ATENTIONβΌ New - CVE-2017-13889 (mac_os_x)
π Read
via "National Vulnerability Database".
In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan, a logic error existed in the validation of credentials. This was addressed with improved credential validation.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2017-13888 (iphone_os)
π Read
via "National Vulnerability Database".
In iOS before 11.2, a type confusion issue was addressed with improved memory handling.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2016-7576 (iphone_os)
π Read
via "National Vulnerability Database".
In iOS before 9.3.3, a memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.π Read
via "National Vulnerability Database".
π΄ 'We Want IoT Security Regulation,' Say 95% of IT Decision-Makers π΄
π Read
via "Dark Reading: ".
New global survey shows businesses are valuing IoT security more highly, but they are still challenged by IoT data visibility and privacy.π Read
via "Dark Reading: ".
Dark Reading
'We Want IoT Security Regulation,' Say 95% of IT Decision-Makers
New global survey shows businesses are valuing IoT security more highly, but they are still challenged by IoT data visibility and privacy.
ATENTIONβΌ New - CVE-2017-13891 (iphone_os)
π Read
via "National Vulnerability Database".
In iOS before 11.2, an inconsistent user interface issue was addressed through improved state management.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2016-4642 (apple_tv, iphone_os, mac_os)
π Read
via "National Vulnerability Database".
In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, proxy authentication incorrectly reported HTTP proxies received credentials securely. This issue was addressed through improved warnings.π Read
via "National Vulnerability Database".
π β4 ways to prepare for GDPR and similar privacy regulations π
π Read
via "Security on TechRepublic".
Data privacy is no longer a nice-to-have security commodity, but a must-have commodity.π Read
via "Security on TechRepublic".
TechRepublic
β4 ways to prepare for GDPR and similar privacy regulations
Data privacy is no longer a nice-to-have security commodity, but a must-have commodity.
π How to connect to VNC using SSH π
π Read
via "Security on TechRepublic".
If your network doesn't allow connections into the default VNC port 5901, you can tunnel it through SSH.π Read
via "Security on TechRepublic".
TechRepublic
How to connect to VNC using SSH
If your network doesn't allow connections into the default VNC port 5901, you can tunnel it through SSH.
ATENTIONβΌ New - CVE-2016-4644 (apple_tv, iphone_os, mac_os)
π Read
via "National Vulnerability Database".
In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a downgrade issue existed with HTTP authentication credentials saved in Keychain. This issue was addressed by storing the authentication types with the credentials.π Read
via "National Vulnerability Database".
π Over 87GB of email addresses and passwords exposed in Collection 1 dump π
π Read
via "Security on TechRepublic".
An 87GB dump of email addresses and passwords containing almost 773 million unique addresses and just under 22 million unique passwords has been found.π Read
via "Security on TechRepublic".
TechRepublic
Over 87GB of email addresses and passwords exposed in Collection 1 dump
An 87GB dump of email addresses and passwords containing almost 773 million unique addresses and just under 22 million unique passwords has been found.
π΄ The Security Perimeter Is Dead; Long Live the New Endpoint Perimeter π΄
π Read
via "Dark Reading: ".
The network no longer provides an air gap against external threats, but access devices can take up the slack.π Read
via "Dark Reading: ".
Darkreading
The Security Perimeter Is Dead; Long Live the New Endpoint Perimeter
The network no longer provides an air gap against external threats, but access devices can take up the slack.
π΄ Go Hands-On with New Security Tricks at Black Hat Asia π΄
π Read
via "Dark Reading: ".
Get up close and personal with the latest tools and techniques for testing (and breaking) everything from HTTPS to deep neural networks to Microsoft Office!π Read
via "Dark Reading: ".
Dark Reading
Black Hat
The Global Leader in Cybersecurity Events & Trainings
β Apple CEO Demands Federal Data Privacy Legislation β
π Read
via "Threatpost | The first stop for security news".
Apple CEO Tim Cook has called on the government to double down on data privacy regulation in 2019.π Read
via "Threatpost | The first stop for security news".
Threat Post
Apple CEO Demands Federal Data Privacy Legislation
Apple CEO Tim Cook has called on the government to double down on data privacy regulation in 2019.
π 4 strategies for your IT wearables policy π
π Read
via "Security on TechRepublic".
Without a formal plan or policy, wearables may introduce your company to a security breachβ.π Read
via "Security on TechRepublic".
TechRepublic
4 strategies for your IT wearables policy
Without a formal plan or policy, wearables may introduce your company to a security breachβ.
<b>⌨ 773M Password βMegabreachβ is Years Old ⌨</b>
<code>My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it βthe largest collection ever of breached data found.β But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.</code><code>The dump, labeled βCollection #1β and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely βmade up of many different individual data breaches from literally thousands of different sources.β</code><code>KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.</code><code>Hereβs a screenshot of a subset of that sellerβs current offerings, which total almost 1 Terabyte of stolen and hacked passwords:</code><code>Media</code><code>The 87GB βCollection1β archive is one of but many similar tranches of stolen passwords being sold by a particularly prolific neβer-do-well in the underground.</code><code>As we can see above, Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached β βSanixer.β So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.</code><code>Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his βfreshestβ offering. Rather, he sort of steered me away from that archive, suggested that β unlike most of his other wares β Collection #1 was at least 2-3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.</code><code>By way of explaining the provenance of Collection #1, Sanixer said it was a mix of βdumps and leaked bases,β and then he offered an interesting screen shot of his additional collections. Click on the image below and notice the open Web browser tab behind his purloined password trove (which is apparently stored at Mega.nz): Troy Huntβs published research on this 773 million Collection #1.</code><code>Media</code><code>Sanixer says Collection #1 was from a mix of sources. A description of those sources can be seen in the directory tree on the left side of this screenshot.</code><code>Holden said the habit of collecting large amounts of credentials and posting it online is not new at all, and that the data is far more useful for things like phishing, blackmail and other indirect attacks β as opposed to plundering inboxes. Holden added that his company had already derived 99 percent of the data in Collection #1 from other sources.</code><code>βIt was popularized several years ago by Russian hackers on various Dark Web forums,β he said. βBecause the data is gathered from a number of breaches, typically older data, it does not present a direct danger to the general user community. Its sheer volume is impressive, yet, by account of many hackers the data is not greatly useful.β</code><code>A core reason so many accounts get compromised is that far too many people have the nasty habit(s) of choosing poor passwords, re-using passwords and email addressesβ¦
<code>My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it βthe largest collection ever of breached data found.β But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.</code><code>The dump, labeled βCollection #1β and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely βmade up of many different individual data breaches from literally thousands of different sources.β</code><code>KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.</code><code>Hereβs a screenshot of a subset of that sellerβs current offerings, which total almost 1 Terabyte of stolen and hacked passwords:</code><code>Media</code><code>The 87GB βCollection1β archive is one of but many similar tranches of stolen passwords being sold by a particularly prolific neβer-do-well in the underground.</code><code>As we can see above, Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached β βSanixer.β So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.</code><code>Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his βfreshestβ offering. Rather, he sort of steered me away from that archive, suggested that β unlike most of his other wares β Collection #1 was at least 2-3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.</code><code>By way of explaining the provenance of Collection #1, Sanixer said it was a mix of βdumps and leaked bases,β and then he offered an interesting screen shot of his additional collections. Click on the image below and notice the open Web browser tab behind his purloined password trove (which is apparently stored at Mega.nz): Troy Huntβs published research on this 773 million Collection #1.</code><code>Media</code><code>Sanixer says Collection #1 was from a mix of sources. A description of those sources can be seen in the directory tree on the left side of this screenshot.</code><code>Holden said the habit of collecting large amounts of credentials and posting it online is not new at all, and that the data is far more useful for things like phishing, blackmail and other indirect attacks β as opposed to plundering inboxes. Holden added that his company had already derived 99 percent of the data in Collection #1 from other sources.</code><code>βIt was popularized several years ago by Russian hackers on various Dark Web forums,β he said. βBecause the data is gathered from a number of breaches, typically older data, it does not present a direct danger to the general user community. Its sheer volume is impressive, yet, by account of many hackers the data is not greatly useful.β</code><code>A core reason so many accounts get compromised is that far too many people have the nasty habit(s) of choosing poor passwords, re-using passwords and email addressesβ¦
π΄ New Attacks Target Recent PHP Framework Vulnerability π΄
π Read
via "Dark Reading: ".
Multiple threat actors are using relatively simple techniques to take advantage of the vulnerability, launching cryptominers, skimmers, and other malware payloads.π Read
via "Dark Reading: ".
Darkreading
New Attacks Target Recent PHP Framework Vulnerability
Multiple threat actors are using relatively simple techniques to take advantage of the vulnerability, launching cryptominers, skimmers, and other malware payloads.
ATENTIONβΌ New - CVE-2016-4643 (apple_tv, iphone_os, mac_os)
π Read
via "National Vulnerability Database".
In iOS before 9.3.3, tvOS before 9.2.2, and OS X El Capitan before v10.11.6 and Security Update 2016-004, a validation issue existed in the parsing of 407 responses. This issue was addressed through improved response validation.π Read
via "National Vulnerability Database".
π΄ Microsoft Launches New Azure DevOps Bug Bounty Program π΄
π Read
via "Dark Reading: ".
A new program will pay bounties of up to $20,000 for new critical bugs in the company's Azure DevOps systems and services.π Read
via "Dark Reading: ".
Darkreading
Microsoft Launches New Azure DevOps Bug Bounty Program
A new program will pay bounties of up to $20,000 for new critical bugs in the company's Azure DevOps systems and services.
π΄ Facebook Shuts Hundreds of Russia-Linked Pages, Accounts for Disinformation π΄
π Read
via "Dark Reading: ".
Facebook says the accounts and pages were part of two unrelated disinformation operations aimed at targets outside the US.π Read
via "Dark Reading: ".
Darkreading
Facebook Shuts Hundreds of Russia-Linked Pages, Accounts for Disinformation
Facebook says the accounts and pages were part of two unrelated disinformation operations aimed at targets outside the US.
β Microsoft Launches Azure DevOps Bug Bounty Program β
π Read
via "Threatpost | The first stop for security news".
Microsoft is offering rewards of up to $20,000 for flaws in its Azure DevOps online services and the latest release of the Azure DevOps server.π Read
via "Threatpost | The first stop for security news".
Threat Post
Microsoft Launches Azure DevOps Bug Bounty Program
Microsoft is offering rewards of up to $20,000 for flaws in its Azure DevOps online services and the latest release of the Azure DevOps server.
π΄ 773 Million Email Addresses, 21 Million Passwords For Sale on Hacker Forum π΄
π Read
via "Dark Reading: ".
Data appears to be from multiple breaches over past few years, says researcher who discovered it.π Read
via "Dark Reading: ".
Darkreading
773 Million Email Addresses, 21 Million Passwords For Sale on Hacker Forum
Data appears to be from multiple breaches over past few years, says researcher who discovered it.