🕴 How to Hire — and Retain — Effective Threat Hunters 🕴
📖 Read
via "Dark Reading".
Key characteristics that should be evaluated include curiosity, disposition, and fit with the culture.
‼ CVE-2021-43494 ‼
📖 Read
via "National Vulnerability Database".
OpenCV-REST-API master branch as of commit 69be158c05d4dd5a4aff38fdc680a162dd6b9e49 is affected by a directory traversal vulnerability. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.
‼ CVE-2021-43496 ‼
📖 Read
via "National Vulnerability Database".
Clustering master branch as of commit 53e663e259bcfc8cdecb56c0bb255bd70bfcaa70 is affected by a directory traversal vulnerability. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.
‼ CVE-2021-38972 ‼
📖 Read
via "National Vulnerability Database".
IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
‼ CVE-2020-4140 ‼
📖 Read
via "National Vulnerability Database".
IBM Security SiteProtector System 3.1.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174052.
‼ CVE-2021-43493 ‼
📖 Read
via "National Vulnerability Database".
ServerManagement master branch as of commit 49491cc6f94980e6be7791d17be947c27071eb56 is affected by a directory traversal vulnerability. This vulnerability can be used to extract credentials which can in turn be used to execute code.
‼ CVE-2020-4146 ‼
📖 Read
via "National Vulnerability Database".
IBM Security SiteProtector System 3.1.1 could allow a remote attacker to obtain sensitive information, caused by missing 'HttpOnly' flag. A remote attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 174129.
‼ CVE-2021-38973 ‼
📖 Read
via "National Vulnerability Database".
IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
‼ CVE-2021-38985 ‼
📖 Read
via "National Vulnerability Database".
IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
‼ CVE-2021-43492 ‼
📖 Read
via "National Vulnerability Database".
AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.
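CVE-2021-43492, CVE-2021-43493, CVE-2021-43494 and CVE-2021-43496 above are all the same bug class: a request path is joined onto a base directory without checking that the result stays inside it. The following is an added example, not code from any of those projects or from NVD, showing the naive join beside a containment check; `BASE_DIR` and the sample request paths are constructed for the demonstration, and the check assumes the framework has already percent-decoded the path exactly once.

```python
import os
import posixpath
from typing import Dict, List, Optional

# Constructed fixture: the directory a web handler is supposed to serve from.
BASE_DIR = "/srv/app/static"


def unsafe_join(base: str, user_path: str) -> str:
    """The bug pattern: concatenate the request path onto a base directory.

    os.path.join neither normalises '..' nor refuses an absolute second
    argument, so both '../../etc/passwd' and '/etc/passwd' escape base.
    """
    return os.path.join(base, user_path)


def safe_join(base: str, user_path: str) -> Optional[str]:
    """Return the normalised path if it stays inside base, else None.

    Assumes user_path was percent-decoded exactly once upstream; decoding it
    again here would open a double-decoding bypass (%252e%252e -> ..).
    """
    if "\x00" in user_path:            # NUL truncates C-level path handling
        return None
    if posixpath.isabs(user_path):     # an absolute path replaces base in join()
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, user_path))
    # Lexical containment: after collapsing '.', '..' and '//', the longest
    # common prefix of base and candidate must still be base itself.
    if posixpath.commonpath([base_norm, candidate]) != base_norm:
        return None
    return candidate


def safe_join_fs(base: str, user_path: str) -> Optional[str]:
    """safe_join plus a symlink-aware check against the real filesystem.

    A symlink inside base that points outside it passes the lexical check,
    so production code should also compare realpath() results. Kept separate
    so safe_join stays deterministic when base does not exist (as here).
    """
    candidate = safe_join(base, user_path)
    if candidate is None:
        return None
    real_base = os.path.realpath(base)
    real_candidate = os.path.realpath(candidate)
    if os.path.commonpath([real_base, real_candidate]) != real_base:
        return None
    return real_candidate


# Constructed request paths: the first two are benign, the rest are attacks.
SAMPLE_PATHS: List[str] = [
    "css/site.css",
    "img/../css/site.css",
    "../../../etc/passwd",
    "/etc/passwd",
    "css/../../app/config.yml",
    "css/site.css\x00.png",
]


def evaluate(paths: List[str] = SAMPLE_PATHS) -> Dict[str, Optional[str]]:
    """Map each sample path to what safe_join returns for it."""
    return {p: safe_join(BASE_DIR, p) for p in paths}


if __name__ == "__main__":
    for p, result in evaluate().items():
        print(f"{p!r:32} unsafe={unsafe_join(BASE_DIR, p)!r:42} safe={result!r}")
```

The check is deliberately a containment test on the normalised path rather than a blocklist of `..` substrings; blocklists miss encodings and platform quirks, while "is the final path still under the base directory" is the property you actually need.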
⚠ S3 Ep58: Faces on Facebook, scams that pose as complaints, and a Kaseya bust [Podcast] ⚠
📖 Read
via "Naked Security".
Latest episode – listen now!
🦿 Score an extra 15% discount on this cyber analysis training on sale ahead of Black Friday 🦿
📖 Read
via "Tech Republic".
Eight courses and 51 hours of content on CompTIA CySA+, ethical hacking, social engineering and more. Everything you need to be a certified cybersecurity analyst.
❌ Mac Zero Day Targets Apple Devices in Hong Kong ❌
📖 Read
via "Threat Post".
Google researchers have detailed a widespread watering-hole attack that installed a backdoor on Apple devices that visited Hong Kong-based media and pro-democracy sites.
🔏 Friday Five 11/12 🔏
📖 Read
via "Digital Guardian".
Apple fixes a macOS zero day, Microsoft warns of HTML smuggling phishing attacks, and more - catch up on the infosec news of the week with the Friday Five!
⚠ Samba update patches plaintext password plundering problem ⚠
📖 Read
via "Naked Security".
When Microsoft itself says STOP USING X, where X is one of its own protocols... we think you should listen.
🦿 The mobile VPNs of 2021 that you need to try 🦿
📖 Read
via "Tech Republic".
Privacy is essential, especially on a mobile device. These five options available for both Android and iOS can help keep your device secure and your traffic private, but not without cost.
🦿 How AI fights fraud in the telecom industry 🦿
📖 Read
via "Tech Republic".
Americans lost $29.8 billion in phone fraud over the past year. Can AI fraud detection change this?
‼ CVE-2021-41264 ‼
📖 Read
via "National Vulnerability Database".
OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade, initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301).
‼ CVE-2021-41259 ‼
📖 Read
via "National Vulnerability Database".
Nim is a systems programming language with a focus on efficiency, expressiveness, and elegance. In affected versions the uri.parseUri function, which may be used to validate URIs, accepts null bytes in the input URI. This behavior could be used to bypass URI validation. For example: parseUri("http://localhost\0hello").hostname is set to "localhost\0hello". Additionally, httpclient.getContent accepts null bytes in the input URL and ignores any data after the first null byte. Example: getContent("http://localhost\0hello") makes a request to localhost:80. An attacker can use null bytes to bypass the check and mount an SSRF attack.
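The Nim entry above is a parser-differential SSRF: the validator sees the hostname `localhost\0hello`, the fetcher sees `localhost`. The following is an added example, not code from the Nim project or from NVD, written in Python so that it runs stand-alone; it models the two halves of that mismatch (a validator that trusts the parsed hostname verbatim, and a fetcher that truncates at the first NUL the way a C-string API would) next to a hardened validator that refuses control characters outright. `INTERNAL_HOSTS` is a constructed denylist and `truncating_fetch_target` is a deliberate simplification of the truncating client, not Nim's httpclient.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed denylist standing in for "hosts this service must never fetch".
INTERNAL_HOSTS = {"localhost", "127.0.0.1", "169.254.169.254"}


def naive_is_allowed(url: str) -> bool:
    """Validator that trusts the parsed hostname verbatim.

    This is the bug class: a parser that keeps NUL inside the hostname makes
    'localhost\\x00hello' compare unequal to 'localhost', so the denylist
    check passes.
    """
    host = urlsplit(url).hostname
    return host is not None and host not in INTERNAL_HOSTS


def truncating_fetch_target(url: str) -> Optional[str]:
    """Model of a client that hands the URL to a C-style API (assumed here):
    everything after the first NUL is dropped, so the request really goes to
    'localhost'."""
    return urlsplit(url.split("\x00", 1)[0]).hostname


def hardened_is_allowed(url: str) -> bool:
    """Reject anything the validator and the fetcher might read differently."""
    # Control characters (NUL, CR, LF, TAB, ...) have no place in a URL. Refuse
    # rather than strip: stripping means guessing which parser is "right".
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname          # already lower-cased, userinfo and port removed
    if not host or host in INTERNAL_HOSTS:
        return False
    return True


def simulate(url: str) -> Tuple[bool, bool, Optional[str]]:
    """(naive verdict, hardened verdict, host the fetch would actually reach)."""
    return (
        naive_is_allowed(url),
        hardened_is_allowed(url),
        truncating_fetch_target(url),
    )


if __name__ == "__main__":
    for u in ["http://example.com/", "http://localhost/", "http://localhost\x00hello"]:
        print(repr(u), "->", simulate(u))
```

The instructive row is `http://localhost\x00hello`: the naive validator says allowed, the fetch lands on `localhost`, and only the hardened validator closes the gap. A denylist of hostnames is still weak against DNS rebinding and alternate IP encodings; the control-character rejection is the part that is specific to this CVE.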
‼ CVE-2021-41254 ‼
📖 Read
via "National Vulnerability Database".
kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize. Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run `kubectl` commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges. Multitenant environments where non-admin users have permission to create Flux Kustomization objects are affected by this issue. This vulnerability was fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0) released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS and the `kubectl` binary has been removed from the container image. To prevent the creation of Kubernetes Service Accounts with `secrets` in namespaces owned by tenants, a Kubernetes validation webhook such as OPA Gatekeeper or Kyverno can be used.
🦿 Pay-per-click fraud is costing top tech companies, and you, hundreds of millions of dollars 🦿
📖 Read
via "Tech Republic".
With an estimated 14% of PPC costs being lost to fraud, all it takes is a look at the advertising budgets of top tech firms to see how much money they're wasting, says PPC Shield.