ATTENTION! New - CVE-2018-11742
via "National Vulnerability Database".
NEC Univerge Sv9100 WebPro 6.00.00 devices have Cleartext Password Storage in the Web UI.
ATTENTION! New - CVE-2018-11741
via "National Vulnerability Database".
NEC Univerge Sv9100 WebPro 6.00.00 devices have Predictable Session IDs that result in Account Information Disclosure via Home.htm?sessionId=#####&GOTO(8) URIs.
FTC Warns of Netflix Phishing Scam Making Rounds
via "Threatpost | The first stop for security news".
The scam targets Netflix users and asks for payment information.
Toxic Data: How 'Deepfakes' Threaten Cybersecurity
via "Dark Reading".
The joining of 'deep learning' and 'fake news' makes it possible to create audio and video of real people saying words they never spoke or things they never did.
2018: The Year Machine Intelligence Arrived in Cybersecurity
via "Dark Reading".
Machine intelligence, in its many forms, began having a significant impact on cybersecurity this year - setting the stage for growing intelligence in security automation for 2019.
IoT Bug Grants Access to Home Video Surveillance
via "Dark Reading".
Due to a shared Amazon S3 credential, all users of a certain model of the Guardzilla All-In-One Video Security System can view each other's videos.
The Coolest Hacks of 2018
via "Dark Reading".
In-flight airplanes, social engineers, and robotic vacuums were among the targets of resourceful white-hat hackers this year.
35C3 Day One: Security, Art and Hacking
via "Threatpost | The first stop for security news".
Conference showcases cutting-edge cybersecurity research, hacking collectives and art.
Hijacking Online Accounts Via Hacked Voicemail Systems
via "Threatpost | The first stop for security news".
A proof-of-concept hack of a voicemail system shows how it can lead to account takeovers on multiple online services.
Start Preparing Now for the Post-Quantum Future
via "Dark Reading".
Quantum computing will break most of the encryption schemes on which we rely today. These five tips will help you get ready.
How to protect your Facebook account: a walkthrough
via "Naked Security".
We walk you through the important settings you can change and behaviors you can implement to lock down your privacy on Facebook.
Guardzilla Home Cameras Open to Anyone Watching Their Footage
via "Threatpost | The first stop for security news".
The home surveillance cams have hard-coded credentials.
<b>The Path of Privacy - 2019 Privacy Predictions by TrustArc CEO Chris Babel</b>
Privacy was ubiquitous in 2018. The General Data Protection Regulation (GDPR) deadline on May 25, 2018 came and went as companies scrambled to meet and maintain compliance under the new regulation. Data protection had a strong presence in the media as large companies' handling of user data was widely discussed and reviewed. New privacy regulations were introduced, such as the California Consumer Privacy Act (CCPA) and Brazil's General Data Protection Law (LGPD), meaning more and more companies will fall under the scope of at least one enforceable privacy regulation. So what's in store for privacy in 2019? TrustArc CEO Chris Babel breaks down next year's predictions for the path of privacy.
1) Managing privacy will be the new normal, like securing data or paying taxes
Privacy will continue on a similar path as the evolution of cybersecurity. The number of breaches and privacy-related incidents will continue to rise, up and to the right. This rise will consist of peaks and valleys. Like with security, a standard of constant privacy will become the new normal. For example, while many organizations treated GDPR as a project with a finite end, compliance is a continuous exercise that requires the same focus and vigilance as security or taxes.
Automating aspects of this continuous process using Assessment Manager will save your company time. Assessment Manager is built on powerful technology that identifies where and why your practices don't align with regulations, and defines the path to remediation. The workflow tools and Intelligence Engine detect the need for assessments and then streamline them.
2) Ethics will become increasingly important to data-driven innovation
Once a focus only in health care, research, and highly regulated organizations, GDPR and similar laws are driving businesses across sectors to consider ethics by showing that the benefits they claim new tech and other innovations will bring do not outweigh the potential for data misuse and other risks. While companies may start with a check-the-box compliance exercise, in 2019 the more innovative players will look to differentiate themselves from their competition by setting up ethical review committees, ethics teams and data ethics officers to formally consider the implications of algorithms and machine learning on customer trust and business outcomes.
Determining whether processing is ethical can be done at scale by automating manual processes. TrustArc offers the expertise and technology to complete these assessments, build a sustainable DPIA & PIA program if needed, automate the process using the TrustArc Platform, and produce the reporting needed to show accountability on demand.
3) Consumers will exercise their right to privacy
In 2019, consumers will become more aware of and better understand the rights and mechanisms that regulations like the GDPR have made available to them to manage and protect their data. As a result, we will see consumers become more engaged and active in controlling their privacy settings, sharing less information, unsubscribing from marketing communications and requesting copies of their data or that companies delete their data entirely from marketing databases.
Individual Rights Manager helps with the requirements of the GDPR and CCPA, which require that organizations provide data subjects and individuals with a variety of rights, including: right of access by the data subject; rectification or erasure; restriction of processing; data portability.
4) To be or not to be - 2019 privacy laws at a glance
A U.S. federal privacy law will be much discussed but not passed. The trade deal replacing NAFTA, USMCA, will drive new discussions around cross-border data sharing between the U.S., Canada and Mexico. A handful more states in the U.S. will seek to adopt state privacy laws such as the California Consumer Privacy Act, and 2-3 states…
ATTENTION! New - CVE-2018-1000890
via "National Vulnerability Database".
FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulnerability in the parameter "filterType" in /attachments.php that can allow the attacker to grab the entire database of the application.
ATTENTION! New - CVE-2018-1000889
via "National Vulnerability Database".
Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in Circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that can result in information leak, possible RCE depending on system configuration. This attack appears to be exploitable via the victim opening a specially crafted circuit file. This vulnerability appears to have been fixed in 2.14.4.
ATTENTION! New - CVE-2018-1000888
via "National Vulnerability Database".
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with a useful gadget is loaded, it may be possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.
ATTENTION! New - CVE-2018-1000887
via "National Vulnerability Database".
Peel shopping peel-shopping_9_1_0 version contains a Cross Site Scripting (XSS) vulnerability that can result in an authenticated user injecting JavaScript code in the "Site Name EN" parameter. This attack appears to be exploitable if the malicious user has access to the administration account.
ATTENTION! New - CVE-2018-1000631
via "National Vulnerability Database".
Battelle V2I Hub 3.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the tmx/TmxCtl/src/lib/PluginStatus.cpp and TmxControl::user_info() function, which could allow the attacker to view, add, modify or delete information in the back-end database.
ATTENTION! New - CVE-2018-1000630
via "National Vulnerability Database".
Battelle V2I Hub 2.5.1 is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements to /api/PluginStatusActions.php and /status/pluginStatus.php using the jtSorting or id parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
ATTENTION! New - CVE-2018-1000629
via "National Vulnerability Database".
Battelle V2I Hub 2.5.1 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by api/SystemConfigActions.php?action=add and the index.php script. A remote attacker could exploit this vulnerability using the parameterName or _login_username parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
ATTENTION! New - CVE-2018-1000628
via "National Vulnerability Database".
Battelle V2I Hub 2.5.1 could allow a remote attacker to bypass security restrictions, caused by the direct checking of the API key against a user-supplied value in PHP's GET global variable array using PHP's strcmp() function. By adding "[]" to the end of "key" in the URL when accessing API functions, an attacker could exploit this vulnerability to execute API functions.