🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
🦿 Digital driver's licenses: Are they secure enough for us to trust? 🦿

States should use a privacy by design approach instead of creating a new system to track purchases and other activities, according to security experts.

📖 Read

via "Tech Republic".
‼ CVE-2021-43172 ‼

NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to never finish a validation run. In RPKI, a CA can choose the RRDP repository it wishes to publish its data in. By continuously generating a new child CA that only consists of another CA using a different RRDP repository, a malicious CA can create a chain of CAs of de-facto infinite length. Routinator prior to version 0.10.2 did not contain a limit on the length of such a chain and will therefore continue to process this chain forever. As a result, the validation run will never finish, leading to Routinator continuing to serve the old data set or, if in the initial validation run directly after starting, never serve any data at all.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-43173 ‼

In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not answering but slowly drip-feeding bytes to keep the connection alive. This can be used to effectively stall validation. While Routinator has a configurable time-out value for RRDP connections, this time-out was only applied to individual read or write operations rather than the complete request. Thus, if an RRDP repository sends a little bit of data before that time-out expired, it can continuously extend the time it takes for the request to finish. Since validation will only continue once the update of an RRDP repository has concluded, this delay will cause validation to stall, leading to Routinator continuing to serve the old data set or, if in the initial validation run directly after starting, never serve any data at all.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-43174 ‼

NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1 support the gzip transfer encoding when querying RRDP repositories. This encoding can be used by an RRDP repository to cause an out-of-memory crash in these versions of Routinator. RRDP uses XML which allows arbitrary amounts of white space in the encoded data. The gzip scheme compresses such white space extremely well, leading to very small compressed files that become huge when being decompressed for further processing, big enough that Routinator runs out of memory when parsing input data waiting for the next XML element.

📖 Read

via "National Vulnerability Database".
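The two fetch-side defects above (the per-read time-out in CVE-2021-43173 and the unbounded gzip inflation in CVE-2021-43174) share one remedy: budget the whole request rather than each read, and cap the decompressed output rather than the compressed byte count. The following reader is an added illustration, not Routinator's own code; `read_bounded`, `chunked` and the sample bodies are constructed for the example.

```python
import gzip
import time
import zlib


class FetchLimitExceeded(Exception):
    """Raised when a response exceeds its time or size budget."""


def read_bounded(chunks, max_decompressed, deadline_seconds, clock=time.monotonic):
    """Inflate gzip-encoded chunks of an RRDP response under two hard limits.

    The deadline is measured from the start of the whole request, so a
    repository that drip-feeds a byte just before every per-read timeout
    still cannot stretch the request past deadline_seconds (CVE-2021-43173).
    Output is capped so a few KB of gzip holding megabytes of XML white
    space cannot exhaust memory before parsing starts (CVE-2021-43174).
    """
    started = clock()
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    for chunk in chunks:
        if clock() - started > deadline_seconds:
            raise FetchLimitExceeded("request deadline exceeded")
        # Ask zlib for at most one byte more than we still allow; reaching
        # that limit (or leftover compressed input) means the body is too big.
        room = max_decompressed - len(out) + 1
        out += inflater.decompress(chunk, room)
        if len(out) > max_decompressed or inflater.unconsumed_tail:
            raise FetchLimitExceeded("decompressed size cap exceeded")
    if not inflater.eof:
        raise FetchLimitExceeded("stream ended before the gzip trailer")
    return bytes(out)


def chunked(data, size):
    """Split bytes into fixed-size pieces, simulating successive socket reads."""
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed sample bodies (not real repository data).
SMALL_XML = gzip.compress(b'<notification session_id="demo" serial="1"/>')
# Roughly 8 KB of gzip that inflates to 8 MiB of white space, the shape
# of input described for CVE-2021-43174.
WHITESPACE_BOMB = gzip.compress(b" " * (8 * 1024 * 1024))
```

Pass `clock` explicitly when testing the deadline so the check can be exercised without actually waiting.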
🦿 Kaspersky finds 31% increase in "smart" DDoS attacks 🦿

The security company expects these attacks to keep rising through the end of the year.

📖 Read

via "Tech Republic".
🕴 Why Self-Learning AI Is Changing the Paradigm of ICS Security 🕴

By focusing on the organization rather than the threat, AI can identify subtle changes in your digital environment that point to a cyber threat.

📖 Read

via "Dark Reading".
❌ Not Punny: Angling Direct Breach Cripples Retailer for Days ❌

A U.K. fishing retailer's site has been hijacked and redirected to Pornhub.

📖 Read

via "Threat Post".
β™ŸοΈ Microsoft Patch Tuesday, November 2021 Edition β™ŸοΈ

Microsoft Corp. today released updates to quash at least 55 security bugs in its Windows operating systems and other software. Two of the patches address vulnerabilities that are already being used in active attacks online, and four of the flaws were disclosed publicly before today -- potentially giving adversaries a head start in figuring out how to exploit them.

πŸ“– Read

via "Krebs on Security".
🦿 Security pros say federal government should do more to protect and secure private sector 🦿

A full 95% of professionals surveyed by Tripwire believe the government should play a bigger role in securing non-governmental companies.

📖 Read

via "Tech Republic".
‼ CVE-2020-28419 ‼

During installation with certain driver software or application packages an arbitrary code execution could occur.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-20119 ‼

The password change utility for the Arris SurfBoard SB8200 can have safety measures bypassed that allow any logged-in user to change the administrator password.

📖 Read

via "National Vulnerability Database".
❌ Microsoft Nov. Patch Tuesday Fixes Six Zero-Days, 55 Bugs ❌

Experts urged users to prioritize patches for Microsoft Exchange and Excel, those favorite platforms so frequently targeted by cybercriminals and nation-state actors.

📖 Read

via "Threat Post".
🦿 It's time to dump Chrome as your default browser on Android 🦿

Jack Wallen makes his case for Android users to switch from Chrome as their default browser. He also shows you how.

📖 Read

via "Tech Republic".
‼ CVE-2021-43569 ‼

The verify function in the Stark Bank .NET ECDSA library (ecdsa-dotnet) 1.3.1 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-43570 ‼

The verify function in the Stark Bank Java ECDSA library (ecdsa-java) 1.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-43572 ‼

The verify function in the Stark Bank Python ECDSA library (ecdsa-python) 2.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-43568 ‼

The verify function in the Stark Bank Elixir ECDSA library (ecdsa-elixir) 1.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-43571 ‼

The verify function in the Stark Bank Node.js ECDSA library (ecdsa-node) 1.1.2 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

📖 Read

via "National Vulnerability Database".
🕴 Are You Planning for the Quantum, Transhumanist Threat? 🕴

Breaking encryption in a day and hacking without visible devices are two threats that could become a reality in the next decade and beyond, experts say.

📖 Read

via "Dark Reading".
🕴 Microsoft Fixes Exchange Server Zero-Day 🕴

November security update contains patches for 55 bugs, including six zero-days across various products.

📖 Read

via "Dark Reading".
‼ CVE-2021-43575 ‼

** DISPUTED ** KNX ETS6 through 6.0.0 uses the hard-coded password ETS5Password, with a salt value of Ivan Medvedev, allowing local users to read project information, a similar issue to CVE-2021-36799. NOTE: The vendor disputes this because it is not the responsibility of the ETS to securely store cryptographic key material when it is not being exported.

📖 Read

via "National Vulnerability Database".