usage of applications like Outlook, Skype and Teams was widely condemned by privacy experts.π Read
via "Threat Post".
Threat Post
Microsoft Revamps βInvasiveβ M365 Feature After Privacy Backlash
The Microsoft 365 tool that tracked employee usage of applications like Outlook, Skype and Teams was widely condemned by privacy experts.
π¦Ώ Sales of CEO email accounts may give cyber criminals access to the "crown jewels" of a company π¦Ώ
π Read
via "Tech Republic".
Multiple security professionals said stolen credentials on Exploit.in were part of a tidal wave of business email compromise attacks.π Read
via "Tech Republic".
TechRepublic
Sales of CEO email accounts may give cyber criminals access to the "crown jewels" of a company
Multiple security professionals said stolen credentials on Exploit.in were part of a tidal wave of business email compromise attacks.
β Healthcare 2021: Cyberattacks to Center on COVID-19 Spying, Patient Data β
π Read
via "Threat Post".
The post-COVID-19 surge in the criticality level of medical infrastructure, coupled with across-the-board digitalization, will be big drivers for medical-sector cyberattacks next year.π Read
via "Threat Post".
Threat Post
Healthcare 2021: Cyberattacks to Center on COVID-19 Spying, Patient Data
The post-COVID-19 surge in the criticality level of medical infrastructure, coupled with across-the-board digitalization, will be big drivers for medical-sector cyberattacks next year.
β How to steal photos off someoneβs iPhone from across the street β
π Read
via "Naked Security".
The bug at the heart of this is already patched - but there's a lot to learn from this story anyway.π Read
via "Naked Security".
Naked Security
How to steal photos off someoneβs iPhone from across the street
The bug at the heart of this is already patched β but thereβs a lot to learn from this story anyway.
βΌ CVE-2020-28273 βΌ
π Read
via "National Vulnerability Database".
Prototype pollution vulnerability in 'set-in' versions 1.0.0 through 2.0.0 allows attacker to cause a denial of service and may lead to remote code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25638 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28272 βΌ
π Read
via "National Vulnerability Database".
Prototype pollution vulnerability in 'keyget' versions 1.0.0 through 2.2.0 allows attacker to cause a denial of service and may lead to remote code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2020-14369 βΌ
π Read
via "National Vulnerability Database".
This release fixes a Cross Site Request Forgery vulnerability was found in Red Hat CloudForms which forces end users to execute unwanted actions on a web application in which the user is currently authenticated. An attacker can make a forgery HTTP request to the server by crafting custom flash file which can force the user to perform state changing requests like provisioning VMs, running ansible playbooks and so forth.π Read
via "National Vulnerability Database".
βΌ CVE-2020-12524 βΌ
π Read
via "National Vulnerability Database".
Uncontrolled Resource Consumption can be exploited to cause the Phoenix Contact HMIs BTP 2043W, BTP 2070W and BTP 2102W in all versions to become unresponsive and not accurately update the display content (Denial of Service).π Read
via "National Vulnerability Database".
β Turlaβs βCrutchβ Backdoor Leverages Dropbox in Espionage Attacks β
π Read
via "Threat Post".
In a recent cyberattack against an E.U. country's Ministry of Foreign Affairs, the Crutch backdoor leveraged Dropbox to exfiltrate sensitive documents.π Read
via "Threat Post".
Threat Post
Turlaβs βCrutchβ Backdoor Leverages Dropbox in Espionage Attacks
In a recent cyberattack against an E.U. country's Ministry of Foreign Affairs, the Crutch backdoor leveraged Dropbox to exfiltrate sensitive documents.
π FINRA Warns of Yet Another Phishing Attack Targeting Finance Industry π
π Read
via "Digital Guardian".
Emails from an ongoing campaign are not connected to FINRA and should be deleted, the organization warns.π Read
via "Digital Guardian".
Digital Guardian
FINRA Warns of Yet Another Phishing Attack Targeting Finance Industry
Emails from an ongoing campaign are not connected to FINRA and should be deleted, the organization warns.
π΄ Security Slipup Exposes Health Records & Lab Results π΄
π Read
via "Dark Reading".
NTreatment failed to add password protection to a cloud server, exposing thousands of sensitive medical records online.π Read
via "Dark Reading".
Dark Reading
Security Slipup Exposes Health Records & Lab Results
NTreatment failed to add password protection to a cloud server, exposing thousands of sensitive medical records online.
π I2P 0.9.48 π
π Read
via "Packet Storm Security".
I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.π Read
via "Packet Storm Security".
Packetstormsecurity
I2P 0.9.48 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
π΄ Automated Pen Testing: Can It Replace Humans? π΄
π Read
via "Dark Reading".
These tools have come a long way, but are they far enough along to make human pen testers obsolete?π Read
via "Dark Reading".
Dark Reading
Automated Pen Testing: Can It Replace Humans?
These tools have come a long way, but are they far enough along to make human pen testers obsolete?
βΌ CVE-2020-13494 βΌ
π Read
via "National Vulnerability Database".
A heap overflow vulnerability exists in the Pixar OpenUSD 20.05 parsing of compressed string tokens in binary USD files. A specially crafted malformed file can trigger a heap overflow which can result in out of bounds memory access which could lead to information disclosure. This vulnerability could be used to bypass mitigations and aid further exploitation. To trigger this vulnerability, victim needs to access an attacker-provided malformed file.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25266 βΌ
π Read
via "National Vulnerability Database".
AppImage appimaged before 1.0.3 does not properly check whether a downloaded file is a valid appimage. For example, it will accept a crafted mp3 file that contains an appimage, and install it.π Read
via "National Vulnerability Database".
βΌ CVE-2017-14451 βΌ
π Read
via "National Vulnerability Database".
An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read which can subsequently trigger an out-of-bounds write resulting in remote code execution. An attacker can create/send malicious smart contract to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2020-13496 βΌ
π Read
via "National Vulnerability Database".
An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles parses certain encoded types. A specially crafted malformed file can trigger an arbitrary out of bounds memory access in TfToken Type Index. This vulnerability could be used to bypass mitigations and aid further exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.π Read
via "National Vulnerability Database".
βΌ CVE-2020-13493 βΌ
π Read
via "National Vulnerability Database".
A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. A specially crafted USDC file format path jumps decompression heap overflow in a way path jumps are processed. To trigger this vulnerability, the victim needs to open an attacker-provided malformed file.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29389 βΌ
π Read
via "National Vulnerability Database".
The official Crux Linux Docker images 3.0 through 3.4 contain a blank password for a root user. System using the Crux Linux Docker container deployed by affected versions of the Docker image may allow an attacker to achieve root access with a blank password.π Read
via "National Vulnerability Database".
βΌ CVE-2020-13497 βΌ
π Read
via "National Vulnerability Database".
An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles parses certain encoded types. A specially crafted malformed file can trigger an arbitrary out of bounds memory access in String Type Index. This vulnerability could be used to bypass mitigations and aid further exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.π Read
via "National Vulnerability Database".